We are told that there will be a revamped National Cyber Security Strategy published in the next few months. This will explain what the £650 million of new money allocated for cyber security in the spending review will actually be used to deliver (I understand that Whitehall Departments are still bickering over who will get their hands on this money – the Ministry of Defence and the Home Office both believe it should come to them rather than the Cabinet Office).
However, I wonder whether it will also propose legislation. In the United States a number of members of Congress are putting forward what they are calling the “Homeland Security Cyber and Physical Infrastructure Protection Act of 2010”. This will give a statutory basis to the Office of Cybersecurity & Communications based in the Department of Homeland Security and would, in particular, create a new Cybersecurity Compliance Division to oversee the establishment of performance-based standards responsive to the particular risks to the .gov domain and critical infrastructure networks.
This is an interesting model. In the UK, the Government bodies that are responsible for protecting the critical national infrastructure do not have a statutory basis and do not have any formal powers. In my view, this hampered the effectiveness of the old National Infrastructure Security Coordination Centre, which is now incorporated into the Centre for the Protection of the National Infrastructure and falls under the ambit of the Security Service.
I have long advocated that underpinning the “voluntarist” and consensual framework Government needs to have a statutory framework that – in extremis – can be used to require Government agencies and those private companies that supply much of the national infrastructure to meet certain minimum standards and can direct action effectively in the event of some major problem arising.