UK firms to trial sharing of cyber attack data
LONDON (Reuters) - Britain will try to bolster defenses against cyber attack by encouraging companies to overcome their reluctance to admit computer security breaches and share their experiences with each other, the government said on Friday.
Companies from five strategic sectors - defense, telecoms, finance, pharmaceuticals and energy - will take part in a pilot with the government starting in December to exchange information on cyber attacks and threats to their businesses.
Britain, where six percent of GDP is generated by the internet, says cyber crime is being committed on an "industrial scale" and costs its economy 27 billion pounds ($42 billion) a year. Government networks are under siege from more than 20,000 malicious emails every month.
It hopes the cyber security "hub" linking government and corporates will lead to greater openness about internet threats and create a more effective shield against them.
A British official said the government's involvement would mean companies could report cyber attacks without their identity being revealed, a concern that has prevented many disclosures.
The pilot, part of a 650-million-pound ($1 billion) programme over four years, will also help to raise protection for critical infrastructure from an emerging threat of cyber attack from militant groups, the government said.
Although militant groups mainly went online to spread propaganda and communicate, British intelligence sources had picked up "chatter" about using the internet to target infrastructure such as energy grids, the official said.
"So far it has not been a big feature of what we see, they still are more interested in covering the streets with blood," he added.
The Stuxnet computer worm attack on Iran's nuclear programme, linked to Israel and the United States, has shown the potential for launching assaults on key equipment through cyberspace.
The reputational risk of admitting a computer system break-in, as well as the threat of legal action from shareholders, has led to many companies keeping quiet rather than revealing their vulnerability to cyber crime.
"If you are a large international bank you don't want to admit you found you were penetrated nine months ago, because that implies you weren't paying attention," said Alan Calder, chief executive of British private information security firm IT Governance.
He doubted a voluntary project like the pilot would foster greater co-operation among companies against cyber threats.
Unlike in much of the United States, there is no requirement in Britain for companies to disclose data security breaches.
"I don't think it will work. The core target, the defense and financial sector, are much more likely to say nothing unless there is regulatory requirement to do so," Calder said.
A number of high profile online assaults this year on international companies such as Sony, Citigroup and Lockheed Martin, as well as against institutions like the International Monetary Fund, have raised doubts about the security of government and corporate computer systems.
Britain did not detail the companies taking part in the pilot. Officials said Prime Minister David Cameron had discussed the project in February with a group of firms including Barclays bank, energy firm BP, telecoms group Vodafone and energy supplier Centrica.
(Editing by Janet Lawrence)