Experts Comments On UK National Cyber Security Strategy

Following the news on the government’s 1.9 billion announcement in cyber defence spending,  IT security experts from Corero Network Security, Glasswall Solutions, HEAT Software, SentinelOne,  Imperva, ESET, comparitech.com, CrowdStrike,  Veracode, WhiteHat Security, Barracuda Networks, Digital Guardian,  ForgeRock and DQM GRC commented below.

Dave Larson, COO and CTO at Corero Network Security:

“Plans unveiled today by Chancellor Philip Hammond focused on major initiatives to better protect the businesses and ultimately, the citizens of the UK. The ever increasing and evolving cyber threat landscape has become dinner table conversation as of late, these events are becoming increasingly common, and proactive, automated solutions must take centre stage in defeating the threat. The modern Nation cannot sit back and hope that the next cyber-attack won’t impact critical infrastructure or take down major online institutions.

“These initiatives must be paired with consumer education in understanding the threats that exist and how to avoiding becoming an unintentional pawn in cyber warfare. Additionally, when you think about attacks on the Internet of Things escalating from consumer devices to businesses, enterprises, government agencies, utilities and more – you realize it is time to more aggressively secure every endpoint so entire networks including cloud services don’t collapse and leave us vulnerable to other forms of terrorism.”

Greg Sim, CEO at Glasswall Solutions:

“The government’s launch of the National Cyber Security Strategy is excellent news, given the huge growth in the dangers to businesses around the globe from targeted attacks, such as threats hidden in email attachments.

The National Cyber Security Strategy must recognise the severe dangers posed by these threats and implement new innovations which are needed to overcome the conservatism and reliance on outdated methods that are undermining our defences.

The majority of organisations are still deploying security solutions that search in the wrong places and are designed to remove previously identified threats or signatures. But the reality is that criminals have moved on and are attacking the lifeblood of organisations, striking at the heart of the business email systems with weaponised documents by making sophisticated alterations in the structure of common file-types such as Word documents, PDFs, Excel and PowerPoint files. When these files are opened, their malicious payload executes and companies are immediately plunged into the damage limitation and clean-up process, which assumes they realise the breach in time and they are not victims of resident malware for many months.

There must be wider recognition that traditional signature-based AV security no longer cuts the mustard and that criminals are also using social engineering techniques, gaining a detailed picture of people and organisations all along the supply chain so they can achieve maximum impact.

While investment in cyber-security training is a positive step, too much of the focus is on detecting and mitigating attacks that have already happened. Prevention is much better than cure and innovative solutions that eliminate malware attacks must be the way forward, allied to an approach that hands the initiative back to organisations by putting them in charge of security policy in relation to files.

The only effective solution to defend against these attacks and the deliberate corruption of email-bound documents lies in file-regeneration technology that produces a benign, sanitised file at sub-second speeds which is checked against the manufacturers’ standards.”

John Ferron, CEO at HEAT Software:

“This is great news. It is very promising that the UK government is upping its game and developing a concrete plan to prevent the damaging effect of cyber-attacks. As the recent DDoS attacks on IoT devices have shown, whilst the UK has started to take cyber-security more seriously with the establishment of the NCSC and the proposed plan for a ‘Great British Firewall’, cyber-defence needs to be permanently positioned at the top of everybody’s priority list to keep up with the rapid evolution of cyber-crime.

An especially important aspect of the proposed strategy is that it highlights the susceptibility of old legacy IT systems to cyber-attacks. The strategy noted that many organisations, including government organisations, are still reliant on legacy systems, which leaves them incredibly vulnerable to ransomware attacks or data breaches. This is because these legacy systems were not designed to be able to deal with the cutting edge tools used by modern cyber-criminals.

The government should be using this new strategy, and its budget, as an opportunity to lead by example and educate all other organisations on how to use a layered approach to deal with cyber-crime. Pure prevention strategies such as blacklisting and antivirus alone are ill equipped to deliver anything like the levels of protection they once did. The UK needs to understand that there’s no silver bullet that can entirely insulate them from cyber and data security threats. However, a layered approach to security that incorporates people, process and technology will enable them to mitigate against 99% of their risks. Automating the installation of security updates and combining this with application control makes it almost impossible for unapproved software to run on public systems. On top of this encryption and device control provides added protection against insider threats, a growing issue made worse by the impact of BYOD.

