Cyber Security Strategy for "Protecting and promoting the UK in a digital world". This document follows closely on the heels of the FCO-organised 'London Conference on Cyberspace' at the beginning of the month. Such high-profile events show the importance of cybersecurity and the management of threats on the UK Government's mainstream political agenda. The declaration of cyber-security as a Tier 1 threat, and the much-cited investment of £650 million into the four-year National Cyber Security Programme (NCSP), further prove the commitment. This document sets out a UK strategy to be achieved by 2015 and provides the outline for future regulatory approaches to these developing risks.
It states in rather utopian language (taking lessons from the UN clearly...) -
Despite this laudable sentiment, there has been criticism that the Strategy provides insufficient coherency for realisation of many of its aims. The Chartered Institute of IT notes that a framework for greater integration between public bodies, industry and individual citizens is required. Overlooking the lack of explicit detail at this stage, the Strategy does indicate key areas of investment and development for the next three years. I provide discussion of a few aspects that I found interesting.
The Strategy clearly acknowledges the importance of strong intelligence and the expertise of GCHQ. The Government wants the UK to pave the way as a leading environment for secure e-commerce and online activity. Development of the 'public/private hub of expertise on cybersecurity' is going to provide practical assistance in this regard. The development of defence technologies by increasing partnerships between GCHQ, private firms and academia is an area where the government foresees growth. Beyond this, a proactive approach to cyber-defence is also creating offensive technologies, which William Hague noted in October. This highlights the UK's role within the increasingly publicised global cyber arms race.
It is noted that because most cyberspace infrastructure is owned by private companies, there is great need for "private organisations to work in partnerships with each other, government and law enforcement agencies, sharing information and resources, to transform the response to a common challenge and actively deter the threats we face in cyberspace". These partnerships are a recognition of the need for new governance methods, and as long as respective interests are balanced they seem a positive development. However, Lessig, in the bible of cyberspace regulation, Code v2.0, noted the risks of seamless integration of law and technological architecture to create a system of perfect regulation in cyberspace. He acknowledges the necessity of a trigger to force this interaction, in this case security issues. It is important to remember that as new security-centric governance structures are developing, balanced and proportionate regulation is essential. Proportionality is mentioned in the Strategy, but as many post-9/11 legislative developments have shown, when faced with balancing security and privacy, the government often struggles to achieve the correct balance. The real challenge for this Strategy is foreshadowing effective governance structures that address security challenges whilst maintaining respect for individual rights.
In terms of hard international laws, the UK as Chair of the Council of Europe for six months has made a renewed commitment to persuade other countries to develop laws compatible with the Cybercrime (Budapest) Convention. There is also a commitment at a domestic level to raising awareness of cyber-specific sanctions for cyber offences within the UK judiciary. Considered in conjunction with the review of the Computer Misuse Act 1990, this may result in a range of new offences in the revised legislation, fit for purpose in this age. Another area of focus is cross-border law enforcement, with cooperation and prevention of safe havens. Although this approach seems more plausible in Europe (where information-sharing systems like Schengen I - with II on its way - already exist), for other non-European countries this seems more unobtainable. Domestically, the establishment of a cyber crime unit in the new National Crime Agency (NCA) will draw on the expertise of the Serious Organised Crime Agency (SOCA) and the Met Police Central e-Crime Unit (PCeU).