The government's cyber security strategy - too little too late?

The government needs to go after hackers outside of its jurisdiction, say experts

Security experts have given the government's new cyber security strategy announced today a cautious welcome, but warned that greater efforts are needed internationally to ensure the safety of the internet.

The main elements of the strategy announced by prime minister Gordon Brown today included a new cyber security operations centre, a national cyber security office and a cyber security tsar. Also announced was extra funding to help improve information sharing, and enable better detection and response to online attacks.

Tony Dyhouse, director of government-backed organisation the Cyber Security Knowledge Transfer Network, said IT crime is "crippling the UK economy" and needs to be addressed by government.

"Cyber criminals are using innovative methods to steal vast amounts of money, therefore a strategic approach to combating cyber crime is essential," he said. "We need to stay one step ahead of organised e-crime activity, and the UK’s Cyber Security Strategy is the best way forward."

Rick Howard, director of intelligence at managed security services firm iDefense, added his backing to the proposals, but said it was too early to tell if these measures would actually prove effective.

"It is encouraging to hear about the British authorities reaching out to the white hat hacker community; the Russian and Chinese have been doing that for years and are way ahead of both the US and the UK in this regard," he said. "In the Chinese case, they use their hacker community to collect unclassified intelligence from western government workers and contractors. The fact that the UK intends to use hackers for a good cause is encouraging.”

Martin Sutherland, managing director of security consultancy Detica, said the strategy would succeed or fail depending on the amount of funding it receives.

"The programme announced today will require a strong partnership between government and industry, as well as extensive international engagement," he said.

"If the commitment is there, and the necessary funding, we believe this programme will make a substantial difference in ensuring that cyber space, and hence the public, becomes safer and more secure."

Ed Rowley, EMEA technical consultant at security vendor Marshal8e6, agreed that the global nature of the internet calls for more than separate national cyber security strategies, as announced by the US and now the UK.

"Only international co-operation between governments and ISPs will afford the level of security we expect and this still looks a long way off,” he said.

Steve Watts, co-founder of SecurEnvoy, argued that a better strategy from the government would be to encourage a more decentralised model of security, encouraging businesses and individuals to protect their own networks.

“Most organisations realise it’s their own responsibility to prevent cyber attacks," Watts said.

"But many still follow the ‘sun screen’ approach, and only apply measures when it’s invariably too late. While the government can’t claim ultimate responsibility, what it can do is encourage accountability – by putting the schemes in place to support it.”

Mikko Hyppönen, chief research officer at F-Secure, added to the voices welcoming the announcement, but warned that from a law enforcement perspective, a more global approach is required.

"Establishing an international agency - 'Internetpol' - with the enforcement power to really target the organised criminals who operate on the web is the best way forward in the fight against online crime," he said.

"It would ensure that investigations start at the top of the crimeware food chain and bring to justice the people who are running the online crime syndicates."

In truth, all the serious rhetoric from Gordon Brown aside, the success of the cyber security proposal really depends on how much funding the government is prepared to commit to the programme.

Recognising that there is a problem is an encouraging first step, but a cure will continue to prove elusive unless the government is prepared to engage internationally with governments around the world, especially those who allow cyber criminals to flourish undisturbed.