A cybersecurity official has revealed how the government will spend £650m earmarked for cybersecurity, saying it will spread the funds across GCHQ, government departments and agencies, and the police.
The funds will also be used to develop links with the private sector, Ian McGhie, deputy director of the Office of Cyber Security and Information Assurance (Ocsia), said on Wednesday.
A government official has revealed details of cybersecurity spending, with funds to be administered by departments including the Ministry of Defence (above). Photo credit: Chris Guy/Flickr
"We've been talking to defence companies and ISPs, but we're not just concerned with one area of the private sector," McGhie told ZDNet UK. "We hope more companies will get involved, and I personally would like to see more industry bodies involved, as they tend to have clout."
In October, the government pledged to invest over £500m to boost critical national infrastructure and improve cybersecurity as part of its five-year defence plan, the Strategic Defence and Security Review (SDSR). This figure was later set at £650m.
The £650m will go towards the National Cyber Security Programme (NCSP), a series of projects designed to enhance unity of action against cyberthreats across government, the private sector, individuals and international entities, McGhie said in a speech at the Counter Terrorism Expo 2011 in London.
The government will concentrate on four 'pillars' in the NCSP: improving national cybersecurity, improving cyber-defence of critical infrastructure, combating cybercrime, and enhancing education and skills.
Overall, the £650m will be divided between 65 percent spent on capabilities, 20 percent on critical cyber-infrastructure, nine percent on cybercrime specifics, one percent on education, and five percent on reserves, according to McGhie.
To improve national cybersecurity, the Department for Business, Innovation and Skills (BIS) will use a portion of the funds "to provide clever strategic leadership" in developing cybersecurity capabilities in the private sector, said McGhie. The government wants to balance providing incentives to get businesses to improve information security with regulation — which would be used as a last resort.
"There's no appetite to put down the rule of law, but a delicate balance needs to be struck with regulation," said McGhie.
Different departments will work with different industries on efforts to boost cybersecurity. BIS will work with the telecoms sector, the Treasury will work with the financial sector, while the Department of Energy and Climate Change (DECC) will work with the energy sector.
The second strand, cyber-defence, covers national operational architecture projects. These are delivered by the GCHQ intelligence agency and its information assurance arm CESG, as well as the Ministry of Defence (MoD).
GCHQ wants to improve capabilities, and looks to detect and defend against cyberattack. – Ian McGhie, Ocsia
McGhie said the government is keen to maintain a "sovereign capability" when it comes to information assurance (IA) and security products, meaning the UK should rely on products built or tested within its borders and not have to rely on those created in other countries.
"The information-assurance community is failing to deliver common, good solutions," said McGhie. "GCHQ wants to improve capabilities, and looks to detect and defend against cyberattack."
He added that GCHQ will plug some of the money into the 'Five Eyes' forum, which consists of the UK, US, Canada, Australia and New Zealand. The organisation is dedicated to co-operation on cybersecurity issues.
The Cyber Security Operations Centre (CSOC), the UK government cyber-defence and attack centre linked to GCHQ, wants to improve national and international awareness of cybersecurity, and to "assess and respond to incidents better than it has done in the past" according to McGhie.
The CSOC will have a specific focus on security for the Public Sector Network (PSN), a cluster of government networks, and the G-Cloud, the government's cloud. The CSOC will look at authentication and identification standards that are PSN-wide, and will look at hardening G-Cloud and PSN datacentres.
Some of the funds will go to the Centre for the Protection of National Infrastructure (CPNI), so it can give cyber-protection advice to companies working in the life sciences and low-carbon technology sectors.
The Cabinet Office will use a portion of the funds to better align cybersecurity and information assurance, and to try to make sure the two separate streams are integrated smoothly. The government will work with...
... information security vendors and government suppliers to make sure that security processes and products are up to scratch.
We'll make sure we co-design solutions with industry, rather than coming up with a government bubble that when tested doesn't really work as hoped. – Ian McGhie, Ocsia
"We'll make sure we co-design solutions with industry, rather than coming up with a government bubble that when tested doesn't really work as hoped," said McGhie.
The Ministry of Defence is using a portion of the money to set up its Defence Cyber Operations Group (DCOG). In the run-up to the Strategic Defence Review in the autumn of 2010, there was "a clamour to set up a cyber command" along the lines of the US model, but the MoD "would never have got funding in the current spending round to make that credible", said McGhie.
The DCOG will look to incorporate cyberdefence capabilities in systems that do not have embedded security at present. In a second phase of operations, it will look at "high-end capabilities", which are currently in research and development.
In the third pillar, combating cybercrime, GCHQ wants to improve its real-time understanding of attacks, and support the government's e-crime agenda, according to McGhie. The push on crime will be re-emphasised in May, when the Home Office expects to launch a new National Cyber Crime Strategy.
For its part, the Metropolitan Police Central eCrime Unit (PCeU) has "done excellent work", and gained increased funding from 1 April, he said. It will use a portion of the £650m to develop forensics and mainstream cyber-training.
The police unit is looking to improve the action it takes in response to the operational intelligence it receives, McGhie added. "[PCeU] gets lots of good information, but they can't always process it in a way that leads to convictions," he said.
The Serious Organised Crime Agency (Soca) will put some of its allocation towards its analysis base, its deterrent operations and "to mainstream cyber in a way that hasn't been the case", said McGhie. Soca has been criticised in the past for not devoting enough resources to cybercrime.
The police will also devote some of their funds to look into setting up a centralised reporting mechanism for e-crime, according to McGhie.
Soca and PCeU have already been given a £63m boost to cybercrime policing from the £650m pot, in funding announced by the Home Office in February.
The fourth pillar of the NCSP is education and skills improvement. A portion of the funds will go towards building public awareness of digital risks, via schemes such as Get Safe Online.
Ocsia is hoping that the cybersecurity investment will act as seed funding for further government resources and efforts.
"We're trying to sweat the £650m so it does as much as possible," McGhie told ZDNet UK. "Let's not forget, this £650m is against a background of a lot of cuts. £650m will not solve this problem; the view is this will deliver a cascade effect."