The chancellor announced a £1.9bn investment in internet security measures yesterday. Or at least announced how that allocation was to be spent. It looks to be pretty thinly spread across a range of measures: securing critical infrastructure, funding innovation, recruiting new criminal investigators.
Put simply, it’s not enough. But then, could it ever be?
The big challenge in cybersecurity is bringing the risk/reward ratio closer to that of the physical world. Imagine trying to commit some of the most famous internet attacks and crimes in person and you are instantly into Hollywood territory. Conning people into giving up their savings in order to secure millions in reward? Do that face to face and it’s Ocean’s 14. Breaking into global corporations to steal high-value data? Mission Impossible. Disabling a country’s nuclear programme? Bond.
But to do these things remotely? Yes, sometimes complex, sometimes expensive. But it appears the chances of detection are relatively low and the risks of capture even lower. I don’t think long sentences are a particular deterrent (and the evidence supports this), but even so it’s hard to equate someone hacking a bank from their bedroom with walking into a branch wielding a shotgun.
The problem is the range of possible crimes we are trying to address at once. Spam emailing millions in the hope that one or two may not be aware of the African prince scams (or African astronaut as a recent twist incorporated) is very different from a state actor disabling the energy grid. Or from a hacking group flexing its digital muscles by taking down a key piece of internet infrastructure. The skills and tools to address these different crimes are wildly different and responsibility for them is owned by different pieces of government — or other, more international bodies entirely. These are often international crimes that pay no attention to borders, albeit they may be targeted at a specific nation — as with the rash of robodialler attempts to convince people they are in arrears with HMRC.
We spend around £35bn a year on defence and around £15bn on law enforcement. As a proportion of this, £1.9bn is pretty significant. But put into the context of a global cybercrime, terror and espionage threat, it seems like small change.
The impact of that investment can only be amplified through co-operation.
Firstly, improved security comes with the co-operation of the general public. A willingness and openness to learning basic lessons to improve their own security. Over time we will, as we have done in the physical world, become more security conscious, eliminating the opportunist threats through better systems and better behaviour. The digital equivalent of window locks and mortice bolts, and the awareness of risk that stops us clicking on things that we shouldn’t.
Secondly, we need the co-operation of the makers of hardware and software. The big software vendors have learned to better engineer security into their systems and, this week’s story about Google and Microsoft notwithstanding, have become better at patching holes as they find them. But hardware makers have a lot of catching up to do. The increasing range of internet-connected devices, from cars to cameras, kettles to cookers, seems to have incredibly poor security standards. Every one of these is not just a threat to its owner but a weapon to be wielded at others, as part of a botnet. Governments should sanction those failing to implement appropriate security standards. Perhaps even enforce them with ‘nematode’ software that breaks into insecure devices and upgrades their protection.
Thirdly, we need the co-operation of international partners. This may be counter to the prevailing political rhetoric, an idea that we are somehow made more secure by throwing up bigger borders between our island and the rest of the world. This idea was out of date when the Vikings arrived, let alone in an age when the marauders can arrive through any one of a huge array of glass tunnels just a millimetre across.
The internet is a global state. Our future security within its borders is the responsibility of all digital citizens.