Keeping up with the security race

In places, the UK government’s National Security Review (NSR), published last October, reads more like the annual report of a board of directors whose predecessors have been sacked en masse. Eager to get the company turned around, the new board wastes no time in throwing the blame for past failures on the previous administration, and presents a picture of renewed energy, better decision making and better value for money.

This is as one might expect. But the government’s perceptions of the threats facing the country, and its proposed countermeasures, have serious implications for risk managers – especially since the NSR has used classic risk management methodology to conduct its risk assessment.

Three tiers of risk

The risks are split into three tiers, which take into account probability and impact. Terrorism remains at the top of the list. The NSR recognises that in the nine years since 9/11, an under-pressure al-Qaeda has been changing its operating methods, not only by seeking havens in failed states such as Somalia, but by encouraging individual ‘untrained’ adherents in western countries.

“Such lone terrorists,” says the review, “are inherently unpredictable and their plots difficult to detect.”

The NSR also re-emphasises al-Qaeda’s desire to acquire chemical/biological/nuclear capability. In the absence of serious terrorist incidents directed at organisations, risk managers may have become complacent over the years. But the NSR’s concern should come as a reminder that anti-terrorism precautions should remain high on the list of priorities for any large organisation.

Cyber alert

What should really make risk managers sit up and take notice is the NSR’s assessment of the danger of cyber attack. “Cyber security has been assessed as one of the highest priority national security risks to the UK,” it reads.

It cites the $1 trillion (£600bn) a year businesses lose to cyber crime and the 12 million cyber attacks a day on China during the Peking Olympics.

It also refers to the Stuxnet worm, discovered last June, which was described by IT security specialist Kaspersky Labs as “a working and fearsome prototype of a cyber weapon that will lead to the creation of a new arms race in the world”.

Stuxnet threat

By infecting the programmable logic controllers used in many automated processes, malicious software such as Stuxnet can directly attack and damage industrial manufacture. Although Stuxnet is estimated to have taken teams of coders and many man-months to create, precedent suggests that such directed cyber attacks are likely to become cheaper and more prevalent.

NSR reaction

The NSR’s response to this threat is vague. It says the government will “develop a transformative programme for cyber security, which addresses threats from states, criminals and terrorists; and seize the opportunities cyber space provides for our future prosperity and for advancing our security interests”.

This either means the government does not yet have a clear idea what to do or it has an idea but does not wish to go into detail.

As ever, the risk manager’s first line of response has to be to attempt to quarantine vital processes (Stuxnet was spread through infected USB flash drives). But setting up contacts in Whitehall to discover what the “transformative programme for cyber security” might entail can do no harm.

Come together

Finally, tucked into the introduction of the NSR, is a further strand of government thinking. “We need to build a much closer relationship between government, the private sector and the public when it comes to national security … Business and government will need to work much more closely together to strengthen our defence against cyber attack and to prepare for the worst.”

Fine words perhaps. But the quick-thinking risk manager may nevertheless recognise an opportunity to pick up the phone and see what contribution they can make – and perhaps what funding is available in return.