Next Steps for Tackling Innovation Challenges in Cybersecurity
In early June, PaCCS External Champion Dr Tristram Riley-Smith participated in a panel at CogX 2020, under the chairmanship of National Security Chief Scientific Advisor Professor Anthony Finkelstein. Panelists explored the question: Do we have the industry we deserve, rather than the industry we want, when it comes to delivering Defence and Security solutions? Following that event, Dr Riley-Smith wrote this piece to share his perspective with members of the PaCCS network.
There’s never been a greater need to explore the role that technology will play in helping us rebuild, reconstruct and get the next ten years right.
This was the theme of CogX 2020, which asked “How do we embed resilience into our organisations, harness technology for good and address the current health crisis whilst not forgetting the climate and importance of a strong economy?” This question is not a new one. Rather, it speaks to the challenges discovered by the PaCCS community during our work on Innovation Challenges in Cybersecurity in 2016.
Four years ago, as PaCCS Impact Champion for UKRI, I gathered together a small group of people from the research, policymaking, industry and investment communities to ask why we weren’t seeing more cybersecurity solutions pulled through from hundreds of research projects underway in our universities.
Two major challenges emerged from our deliberations. We saw problems with market literacy and with a dysfunctional supply chain.
A flourishing market needs to be a literate market. But in 2015 we found two forms of market illiteracy. First and foremost, there was a yawning gap of understanding about the threat. If the threat is misunderstood – or, worse, underestimated – demand becomes diluted and needs are poorly defined. Secondly, there was ignorance about “what good looks like”. Consequently, there was an oversupply of technical solutions with no satisfactory way of assessing quality. This wasn’t helped by an under-supply of cybersecurity professionals to help us make sound judgments.
This last point overlaps with that second major challenge, around a dysfunctional supply chain. Our workshop in 2015 found that the world was suffering from an acute skills gap, with around a million cybersecurity vacancies worldwide. Moreover, the chain linking universities, industry, investors and government was broken, with no clarity of direction, poor information exchange, and a lack of incentives.
The Policy Briefing that emerged from our discussions offered a suite of recommendations for addressing the problem. In doing so, we avoided placing responsibility exclusively at the feet of Government. These challenges stem from deep cultural & institutional factors embedded in all parts of our society. We all have a part to play in resolving them. But Governments should take the lead.
So where do things stand now?
There have been significant positive developments, not least with the implementation of a National Cyber Security Strategy (running from 2016-21 and planning to invest £1.9bn). We can also celebrate progress achieved by the UK’s National Cyber Security Centre. It is frequently in the news, drawing our attention to information about the threat and how to counter it; its Cyber Retraining Academy is exemplary and works in partnership with government; and it is funding innovation accelerators and Academic Centres of Excellence for teaching (as well as researching) cybersecurity.
I am also a fan of Cyber-ASAP: the academic start-up programme run by DCMS and Innovate UK’s Knowledge Transfer Network. Thirty-three teams have graduated in the first three years (with a further 28 progressing through Stage 1 of Year 4). A strong emphasis is placed on helping researchers with exciting ideas – covering many different aspects of cybersecurity – to develop commercial skills and instincts. Cybersecurity companies are out there, raising funds from investors and starting to make a difference in the world, as a result of this programme.
But those problems of market literacy and broken pipeline identified in 2015 are still with us. We need to do more. Six areas worthy of further attention are:
I would like to see Government working more closely with commerce and industry to promote standards in different sectors, performing a role like NIST in the States – the National Institute of Standards & Technology. Moreover, we need to determine whether it is possible to develop a trusted kitemark for endorsing high quality solutions.
This needs to be a partnership, but the leadership shown by policy-makers working with the automotive industry (exemplified by the UN’s World Forum for Harmonization of Vehicle Regulations) should be rolled out to other sectors (e.g. railways, airlines, and the operators managing the Critical National Infrastructure (CNI)).
Recent research shows that the worldwide skills gap now stands at 4 million, with the total size of the existing cybersecurity workforce standing at 2.8 million. Closer to home, Ipsos MORI conducted an analysis of the UK’s technical skills gap in 2018: this found that out of 1.3m businesses in Britain, 700,000+ had a basic skills gap (defined in the note at the end of this piece) and 400,000+ carried a high-level skills gap (including forensic analysis, penetration testing, security architecture and the use of threat intelligence).
Government has started to promote cybersecurity training, with apprenticeships and with 4-year university courses that include mandatory work experience. But this needs to be given a major boost, not only providing the opportunity for developing trusted professionals to work in the UK, but also to develop and deliver those skills around the world.
In 2015 we challenged Government to set up a Cyber Security Executive (CSE). This would follow the model of the Health & Safety Executive: imposing an obligation on organisations to report attacks and breaches, developing responses, promulgating best practice, and penalising those organisations which fail to apply standards.
