On 22 February BCS, The Chartered Institute for IT held a thought leadership debate on the issue of taking the cyber challenge to the citizen.

To get the discussion started there were two speakers who set the scene. The first was Rick Crosby from the Office of Cyber Security at the Cabinet Office.

The first thing he said was that cyber is in place and that last year £650 million had been allocated for cyber security, which is a huge amount. He said that even the Prime Minister had hosted cyber meetings, which shows that he is interested and how important it is.

In addition to this there was also the first London conference on cyber security and in autumn 2011 the government updated and published the UK Cyber Security Strategy.

He continued by saying that cyber space is very important to government and said that cyber security is not just about ICT, it’s about how we use cyber space.

Cyber security is now considered a Tier 1 threat and we are vulnerable because our prosperity depends on it. Cyber, he said, is good but there are risks. There is now an established cyber security programme and the £650 million allocated for it, at a time of austerity, shows how important it is. The government has set out a vision for 2015 to derive economic value from a secure cyber space and believes that cyber is part of the way we are living in the UK.

However, if businesses can't be secure then we can't move forward, he said. To do this the infrastructure that runs everything online needs to be secure.

The UK needs the skills to be secure, however, and there is a skills gap. The issue is about making sure that the infrastructure is secure; without this the industry can do nothing. You also need to do incident management and have a strategic engagement with industry. In order to combat cyber crime we need to work with industry. There are also international aspects of cyber space as it is transnational and everyone's priority.

He then asked what the issues are. Cyber security is not all about high-end threats. These are threats but it's not all about these. There is industrial espionage, online commerce has fraud implications and government sites need to be secure.

He added that we also need to consider SMEs and every citizen that has an online presence and that online commerce is growing. Deperimeterisation is another issue; he said that we can't hide behind firewalls when you have people bringing their own devices to work. Then there is the cloud: how do we secure this and where is the data?

Going back to the skills issue he again asked if the UK has the skills and if not, how do we develop them. He said that we need security ICT skills and services and people who will operate them.

He moved on to say that shopping and banking online are growing and the government needs to learn from them as online services are better. We also need to look at people's behaviour online as people like social media.

There are issues, of course, such as risky web browsing and online fraud. Then there is the citizen. This is only part of the problem; the internet wasn't designed to be secure and he said that we can't secure the endpoint. All we can do is provide advice that will stop 80-90 per cent of the problems.

He said that the attackers are sophisticated and they adapt very quickly. We need to arrest and prosecute criminals and also deter them; but how do we do this? We need to balance this out with prosperity. Security reduces functionality so how do we work around this? Online needs to be secure and usable.

He finished off by asking a few more questions: who is the person online? Is it the illiterate adult or the literate child? How do we give them the information they need to be safe? Can the company that sells the goods do more to reduce the risks?

The second speaker was Wendy Goucher from Idrach.

Wendy started off by saying that perhaps the term cyber might not be the right word and that the internet is a dangerous place, but is also the place for a lot of communication problems.

Online working is nothing new; the crimes that are committed on the internet have been going on since time immemorial, it's just that the citizen is disconnected from it.

People die, commit suicide and lose money online, but the internet is also beautiful and all embracing. With it she said she could see her cousin's children, read books and see friends on Skype.

For many people this is what they see. You can also buy things that you would not usually see. People are also duped and swindled.

How would you design a safe internet, she asked. You would start again. She then used the analogy of the development of the radio. It used to be that people would dress up for radio in the 1950s and 60s. Then with the invention of the transistor radio, radio was everywhere and it didn't matter what you looked like.

The internet is the same because on the internet no one knows what you are. Now we are getting people to understand the threats. You have got to change behaviour; you need to have a safe way to use social media. One thing is that you have to secure your brain and think, would I do this with people in the room or at a football stadium?

She said that whatever security measures are in place they have to be something that enables people to carry on with what they are doing. An example of a campaign that worked was with the compulsory wearing of seatbelts. She said that the phrase 'Clunk click every trip' didn't motivate people to wear their seatbelt necessarily, but it was an aide memoire.

Another example she gave was the AIDS epidemic and the introduction of flavoured condoms that made sex fun.

The biggest problem, though, Wendy said, is that people will say 'why bother'. Will it stop them doing what they are doing? Whatever technology or strategy gets used has got to make life better, not worse. She said that legislation is not the answer.

She finished by saying that there needs to be a product, or a message, that is clear and can be implemented. A padlock that is small is not the answer, she said, you need to move away from the technology.

The debate

After the speakers the attendees then debated the issues over dinner and each table reported back their discussions at the end of the meal.

The major thread of the debate was that there needs to be a better way of getting the information over to the public. One person commented that there is a lot of information out there but it is all about how the information is communicated. It needs to be something that is inherent, something akin to kerb drill.

Others said that it needs to be something that everyone understands and perhaps one way to do this is to engage major websites, but frame it in a way that people relate to.

Another person said that it needs to be cool and that being safe needs to be cool. They said that it could be something like the drinking and driving and the HIV campaigns. On top of this they said that there needs to be a social message. It needs to be fun so that people can enjoy feeling enabled. However, there are many different demographics and they feel that they protect themselves.

One idea was that there is a need to engage with advertisers and the issue needs to be relevant to the social context. One way to do this would perhaps be to have some kind of product placement or perhaps a storyline about it in a popular soap opera, such as EastEnders, or use other popular media.

An alternative was to incentivise the process, such as you get a free app if you put a password on your phone. Or perhaps just make it fun and use games to get the point across. It was suggested that it must not be cloaked in geeky myth and that it, perhaps, needs to be sexy in some way.

A thread that came up on a few tables was about education. Some felt that security needs to become a life skill and that people learn best when they are in their own community and that security needs to be part of the school curriculum.

Common sense in the virtual world needs to be taught, but then, as one person said, we also need to educate the teachers.

Other people said that the emphasis lies with the PC manufacturers to make their hardware safe and that all apps should 'do what they say on the tin.' Following on from this it was suggested that ISPs should do a lot more than they currently do as the consumer should have more protection online and that the government should provide leadership and solutions.

However, as one person said, it is all well and good to make the internet secure in the UK but the internet is a worldwide thing. It isn't one-dimensional; regulation will play a part, but there is more to it than just that. But then who will pay for it? The end provider, the net provider, the government?

It was said that security won't be free, but it has to be easier. The internet was also compared to the Wild West, and it was said that knowledge and knowledge management are what is required.

On the flipside there were others who thought it should be implemented with a much harder line and that devices should be secured and imposed. They also said that people shouldn't have to buy it, but that it should be a lot easier.

As one person said, none of these suggestions are solutions. They said that what we need to ask is: what is the problem we are trying to fix? Fraud, ID loss, personal safety? They gave an example of people being stalked online and then targeted in Afghanistan.

They also mentioned Facebook blackmail and added that DNS is an issue that needs to be addressed. The same table also compared the internet to shark-infested custard and asked the question: what should people do differently?

One of the last comments was that in the future the internet will underpin everything that we do and so the security has got to be much easier than it is at the moment. Having said that, you can't regulate for future criminal activity and how people will use the internet in the future.