Should the UK’s cyber protection be centralised?

So this evening, I was reading through the Intelligence and Security Committee’s Annual Report 2010–2011 (you know, just casually). As I delved inside, I became particularly intrigued by the sheer number of agencies who were tasked with protecting the UK from cyber attack, or at least some particular portion of it.

Now I’m no cyber guru, but it seemed to me baffling that we could have created such a uniquely complicated tangle of overlapping authorities spread across a whopping 18 (!) different agencies (nominally headed by the Cabinet Office):

It would seem that I am not alone either.

Of course, this is slightly old news, but the government’s response to the issue is definitely not. It appears now that government has begun to attempt to unravel this convoluted web (sorry for such a terrible pun!) of agencies through the establishment of a new, centralised (at least partially) cyber security hub (full report here), which it announced in November.

My knowledge of this topic area is very limited, but I was interested to know from some of the cyber aficionados (and others too) as to their thoughts on these issues:

– Is it right for multiple agencies be employed across the private and public sector to formally help protect the UK from cyber attacks? It seems that, done right, this could lead to an synergistic, mutually supportive system whereby the different agencies provide interlocking safety nets that stop threats more effectively than a single brittle barrier. But done wrong, it could be a chaotic shambles where no one really takes overall responsibility, coordination breaks down and massive gaping gaps are left open for cyber attackers to exploit.

– Is the government right to try to scoop it all up under the jurisdiction of one centralised centre? This seems like a good idea on the surface, but will having one central agency like this ultimately lead to bureaucratic inefficiency? In fact, is this even really viable as an idea, or will the other entities – particularly within the private sector – continue to flourish at such a rate that the centre will quickly become all but obsolescent?

Any thoughts?



15 thoughts on “Should the UK’s cyber protection be centralised?

  1. Mike Few says:

    Yes! Centralize and build one big base. Call it a cyberwar forward operating base (CWFOB). Surround it with massive T-walls and concertina wire to ensure protection of the everyone inside. Send positive reports to the Ministry of Truth with long, extensive quantitative datasets marking extensive measurements of progress to insure increased funding. Hire civilian security guards to provide outer security.

    Everyone is now safer. There is nothing to fear.

  2. This is one of those absolutely absurd situations which only gets more stupid the deeper you look at it. There are also teams within Army/Navy/Air Force whose remit is cyber protection too, although their scope is more limited, and they are not plugged into this network in the same way, however (of course) they have overlapping responsibilities in some cases!

    Add to that the private sector organisations who are ultimately the suppliers of a lot of the resources used to impliment cyber protection and it all becomes a rather bizzare exercise. Whether it turns out to be pointless is still to be determined.

    What’s also still to be determined is what cyber protection is actually for. Is it to stop cyber crime? Because thats a police issue. Sort of, except it depends what you call cyber crime. Technically hacking someone’s home wifi is a cyber crime of sorts, but whose responsibility is stopping that? Is it to stop a theoretical ‘cyber war’ (I apologise for bringing that term back to the comment feed, I know no one likes it). Because thats a military thing. Between those two points is your vast array of activities which are both “cyber” and “bad”, with no clear idea who is responsible for policing what.

    This is one of those times where (as I believe Mike has eloquently noted above) whatever sandwich you eat, its going to turn out to be full of s*it. You either get a big messy pile of agencies, or you end up with one unweildly one which is unable to do the sort of critical analysis that creating real cyber protection will need.

  3. Clement Guitton says:

    As you mentioned, cyber security is a topic that touches upon a wide spectrum of issues and this is partly why it can get pretty messy when trying to look at the bigger picture and at overlapping mandates.

    The structure to tackle cyber security in the UK is quite unique in a European context. France and Germany have apparently adopted for a more centric model with a seemingly powerful agency (respectively ANSSI and BSI) being facilitator and enabler: the same agency coordinates the policy and has the technical expertise to implement it.

    I say apparently because the situation is not that clear either (in France, the DGSIC is also in charge of coordinating, as the CIO is in Germany). In the UK, there also exists a ‘Threat Production Board’ supposed to coordinate cyber security policy.

    I once asked a question to an OCSIA official about the efficiency of the UK model and he answered that:
    the general aim was to identify all the possible cyber areas that can fall within existing departments, give them the responsibility for this new cyber mandate, and eventually (potentially) remove the OCSIA.

    The UK needs to be given credit for identifying all these areas, and it is almost clear who ‘should be in charge’ for any of them. Critical national infrastructure (CPNI, BIS), police (PCeU, SOCA), etc. It is not as clear for France for instance that does not have a central agency to deal with critical national/information infrastructure.

    Who’s responsibility is it to stop people hacking into someone’s house’s wifi? This is clearly PCeU, but I agree that there are issues. The first one is conceptual. The UK does not implement a classification of cyber crime that differentiates between crime facilitated by information systems and crime targeting information systems. The second one concerns resources. PCeU just got a bigger budget in 2011, but they still have a certain ‘threshold’ on cases they can take on. As the budget is not so important (£100m/year, 104 policemen as for 2011), they have to take into consideration the damage caused by the crime, and if they have the forensic technical knowledge and adequate information to solve the case.

