As the UK emerges economically wounded from the COVID-19 lockdown and we head towards a potential Brexit cliff edge at the end of 2020, it is more crucial than ever that we invest in boosting our cybersecurity capability. Australia knows only too well how state actors are using cyber attacks, the ultimate form of ‘plausible deniability’, to inflict damage on its private and public institutions. Prime Minister, Scott Morrison, publicly confirmed that recent cyber attacks had spanned “government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”.
The UK has been hit repeatedly by cyberattacks in various forms over the past few years, including those intended to subvert the political system, but there is undoubtedly much more to come, and we need to be prepared. While our economy is somewhat fragile, cyberattacks have the potential to setback any recovery even further. This begs the question; is the UK government doing enough to ensure we are prepared for the future of cyberattacks, and if not, what more needs to be done?
Department of Digital, Culture, Media & Sport (DCMS) invests £10m in cyber tech
In June 2020, the Government’s Digital, Culture, Media & Sport (DCMS) department confirmed that it is investing £10m in the development of new cybersecurity technology. Through the Digital Security by Design scheme, grants are being awarded to firms and academic institutions who are developing innovative solutions to handling cybersecurity threats. Nine grants have already been given, including to the University of Southampton to further develop their HD-Sec system which is designed to “accelerate the process and cut down errors and security vulnerabilities in software design that can be exploited by hackers”. The Universities of Birmingham and Glasgow which are both developing solutions based around microchip technology to defend and protect sensitive systems and data, have also received funding.
While the investment of £10m will be welcomed by businesses seeking funds to take their technology to the next level, whether to prototype or beyond, it is questionable whether such a modest amount of money (compared to the estimated £1bn cost to the UK economy just due to cyberattacks on Internet of Things devices), is really enough to make a difference.
What can the UK learn from the EU when it comes to cybersecurity investment?
It is one thing to invest in businesses and solutions, but what is also needed is an investment in education and skills development to ensure the UK has the digital and cyber expertise needed for the future. UK Culture Secretary, Oliver Dowden, in a recent speech to the UK Tech Cluster Group announced the government’s intention to “build a highly skilled digital workforce across every region of the UK, so that people can shift into the digital or tech sectors or digitise their own businesses”. Referring to the approach taken by the US government after the second world war, Dowden stated, “The GI bill gave American veterans the skills and qualifications to move into new areas of work after World War Two, helping them to readjust to civilian life. Likewise, we need a strategy that will help workers here adjust to a digital-led economy after coronavirus”. This approach has echoes of the national five-year digital skills investment plan launched by the French government in 2017. Under the Plan d’investissement dans les compétences (PIC), around €15bn is being made available to fund the training of one million young people and one million job seekers. While this investment is not solely in cyber, their serious investment in digital skills will inevitably encompass cybersecurity technology development.
There are many other programmes and entities which are emerging in the EU, including CyberSec4Europe, a “European Cybersecurity Competence Network”. CyberSec4Europe are working on creating a network of centres of cybersecurity expertise, with one central hub. The initiative is only in the pilot phase, but it has bold ambitions:
- “To pave the way for a sustainable cybersecurity ecosystem through the development and pilot operation of a feasible governance model for a Cybersecurity Competence Network, thoroughly tested through successful pilot projects addressing important industrial challenges in the areas of health, smart cities, finance, maritime transportation and supply chain management.
- To meet the Member States’ next-generation cybersecurity challenges through strengthening research and innovation competence and cybersecurity capacities, both at the national as well as at the European level.
- To secure EU’s digital economy, society, democracy and infrastructure through the establishment of foundations for pooling and streamlining the development and deployment of cybersecurity technology and strengthening industrial capabilities”.
One of the many challenges of leaving the EU fully at the end of December 2020 is that at a time when regional cooperation will become essential in getting ahead of cybercriminals, the UK is taking a more independent and distanced approach. It will remain to be seen whether the UK will continue to play a role in EU cybersecurity programmes, but it is difficult to see how this can be achieved as effectively as being a member of the political union.
If the UK is to sever ties with the EU in terms of cooperation on cyber technology research and expertise, it may be that the countries which make up the Five Eyes (FVEY) intelligence alliance, Australia, Canada, New Zealand, the United Kingdom and the United States, will co-operate on investment, research, funding, and skills development in the same way the EU currently are.
Since 2016, the UK has been focused on Brexit, and, more recently, COVID-19, and hence has lacked the long-term strategic planning needed to tackle security matters such as cybercrime properly. As we emerge from the pandemic and from the EU, it will remain to be seen whether the conservative government is able to move beyond the rhetoric that we can remain world leaders in technology (who can forget that the UK was supposed to have a ‘world leading’ COVID-19 track and trace system by 1st June). It can be done, but it will take serious planning, investment, and international cooperation.