U.K. Touts Its Cybersecurity Cred
Looking to Gain Competitive Edge, Government Works With Businesses to Safeguard Internet Data
By ALISTAIR MACDONALD And DANIEL MICHAELS
LONDON—Last year, British defense consultants NDI UK Ltd. received a call from a government agency with ominous news: NDI's computers had been targeted by hackers in China. Cybersleuths from the government's Center for the Protection of National Infrastructure quickly descended on the company to inspect and clean its systems.
NDI's experience is increasingly common as businesses and governments around the world face a surge in computer-network intrusions. Less common, say computer-security specialists, is the British government's reaction and its effort to put cybercrime on the business agenda.
The U.K. aims to make a new boast about its business competitiveness.
As Britain this week prepares to host the first global conference on cyberspace—to be attended by officials from 60 countries—it is preparing to market itself as a center of cyberprotection for the private sector.
Most governments, including the U.S., have focused their response to cyberthreats on the military and national infrastructure. But Britain also is focusing on ordinary business, hoping to tout Internet security as a competitive advantage, the way many countries flaunt their tax regimes and pro-business regulations.
"We are saying it is not just about government, it's about all of the market, it's about all of the economy," Francis Maude, the U.K. minister in charge of cybersecurity, says in an interview.
[UKCYBER]
Despite deep cuts to the overall budget, Britain will put an extra £650 million, or about $1 billion, into cybersecurity in coming years. The country also is creating a cybersecurity hub in which the government and private sector can share real-time information on attacks and responses.
Britain's efforts place more emphasis on private commerce than the U.S. does, some experts say. "There's a whole swath of the private sector and U.S. society that's not covered," a senior U.S. defense official says.
Some U.K. agencies, such as Britain's patent office, already market their readiness. The Intellectual Property Office pitches itself to patent lawyers as a steward of business secrets, with tight procedures and security. "We think protecting intellectual property effectively is a competitive advantage," says Ioan Peters, the office's head of technology.
The government offers large companies a "risk analysis service," advising companies about what needs protection. The message: Cybersecurity affects shareholder value and must be addressed at the board level, not just by the information-technology department.
U.K. officials urge some companies to keep all computers handling research and development completely isolated from the Internet, as government specialists do.
Britain's efforts began in 2007, when Adam West—the security adviser to the prime minister at the time, Gordon Brown—said that the U.K. had "not yet realized the full risks of cyberattack." The government soon established the Office of Cyber Security & Information Assurance, which Mr. Maude now heads. But with no new funding, the effort floundered until last October, when the government of Prime Minister David Cameron designated cyberattacks as a top-tier threat, alongside terrorism, and put new money into the effort.
A February study by the government and Detica, the cybersecurity unit of British defense giant BAE Systems PLC, estimated that cybercrime costs the U.K. £27 billion annually, and that British businesses hemorrhage information valued at £17 billion a year. The government says it is under almost constant attack, receiving more than 20,000 malicious e-mails a month.
Mr. Maude says his department, the Cabinet Office, saw a "sophisticated" attack on several staff last month. An email, apparently from an internal address, asked users to click on a link to fix a security issue. Users were directed to a bogus website where they were to download a file that would have given access to Cabinet Office systems had it not been discovered.
Companies also are targets. Cyberthieves last year stole more than 2.9 million user names and nearly 90,000 user names with banking details from Betfair Group PLC. The British unit of U.S. defense firm Raytheon Co. thwarts dozens of attempted attacks every week, according to a person familiar with the matter.
Many in Britain point the finger at China. "We think there is a certain amount coming from China," Mr. Maude said.
Robin Fox, managing director of NDI UK, says he wasn't shocked when the government told the defense consulting firm last year that the attack came from China. A cybersecurity analyst says NDI faced multiple intrusions throughout 2009 by a Chinese group that apparently targeted 70 companies or organizations in multiple countries, including several U.S. defense companies.
Mr. Fox has used the experience to exhort customers to protect their computers. "It's very powerful if you get up in front of a group and say, 'This happened to us and it might happen to you,' " he says.
But some firms aren't heeding the warnings. Mr. Maude, the government minister, says companies often believe that if they aren't Internet firms, they are safe. But firms have email systems and keep "a huge amount of data stored in a way that is vulnerable," he said.
U.K. officials hope to persuade companies to share information through the new "hub," by having them submit sensitive information through the government, which can redact details. A pilot project is expected to be running before next year.
—Siobhan Gorman in Washington contributed to this article.