Whitehall official outlines cybersecurity funding plan

The government plans to spend £650m on projects ranging from raising consumer security awareness to increasing GCHQ's capabilities, according to a top Whitehall official

A high-ranking Whitehall official has outlined how the government plans to spend £650m on cybersecurity.

The funding, which was announced in October, will be spent on a number of initiatives: "It's a national programme, with a range of activities ranging from improved public awareness through to GCHQ abilities at the other end," the official told ZDNet UK on Wednesday. GCHQ works in close co-operation with the Cyber Security Operations Centre (CSOC), the government body charged with responding to cyberthreats.

Part of the funding will go towards establishing high-level industry groups such as the Telecommunications Industry Security Advisory Council (TISAC), said the official. TISAC was set up by the Cabinet Office Central Sponsor of Information Assurance (CSIA) — which became part of the Office of Cyber Security (OCS) in 2009 — to discuss and respond to threats to UK telecoms resilience. TISAC includes senior executives and chairmen of communications providers, operators, internet exchanges, telecoms regulator Ofcom, the OCS, and the Department of Business, Innovation and Skills (BIS).

The official said that TISAC had been successful, and that the government is now looking to establish high-level cyber-response groups in different sectors of the critical national infrastructure, such as financial services. "There are already a lot of financial [cyber-response] groups, and [the financial sector] really recognises the value of having strategic discussions between the public and private sectors," said the official.

The £650m funding forms part of the Strategic Defence and Security Review (SDSR).

Total government spending on information security is around four percent of the annual £16bn public-sector IT budget, or £640m a year, the OCS told a government committee on Wednesday.

Steve Marsh, deputy director of OCS, told the Commons Science and Technology Committee that the £650m was in addition to existing funding. It was difficult to give an exact number for government information security spending, Marsh said.

"The announcement of £650m is new money, in addition to what we spend on IT security, which is estimated at approximately four percent of the IT budget, [which is] £16bn a year," Marsh said. "Cybersecurity rests on existing mechanisms, and there are other contributions, with different estimates across different departments."

Professor Mark Welland, chief scientific advisor for the Ministry of Defence, said that the MoD had 350 people who were specifically trained in cybersecurity, and that the MoD research budget for cyber-defence was £6.5m. In addition, said Welland, all MoD staff underwent some form of information security training.

London School of Economics information security expert Peter Sommer told the committee that it was difficult to know how much the public sector spent on information security, as part of the budget went to secret intelligence agency budgets, and the rest was split over disparate public-sector bodies.

"The problem is we don't know the budget the government is putting in GCHQ," said Sommer. "Part is in the police, part in the Cabinet Office, and part appears in other budgets. It's easy to say we're not spending enough, but we don't know how much is being spent."