Back in November 2007, Spy Blog commented: Countering terrorism with more quangos - more detail of Gordon Brown's security statement
The Labour Government has now published, without bothering to consult the general public, its first public UK Cyber Security Strategy, "coincidentally" in the same week as the US government re-launched their own military Cyberspace Command plans.
New Cyber Organisations
The Cyber Security Strategy sets out the Government's plans to establish two new organisations, both of which will be established in September 2009, and will be operational by the end of March 2010:
An Office of Cyber Security (OCS) to provide strategic leadership for and coherence across Government. The OCS will establish and oversee a cross-government programme to address priority areas in pursuit of the UK's strategic cyber security objectives.
A Cyber Security Operations Centre (CSOC) that will bring together existing functions: to actively monitor the health of cyber space and co-ordinate incident response; to enable better understanding of attacks against UK networks and users; and to provide better advice and information about the risks to business and the public.
3.22 Both new structures will be established in September 2009 and will be operational by the end of March 2010.
Some obvious Spy Blog questions:
Does either the Office of Cyber Security or the Cyber Security Operations Centre
- have an elected Cabinet Minister directly responsible for it, and democratically accountable for its failures (or, in theory, responsible for its successes) ?
- have even a junior elected Minister directly responsible for it, and democratically accountable for its failures (or, in theory, responsible for its successes) ?
- have even a senior Civil Servant of Permanent Secretary rank directly responsible for it, and professionally accountable for its failures (or, in theory, responsible for its successes) ?
- have any independent budget to spend on Cyber Security ? If so, then how much ?
- replace any of the other existing bureaucratic agencies, offices, departments, quangos, non-departmental government bodies etc, ?
- have any planned strong statutory legal enforcement powers i.e. criminal prosecutions with fines and or prison sentences ?
- have any planned weak statutory legal enforcement powers e.g. like the Information Commissioner ?
- have the power to cancel or amend Government IT projects and IT contracts if they are fail the Cyber Security standards ?
- have the power to cancel or amend Government IT projects and IT contracts if they fail the Privacy and Liberty Proportionality criteria ?
- be easily and securely contactable by the general public via secure SSL/ TLS encrypted web response forms, or PGP encrypted emails or by (freephone) telephone ?
- be easily and securely contactable by the people who look after Critical National Infrastructure systems via secure SSL/ TLS encrypted web response forms, or PGP encrypted emails or by (freephone) telephone ?
- be easily and securely contactable by the general public or by Critical National Infrastructure people, most of whom work in the private sector, 24hours a day, 7days a week, including holidays ?
If, as we suspect, the answers to most of these questions is "no", then this UK Cyber Security Strategy is worse than useless, and is just some more Must Be Seen To Be Doing Something political propaganda.
Wading through the "engagement / stakeholder / addressing / combating" etc. spin doctor / management consultant nuspeak, some paragraphs do stand out:
There is a "vision" statement:
Citizens, business and government can enjoy the full benefits of a safe, secure and resilient cyber space: working together, at home and overseas, to understand and address the risks, to reduce the benefits to criminals and terrorists, and to seize opportunities in cyber space to
enhance the UK's overall security and resilience.
Incredibly, for a document which must have been approved by Admiral Lord West of Spithead, the unelected, democratically unaccountable Home Office Parliamentary Under-Secretary (Security and Counter-terrorism), and a former Chief of Defence Intelligence and former First Sea Lord in charge of the entire Royal Navy, there is an astonishing reference to military history, both in the Executive Summary and repeated in the Conclusion, and also quoted in the Press Release
Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our advantage in cyber space. This Strategy - our first national Strategy for cyber security - is an important step towards that goal.
4.2 Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our position in cyber space.
So is the plan to create a militarily dominant Cyber Space Military Force, capable of taking on not just one, but any two potential global adversaries simultaneously, like the Royal Navy was designed to do in the 19th and 20th centuries ?
When exactly in the 20th century did the UK "secure the air" ? After the end of the First World War, Britain was never again the dominant "air power".
There is a mention of an unspecified UK offensive military Cyber Space attack capability, as well as of vague defensive capabilities.
