The £650m over four years that the government allocated to cyber security in 2010 was recently branded "embarrassing" by Bob Ayres, a former intelligence officer at the US Department of Defense, in an interview with Computing, and yesterday a swathe of experts at Infosec told me that it is nowhere near enough.
Further reading
UK's investment in cyber security is not embarrassing - £50m is enough, claims security director £650m investment 'underlines importance' of UK cyber security, says Cabinet Office Security education: Training to beat tomorrow's hackers
Prime Minister David Cameron and Foreign Secretary William Hague have been keen to trumpet their investment to the press whenever possible, but it's hard to find anyone with an in-depth understanding of the situation who finds the figure even remotely palatable.
Adrian Price, head of information security at the Ministry of Defence, is charged with protecting the data crown jewels - the information which if lost, could in his words "cause military operations to fail, involve wholesale loss of life and potentially bring down the government". He also feels that the UK's spending on cyber security is woefully inadequate.
"The rule of thumb tends to be that a minimum of 20 per cent of gross turnover should be spent on protecting information and assets, so £650m is not enough," he said.
"It's not enough; it works out as roughly £10 per person," added Arnie Bates, head of information security at Scotia Gas Networks.
So has the government failed to ask the experts how much money is really needed? Has it asked them, and subsequently ignored their recommendations? Or did it just settle on the lowest figure it thought would look acceptable?
Charlie McMurdie, head of the Metropolitan Police's Central e-Crime Unit, explained that she is able to demonstrate a return on any investment in her team, with funds invested resulting directly in foiled attacks.
"If I put £100,000 worth of police resources on an attack, it'll prevent £20-30m being lost from the economy," she stated. However, she too lacks the required funds.
"I wish I had three or four times the capability I have," she said. "If I got another £5m, I could hire the right people to provide the capability [I need]. We need to invest far more, and commit to upskilling law enforcement more."
McMurdie's plea for an additional £5m is thrown into stark contrast by US cyber budgets. The US will spend £2.5bn on cyber security this year alone, and will raise this to £3.1bn next year. Scott Cruise, legal attaché from the FBI to the US Embassy in London, emphasised that his organisation is rapidly directing its focus to cyber crime.
"Cyber crime is fast emerging as the next threat on the horizon to eventually surpass terrorism. We're now calling it a national security threat. The FBI is going through tremendous changes now as far as we look at cyber security, hiring computer experts, training agents to be more equipped to deal with these cases, and reducing national vulnerabilities to cyber attacks."
