The National Cyber Security Summit in London last week provided some real food for thought. It’s a conference that we’ve actively supported over the last two years as we passionately believe international collaboration is one of the keys to successfully addressing the challenge of national cyber security.
This year’s standout speaker was Major General Jonathan Shaw, head of the defence cyber operations group at the MoD. The MoD have taken responsibility for allocating the UK government’s 650 million pound investment in national cyber security infrastructure and are thus under the national microscope.
In his speech Shaw singled out Estonia as a leading light when it comes to national cyber readiness. Estonia’s cyber history is well publicised as it suffered a debilitating series of DDoS attacks during 2007 that targeted and took down critical web-based national infrastructure. Shaw said: “Estonia represents a country that is in a post-attack mode, unlike most of the other western countries that are still in pre-attack mode.”
The post-attack philosophy that Estonia has adopted is relevant to the wider discussion because it emphasises that “every owner and user of a network is responsible for its security, to include critical service providers particularly in the private sector, but also individual users.”
The idea that individual citizens should take responsibility for the security of the networks that they use is interesting and calls for a broader discussion about national cyber hygiene. In fact, cyber hygiene, or more accurately the lack of it, was a recurring theme through nearly all of the presentations at the conference. It’s becoming abundantly clear that all the technology in the world won’t solve the current cyber problem unless we collectively do something fairly radical to change and improve the way humans see the Internet.
A panelist at the conference suggested that “if employees put their hand up [and alerted IT] every time they clicked on something on a web page that didn’t do what they were expecting then the cyber threat could be dramatically reduced – perhaps by as much as 90%.” This may well be a gross exaggeration, but the truth is that as a user community we are ignorant of the issues and we aren’t taking individual responsibility. If we’re going to tackle this problem, it’s essential we spend as much time and money educating users as we do investing in sophisticated technology systems to mitigate the threat.
In Estonia, cyber security training is part of the elementary-level school curriculum, with plans in place to expand the programme into preschool. The reason Estonia is perceived as a cyber leader [by Shaw] is that it experienced an attack, dealt with it, learned from it and moved on with this knowledge and education. Shaw said: “I am not suggesting that the best way to become stronger is to be a victim of an attack, but Sony, RSA and others will stand stronger in the future due to their experiences in 2011.”
Maybe it’s time we all took a look at our own levels of cyber hygiene and started taking responsibility for the networks that we use?
Speaker presentations from the conference can be found here. The audio from the event can be found here.