Ladies and gentlemen, thank you for inviting me here to talk about cyber security.
I’m looking forward to having a good discussion although I must admit to being a trifle nervous.
I was reminded earlier of Don Bradman’s advice to his fellow countrymen:
“don’t give the Englishmen an inch. Play it tough, all the way. Grind them into the dust”.
Well I hope your approach to me here will be a little more gentle.
So before getting into the meat of the issue, let me start by setting out what I mean when I use the term cyber today.
The cyber domain
In the Ministry of Defence we are concerned with the environments in which armed forces can operate and defend.
Traditionally these have been physical geographic domains, land and sea for thousands of years, in twentieth century the air and space too.
We see cyber as new global domain.
It consists of the interdependent network of information technology infrastructures computer systems, and embedded processors and controllers that power the internet and telecommunications networks.
The infrastructure that creates the domain is physical, but the connections it creates are not bounded by geography.
Cyberspace has revolutionised the way the world does business, educates, and entertains, the internet being the driving force of this revolution.
And our networked societies have come to rely on these connections, not only for information and social experience, but for the delivery of public services, for utilities like power and water, for economic growth and prosperity.
The infrastructure may be machine, but cyber space is a distinctly human environment, shaped by people and abused by people.
Shaped by people because the human desire for information and access is driving the technology, not necessarily the desire for security.
Abused by people because cyber crime, cyber espionage, cyber terrorism, cyber vandalism, are all just human pursuits, simply crime, espionage, terrorism, vandalism and conflict by another means.
This is about the suffix ‘crime’, not the prefix ‘cyber’.
The difference is the method, not the outcome or the intent, stealing money or information is stealing, regardless of whether it is done by pick-pocketing or hacking.
So I do not agree with those who say we need a massive raft of new criminal offences relating to the internet.
What we do need is to become smarter in preventing, detecting and prosecuting the use of cyber space for criminal or nefarious ends.
And we will have to do this at an international level, because there are no geographic barriers in cyberspace.
Like any other area of security we will have to strike a very delicate balance in cyberspace between personal freedom, national sovereignty and international stability.
As the London conference set out earlier this month, we should focus on all the positive benefits of cyberspace, supporting economic growth and development, encouraging social freedom, providing choices, but doing so while ensuring safe and reliable access.
Because cyber is a methodology not an outcome, cyber policy and cyber security is difficult to place within the normal departmental system of government.
So let me set out how the UK is approaching this both domestically and internationally.
Economic growth and development
For the UK, and most other nations for that matter, the economic well-being of our nation is increasingly reliant on the security and resilience of our interconnected networks and systems operating in cyberspace.
These networks are not always clearly defined and working out exactly what to protect is difficult but ensuring that businesses are able to operate unmolested by criminals has to be a primary goal.
It is not possible to be sure how much money is being lost to our economy as a result of cyber crime: most estimates come from online security companies.
A survey completed earlier this year by the UK company Detica was probably the most thorough ever conducted in the UK: it put the figure at £27 billion which seems plausible.
It’s a big figure and it is likely to continue growing.
How do we respond?
Well first we have to recognise that this can’t be just government’s problem.
This has to be a shared responsibility between government, business and users.
Industry has a responsibility to do more to prevent cyber crime, for example through more secure devices, systems and services.
The private sector has to lead in the development of improved Internet security products, systems, services and standards in cyberspace, and to make the market easier to navigate for consumers.
There is a responsibility on users too to apply online the sort of basic commonsense behaviour they use in everyday life to keep themselves safe.
What I call basic cyber-hygiene:
- keep your anti-virus software up to date
- regularly scan your computer for viruses
- don’t post sensitive personal information on open sites
- don’t open email attachments from senders you don’t recognise
- don’t download files you are unsure of
To illustrate how far people have yet to get the message, in the UK only around a quarter of all purchasers of a new PC ever activate their online virus protection.
In a busy city you would never leave your front door unlocked when leaving the house, so why do that with your e-valuables?
Of course none of this is to say that government has no role to play.
It does, particularly in law enforcement and the defence of critical national infrastructure, but its main function will be as a facilitator, encouraging the spread of fast networks, encouraging best practice in business and encouraging individual responsibility.
But when it comes to tackling cyber crime, the efforts of users and businesses can only go so far.
The only approach that can be effective will be a concerted and urgent international effort.
We must ensure there are no safe havens for cyber criminals, what is unacceptable behaviour “offline” must also be unacceptable “online”.
Just as in the domestic arena, this does not mean that we need a new set of laws purely to police cyberspace, rather we should ensure that those international legislations and treaties that protect us are also enforced in the cyber domain.
And this goes beyond crime, it should also apply to the other relations between states which are governed by treaties, including in conflict situations.
