Over the last five years, UK intelligence service GCHQ has spent nearly £1 billion on its cyber security initiative, but the civil servant in charge of the program has admitted, “the bottom line is it hasn’t worked.”
Alex Dewedney, Director of Cyber Security for CESG (Communications-Electronics Security Group) – a division within GCHQ – told the audience at the RSA security conference in San Francisco last week that, in order to fight cyber security threats to businesses, services, and governments, GCHQ needs more manpower, not money.
“I think the best way to sum up the challenge we face is that while we’ve done a lot over the past five years and spent quite a lot of money as a government, particularly in those years of austerity we’ve been through, the bottom line is it hasn’t worked,” Dewedney said, according to Computing.
“[People believe that] if we keep doing that, then somehow it will magically cause improvement to happen. That approach by itself is not sufficient,” he added. “We can’t just pass information on threats to businesses and tell them to go and deal with it themselves.”
Chancellor of the Exchequer George Osborne has, despite a fiscal policy of austerity, announced plans to double GCHQ’s cyber security budget to £1.9 billion by 2020, but Dewedney thinks that throwing money at the problem is the wrong approach, saying that it’s “not so much a money issue as it is a human resources issue.”
One area where the government should be spending money, argues Dewedney, is upgrading IT systems. “Not […] spending money on fixing legacy IT issues […] is killing us.”
“I’ve tried to make this argument to my bosses that surely you have to start [with legacy] before you try to do anything more sophisticated,” he said. “But the response has been ‘I’m not spending cyber security programme money to subsidise other departments’ IT budgets’.”