This has not happened. But I continue to believe this is a route worth exploring, with support from tougher cybersecurity legislation. Companies currently have a stronger incentive to hide evidence of attacks on their systems and data, because of the short-term impact on business reputation. There is also confusion about liability and responsibility: dysfunctional economic mechanisms can lead those responsible for weak defences to suffer far less cost from a security breach than society at large.
This remains a major challenge, not least among Small and Medium-Sized Enterprises, as illustrated by recent research by Drs Maria Bada and Jason R.C. Nurse.
Research is now under way to analyse the problem: for instance, the Cybercrime Research Team in the Home Office has tasked Dr Christian Kemp of Anglia Ruskin University to talk to law enforcement agencies (LEAs) and SMEs about the challenge that police PROTECT teams face in attempting to embed effective cybersecurity practices in small businesses.
Other ideas were flagged up at our 2015 Policy Workshop that continue to have validity. For instance:
- Can Government work with creative industries (including the gaming sector) to design and deliver more effective messages?
- Can we promote more cybersecurity leadership from Regulators (to protect the CNI) and the insurance industry (to protect businesses and service-providers)?
There must be a transformation in the way in which we translate research into products and services.
I cheered in 2015 when the Chancellor announced a £165m “Defence and Cyber Innovation Fund”. My enthusiasm dimmed when, in 2018, it emerged that only £10m of this sum was dedicated to cyber, and that it was to be merged into a National Security Strategic Investment Fund in which cybersecurity was one of eleven areas of focus.
Despite individual initiatives like this, and Cyber-ASAP and NCSC Accelerators, I am left with the impression that Government has taken a piecemeal approach to this issue, with individual elements appearing too siloed. The dots need joining up: this should be a major goal in the next National Strategy.
There is a bigger, strategic challenge around the contribution that HMG could make to stimulating the pull-through of innovative cybersecurity solutions through public procurement. This has been the subject of a separate PaCCS Policy Briefing on innovation in defence and security, and all the recommendations there could be applied to this cybersecurity challenge (https://www.paccsresearch.org.uk/policy-briefings/innovation-defence-security/).
6. International Collaboration
Finally, we must make strenuous efforts to engage constructively with others around the world, not least because we are exposed to the weakest link in the global safety net, wherever it’s located.
We must learn from others, including those nations doing better at nurturing innovation (from the research base and elsewhere). Israel, Singapore and the United States have an impressive track record here. Why can’t we, for instance, launch a CNI cybersecurity demonstrator like the water treatment testbed set up by the Singaporean Government working in partnership with the Singapore University of Technology and Design?
But we should also be promoting international standards and countermeasures. With funding from the World Bank and HMG, the Oxford Martin School’s Global Cyber Security Capacity Centre has been making a real difference around the world, conducting national reviews using its Cybersecurity Capacity Maturity Model. This has led, I understand, to Ghana signing the Budapest Convention on Cybercrime; to Vanuatu building a national CERT; and to Switzerland centralising its cybersecurity functions under a National Cybersecurity Advisor.
All this is small beer compared to the profound challenges we face in achieving a better balance between freedom and security in cyberspace.
Shoshana Zuboff has heightened our awareness of surveillance capitalism, where the digital footprints and shadows that we leave as we progress through cyberspace are commodified by profit-making enterprises without our full knowledge. We need to do better in protecting citizens from this exploitation (made possible by a set of free-market values baked into the internet), which was the subject of a Corsham Institute report that I contributed to in 2016 (http://www.stgeorgeshouse.org/wp-content/uploads/2016/10/Trust-and-Ethics.pdf).
But there is a fresh surveillance threat that we need to be alert to, posed by the “New IP” proposal put to the ITU by Huawei and backed by the Chinese Government. This advocates replacing the internet’s core network-layer protocols (not the World Wide Web that runs on top of them) with a more centrally controlled architecture, boosting state surveillance in a way that should be deeply troubling to those subscribing to the sort of liberties advanced by the United Nations’ Universal Declaration of Human Rights. There are good reasons for addressing deficiencies in the current infrastructure of the internet, not least because of the opportunities it brings to those intent on causing harm. But I doubt New IP is the answer.
CogX are right to say there’s never been a greater need to explore technology’s role in helping us rebuild, reconstruct and get the next ten years right. When it comes to securing cyberspace, we all have a part to play in this process, because it is caught up in all our futures (in the workplace and at home). But the work of PaCCS has shown there are great opportunities for Government to take a lead.
Note on the Ipsos MORI figures: a basic skills gap is defined as being where organisations are not confident in carrying out one or more basic tasks, including: creating back-ups, controlling admin rights, setting up automatic updates, choosing secure settings, restricting what software can run, detecting and removing malware, securing personal data transfers or storage, and setting up correctly configured firewalls.
Cover Photo by Adi Goldstein on Unsplash