The Government launched its follow on programme to Project Auburn today, which is designed to broaden the sharing of cyber-threats between businesses and the Government. Recent studies, including the report from Mandiant, have demonstrated that the attacks are happening on a daily basis and against companies of all sizes.
Project Auburn was aimed at the largest of companies and critical infrastructure providers, but incidents (such as that with Dyson) have shown that it really is any and every company that is a target. It will need the security incident information that the larger companies have access to, in order to help protect themselves.
While the new project has many plus points, there are still issues surrounding just who will have access and exactly what to. The new group of companies (160 of them) is still only a very small subset of UK businesses and it needs to be broadened out considerably more. While many companies may not be able to contribute to the information pool, they will be able to consume it. Along with the information on the attacks there needs to be guidance on how the threat can be recognised and mitigated. This guidance needs to be written in language which can be understood by non-experts, as well as by experts, to address the majority of SMEs in the UK.
The launch makes reference to the ability to monitor attacks and who is being targeted in real-time, there needs to be a notification mechanism in place for companies and organisations which are not currently participating in the programme – and it needs to be relatively rapid. A government process which takes three months to notify the organisation that is under attack and having information exfiltrated is of little use.
Finally, there needs to be international cooperation. From an Internet and cyber-attack perspective, there are no international boundaries, so information needs to be shared – not only between the UK Government and UK businesses, but also in a reciprocal arrangement with other equivalent security programmes in other countries.
Forewarned is forearmed.