Cyber Security for the masses in the UK

Back in November 2011 the UK government unveiled its Cyber Security Strategy – aimed at protecting the UK’s infrastructure from the threat of online attacks.

OK, a bit late to the game here, but it seemed like the idea was sound enough. It stated:

The Cyber Security Strategy on the vision for UK cyber security in 2015:
Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.

  • Objective 1: The UK to tackle cyber crime and be one of the most secure places in the world to do business in cyberspace.

  • Objective 2: The UK to be more resilient to cyber attacks and better able to protect our interests in cyberspace.

  • Objective 3: The UK to have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies.

  • Objective 4: The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives.

Now we’re about halfway to the target date, and I’m left wondering just what happened. Then, last week there was an announcement by GCHQ that they are opening up the CESG Certified Professional (CCP) scheme to private companies.

Chris Ensor, deputy director for the National Technical Authority for Information Assurance at CESG, said he would like to see organisations responsible for securing the UK’s critical national infrastructure get certified through the scheme.

Now, it would seem to me, this isn’t aimed at the masses. Let me explain. We may understand that we all use the ‘backbone’ of the internet to get to the world wide web, and this needs to be there for us to get anywhere. However, at the same time, the government/security services are implementing plans to restrict use, censor sites, decrypt personal data, record usage and so on. Hardly a plan to meet Objective 3 above.

As for Objective 4, well, I can see sites in other parts of the world that help promote Cyber Security and ‘Safe surfing’. Two notable ones from Australia are StaySmartOnline, for parents, children and education... heck, everyone. Then there is also the cyber(smart:) site, with plenty of resources for kids, teachers and parents, including lesson plans by age groups, videos and competitions.

By contrast, the whole picture in the UK is somewhat less than coherent – the ‘UK cyber security community’ is quite a list; the most useful for the ‘man on the street’ would be GetSafeOnline. But frankly, visually it’s a mess, and starting with a darn pop-up wanting a survey didn’t help me like the site... I found the “Get Safe Top Ten” page and had a quick read...

5. Make sure your wireless network is secure at all times.

Nothing wrong in that, but then no real advice... nothing about the fact you should change the default encryption key, which is easily cracked. Nothing about channel selection, and whilst it mentions WEP, WPA and WPA2, it goes no further. Companies with networks/home users with networks could move to 802.1X, and beyond with user certs and so on. What about restricting hours of access? They mention the use of public hotspots, but fail to mention even the simple technique of always using the https URL in place of http to encrypt the data, or simple software to test for man-in-the-middle attacks!

Meanwhile, I was at this point going to point you at the American Department of Homeland Security site and the fact it’s the 10th Anniversary of ‘National Cyber Security Awareness Month’, but with the ongoing problems with the federal budget, perhaps a better site would be their StaySafeOnline site.

Even the French “Agence nationale de la sécurité des systèmes d’information” (ANSSI) site is easier to navigate and it’s easy to find guides on security, best practices and information about courses and qualifications.

Perhaps the UK government and The Rt Hon William Hague MP are waiting for the “Budapest Conference on Cyberspace”, which finishes today, before they ‘push the boat out’, but then I for one am not going to hold my breath.