    Concerning cyber terrorism, the Counter Terrorism Command of the Metropolitan Police Service is in charge of it. But as with cyber crime, they don’t really bother trying to define it. Damon Crawshaw, from the Counter Terrorism Command, mentioned 2 months ago at a RUSI event: ‘The department is not struggling as much with defining cyber terrorism but more on implementing solution to fight it’. You get the picture.

    Is this model more efficient to tackle cyber security as other European examples? Or is departmentalism and struggle for power affecting trust and information exchange?
    (see Richards, D and Smith, M. ‘Politics in Whitehall – as elsewhere – is about spoils, about who gets what’). I’ll come back with an answer to that (hopefully) at the end of my PhD…

    On another topic, a very interesting information in this report (that was not available anywhere else before the publication of the new UK cyber strategy 2011) is the allocation of budget and the fact that intelligence services get almost 60% of the national cyber security program. This is easily explained by the fact that GCHQ has the technical expertise to tackle cyber security (with CESG), but is still quite remarkable.

  4. Francis Grice says:

    I’ll put you down as a ‘no’ then Mike? That answer definitely brought a smile to my face!

    Chris, some very interesting points, thank you. Yes, I imagine that the lack of a clearly defined goal for cyber defence makes the task infinitely more difficult – how can you achieve what you want to achieve when you don’t know what that is! Your appraisal of the problem sums up very much the line of thought that I was reaching as well – a bit of a damned if you do, damned if you don’t outcome. If you centralise too much, then cyber protection could become excessively bureaucratic, staid and inefficient, but if you have too many agencies you might generate conflict, gaps and lack of coordinating purpose.

    Thanks Clement for the fascinating and very informative response. I agree that it seems like the UK is beginning to get a grip on these things and that, in itself, is a very good thing. Better for the government to be engaging and not necessarily getting it quite right, than not engaging at all and therefore most certainly getting it entirely wrong (well, I suppose unless complete government abstinence IS the best way forward!) You mentioned the French and German models – am I right in thinking (and here I’m very much in the realm of anecdotal knowledge, so bear with me), that Russia and China have far more centralised models than any of us? Or is that just another example of paranoid Western delusions creating a phantom, bogeyman ‘evil empire’ who – in our imagination at least – has created a masterful mechanism of doom that works with perfect efficiency and power?

    • I think the issue that will crop up most of the time in the current system is that policy and implimentation are happening in lots of different places. The ideal situation, such as one exists, is probably to try and centralise those functions, then allow for individual departments to take the functioning model and apply it to their area of responsibility. That way you can develop a coherent system which interlocks at the macro level, but can be applied to each department. You probably also need that policy and implimentation team to deal with situations when something occurs which bridges departmental responsibilities, as they are the people who can see the “big picture” and will be able to unify the response.

  5. Simon Barr says:

    It appears that we’ve ended up with a political rather than pragmatic compromise to the cybersecurity problem. The pragmatic compromise would have been to allocate most of that £650m budget to the law enforcement agencies which as Clement points out, was not what just happened.

    GCHQ and CESG may well be the ‘best fit’ in terms of technical expertise but their response so far has been operationally ill-defined (as everyone agrees). I suspect CSOC is not what many people think it is.

    We can say that there’s been very little external recruitment from outside these agencies (either public or civil service internal) for cybersecurity experts at the technical level. Looking at the table above it becomes very clear why – the concentration has been on non-technical policy wonks to do policy definition and defining operational … erm, policies in preparation for the rather undignified Cabinet Office hungry hippo exercise that just took place.

    The problem now will be transparency and accountability – those policy wonk positions have mostly been reserved posts so don’t expect their output to become public knowledge this side of 2099. Additionally, as with many poacher-and-gamekeeper policy remits, success is defined by the absence of reportable incident rather than its presence so maybe that unseemly lineout exercise that’s just taken place is all we’re actually ever going to see of our hard-earned £650m after all.

  6. The Faceless Bureaucrat says:

    You raise an interesting point, FG. On the one hand, as you point out, a centralised approach might lower the ‘transaction costs’ of coordination. However, it seems that the emerging best practice/conventional wisdom is to go for more dispersed institutional arrangements, ones characterised as networked rather than hierarchical, marked by dispersed leadership and workforce, “guided by simple yet flexible rules” rather than being “policy and procedure driven” (See WEF, Global Risks 2012, 7th ed. p. 33). All of this would increase what we now call ‘resilience’, a concept which will be repackaged and sold as ‘antifragility’ by Mr Black Swan himself, Nassim Nicholas Taleb, later this year.

    • Mike Few says:


      To add to your point, in the last twenty years (or maybe one hundred years?), we’ve gotten on with this notion that “cheaper is better.” For example, today, many would argue that it is better to purchase produce, meats, fish, and sometimes dairy abroad b/c with technology, it is cheaper to mass produce and transport.

      I, however, would rather purchase my food locally even if it cost a bit more- taste better, less chemicals, less storage time from ground to my stomach, and keeps my neighbors employed. So for me, looking at more than the transaction costs, cheaper is not necessarily better.

  7. Pingback: Leading the World (?) « The Rosemont Report

  8. Pingback: Leading the World (?) « The Rosemont Report

Leave a Reply

Your email address will not be published. Required fields are marked *