U.K. Cyber-Security Strategy Beefs Up Defenses, Information Sharing

The United Kingdom outlined plans to secure critical infrastructure and improve the country’s cyber-defenses to protect national security and citizens from multiple cyber-threats.

The United Kingdom will create a new cyber-crime unit within the National Crime Agency to deploy cyber-specialists with skills and experience solving cyber-crimes to police departments across the country to assist with investigations, according to the Cyber Security Strategy released by Francis Maude, the Minister for U.K.'s Cabinet Office and Paymaster General, on Nov. 25. The new unit would build on the Metropolitan Police's eCrime Unit, which has been actively involved in breaking up cyber-fraud gangs this year.

The National Crime Agency is the U.K. equivalent of the Federal Bureau of Investigation. The new division is set to be fully operational by 2013.

The goals are ambitious. By 2015, the measures outlined in the strategy document will place the United Kingdom in a position "where law enforcement is tackling cyber-criminals, citizens know what to do to protect themselves, effective cyber-security is seen as a positive for U.K. business, a thriving cyber-security sector has been established, public services online are secure and resilient, and the threats to our national infrastructure and national security have been confronted," Maude wrote.

The Cabinet Office is expected to report back next year on its progress.

The government classified cyber-security as a "tier one" national security priority in 2010 and set aside 650 million pounds over the next four years to be used for cyber-defense, according to Maude. The bulk of the funding will go towards the government's efforts to detect and counter cyber-attacks.

The plan outlined a new public-private sector collaboration in which the government and businesses will exchange information on cyber-threats and responses. Similar to the Defense Industrial Base Pilot launched by the United States Department of Defense, the partnership will allow organizations to receive classified details about cyber-attacks and information on how to counter them.

The U.S. version of the program is limited to defense contractors and similar organizations. The British counterpart will include companies from the defense, finance, telecommunications, pharmaceutical and energy industries in a pilot program that will be launched in December. Based on the pilot's success, the hub will be expanded in the spring to include other sectors, according to the document.

The British government is also investing in "proactive measures to disrupt threats to information security."

The Centre for the Protection of the National Infrastructure will also be expanded to include organizations that have previously not been considered part of critical infrastructure. While the list of organizations was not available, businesses where the threat to revenues and theft of intellectual property could cause "significant economic damage" to the U.K. would be covered, the document said. The strategy also noted that "much of the U.K.'s critical infrastructure is not in government hands but is owned and managed by the private sector."

Authorities will also set up a simplified cyber-crime reporting system through the existing Action Fraud reporting center. Users will also receive training to increase public awareness of online threats. A voluntary code of conduct with Internet service providers will also outline how users whose computers are infected with malware will be notified and receive instructions on how to mitigate the problems.

The plan also discusses improving the military's defense capabilities, without actually committing to responding to cyber-attacks with military force. The Pentagon officially committed to that as an option in a report to Congress publicly released Nov. 21.

"This strategy outlines the creation of a new Joint Cyber Unit hosted by GCHG (Government Communications Headquarters), which will develop our military capabilities to give the U.K. a comparative advantage in cyber-space," according to the document. GCHG is a British intelligence agency that handles communications and information systems security.

The Cyber-Security Strategy document "heralds a new era of unprecedented co-operation between the government and the private sector on cyber-security, working hand in hand to make the U.K. one of the most secure places in the world to do business," Maude said.