The principle must be that states should continue to comply with existing rules of international law and the traditional norms of behaviour that govern interstate relations.
Any use of force and armed conflict, including that states must settle their international disputes by peaceful means in such a manner that international peace, security and justice are not endangered.
The UK is developing a range of cyber capabilities which would be used in accordance with the well understood Laws of Armed Conflict and more generally under domestic and International law.
The use of any UK military capability is subject to strict ministerial oversight.
And because cyberspace is a domain, a means to an end, it is not an end in itself, well understood concepts such as proportionality of action apply to cyberspace as much as they do to actions in the air, land or maritime domains.
What makes cyber so potent as a tool is a number of factors.
First, the all-pervasive nature of computers in our lives, in the critical national infrastructure, in our economy, in our financial services, in defence, which creates huge vulnerabilities.
Second, the low technological threshold of entry.
Our adversaries can exploit the same technology used by citizens going about their daily business.
That laptop that sits on the desk at home or in the office, used to do accounts, send email or catch up with television programmes, is the same instrument that could be used to launch an attack on our critical national infrastructure.
In this way, a single networked laptop in the hands of a sophisticated and informed attacker could be as effective a weapon as, say, a cruise missile.
Third, there are no geographical barriers in cyberspace.
An attack could be launched from any corner of the world with little warning.
Unlike a conventional military movement, which requires the kind of organisation, mobilisation and logistical support that is hard to hide, a cyber attack can essentially be covert until the moment it begins to do its work.
Fourth, attribution of both cause and effect will be difficult to achieve.
As we already know from the recent STUXNET worm, it can be very difficult to trace from where and by whom an attack was initiated.
And it may be unclear when a cyber event is taking place, what its exact purpose might be or the ultimate aims of the attacker.
Fifth and perhaps most insidious, with cyber it is possible to rapidly create a mass effect.
As we saw in the cyber attacks of Georgia in 2008, hackers can be enlisted to ideological causes, equipped with the means to carry out mass attacks, so called botnets and given the target information to direct and synchronise attacks.
Rather than a single attack on a target, this can result in hundreds of thousands of computers worldwide being hijacked.
All this means that cyber is a powerful asymmetric tool.
We have seen how terrorists can attack symbolic rather than military targets, the 9/11 attacks on the World Trade Centre being an obvious example.
It can only be a matter of time before terrorists begin to use cyberspace more systematically, not just as a tool for their own organisation, but as a method of attack.
So, is cyber a perfect storm for those of us concerned with security?
Let me offer two considerations that might encourage us to see some light.
Firstly, to quote a well known law of Physics, every action has an equal and opposite reaction, defence seeks to nullify attack ad infinitum.
Quite what the technological reaction to cyber will be is as yet unclear but a response will emerge.
Secondly, what we present as vulnerabilities to ourselves are also vulnerabilities for our allies too, this is a great opportunity to pool our resources.
And we should not forget the same vulnerabilities may apply to our enemies as well.
We cannot guarantee our security in cyberspace without international action.
We need to think and act internationally because cyberspace is international space.
There is a lot of work being done bi-laterally and multilaterally to develop common understanding and common positions with other countries and international organisations.
My department has been working closely to develop enhanced cyber relationships.
For instance, the importance of cyber has been reflected in recent discussions we have had with Australia as well as with other allies such as the US and France amongst others.
Cyber needs to be considered alongside land, air and maritime in our campaign planning.
To that end we are engaging with our trusted military partners to ensure that ‘Cyber’ is fully integrated into our preparations for future coalition operations and we are identifying opportunities for both information and burden sharing.
In conclusion ladies and gentlemen, the cyber challenge is genuinely everyone’s problem, because the solution requires action at all levels:
- the application of basic cyber hygiene by all citizens both at home and at work
- partnership at a national and international level between governments and industry to protect critical infrastructure and ensure network resilience
- and broad engagement with allies and friends abroad to establish the principles of international action
So let me finish with one final thought.
In 1860, the Pony Express fast mail system was set up in the United States.
It revolutionised cross-continental communication, reducing time it took messages to travel from the Atlantic to the Pacific to about 10 days.
The Pony Express has since been mythologised in print and film, the bravery of the riders, the romance of the Wild West.
But do you know how long this iconic system actually lasted?
18 months, 18 months before the ponies were replaced by the telegraph.
My point is this, technology moves quickly.
No matter how we protect ourselves today, we cannot stop thinking about how we protect ourselves tomorrow.
In an era of cloud computing where there is an app for every occasion, where we can’t always predict what the next big thing will be, we will need to be adaptable, flexible and fast off the mark to protect national security.
We will need to be open to new opportunities, but ever aware of the dangers we will continue to face.