What advice does a genuine expert give on cybersecurity?
When the political history books are written, the comment by the former Justice Secretary, Michael Gove, given during the Brexit campaign, that “Britain has had enough of experts” may just be his professional epitaph.
I disagree with Mr Gove on this point and believe that, when making decisions of great magnitude, the wise course of action is to assimilate the facts from experts in the particular field of interest in order to arrive at a satisfactory conclusion.
It is, however, relatively rare that you get to ask such an expert, and when the opportunity arises it has to be taken. Fortunately for me, such an opportunity arose earlier this week at the Cheltenham Literature Festival. The annual festival brings together a wide variety of authors, some well known, others less so, into a ten-day smorgasbord of literary-themed events. One such event was titled ‘How Big Is Big Brother’ and covered the topic of how intelligence agencies have to balance surveillance with civil liberties.
At the event, hosted by the philosopher Julian Baggini, the former Chair of the UK Intelligence and Security Committee, Sir Malcolm Rifkind, explained how this fine balance was struck. Having been in the most senior positions of government, including Secretary of State for Defence, he has intimate knowledge of the threats that the UK faced. Obviously, I wondered what his view would be on the current threat from cybercrime, cyber terrorism and other cyber-related issues. Sadly, I couldn’t ask him during the Q&A session at the event, but did grab a few words with him afterwards.
In his role at the Intelligence and Security Committee he had complete oversight of the policy, administration and expenditure of the Security Service, Secret Intelligence Service (SIS), and the Government Communications Headquarters (GCHQ). One has to assume that he was aware of all the necessary details of threats and intelligence matters in order to carry out his duties, skilfully and with due consideration. This means that on top of his enviable political career, where he would have been granted the highest level of access to information, he has been at the very top of intelligence circles as cybercrime has escalated.
I asked Sir Malcolm the question, “What advice would he give to companies who are concerned over the current threat from cybercrime?” My thoughts were that he could answer this, based on his extensive knowledge, swiftly, succinctly and in the time it would take to sign the copy of his memoirs, “Power and Pragmatism”, that I had just picked up from Waterstones.
After a pause and due consideration, he replied, “Follow the advice of CESG”. We then chatted on a few other points to do with risk awareness and board-level responsibility, but it was that one point that was the ‘headline’ from our brief conversation.
CESG was the information security arm of GCHQ but has recently been brought together with the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI) to collectively become the new National Cyber Security Centre (NCSC). This new body went ‘live’ in early October 2016.
Their aim, according to their website, is “to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience. We work together with UK organisations, businesses and individuals to provide authoritative and coherent cyber security advice and cyber incident management. This is underpinned by world class research and innovation”. This says to me that this is a collection of leading experts from across many disciplines advising on all aspects of cyber security.
The NCSC itself is a part of GCHQ, so one has to believe that the threats, plots, trends and attacks that GCHQ monitor and disrupt will frame the advice given by this new body. Even in these early stages of their operation they are providing threat assessment reports, which should become essential reading for CISOs throughout the land, and I’m sure there will be much more to come in the future.
Michael Gove may have had enough of experts, but in the realms of cyber security we need expertise and advice from those on the very front line of this escalating threat. I, for one, will follow with great interest the progress and advice of the new NCSC and, alongside the recommendation from Sir Malcolm, I would suggest that you do too.