[BreachExchange] Is Britain safe from a major cyberattack? Government approach 'poor and chaotic' says report

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 3 16:55:58 EST 2017


http://www.ibtimes.co.uk/britain-safe-major-cyberattack-government-approach-poor-chaotic-says-report-1604753

The UK government's ability to protect British businesses and citizens from
major cyberattacks is being undermined by an inconsistent and chaotic
approach to monitoring the scope of data breaches hitting the country, a
damning report compiled by MPs has revealed.

The Cabinet Office's role in protecting British interests when it comes to
cybersecurity remains "unclear within central government" and there
"appears to be no coordination across the wider public sector," the
committee of public accounts' analysis said.

The paper, released by the cross-party House of Commons committee on 3
February, described the processes for recording departmental data breaches
as "inconsistent and dysfunctional" while slamming an overall lack of
oversight and an ongoing skills shortage.

"Poor reporting of low level breaches, such as letters containing personal
details being addressed to the wrong person, reduces our confidence in the
Cabinet Office's ability to protect the nation from higher threat
cyberattacks," the report found.

It continued: "Without a consistent approach across Whitehall to
identifying, recording and reporting security incidents, the Cabinet Office
is unable to make informed decisions about where to direct and prioritise
its attention.

"The use of the internet for cybercrime is evolving fast and the government
faces a real struggle to find enough public sector employees with the
skills to match the pace of change."

The committee said there are "major and unexplained variations" in how
individual government departments report security breaches. Ironically, the
paper was released as Parliament announced a series of events to mark a
so-called Cyber Security Month.

Between 2014 and 2015 the report said the 17 largest government departments
recorded a total of 14 major data incidents and 8,981 non-reportable
incidents. Of the 8,981, HMRC recorded 6,038 and the Ministry of Justice
2,798.

The other 15 departments recorded only 145 between them, fewer than 2% of
the total. Additionally, several departments recorded no non-reportable
incidents at all, including the vast Department for Work and Pensions, it
said.

"The Cabinet Office does not collect or analyse departments' performance in
protecting information on a routine or timely basis and was not aware of
the wide variability and inconsistency of departments' self-reporting
processes," the committee revealed.

A spokesperson for the UK's Cabinet Office, putting a positive slant on the
findings, said in a statement: "The government has acted with a pace and
ambition that has been welcomed by industry and our international partners
right across the globe.

"Our comprehensive and ambitious national cyber security strategy,
underpinned by £1.9bn of investment, sets out a range of measures to defend
our people, businesses, and assets; deter and disrupt our adversaries; and
develop capability and skills."

The news came as UK defence secretary, Sir Michael Fallon, accused Russia
of "weaponising" fake news and using cybercrime to undermine Western
democracies.

"Today we see a country that in weaponising misinformation has created what
we might now see as the post-truth age," he said on 2 February. "There is
[also] the use of cyber weaponry to disrupt critical infrastructure and
disable democratic machinery."

Russia-linked hackers have been accused of infiltrating numerous targets
including the World Anti-Doping Agency (Wada), the US Democratic National
Committee (DNC) and France's TV5Monde station. It routinely uses
cyber-intrusions for political meddling.

In response to Fallon, the Kremlin said his assertions had little merit.
"We express regret for this hostile stance of the minister," said Kremlin
spokesman Dmitry Peskov. "We are sure that such allegations are baseless."