“What can the government do to prevent cyber-intrusions? The simple answer is not a lot.”

Gavin E.L. Hall of the University of Birmingham writes for Fair Observer:

Amid the WannaCry cyber-incident of May 12, with its ransomware attack on the the British National Health Service, comments focused on whether the attack was preventable and if it presents increased vulnerability for public sector organizations, with attention to the use of the outdated Windows XP. Such analysis glosses over an essential question: What do we want the role of the government to be and, indeed, what could it or what should it be?

The role of the government in cyber-security has two essential debates. First, there is the dividing line between corporate — including the public sector — and government responsibility. Second, if some role for the government is accepted, then which branch of government should have primacy or be involved at all? The UK’s 2016 National Cyber Security Strategy attempts to delineate the responsibility of the individual, corporate and government.

See also Why Britain’s National Health Service Was Unprepared for Ransomware Attack
Podcasts: The Cyber-Attacks on Britain’s National Health Service

The strategy established that the NHS and other public bodies had “the responsibility to safeguard the assets which they hold, maintain the services they provide, and incorporate the appropriate level of security into the products they sell”. In light of the WannaCry malware infestation, the operational failure lies within the NHS as opposed to the government. However, at the strategic level, it remains within the purview of the government “to protect citizens and the economy from harm” as it “is ultimately responsible for assuring national resilience…and the maintenance of essential services and functions”.

Thinking about the roles and responsibilities in UK cyber-security, consider who holds the information regarding cyber-intrusions and malicious activity in the cyber-environment. The National Cyber Security Centre, as part of UK Government Communications Headquarters (GCHQ), is the central data coordination point for government oversight of cyber-activity.

However, from March 2015 the government has emphasized the role of insurance companies in managing and mitigating risk in the cyber-environment. The cyber-insurance market has been growing in recent years and is expected to grow significantly following the WannaCry incident.

So insurance companies have an increasing amount of information on the preparedness and vulnerabilities of UK networks. How much of this should be shared with the NCSC?

The immediate response is all of it. Considering that the exploit used by WannaCry was “identified long ago” by the US National Security Agency (NSA), perhaps a government agency as the central collation point for all cyber-environment data is not necessarily in the interest of enhancing security within UK cyber-security or, indeed, in the global commons.

And what can the government do?

The simple answer is not a lot. The removal of geographic boundaries, the increase in actors, the deniability of actors, the variations in potential target groups, and the overall impact on social cohesion mean that the job is beyond the scope of the government as primary provider of cyber-security for the nation, hence the blurred delineation seen in the 2016 strategy.

Attempting to continue on the present course is reliant on the hope that no significant intrusions occur. But they will, and the individual, corporate, and public-sector bodies that utilize the cyber environment need to have a clear understanding that their data is their responsibility. The first step is an educational starting point that a cyber-intrusion will happen and you will lose data. The question then becomes how to minimize the loss and recover data, known as resilience. This role should be the government’s concern in the cyber-environment, helping minimize the harm suffered by an intrusion across all levels of the UK cyber-environment.

The accountability for individual, corporate or public sector aspects of cyber-security should be transferred to the insurance industry. This means that body X with good investment in cyber=security will pay a lower premium than body Y which has negligible investment or is reliant on out-of-date technology. The effect of such a shift would be that all entities would be forced to take cyber-security seriously or face higher premiums and a hit to their bottom line.

For the public sector, there will have to be not only consideration of IT procurement, but also a cost-benefit analysis of increasing premiums versus new infrastructure. In the event of a future intrusion in the public sector, we will see if the government has to admit that it chose the cheap option with its citizens’ data.

TOP PHOTO: Britain’s Government Communications Headquarters