A top director at UK spy agency, the Government Communications Headquarters (GCHQ) has admitted he was fighting a losing battle when it comes to cybersecurity – despite an £860m boost in government funding over the past five years.
Alex Dewdney, director of cybersecurity at CESG which is the information security arm of GCHQ, was speaking during the recent RSA conference in San Francisco where he outlined some major problems encountered by cyber-experts tasked with protecting the UK from attack.
"We can point to lots of achievements around understanding the threats much better, about taking steps to mitigate those threats, addressing the national skills base and so on but, nationally, we are not winning the fight on cyber security," Dewdney said.
The UK government has invested a total of £860m on cybersecurity over the past five years as part of the Cyber Security Programme while pouring cash into projects like the Computer Emergency Response Team and the Cyber Information Sharing Partnership. Furthermore, to fight the growing threat from cybercriminals chancellor George Osborne recently confirmed that, in the next funding round, spending will rocket to more than £3.2bn.
To highlight the scale of the problem now faced by GCHQ, Osborne claimed the agency was now actively monitoring "cyber threats from high-end adversaries" against 450 companies across the UK aerospace, defence, energy, water, finance, transport and telecoms sectors.
Cyberwar cash not enough
Dewdney stressed that he sees the importance of the investment, but stated his personal opinion that – to fight the escalating cyber problems – it was still not enough.
"I think we would be losing a lot more if we hadn't done all the things we've done over the past five years. So, don't get me wrong. All of that has been worthwhile," he said. "But there's been something of a mantra in the UK that the solution to all of our problems is information sharing and public/private partnerships – that if we keep doing that then somehow it will magically cause improvement to happen. That approach by itself is not sufficient."
Another worrying issue, according to the director, was that despite the investment no money is being spent on resolving the security issues emerging due to the agency's use of so-called 'legacy' computer systems. Indeed, last year it was revealed that the UK government had not funded migration from Microsoft for Windows XP – despite some departments still running the outdated software.
Dewdney appeared frustrated at the apparent refusal to migrate to a newer – and better protected - computer apparatus. "We've not been spending money on fixing legacy IT issues, and that is just killing us. I've tried to make this argument to my bosses that surely you have to start there before you try to do anything more sophisticated," he said.
"But the response has always been 'I'm not spending cybersecurity programme money to subsidise other departments' IT budgets'. Come on, it's the aim that you have in mind that justifies it, but I haven't won that battle yet."
Dewdney has been employed by CESG since August 2015. Prior to his current role he was the head of cybersecurity at the British Embassy in Washington DC. IBTimes UK contacted GCHQ for comments but had received no response at the time of publication.