UK and US Strategies for Public Private co-operation on Cyber

On 1st March I presented in the House of Lords on the role of the Cyber Resilience Centres as part of a DPA meeting to discuss the current challenges with regard to operational risk, the role of insurance and the need to ensure that cyber skills programmes address what organisations need to do if they are to obtain cyber insurance at all, let alone get it renewed after an incident.

I put the role of the Cyber Security Centres into the context of the current UK Cybersecurity Strategy . I said that NCSC support for the regional and local operations needed to be compared with the equivalent US Federal support programme, run by CISA. I also said that the role and objectives for the London Cyber Resilience should be compered to those for the New York Cyber Command.

I also said we had barely ten days to ensure that with Cyber Skills were include among the headline priorities for Local Skill improvement Plans, although we have until the end of May to get the details agreed. I promised the audience that I would use my script as the basis of a blog (see below) and would add a short progress report (see also below) on the actions under way to get Cyber included in mainstream careers advice and skills programmes, both nationally and for London (as the largest global financial services, fintech and cybertech hub outside North America).

On the 2nd March I was sent a link to the new US Cyber Security Strategy. The strategy talks (Section 1.2) about “Scaling Public Private Collaboration” and (Section 2.2) “enhancing Public Private Operational Collaboration to Disrupt Adversaries”.  Once upon a time the UK had an embryonic equivalent to the US “Sector Focused Information Sharing and Analysis Centres” (the ISACs). They were called WARPs. Those for local government still exist but are not mentioned in the new UK strategy … and nothing has taken their place … though there are a number of ad hoc groups.

I also liked the reference in the US strategy to the NCFTA – although the irony is that it sits outside the Federal Government … 400 miles from Washington – which is why it so effective. The UK still has no real equivalent – and for it to work as well it should probably be based in Plymouth – 400 miles from London, albeit with  better rail service. (I made that comment in Plymouth five years ago at the launch of the pilot that became the basis for the Cyberhub programme. It proved to be accurate because the hosts, now BIT Training, were able to broker global co-operations and pilot talent and training approaches that would probably have been impossible “this side of Dartmoor”)

I particularly liked objective 2.3: in the US strategy: “Increase speed and scale of intelligence sharing and victim notification”. But like much else in the US strategy there is no indication as to how this is to be achieved.

The section on skills (4.6) “Develop a National Strategy to Strengthen out Cyber Workforce” is, however, curiously weak. It is well behind what some of the US based cyber employers and professional bodies who are helping the “Cyber Skills for London programme” are seeking to achieve with regard to their UK talent acquisition programmes.

= = =

The role of the Cyber Resilience Centres within the UK National Cyber Strategy

(Script for DPA meeting in House of Lords on 1st March)

For those of you who do not know me. I was Secretary General of DPA, then called EURIM, when David Blunkett was Home Secretary and we hosted the policy studies into policing the on-line world. That is the main reason why I am Convenor of the Advisory Group for London Cyber Resilience Centre, helping to complete unfinished business and joining up the dots at the operational level.

The revised  UK National Cyber Strategy, issued in January, refers to  “reorienting our cyber sector innovation programmes away from large, often London-based initiatives to a regionally delivered model, built in partnership with local industry, innovators, law enforcement and academia; and taking steps to increase the diversity of the cyber workforce – recognising that being able to harness and nurture the skills and talents of the whole population is critical for our national security …

“The National Crime Agency’s (NCA) National Cyber Crime Unit (NCCU) provides national leadership and coordination of the response, supported by a network of dedicated Regional Cyber Crime Units (RCCUs) …  as well as the Metropolitan Police Service’s Cyber Crime Unit …. complemented by dedicated Local Cyber Crime Units (LCCUs), embedded in each of the 43 police forces … can investigate and pursue offenders, help businesses and victims protect themselves from attack and work with partners to prevent vulnerable individuals from being drawn into committing cyber-crime.

Centralised crime reporting, triage and analysis is provided through Action Fraud, hosted by the City of London Police … The City of London Police also coordinate victim support, including through the Economic Crime Victim Care Unit.”

The implementation plan refers to:

“ A more inclusive and strategic national cyber dialogue with industry, academia and citizens by establishing a new senior National Cyber Advisory Board and building on the already strong networks of cyber growth and resilience partnerships and the academic centres of excellence for cyber security research and education.

More integrated and effective regional cyber networks across the UK, enabling stronger partnerships between government, businesses and academia to support sectoral growth and business resilience. We will work with regional cyber clusters and the recently established UK Cyber Cluster Collaboration (UKC3), the growing number of regional cyber innovation centres and Cyber Resilience Centres, strengthening links between local businesses, academic centres of excellence and law enforcement.

These steps will build on the range of existing relationships between the National Cyber Security Centre (NCSC) and its stakeholders, between government departments, arm’s-length bodies and the sectors of the economy they represent, including CNI and regulators, and the government’s wider dialogue with industry and the digital and technology sectors.”

The Cyber Resilience Centres were to begin by delivering services in line with a Home Office contract to tailor NCSC provided cybersecurity guidance and support for local SMEs. The contract provides modest funding towards overheads, while partnerships are agreed between local police forces, universities, councils and the private sector to pull together the resources to meet regional needs, beginning with a set of common services and shared brand.

Those services are:

  • Community membership services which include uncharged access to NCSC materials and alerts and charged access to support bundles supported via Cyber Path students
  • Cyber PATH which uses supervised work experience students on approved courses to provide support for SMEs
  • Panels of registered partners who will help SMEs adopt Cyber Essentials and/or assess them for Cyber Essentials Plus
  • Uncharged access to Cyber Alarm (threat monitoring) and the Global Cyber Alliance toolkit (including DMARC compliance).

