Cabinet Office minister Francis Maude will today announce the Government’s futuristic-sounding ‘Fusion Cell’, a 12-15 person group of elite security experts who will sit in front of screens at a secret location monitoring cyber-attacks against the UK and its businesses in real time.
Launched as part of the Cyber Security Information Sharing Partnership (CISP) meant to connect the expertise of GCHQ, MI5 and Government to the business community, the Government hopes Fusion Cell will protect businesses from the waves of cyber-attacks that hit them every day.
CISP was trialled with 60 businesses as part of Project Auburn over the last year and has since been extended to 160 firms, including many in defence, energy, telecoms and key parts of the public sector.
The key job of Fusion Cell is to give participants visibility on attacks as they happen, the lack of which has dogged cyber-defence plans to date.
If it sounds like a James Bond movie directed by the Wachowski Brothers then that is probably the intended effect, but there will also be mundane dimensions to its job.
Firms will be expected to share data on the attacks they are experiencing and offer vetted staff to aid Fusion Cell’s work.
“We know cyber attacks are happening on an industrial scale and businesses are by far the biggest victims in terms of industrial espionage and intellectual property theft, with losses to the UK economy running into the billions of pounds annually,” Francis Maude said in a trailed statement.
“The initiative meets a key aim of our cyber-security strategy to make the UK one of the safest places to do business in cyberspace.”
According to comments made by unnamed officials, the UK Government remains unconvinced by the EU’s proposed Network and Information Security (NIS) directive, which would compel companies in critical sectors to report security breaches.
Rather than encouraging openness and sharing, the fear is that EU-wide legal compulsion might have the opposite effect of causing firms to share only what is required, leaving out essential detail.
Notably, in the UK’s model, reporting into the CISP using a secure web portal will be confidential.
This difference of emphasis does underline the extent to which the UK’s plans are driven by concerns over business security; the EU’s anxiety is as much about the effects on citizens.
Last month the UK announced a separate unit, the Cyber Crime Reduction Partnership (CCRP), meant to connect police, security industry experts and academics in the fight against mainly criminal cybercrime.
This was followed up some days ago by a multi-institution academic research unit on the back of a £4.5 million ($6.8 million) GCHQ grant, tasked with finding vulnerabilities in software.
The Government’s concern over cyber-attacks is understandable. According to an MI5 report last year, one London-based firm lost £800 million in revenues after a cyber-attack launched by a foreign state.
Some have criticised the initial scope of the CISP.
“We would like to see the scheme provide outreach to include smaller and SME organisations,” commented McAfee director of public sector strategy, Graeme Stewart.
“This sector makes up the supply chains of large corporate and government organisations and therefore a substantial portion of their risk comes from this supply chain failing to understand the threat posed by nefarious cyber activity,” he added.