The British government has outlined two new schemes to invest up to £100 million in reinforcing the nation’s cyber security.
The first, the ‘Digital Security by Design’ challenge, was announced by Business Secretary Greg Clark on Data Privacy Day, 28 January. Under it, the government will plough up to £70 million into helping the technology sector build greater resilience into computing and networking hardware.
The investment will be delivered by UK Research and Innovation through its Industrial Strategy Challenge Fund – subject to business case approval and match funding from industry, said the government.
The money is intended to support research into the design and development of hardware that will be “more secure and resilient from the outset”. The aim is to “design out” cyber threats by “designing in” security and protection technologies into hardware and chip architectures, according to the announcement.
However, it is unclear what – if anything – makes the scheme a national one in IP terms, or how it relates to R&D work that technology providers are already carrying out. Bare metal security has been a significant trend in recent years.
Government policy is for the UK to become a “world leader in the race to eradicate some of the most damaging cyber security threats facing businesses”. More than 40 percent of UK businesses have experienced a cyber security breach or attack in the last 12 months, said the government.
The Business Secretary hailed the move: “This could be a real step-change in computer and online security, better protecting businesses, services, and consumers from cyber attacks, resulting in benefits for consumers and the economy,” he said.
“With businesses having to invest more and more in tackling ever more complex cyber attacks, designing in security measures into the hardware’s fabric will not only protect our businesses and consumers, but ultimately cut the growing cyber security costs to businesses.”
Also on Data Privacy Day, the government announced that a further £30.6 million will be made available to ensure that “smart systems” – Internet of Things (IoT) and edge devices – are also safe and secure.
The new ‘Security of Digital Technology at the Periphery’ programme will again be delivered by UKRI, this time through its Strategic Priorities Fund.
Digital Minister Margot James said of the announcements, “We want the UK to be a safer place to live and work online. We’re moving the burden away from consumers to manufacturers, so strong cyber security is built into the design of products.
“This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber attacks.”
Dr Ian Levy, Technical Director of the National Cyber Security Centre, added, “The National Cyber Security Centre is committed to improving security from the ground up, and we have been working closely with government to promote adoption of technology and practices to protect the UK.
“We hope this additional investment will drive fundamental changes to products we use every day. This is vital work, because improving hardware can eradicate a wide range of vulnerabilities that cause significant harm.”
More than 420 million IoT devices will be in use across the UK within the next three years, according to government figures. Worldwide, the number could hit 20 billion to 30 billion devices in the same timescale, say a range of analyst forecasts.
However, 2018 reports from the Consumers Association, Mozilla, the University of Texas, and others revealed that some consumer-level IoT devices have been rushed to market with fundamental security flaws in them. Others are frequently used without changing default settings, such as passwords, making them easy for hackers to compromise.
One report published a year ago by security company ESET found serious problems in some of the most popular smart devices at that time, including products from Amazon, Sonos, NETATMO, Nokia, and D-Link.
In one case, the flaws were so severe that researchers contacted the manufacturer directly rather than publish their findings.
In recent months, the Department for Digital, Culture, Media, and Sport (DCMS) has been carrying out its own review of smart consumer products, in partnership with the National Cyber Security Centre (NCSC). DCMS published a Code of Practice for Consumer IoT Security in October 2018, to help ensure that products are secure by design.
Such initiatives are relevant to business users, because smart speakers, cameras, thermostats, and lighting systems designed for the home are increasingly being adopted in the enterprise. For example, Amazon is extending the corporate potential of its Alexa assistant and associated hardware via a range of business skills.
Any insecure online camera, hub, thermostat, or even smart lightbulb could offer hackers a route into enterprise systems and access to sensitive data.