CPNI’s WARP: will the new cyber security budget reach the parts that need it?
Today is the Day of Cuts, the day when George Osborne has announced how he is going to reduce the budget deficit. I’m not an economist, so I’m going to make no comment whatsoever about the pros and cons of what he’s doing. Instead, I want to talk about Cameron’s Statement on Strategic Defence and Security Review, also published today. Specifically:
“Over the next four years, we will invest over half a billion pounds of new money in a national cyber security programme.
“This will significantly enhance our ability to detect and defend against cyber attacks and fix shortfalls in the critical cyber infrastructure on which the whole country now depends.”
We already have an organization that is designed to protect the critical cyber infrastructure: CPNI, the Centre for the Protection of the National Infrastructure. I wonder how much of this money will actually go to CPNI? Or will it instead end up in the pockets of government-favoured businesses (like BAE’s Detica, or Microsoft or Intel et al.)? Detica already sounds as if it owns a slice:
“Detica welcomes the £650m announced in the Strategic Defence and Security Review, as an important catalyst to protect the UK and build much needed UK cyber capabilities…
“Cyber crime is one of the Nation’s greatest threats and we therefore welcome the Government’s commitment to improving cyber security in the UK. By partnering with the UK Government, we will be able to share capabilities and critical information to ensure that the UK can protect its critical national infrastructure and drive exports.”
Martin Sutherland, Managing Director of Detica
Microsoft, of course, has already made its pitch with the Internet Health Certificate proposal; and the Microsoft/Intel Trusted Computing Platform would solve all the problems anyway! Either way, Microsoft will undoubtedly do anything it can in order to remain the primary supplier to government and especially education (which is ridiculous in hard times when Linux and OpenOffice are free).
But CPNI already has a programme. It’s called WARP: warning, advice and reporting point. WARPs are like-minded, trusted niche communities that share security information among their members and with other WARPs. For those who understand the concept of a CERT, a WARP is a CERT writ small – so that any organization can afford one. If you don’t understand CERTs, think of it as a sort of cyber neighbourhood watch. It’s actually a very, very good idea. And you’ve heard of the WARP, yes? Right. No, I’m sure you haven’t.
And that’s because of an almost total lack of funding for a very good idea that would have the potential to dramatically reduce the impact of computer infections across the country for a very minimal cost. There are other problems, of course – like the UK’s endemic attitude towards secrecy so that CESG could release security information to local authority WARPs but not private sector WARPs; and the lack of money to establish a centralised security store for all WARPs; and the lack of funding to allow the programme to evolve as fast as the threat landscape evolves… But all of these problems could be solved with just a tiny fraction of this new funding.
So will CPNI be getting the money? And will it pass any on to the WARP programme? I thought I’d ask. The CPNI website says it doesn’t speak to the press; enquiries are handled by the Home Office. So I tried the Home Office.
“WARP? What’s that?”
“CPNI? What’s that?”
“I think that’s the Cabinet Office.”
Not according to CPNI, I said.
“Oh, well the Chancellor’s on his feet at the moment, so we can’t say anything until he’s finished.”
I couldn’t face trying to explain that I was after information about the SDSR, not the CSR. So I asked if they would be able to help after Osborne had sat down.
“I doubt it.”
The Home Office hasn’t even heard about the Centre for the Protection of the National Infrastructure. So I very much doubt that it will get much money. And I hope I’m wrong, but I rather think that the worthy WARP programme will get even less. Instead, as always, the money will disappear in projects aimed at providing draconian security in return for further erosion of personal liberty. Same as it ever was. It’s all so very sad.