Finally, they’ve announced that someone will lead the assault on Cyber defence, and even better, he’s a military type. We don’t know his name yet, but we do know he’s a General.
This is, on balance, a Good Thing. My fear for a while was that they would appoint a career Civil Servant to the role, and whilst I have no issue with that, a man who has spent his career handling really sensitive material makes sense. Because military types handle information that literally is mission critical every day, one would hope he will have a grasp of the cost of poor information handling and the real cost of system failure (both procedural and IT).
I have two concerns which I’d like to see addressed though. First is that, in my experience, the military tends to appoint staff into Infosec/IA roles who have no background in that space, and demands they pick up the topic at breakneck speed. This is often a positive: I have been honoured to make the acquaintance of military staff who work in the IA space and are able to apply a pragmatic approach not coloured by dogma or industry hype, because in their last role they were working in sandy places doing something completely different. I’ve also met a few who struck me as slightly struggling to get their head around a highly specialised topic, and who can be easily swayed by an industry that has traditionally sold on FUD (fear, uncertainty and doubt). The panacea to this is to ensure the new General has a cohort of high quality advisors, maybe with IA industry background, but mostly with a realistic view of the world and its issues.
The second issue concerns what his brief will be and where the money is targeted. I’ve written before about the dangers of not shoring up the weakest links in this space. Spending a boatload (or tankload now) of cash on the likes of SOCA and a NOC down at Cheltenham is great, but outlying systems on any network become the easiest point of entry. CESG recently gave a presentation highlighting the five major points of attack on UK Government as identified by GovtCert:
(from lowest to highest threat)
• Website vulnerability (i.e. badly patched websites being defaced)
• Non-targeted attacks (i.e. Malware)
• Government-brand phishing (e.g. someone pretending to be HMRC offering you a tax refund)
• Targeted attacks (i.e. deliberate, highly sophisticated attacks by perpetrators known and unknown)
• UK Government itself (from poor patching procedures, policy and procedure being ignored or dodged, to wrong communication channels being used for classified materials)
The new General needs to ensure he focuses on the wider requirements of Cyber defence, and spends money for the maximum impact across Government.