News & views

Monday, October 17, 2016

GCHQ’s National Cyber Security Centre is planning to launch the ‘Great British Firewall’ as a defence against major cyber attacks. Justin Clarke, Director of Underwriting and Pricing at NIG considers how much protection it will offer SMEs.

Earlier this year, a National Audit Office report criticised the government’s data security measures as “chaotic”. It identified “at least 12 separate teams or organisations in the centre of government had a role in protecting information… with different mechanisms.” The report concluded, “Government now needs to introduce a cohesive risk management exercise… and consider technologies and strategies to mitigate the risks identified.”


A new security centre
The government’s response to that criticism is the new National Cyber Security Centre (NCSC), a public facing department of GCHQ. The NCSC’s first initiative will be what the media has dubbed ‘The Great British Firewall’.

Protecting UK cyber security by establishing a ring of cyber steel is, on the face of it, good news for all UK businesses. As GCHQ sees it, private sector ISPs such as BT, Sky and Virgin Media will provide the firewall and identify and filter out malicious content.


Censorship concerns
This large-scale approach to cyber security has, not surprisingly, worried civil liberty groups. They argue this gives GCHQ too much say over which sites are malicious, and too much power to silence sites the government disapproves of.

It didn’t help that GCHQ’s current Director-General for cyber security and soon-to-head of NCSC, Ciaran Martin announced the firewall at a conference in Washington, alongside officials from the US National Security Agency (NSA). GCHQ and the NSA already have a track record of intrusive joint hacking operations. As one commentator put it, “this seems like the fox protecting the chicken.”


Government controlled, private sector supplied
Martin sought to allay fears, “Addressing privacy concerns and citizen choice is hardwired into our programme. It’s crucial that all of these economy-wide initiatives are private-sector led. The government does not own or operate the internet.” Whether you see his statement as a concession to civil rights groups, or an admission that NCSC and GCHQ don’t have the resources to maintain such a comprehensive firewall themselves, depends on your point of view.


Will it protect SMEs?
The firewall, Martin contends, won’t just benefit government sites and those industries crucial to national security, it will also protect major private companies. However, his speech failed to mention any benefits to UK SMEs.

Even if the ‘Great British Firewall’ makes the UK less vulnerable to cyber attack, it’ll be little comfort to SMEs worried about the impending EU GDPR (General Data Protection Regulation), coming into force in May 2018. Firstly, as Graeme McGowan, Technical Director of BeCyberSure Ltd confirms, the GDPR stipulates that even if a company outsources its data security, it’s still ultimately responsible for any failure. So hiding behind the ‘Great British Firewall’ – even if extends to SMEs – won’t be an option.


Taking responsibility
Secondly, Martin sees the firewall providing scaled-up DNS (domain name system) filtering, to catch and prevent high volume attacks such as the malicious emails with fake @gov.uk addresses. Describing this policy as active cyber-defence, Martin said, “We trialled it, and whoever was sending 58,000 malicious emails per day from taxrefund@gov.uk… isn’t doing it any more.”

That’s fine if such an email is blocked en route to your business, but it will still leave you vulnerable to more sophisticated and selectively targeted spam. Graeme McGowan reiterates SMEs, however hard pressed, must take responsibility for their own cyber security. “We need to understand the Internet of Things (IoT) is already changing our risk environment. Wearables, mobile devices, and removable media will all need to be factored into the discovery process to measure your exact data exposure.”

He continues, “Usually, due to their lack of scale or deep pockets, SMEs are the most vulnerable to cyber attack and data breach. They’re often easy targets; management is not engaged, defensive sophistication is lower, technical defences will be out of their financial reach, and training budgets are frequently non-existent. Yet simple InfoSec hygiene, which almost every company can afford, greatly reduces the chances of an SME becoming a target, and therefore a victim.”


A firewall that’s not for all
The ‘Great British Firewall’ may sound like an impressive bulwark against the threat of ill-intentioned cyber invaders, but its defences aren’t likely to provide SMEs with much protection. Once again, SMEs will be responsible for their own cyber destiny.

As Graeme McGowan concludes, “A combination of engaged management, good governance and effective education and training is a critical aspect of your information security efforts. This will play a major part in ensuring your company is less likely to be targeted by cyber criminals – and that, if you are attacked, you can respond efficiently and effectively.”