Cybersecurity spending: Here's where the money goes

Tackling state-sponsored attacks on critical infrastructure and the defence supply chain remain top priorities, according to newly published figures.
Written by Steve Ranger, Global News Director

The government has provided some more detail of how it spends its £200m annual cybersecurity budget, with defending against sophisticated and state-sponsored attacks on critical national infrastructure and the defence supply chain taking the majority of the funding.

The government published its National Cyber Security Strategy in 2011. Among its objectives is to make the UK more resilient to online attacks and "better able to protect [its] interests in cyberspace".

The strategy is backed up by the National Cyber Security Programme which - with £860m in funding over five years - aims to improve the UK's capability "to detect and defeat high-end threats", as well as boosts the police's capacity to deal with online crime and improve cyber awareness and risk management across UK businesses.

In its most recent progress report, released last week, the Cabinet Office detailed where the £200m it intends to spend on the programme this year will go.

The largest portion (£93.2m) will go on "sovereign capability to detect and defeat high end threats." Much of this will go to surveillance agency GCHQ to "detect and defend against the increasingly sophisticated cyber threats facing the UK", the Cabinet Office said.

UK government spending on the National Cyber Security Strategy 2014-5. Image:
UK Cabinet Office
While the report says much of this work "is necessarily classified", it adds the intelligence gathered by GCHQ is being used to "provide protection at pace and scale to key networks of national significance". It said in the coming year GCHQ will be expanding a programme to share intelligence on "hostile state and cyber crime activity" with security-cleared personnel in communications companies so they can also protect their networks from attack.

The second largest slice of funding will go to "mainstreaming cyber through defence" aimed at improving security through the defence supply chain (the £200m budget doesn't include more general defence spending in the cyber arena, where the armed forces are building their own offensive digital warfare capability as part of £500m project.)

Earlier this year the government revealed that state-sponsored hackers had managed to breach its secure intranet, while the defence industry has also long been a target for state-backed hackers looking to steal military secrets.

Both of the two top areas for cybersecurity spending are a response to an ongoing hacking epidemic, much of it with either the explicit backing or tacit approval of a nation state.

Beyond these two areas, as part of £200m funding, the government is also spending £29.1m on improving the police response to cybercrime and £21m on private sector awareness.

The report details some of the attempts to make the private sector do a better job of cybercrime prevention, such as the 'Health Check' project carried out by the Department for Business, Innovation and Skills (BIS) to assess how the boards of top UK companies are managing online risks.

The department has also published advice for the corporate finance sector addressing the cyber threats around mergers and acquisitions, buyouts, and venture capital.

The report noted a number of successes achieved by the taxman's own in-house cybersecurity team, which has assisted in the prevention of fraud totalling more than £100m this financial year.

The report said 94 percent of fraudulent emails spoofing HMRC web domains are now being deleted by ISPs before they reach their customers' mailboxes. HMRC has also responded to more than 75,000 phishing reports and taken down more than 4,000 illegal websites.

However, the overall state of cyberdefence in the private sector remains patchy: the government's own research shows that 81 percent of large organisations and 60 percent of small organisations reported a breach, while the cost and severity of breaches increased significantly.

For small organisations, the worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15m, according to the report.

In June, GCHQ, BIS, and the Cabinet Office launched the Cyber Essentials certification to encourage adoption of basic security controls by companies. Since the launch only 124 have been awarded the badge. However, as of October this year, having Cyber Essentials accreditation has been mandatory for some suppliers to government which is likely to boost adoption.

More on cyberdefence

Editorial standards