We continue to assist UK government bodies in this area and have worked closely with NCSC in particular to ensure our technology meets the public sector’s needs and requirements.”

Andy Norton, Risk Officer – EMEA at SentinelOne:

“Clearly Cyber Security, is becoming a differentiator in attracting investment and business. The level of protection afforded to UK based business and its citizens, will need to eclipse recent European directives, to achieve that in a post Brexit world.

Let´s hope the money is well spent on vigilance and protection, fixing the current failings, rather than testosterone fuelled posturing trying to attribute attacks and “strike back against those that try to harm our country.”

Amichai Shulman, CTO at Imperva:

“I personally like the tone of the announcement. It seems that the money is aimed at increasing cyber safety for the general public rather than adding protection to “critical infrastructure”. I’ve talked about it numerous times in the past.

Most modern nations spend much more on the attack side rather than the defense side. When they do spend on defensive technologies it is to protect “national interests” and “critical infrastructure”. While these are important causes, over the years modern nations have failed to invest in “cyber safety” for the masses – making the Internet a safer place for people who conduct commerce and surf for information and fun.

If, as stated by the UK official the additional funds are going to be invested in better policing of cyber space as well as helping commercial organizations to get protection then this is a much desired long deserved investment.”

Mark James, Security Specialist at ESET:

“With so much malware being delivered via emails and websites the only way we are going to stop it is investing in the right places. Providing the right expertise and professionals to give the best advice along with investing in the right software and or hardware to identify attacks or incoming risks will need a substantial cash injection. Sadly it’s not going to just happen overnight and requires ongoing investment in training and future projects.

One of the problems we have always seen is information sharing, being able to get real time useable data on how threats are incoming and evolving will be invaluable for our defence. But having the means and processes in place to not only stop attacks but find and prosecute the criminals responsible wherever they may be, is what we need. With international boundaries and the ability to administer an attack from almost anywhere in the world successfully, prosecuting cyber criminals with the sentences that sends a clear message would do a lot of good.

Investing in our upcoming cyber security professionals is one of the areas that needs to be expanded, it should be an area teenagers consider alongside traditional careers and one that should be easily accessible by all. We also need to ensure help and training is available for anyone who needs it in understanding the everyday risks involved in using computers, tablets and mobile devices.”

Lee Munson, Security Researcher at Comparitech.com:

“The British Empire Strikes Back would make a cool-sounding film, but the plot surrounding the Chancellor’s plan to inject £1.9 billion into the nation’s cyber security defences is, at best, a confusing one.

“Automated defences, designed to nullify phishing and other nefarious emails, sound like an awesome solution to a problem that has plagued the best business and technical minds for at least a generation.

“Quite how they will work is entirely unclear at this time, but this security researcher is super-excited at the prospect of the silver bullet so many of us in this industry have yearned for since the dawn of the internet.

“More than that, I am even keener to see how the UK will ‘stike back’ at those who threaten Britain across the interwebs when there isn’t enough cash on offer for the process of identification, let alone retaliation, unless ‘Russia done it’ is now the official government line in response to all cyber-attacks.”

Mike East, VP EMEA at CrowdStrike:

“The DNC attack is a defining moment in our industry. It’s pushed governments to a point where they have no choice but to discuss and agree what’s acceptable and what’s not when it comes to cyber crime, and take decisive action.

“The UK’s cash injection to shore up cyber defence is a nod to its acceptance that reactive action to cyber threats is no longer enough. The next step is to use intelligence to support the detection and management of attacks, and better counter criminal activity.

“The theft of information to uncover a government’s national security strategy is one thing, but the theft of information in order to influence elections, is another – it changes the dynamic.

“Ultimately, the UK government has a fundamental right to protect its citizens. Moving forwards it must focus on understanding its adversaries better – their motives, their tactics, and how that intelligence can be used in order to stay one step ahead.”

