UK Cyber Security Strategy themes revealed

Businesses will be asked to share sensitive security information with competitors as part of the UK government's upcoming Cyber Security Strategy, ZDNet UK has learned
Written by Tom Espiner, Contributor

The UK government will urge businesses to form 'uncomfortable partnerships' with competitors as part of the upcoming UK Cyber Security Strategy, ZDNet UK has learned.

Businesses must look to forming close working relationships with competitors to share sensitive cybersecurity information, they will be told when the document is published. The UK Cyber Security Strategy is due on 25 November, a Cabinet Office spokesman confirmed on Thursday.

The document, already delayed twice, will update a two-year-old strategy and lay out the government's plans for dealing with the problems of cybercrime and cyber-espionage. The Cabinet Office leads the UK government's cybersecurity response, in conjunction with the Office of Cyber Security and Information Assurance (Ocsia) and the Cyber Security Operations Centre (CSOC) at Cheltenham.

ZDNet UK has learned from two separate sources that Owen Pengelly, deputy director of Ocsia, talked about the upcoming strategy in a closed session at the London Conference on Cyberspace on 2 November. Press movements were severely limited at the conference and even after lengthy accreditation and security procedures, journalists were barred from attending any of the sessions.

Businesses will be asked to form "uncomfortable partnerships", according to Pengelly, to share knowledge about cyberthreats and attacks. Organisations have historically been wary of sharing sensitive security information with competitors, due to concerns that rivals may gain commercial advantage or leak the information to damage business reputation.

New forms of partnership will include an extension of the Virtual Taskforce model of information-sharing between banks and the police. This will extend to more business sectors, and retain the 'cyber hub and nodes' system for collating and distributing data on attacks. The Metropolitan Police eCrime Unit is one of the law enforcement agencies in the Virtual Taskforce which currently shares information about crimes such as the online theft of financial credentials with banks and other agencies at home and abroad, including the FBI.

UK government agencies will look to share more cybersecurity information with organisations as part of the strategy, the ZDNet UK sources said.

Major themes in the Cyber Security Strategy include a focus on efforts to make the UK more resilient to cyberattack. The government set up CSOC in 2010 to coordinate its response to attempts on information systems, while agencies such as the Centre for the Protection of National Infrastructure (CPNI) also work with the private sector to strengthen information and physical security.

The Cyber Security Strategy also aims to better protect UK interests on the internet, according to ZDNet UK sources, as the government wants the UK to be seen as a safe place to do business online. No details of how it will do this are known.

The government will push for an 'open' internet, without censorship or restrictions on access to information, and will aim for better information assurance and incident response in organisations. It has been making a number of efforts to improve IT security skills in the public sector, including asking CESG, the information assurance arm of GCHQ, to appoint skills certification bodies such as BCS, IISP and Crest.

A government spokesperson confirmed the Cyber Security Strategy plans on Thursday.

The government has placed increasing emphasis on cybersecurity, amid growing concerns about the possible economic impact of successful attacks on information systems. In October 2010, it announced it had elevated cyberattacks to 'tier-one' threats, alongside terrorism, military crises and major disasters, and said that it was putting £650m into UK cyber-response.

The British government has faced a number of criticisms in the past over its approach to cybersecurity, including that it does not share enough information on cyber-threats with critical national infrastructure organisations.
