Is the UK government really preoccupied with offensive IT security?


I just came across the article "Expert says UK government is too preoccupied with launching cyber attacks," which quotes Cambridge professor Ross Anderson as saying:

"The spooks – GCHQ – are getting 90 per cent of this new £650m for cyber security. The rest, about £65m, is going to the police."

The article then goes on to interpret this as saying that over 90 percent of the UK government's funding of IT security is for offensive instead of defensive operations.

But CESG, the part of the UK government that's responsible for defensive IT security, happens to be part of GCHQ, so that interpretation of the funding seems more than a little misleading. If CESG gets funding, it comes in through GCHQ, even if absolutely none of the money is used for offensive operations.

So this spin on the UK government's budget is a bit like saying that the US government spends over $665 billion on building dams and bridges each year. The US Department of Defense's budget may indeed be over $665 billion, but the fact that the DoD will spend $665 billion certainly doesn't mean that all of it will be spent on dams and bridges, even if the US Corps of Engineers (the guys who actually do build dams and bridges from time to time) happen to be part of the DoD.

Does it make sense to have the people who do defensive IT security part of the same organization that does offensive IT security?

This particular article seems to think that this is a bad idea, but I don't think that this is true. People who defend against attacks without knowing exactly what sort of attacks are realistic and feasible probably aren't as good at their jobs as people who do know that sort of thing. And the best place to learn that sort of thing is probably in an organization that's responsible for offensive IT security operations.

I'm filing this article under "journalist trying way too hard to make things sound controversial that really aren't." Just like I would if I saw the article "Expert says US government is too preoccupied with building bridges and dams."