John Smith, Principal Solution Architect at Veracode:

“Following the launch of the National Cyber Security Centre last month, the British government is clearly making a concerted effort to secure the country against the ever-evolving threat landscape. From organised criminal groups and script kiddies, to ‘hacktivists’ and foreign states, the threat of data breaches is real and the effects can be severe. The data, digital identities and even lives of citizens can be impacted and, in some cases, put at risk. Both the UK government and UK businesses suffer when valuable secrets are stolen and given to outside interests.

“However, it is essential that beyond investing in the agencies which deal directly with active cyber defences, the government must take a more holistic approach to cybersecurity. Greater education around security threats is needed to reduce the nation’s cyber risk. Only consider that the government’s Cyber Streetwise campaign which recently found that two thirds of SMBs don’t consider their business to be vulnerable – despite evidence proving that cyber-attacks are on the rise. When combined with the recent NAO report attacking the government’s “dysfunctional” approach to data security, it is clear that much more can – and needs to – be done.”

Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:

“It is a step in the right direction for the UK government to invest more money in cyber defence and training. In our experience, money is always better spent in the defence of future attacks rather than in trying to find and abolish the culprits. The issue is not the attackers – they are always going to exist – it’s the system that is susceptible to the attack. Fix the issue and your attacker problem goes away.”

Paul Lyden, VP Northern Europe at Barracuda Networks:

“The National Cyber Security Strategy has been a long time coming. Modern cyber threats are no longer simple to defend against and so the news that the government is finally picking up the gauntlet will be welcomed by businesses of all sizes. The crucial change in recent years has been that cyber criminals are shifting towards more targeted scams and more advanced malware that cannot be detected by traditional techniques. What’s more, the increase in mobility and sheer volume of devices has exponentially increased the potential attack surface. We are in a kind of golden age for digital crime. The business has injected change at accelerating speed into all elements of IT and many organisations are simply trying to keep their security stable. It has become quite easy for attackers to find an unprotected door.”

Thomas Fischer, Threat Researcher and Security Advocate at Digital Guardian:

“The plans announced by the government demonstrate a good application of investment across the three cornerstones of IT security; people, process and technology. Many of the automated tools discussed in the strategy are widely available to businesses today, but we still come back to the issue of ensuring that the proper processes are in place and people are provided with the right skill sets and training. Faced with a constantly changing business landscape and changes in staff, it is very difficult for businesses to ensure security processes are well applied and that a strong foundational security culture exists.

Most organisations already accept that it is not if, but when, they were breached. This expectation may well reflect the fact that malicious parties are now more likely to extort the victim, or release the data to forums or even the public. Time and the security skills shortage are the enemies in this situation and they make it hard to ensure the three cornerstones are kept current and relevant.

Simon Moffatt, Senior Product Manager at ForgeRock:

“The announcement that the UK government is to boost cyber security defence is a welcome one. Many organisations and end users are facing an increasing array of attacks, identity theft and malicious activity than at anytime previously and any active investment in reducing these risks is a positive step forward.

However, we are really just keeping pace with the ever-changing threat landscape. From an end user perspective, increased awareness and education of potential threats is a must, whilst private sector organisations need fully documented data breach plans in place.

As more organisations undergo digital transformation and place more and more services and applications online, they need to implement strong device and person-based identity and access management practices, providing secure contextual authentication and protection of identity related data, which will allow them to give the right access to the right people, at the right time.”

Christine Andrews, Managing Director at DQM GRC:

“Whilst we welcome any boost in spending by the UK government to improve cyber security, unfortunately real progress will only occur when the organisations themselves start taking data governance seriously and consider cyber security as a boardroom issue – not a problem that can be resolved in a backroom department.

Assistance from the government is a supportive step in the right direction, but it is vital that the organisations themselves implement an engaging staff training programme to ensure all employees are aware of the need to manage data securely. The most common and destructive mistakes are often due to human error – not state-sponsored, powerful cyberattacks. For example, even the simple loss or theft of a USB stick or laptop containing personal information about the business could seriously damage your organisation’s reputation, as well as lead to severe financial penalties”