Whilst parts of the public sector are not generally held up as shining beacons of security best practice, there are areas where private and public sector can take a leaf out of each other’s books, as the security challenges facing both continue to escalate. The recent reinforcement by the Chancellor of the Exchequer, Philip Hammond, of a £1.9 billion investment in bolstering the UK’s cyber defences also highlights the increasing need for cooperation between business, government, academia and industry to confront the growing menace of cybercrime.
Over the last decade, one could argue that parts of the private sector have demonstrated more examples of best practice in cyber security. That doesn’t mean to say that all businesses are adequately secure – on the contrary. However, by the same token those businesses, whose very existence in a global competitive market depends on good security, offer a good blueprint for success in protecting sensitive data. One fundamental principle that such organisations have embraced is the importance of balancing security against the competing challenges of usability and cost. An inability to focus on all three will result in failure, as users will find ways to sidestep security measures if they prove too onerous and managers will continue to weigh up cyber risk and the cost of compromise against the corresponding cost of investing in cyber security. Only relatively recently has this triple imperative been widely recognised by government; a reality which has in the past been hampered by out-dated practices including slow and cumbersome certifications and accreditation processes.
Cost, risk and usability, the triple imperative
In the past three to four years there has been a cultural shift within government as the term ‘commercial best practice’ became pervasive. This has had a profound effect on the way that systems have been architected, procured and deployed and how government is looking to the private sector for both inspiration and guidance in the introduction of technology and practices. The recently introduced Government Classification Scheme (GCS), is reflective of this approach to security, which in part seeks to redress the balance between cost, risk and usability. For example, today processes like the Commercial Product Assurance (CPA), run by the National Cyber Security Centre, which dictates the process for new products to be certified for government use, is much more flexible and efficient than its past equivalents. There has also been a real drive to give responsibility for informed risk management to the data owner rather than using process to obscure responsibility. However, the nature and scale of threats faced by government within the cyber domain today is of an unprecedented scale and magnitude. This means that some differences will continue to exist between the public and private sector, however the principle of efficiency, cost and usability is now well established.
On a global scale the UK has a world leading reputation for security expertise, but arguably this has not yet translated into a vibrant home-grown cyber security industry of a scale that fulfils national potential. Cyber security is recognised by the British government as a tier one national threat that is attracting substantial government funding and driving an increased need for collaboration between government, academia and industry, which is in turn driving innovation in the cyber security ecosystem.
Both private and public sectors face a fundamental challenge: to address the asymmetry that exists between the capabilities most businesses present to the world and the huge number of adversaries wishing to exploit them, reflecting the cost and effort required to detect and respond effectively to today’s threats. One area that government is arguably ahead of industry, is in gaining confidence in the identity and state of end user devices. Most high-profile data breaches involve the exploitation of vulnerabilities on end user devices. In the field of identity and access management, technologies exist to enable the authentication not only of users but also to determine the level of trust that can and should be conferred on devices. By increasing the level of trust in both devices and users, businesses can significantly reduce their attack surface.
A move towards the secure desktop
Many of the building blocks in use today in government have evolved out of the commercial space. One such example is the Trusted Platform Module (TPM), a cryptographic chip that ships with most Intel devices (with Trust Zone a similar technology for ARM-based devices). These ‘trust anchors’, as they are known, are hardware standards becoming increasingly adopted in government circles, to enable the establishment of a level of trust in the state of a device by taking cryptographic measurements of systems and patches deployed on that device. Initiatives such as these are leading to the widespread deployment of secure desktops in government. Systems for accessing cloud based platforms, containing some of these trust-supporting features to offer secure browser-based access to virtual applications across varying form factors. This move towards secure desktops is making it an order of magnitude more difficult for attackers to exploit than common desktop systems. Typically using open-source operating systems at their core, they are mature enough to address cyber threats, using a robust architecture, whilst balancing the triple challenge of security, usability and cost efficiency that is critical for success. This is an example of where government are driving standards adoption that the private sector may do well to embrace.
Another area where government has a natural advantage is the area of data classification. An important element of any mature IT security strategy involves conducting regular security audits, which as part of an ongoing risk management regime should entail identifying and prioritising data assets. Introducing appropriate data classification schemes is likely to become increasingly relevant to commercial businesses, faced with the need to comply with the EU General Data Protection Regulations, due to come into effect in 2018, as they seek to avoid the threat of substantial fines of up to 4 per cent of turnover, associated with the loss of personally identifiable information.
The role of legislation
In future, we are likely to see continued convergence between public and private sector with approaches to Cyber security. There is an imperative for businesses to demonstrate security best practice, and industry giants like Google and Facebook are investing in some areas of cyber significantly beyond related investments from national budgets, driving innovation in multiple fields of cyber security. This will ensure that there will continue to be an interchange of skills, knowledge and technology between the private and public sectors. The question for both commercial and public organisations to address, is how their organisation lines up on a spectrum of security conscience ranging between ‘best practice’ at one end and ‘negligence’ on the other. Government is increasingly taking a lead in publicising the threat of cyberattack, but to date has only enjoyed limited success in raising awareness of good practice with initiatives like the Cyber Security Essentials Scheme. Recent history suggests that for many businesses, left to their own devices, they will continue to minimise their investment in security. As the EU GDPR is somewhat non-prescriptive in the measures that businesses need to deploy to demonstrate best practice, it’s likely that either further regulation or more compelling guidance will be needed to drive many businesses to take the necessary steps to protect themselves, their employees and the public, in a world where digital transformation and increasingly interconnected devices forms a potent mix with a cyber threat that continues to grow.
About the author: Co-founder and Chief Executive Officer of BeCrypt, Bernard Parsons is a technology expert with more than 25 years of experience spanning robotics, embedded systems and telecommunications as well as high-end security technology.