Report highlights global concerns over government handling of cyber security
Two-thirds believe governments are not adequately protecting critical network infrastructure
Following on from the government's admission in December 2012 that parts of the UK's critical national infrastructure (CNI) have been mapped, a recent report has found that significant concerns exist around the world regarding government cyber security preparedness.
The report, the eighth 'Worldwide Infrastructure Security Report' compiled by Arbor Networks, a security software firm, found that two-thirds of respondent organisations are concerned that governments are not doing enough to protect CNI.
The study also found that confidence in the efficacy of law enforcement is relatively low, with 53% of respondents indicating that they do not refer security incidents to law enforcement. The primary reason, according to 44% of the organisations who do not refer incidents, is a 'lack of resources or time', while 36% said it is because they do not trust that something will be done about it, and 28% said they do not report as a result of 'law enforcement non-responsiveness'.
Furthermore, nearly half of respondents said that they could not see any change in the value of law enforcement to their internet security operations compared to last year. Indeed, 23% said that it had become even less useful, although 30% of those surveyed said that it has become more useful to internet security operations.
Despite evidence that faith in government initiatives to ensure cyber security remains at a low ebb, organisations are becoming increasingly proactive in improving their readiness to respond to cyber security incidents. Almost 58% of respondents said that they have established a Computer Emergency Readiness Team (CERT) or Computer Security Incident Response Team (CSIRT), up by 18% from last year, while two-thirds said that they are actively involved with their national or regional CERTs/CSIRTs.
The study found that over 84% of respondents believe that government CERTs/CSIRTs have a positive role to play in responding to operations security incidents and welcome their involvement.
Awareness of regulatory requirements varies widely from country to country, however. Just 20% of respondents said that they are aware of laws, guidelines or regulations in their country that mandate DDoS (Distributed Denial of Service) defences. Almost half (48%) said that there are no requirements for protection from DDoS attacks, while 32% said that they do not know whether such requirements exist.
Currently, UK companies are not obliged to report cyber attacks like their US counterparts, and it is believed that the government is reluctant to compel them to do so. Instead, as announced in the recent cyber security strategy update, in 2013 the government plans to establish a UK National CERT and a new Cyber Incident Response scheme, an industry-run service that helps organisations who have suffered a cyber security breach.
However, the European Union (EU) is understood to be prepared to introduce its own element of compulsion around the reporting of cyber security incidents. The EU is due to release a number of cyber security regulatory proposals later this month, and it is understood that the executive committee is considering making it mandatory for companies that operate parts of CNI to report significant online attacks and security breaches.