How the regions build on the core Home Office “model”, within a common branding, varies. The North West Centre is co-located with those working on programmes linked to the creation of the National Cyberforce campus at Samlesbury.  The North East has strong support from Local Government and Police and Crime Commissioners with Sheffield Hallam building on the legacy of the EU-funded programme which made South Yorkshire and Humberside the safest place in Europe to run a small business.

The Welsh Government is providing additional support and Scotland has moved further along the direction of travel to a more integrated approach.

London is Different

The last of the Cyber Resilience Centres, that for London, finally received its funding in January, as the revised national strategy was being published. It is using the Home Office contract as the start point for three dimensions of partnership within the National Strategy.

The first dimension is marketing-driven partnerships to deliver projects that will enable the current Home Office model to be scaled to meet the needs of the 20% of all UK businesses, including 47,000 SMEs and 380,000 VAT registered Micro-Businesses, based in London.

The second dimension is professionally driven partnerships to meet the needs of the world’s largest financial services/fintech/cyber hub (target) outside North America. It generates over 25% of UK GDP and over 30% of tax revenue. It employs over 25% of UK cyber professionals. It commissions over 75% of commercial cyber security revenues.

The third dimension is volunteering partnerships using those supported by their employers as part of their own career development programmes to help implement the cyber-community dimension of the community policing changes on which the Met Police Commissioner is consulting as part of  The Turnaround Plan .

In each area the task is to assemble coalitions of those willing to work together across organisational and funding barriers to deliver results.

Most of the regional centres co-located with the regional organised crime unit and staffed from police secondees. London has the Met Police, City of London Police and British Transport Police on its board and is hosted by City University in the midst of the UK’s most powerful Cyber Cluster.

City University is co-ordinating the Cyber PATH programme for London as part of much more ambitious exercise to meet the needs of London as a global Fintech and Cyber Hub, including inputs to the mainstream Local Skills Improvement Plan. Meanwhile the Greater London Authority has made an extra contribution to help plan and launch community outreach programmes to help meet the needs of London’s SMEs.

The first task of the Advisory Group for London, which I convene, is to advise how to secure support from those wanting to sell security services to the world’s largest Fintech and Cyber hub outside the Americas. In parallel we will be looking for similar support from their target customers – those based in London who want to help secure their supply chains, include for staff, and their customers – globally and nationally, not just within the M25.

London also has its own levelling up agenda – against New York, with its 400 strong Cyber Command. We also need to help the national programme for all the UK regional cyber security centres to level up against the programmes run by CISA, the Federal Cybersecurity and Infrastructure Security Agency, to help the 50 sovereign commonwealths and 20,000 law enforcement agencies of the USA.

That means working with global players, including vendors, customers and professional bodies to adopt best practice in organising effective co-operation around the world – not just locally with the UK Government and its security agencies.

At the heart of that co-operation are the Insurance Underwriters. They have very expensively begun to learn what it is that makes victims vulnerable to attack, what reduces the harms they suffer when they are attacked and what makes it easier for them to recover and resist future attack.

The critical importance of rapid and effective action on the skills needed NOW

I therefore have a number of objectives today – from the high level to the mundane. A common thread, however, is to expedite the process of ensuring that operations of all types and sizes have access to the advice and guidance they need to obtain cyber insurance at affordable cost and make a successful claim when they are attacked. But they will also need the skills necessary to understand and follow that guidance.

The Cyber Security Council is working on long term skills needs but the deadline for the London Skills Improvement Plan, which will determine public sector FE and HE skills spend over the next few years is three months away, at the end of May.

We also need immediate action to assemble groups of employers and training providers willing to work together to develop, accredit and use micromodules covering the skills they currently lack to meet their own needs and those of their more vulnerable customers and suppliers.

Those micro-modules should knit together to fit the current and future frameworks on which the cyber security council is working but time is not on our side. London therefore needs intercept and interoperability strategies to enable its employers and training providers to meet the evolving demands of global insurers and regulators as well as of national and international professional bodies and accreditation organisations.

Finally, Have you heard from the team assembling your Local Skills Improvement Plan ?

If not, your priorities are probably NOT among their priorities.

They are due to submit those priorities to DFE by mid-March and the completed plan by the end of May.

Forget the Northern Ireland Protocol and getting Brexit done, or not. The LSIP will have far more impact on the future health and wealth of your business and that of your employees.

End of script

= = =

Update on creation of  National and Local Cyber Skills Partnerships

The speaker before me gave an update on the work of the Cyber Security Council  on mapping career paths and certifications. The members of the Council working on certifications and qualifications have been making real progress with digesting the many maps of cyber skills and career paths into a form intelligible to teachers and careers advisors.

It is now, therefore, realistic to bring forward the plans discussed six months ago to use the vertical market employer engagement processes of the Careers and Enterprise Company group to create a Cyber Careers Partnership which uses the mainstream LEP based careers advisors to reach all schools, not just the 2% of schools reached by current cyber skills programmes.

This will not be ready in time to help the headline priority setting stage of the LSIP process – by late March.

But, given support from a critical mass of cyber employers and training, as well as the relevant officials in DfE and what is now DSIT, could well be operation in time to help with inputs to the detailed plans due by the end of May. 

The action I took away from the DPA was to ask those working on the Cyber Skills for London programme to contact the Cyber Security Council and the Career and Enterprise Company to restart the discussion put on hold last September because the time was not then ripe. It is now.

Given support from a critical mass of employers who are serious about addressing their own skills needs, as well as helping address those of their supply chain and customer base, we should be able to use the LSIP process to progress than the US, even if they can gt their Strategy through Congress.