GCHQ is losing the cyber security war because it focuses too heavily on information sharing rather than fixing old systems and investing in skilled staff.
This was the stark message from Alex Dewedney, director of cyber security at the Communications-Electronics Security Group, who admitted that the approach has not worked despite a £1bn spend over the past five years.
Dewedney suggested at the RSA security conference in San Francisco last week that a "more interventionist policy" may now be needed.
"I think the best way to sum up the challenge we face is that, while we've done a lot over the past five years and spent quite a lot of money as a government, particularly in those years of austerity we've been through, the bottom line is it hasn't worked," he said.
Dewedney explained that he could "point to lots of achievements around understanding the threats much better", but acknowledged that the UK is "not winning the fight on cyber security".
"There's been something of a mantra in the UK that the solution to all of our problems is information sharing and partnerships. [People believe that] if we keep doing that, somehow it will magically cause improvement to happen. That approach by itself is not sufficient," he said.
"We can't just pass information on threats to businesses and tell them to go and deal with it themselves."
Dewedney added that 90 per cent of UK enterprises suffered cyber security breaches last year, and criticised the UK government for not spending money on fixing legacy IT issues that have left a situation that "is killing us".
"I've tried to make this argument to my bosses that surely you have to start [with legacy] before you try to do anything more sophisticated," he said. "But the response has been: ‘I'm not spending cyber security programme money to subsidise other departments' IT budgets.'"
Chancellor George Osborne pledged in November to double cyber security funding to £1.9bn by 2020, chiefly to try to prevent IS "using the internet for hideous propaganda purposes", but Dewedney argued that funding is not the most pressing issue.
The problem is "not so much a money issue as it is a human resources issue", he said.
To hear more about security challenges, the threats they pose and how to combat them, make sure you sign-up for the Computing Enterprise Security and Risk Management conference on 24 November.
Microsoft seizes control of phishing sites linked with Russian state hackers
Fitness trackers over-estimate the number of steps their users take, analysis of 67 research reports suggests
Everything we think we know about the imminent Apple iPhone 9, iPhone 11 and iPhone 11 Plus launches
All the latest rumours about Apple iPhone Displays, CPUs, launch dates and even prices
Nvidia brings Turing microarchitecture into the high-end gaming segment