2.11 We also recognise that when criminals, terrorists and others use cyber space for malicious purposes they are also exposing themselves to new risks. Cyber space is therefore a useful domain for the UK to exploit to our advantage in fighting crime and terrorism, as well as in the military sphere.
2.12 There is an ongoing and broad debate regarding what 'cyber warfare' might entail, but it is a point of consensus that with a growing dependence upon cyber space, the defence and exploitation of information systems are increasingly important issues for national security. We recognise the need to develop military and civil capabilities, both nationally and with allies, to ensure we can defend against attack, and take steps against adversaries where necessary.
That does not appear to be equivalent to the Royal Navy's "two fleets" strategy of the 19th and early 20th centuries.
Of course, anything which might actually be useful in a detailed, informed, public debate on this Strategy, is being kept secret:
1.4. There is obviously a degree to which the disclosure of information regarding the UK's cyber security capabilities could be exploited by potential adversaries. Balanced against this risk, however, is the Government's strong belief in making public as much information as possible. In this document we have made every effort to withhold only information which
would compromise our national security aims were it to be released.
Further detailed disclosures might "compromise our national security aims" if those aims include "Being Seen To Be Doing Something" and "Not Being Criticised For Incompetence".They would not necessarily worsen the real threats to national security.
There are some weasel worded promises:
Our approach will be proportionate to the risks and we will put the protection and promotion of our fundamental rights and values at the heart of our work.
Security and Liberty
1.12 The Government believes that the continuing openness of the Internet and cyber space is fundamental to our way of life, promoting the free flow of ideas to strengthen democratic ideals and deliver the economic benefits of globalisation. Our approach seeks to preserve and
protect the rights to which we are accustomed (including privacy and civil liberties) because it is on these rights that our freedoms depend. A fundamental challenge for any government is to balance measures intended to protect security and the right to life with the impact they may have on the other rights that we cherish and which form the basis of our society.
1.13 Cyber security poses particular challenges in meeting the tests of necessity and proportionality, as the distributed, de-centralised form of cyber space means that a wide range of tools must be deployed to tackle those who wish to use it to harm the UK's interests. A clear ethical foundation and appropriate safeguards on use are essential to ensure that the power of these tools is not abused.
However, exactly the same sort of Orwellian newspeak is used by Labour politicians and Civil Servants to describe the existing Database State Surveillance policies, which only pay lip service to the Principles of Data Protection and our Fundamental Human Rights to privacy, free speech, freedom to travel, freedom to associate etc.
The Strategy seems to be mainly a job creation scheme for another layer of bureaucracy:
To address the UK's cyber security challenges, the Government will:
- Establish a cross-government programme with additional funding to address the following priority areas in pursuit of the UK's strategic cyber security objectives:
- Safe Secure & Resilient Systems
- Policy, Doctrine, Legal & Regulatory issues
- Awareness & Culture Change
- Skills & Education
- Technical Capabilities & Research and Development
- International Engagement
- Governance, Roles & Responsibilities
- Work closely with the wider public sector, industry, civil liberties groups, the public and with international partners;
- Set up an Office of Cyber Security (OCS) to provide strategic leadership for and coherence across Government;
How much "additional funding" ? Will this be "new money" or simply the usual Labour government "double counting" of already allocated existing budgets ?
At least 8 bureaucratic "workstream" committees, with plenty of foreign travel for "consultation" with "partners" will be set up.
N.B. there are no quantitatively measurable criteria which would allow the public to judge if this Office of Cyber Security is a success or a failure
There are parallels with the now defunct, yet arguably more powerful, Office of the E-envoy.
- Create a Cyber Security Operations Centre (CSOC) to:
- actively monitor the health of cyber space and co-ordinate incident response;
- enable better understanding of attacks against UK networks and users;
- provide better advice and information about the risk to business and the public.
So what is the Cyber Security Operations Centre going to do , which the other existing agencies and quangos are not already doing e.g. CESG, CPNI, CERT, CEOP, SOCA, MI5, Police Computer Crime units etc?