Two different takes emerged last week on how two different parts of UK national government think they should be protecting their polities, economies and citizens.
What makes that contrast even more interesting: one is the ‘official’, national view – that of Westminster, while the other is that of the rising power base north of the border, that of Scotland’s seat of power, Holyrood. And it’s a difference that could become even more acute should Brexit strains push the two governments even further apart than they seem to be growing on this, and so many other issues.
The two approaches can be summed up thus: the view in London is that better skilling up is the key to success, while from Edinburgh, the emphasis seems to be more on common standards and approaches inside organisations, especially public sector ones – but also the supply chain that provides goods and services into those organisations has to be much more cyber security conscious, too.
One way to view this is that for Tories, you get better security by building a home-grown security sector – and for Scottish Nationalists, you spend money making the public sector safer, whether it likes it or not (a key lesson of the WannaCry crisis, perhaps?).
To be clear, training isn’t the only thing Her Majesty’s (main) Government thinks is necessary. As head of cyber security skills at the Department for Culture, Media and Sport (DCMS) Matt Parsons, where he leads The Cyber Security and Data directorate, told an audience of UK IT tech firms this week, there’s been money put into the National Cyber Security Strategy and a range of other initiatives for sure.
But more British people with security skills is without question a priority, too. At a special event techUK, which acts as a voice for the UK tech sector, put on last week all about assessing the progress of that very National Cyber Security Strategy one year on, Parsons said:
We are looking at a number of ways to retrain people who are interested in moving into the industry – at pace and at scale.
In practical terms, his team’s ‘ways’ over the intervening 12 months have included financial support for candidates looking to acquire Master’s degree level competence in cyber security via courses accredited at government (GCHQ) level, special short training ‘academies’ in the discipline and its apprenticeship scheme to attract interested youngsters from less traditional academic backgrounds into the ‘profession’. There’s also some work going on at school level, he said, with a so-say ‘cyber schools programme’ to try and discover (and encourage) both potential boy and girl security stars of the future.
As a result, the Directorate is now well-armed to apply what it’s learned from these interventions and ramp up cyber security employment, with such moves all aligned with national priorities:
One of [the Strategy’s strategic outcomes] is that the UK has a sustainable supply of home-grown cyber security professionals to meet the growing demands of an increasingly digital economy in both the public and private sectors and defence.
For the government, what that will have to look like is a more professional cyber security employment environment, like having Royal Charter status for practitioners, a process he told the techUK event is all about what’s now a “nascent” field achieving “coherence”.
Part of that could even be a new national cyber security professional body “intended to represent the sector” that would be created between government and industry and which would reflect the economy’s needs. Work on this front has actually started, he told delegates, with his team, the National Cyber Security Centre and the Cabinet Office convening a number of workshops where input on what such a thing could encompass from business, vendors and academics. Parsons said that government will now chew through what it heard before going to a public consultation phase on such a possible professional set-up next year.
Want our business? Prove you’re cyber-trustworthy
All well, and sensible enough for sure – and given that there’s been a claimed £1.9 billion of taxpayer money devoted to the Strategy, the sector can be reassured something is happening. So why does Scotland think it needs something different?
For it seemingly does – with Deputy First Minister John Swinney claiming this week he’d cooked up his own – one that will help make his part of the UK “one of the safest countries in the world to live in and one of the most reliable places to do business with”.
Our public sector action plan will encourage all public bodies, large or small, to achieve common standards of cyber resilience.
I want our public sector to lead by example on strengthening cyber security to help ensure Scotland is ready to deal with all emerging threats.
Well, of course he hadn’t cooked it up on his own – Holyrood says it actually came from “industry experts” on its National Cyber Resilience Leaders’ Board. In any case, the Public Sector Action Plan on Cyber Resilience will encourage all Scottish public bodies to implement the same baseline standards of cyber security in their organisations.
For Edinburgh, these include moves like active threat intelligence sharing, clear cyber incident response protocols and appropriate independent assurance that critical protection against the most common forms of attack is in place.
As a result, all public bodies can now achieve “a common base level of cyber security resilience”, says the Joint Chair of the Board’s Public Sector Steering Group, Dr Keith Nicholson.
That will ensure, he said, Scotland’s public sector will be better protected against cyber-attacks to the benefit of both the organisation and the citizens of Scotland. So the onus is very much on beefing up institutional competence, not so much skills:
[We will] develop a proportionate, risk-based policy in respect of supply chain cyber security (aligned appropriately with GDPR requirements), to be applied by public bodies in all relevant procurement processes… recipients of public grant funding [will need] to have in place appropriate, proportionate and risk-based cyber security arrangements… a number of leadership bodies will commit to work towards becoming exemplars in respect of cyber resilience, helping identify common issues and solutions, and sharing learning and knowledge with the wider public sector.
We’re not suggesting there is a conflict per se between an emphasis on skills and one on a more institutional approach here. And for sure, the overall UK Cyber Strategy does see ‘national’ protection as a priority.
But it is definitely of interest to see that Scotland says we need to do that by making public sector managers and suppliers responsible in contrast to the much less statist/laissez faire approach London sees as desirable.
A combination of the two is probably the best synthesis.
But it does feel we are seeing a completely different approach to cyber security under the Saltire than the Union Jack?
Image credit - Image free for commercial use