The UK government has launched both its five-year cybersecurity strategy and the new National Cyber Security Centre (NCSC), laying out its plans to change the way we view online threats.
Speaking at Microsoft's Future Decoded event yesterday, NCSC technical lead Dr Ian Levy said the government's National Cyber Security Strategy 2016-2021 aims to "fundamentally change the return on investment of attacking the UK".
Changing the cybersecurity narrative
Levy, who brings 15 years of cybersecurity experience from his days as technical director at the Government Communications Headquarters (GCHQ), used the example of the Heartbleed exploit to show that a 45-year-old class of vulnerability can still cause massive disruption.
Heartbleed wasn't nearly as catastrophic as it was made out to be, according to Levy. But he said: "We allowed for 45 years the same programming errors to occur over and over again. As we become more dependent on technology and machines we have to change this narrative to one of harm reduction."
Levy said that existing "stupid" cybersecurity advice needs to change, moving away from "do not open suspicious attachments" and "make regular password changes". This sort of advice is "trying to get the user to compensate for bad system design", Levy said, demanding evidence-based risk management advice instead.
Levy wants to move away from a culture of fear to one of practical prevention. "Everything we do as an industry focuses on making it sound really, really bad because then you can't possibly defend yourself and you buy the magic amulet," Levy said, somewhat sarcastically. "My job as part of the NCSS is to change that fear into evidence driven by data."
How this data is collected, and the potential impact on privacy, will need to be addressed, though. Levy said: "I want to start generating real, national scale data so we have metrics that mean something to the average person on the street."
Levy said he is tired of being told how much cyber crime costs the UK without any evidence (even though these figures tend to come from the government itself). He said: "I want to be able to explain to the public how we are spending their money so they understand the effect we are having. More importantly we have to do it transparently."
The new centre's other core capability, beyond education, is a more joined-up approach to incident management.
Chancellor Philip Hammond outlined this capability himself. Also speaking at Future Decoded, he said: "For the first time the government will have a dedicated, outward facing authority on cybersecurity, making it much simpler for business to get advice on cybersecurity and to interact with government on cybersecurity issues."
The centre takes over from the Computer Emergency Response Team (CERT UK) in this regard.
"[When] businesses or government or academic bodies report a significant cyber incident the centre will bring together the full range of skills from government and beyond to respond immediately," Hammond explained. "It will link up with law enforcement to help mitigate the impact of the incident, seek to repair the damage and assist in the tracing and prosecuting of those responsible."
Hammond did say that government can't be held solely responsible for cybersecurity, putting the onus on businesses and tech companies to be robust in their own security. He said: "Chief executives and boards must recognise responsibility to manage cyber risks just as they do with any other operational risks.
"Similarly, technology companies must take responsibility for incorporating the best possible security measures into the design of their products."
Cyber security strategy 2016-2021
Hammond used Future Decoded as a platform to 'announce' the government's broader five-year cybersecurity strategy, which was originally announced 12 months ago and includes £1.9 billion of investment. The strategy centres on three strands: Defend, Deterrence and Develop.
Defend focuses on a more "active" approach to cyber defence. In practice that means "supporting industry use of automated defence techniques to block, disrupt and neutralise before it reaches the user."
Secondly, deterrence focuses on better prosecution of cyber criminals. "We will deter those that seek to steal from us in cyberspace by strengthening law enforcement to raise cost and reduce rewards of cyber crime," Hammond said. "To detect, trace and retaliate is likely to be the best deterrent."
The third — develop — is about closing the digital cyber skills gap, with the announcement of 13 new academic centres "attracting students and investment into the UK" and a new virtual institute which will focus on hardware and look to improve the security of smartphones, tablets and laptops through the innovative use of technology.
"We are building cybersecurity into our education systems and are committed to providing opportunities for young people to pursue a career in this exciting sector," Hammond said. "We are also committed to ensuring that every young person learns the new cyber life skills they need to use the internet safely, confidently and successfully."
Unfortunately the chancellor only made one brief mention of personal privacy during his 15-minute speech outlining the strategy. "With the proper safeguards in place to protect privacy these measures have the potential to be transformational to ensure UK internet users are secure by default," he said.
The 84-page strategy document itself contains two mentions of the word privacy, namely: "We will preserve and protect UK citizens' privacy." I feel better already.
With the government's Investigatory Powers Bill - with all of its associated risks to public privacy - nearing passage into UK law this week, a clearer outline of how the new strategy will affect the balance between safety and privacy will be required.
The problem arises when you get rhetoric like this from the government: "If we do not have the ability to respond in cyber space we would be left with the impossible choice of turning the other cheek or resorting to a military response, that is a choice we do not want to make."
Here, the fear mongering that Levy warned against is being used to justify huge investment and as a potential instrument to allow for more state-sanctioned snooping, all in the name of anti-cyber crime and "terrorism".
Levy, on the other hand, is saying more of the right things; however, the details are thin on the ground. Both Hammond and Levy spoke about giving the UK the information and skills needed to stay safe online, but aside from criticising the existing advice, neither individual, nor the 84-page report, has any new advice for the public yet.
To be fair, the NCSC will be releasing advice in the first quarter of next year, according to Levy, where they will have to put their money where their mouth is. I for one will be interested to see what the new advice and results will look like.