Chancellor speech: launching the National Cyber Security Strategy

"The new strategy is built on three core pillars: defend, deter and develop, underpinned by £1.9 billion of transformational investment...", says the Chancellor, Philip Hammond.

The Rt Hon Philip Hammond

Thank you Toni for that kind introduction and good afternoon everyone.

I’m delighted to be here at Future Decoded.

I come to this conference a strong advocate of the role of technology in transforming our society and building our economy.

When I was appointed Chancellor of the Exchequer just a few months ago, the first business person I met wasn’t the CEO of one of the UK’s big banks or car manufacturers – crucial though those sectors are to the economy.

It was Masayoshi Son, the Chief Executive of SoftBank, on the morning he announced the £24 billion purchase of the Cambridge-based Arm Holdings.

It was the biggest European tech deal in history; the largest ever single Japanese investment in Britain. And it was fitting that he was the first businessman I saw as Chancellor – because the tech industry is the future of the British economy.

Mr Son told me, when we met in No11, that he wanted to buy into Britain because he saw the huge potential Britain has to play a leading role in the next global wave of technology innovation – the internet of things.

That meeting – and many others I’ve had subsequently – reinforced my belief that the UK is strongly positioned to be at the cutting-edge of the digital revolution.

Why? Because Arm isn’t a one-off. In fact, it’s one of the most successful products of a proud history of British technological innovation stretching back decades.

Just take Cambridge – the home of Arm – as an example:

From educating Alan Turing in the 1930s, to building one of the first general-purpose computers in the Mathematical Laboratory in the 40s; from Watson and Crick discovering DNA in the 50s, to the founding of Cambridge Consultants in the 60s – one of Britain’s first technology-transfer businesses.

Fast forward 50 years and our tech industry is growing at pace – up 42% since 2010.

We have more tech unicorns than anywhere else in Europe; we’re home to the largest data centre in Europe; and we’re the world leader in e-commerce.

It’s a little known fact outside this hall that we Brits do more online shopping than any other nation. So it’s clear we have some world leading potential.

The question is: how do we get in front? And how do we stay there?

I believe there is a once-in-a-generation opportunity for the UK to cement our role as a leader in digital tech innovation, and to future-proof the economy of post-Brexit Britain.

And we need to take that opportunity.

People have already started describing the phase we’re entering as a Fourth Industrial Revolution. And just like in the First, there are some who resist that change and the disruptive effects it can bring. Let’s call them handloom weavers.

The fears that machines could render humans obsolete are as old as machines themselves.

It was almost 500 years ago, back in 1589, that the British inventor William Lee was refused a patent for a new knitting machine by Queen Elizabeth I.

And in responding to his patent application the Queen used these words, she said to him:

Consider thou what the invention could do to my poor subjects.

It would assuredly bring to them ruin by depriving them of employment, thus making them beggars.

Denied his patent, the inventor was swiftly poached by the French King Henry IV – a timely reminder perhaps that our friends across the channel are not novices when it comes to trying to seduce a key UK industry… But it also illustrates a wider point – that human anxiety about technological change is nothing new.

A vicious rearguard was fought against the railways in Victorian Britain – prophesying doom if they were built; in fact, of course, they transformed Britain into the richest country in the world.

We’ve seen it across many industries over many years: agriculture, weaving, switchboard operating and shorthand typing…

and yet as old jobs disappear, new, previously unthought-of opportunities open up and the economy re-trains and re-absorbs the displaced workers.

But being optimistic about technological change isn’t simply a matter of being grateful that technology has made our lives immeasurably easier – though inventions like washing machines, air travel, television, mobile phones and the internet have certainly done so.

It’s about doing all we can to foster innovation, because technology has the power to make everyone in society better off, to lower costs, to raise living standards and to improve our quality of life.

Better productivity in farming and food production over the past 30 years has seen the share of food costs in the average family budget fall from almost 20% to 10%.

Over the past two decades the real price of new cars has fallen by almost a quarter.

Put in simple economic terms, and I know I don’t need to put things in simple economic terms for this audience, applying technology increases the output from a given level of inputs – raising productivity – which in turn raises incomes.

And there is more transformative technology on the horizon.

Generating not just improved productivity, but entirely new capabilities.

The sharing economy and increased remote working are creating new opportunities for income generation. Companies like DeepMind are working with the NHS to drive major improvements in patient outcomes through better use of health records data – spotting trends that would otherwise be invisible.

And Britain has brilliant firms at the cutting edge of virtual reality, autonomous vehicles, wearable tech, artificial intelligence and in so many other sectors.

So of course, we must be alive to the short-term economic and social consequences of the changes that technological innovation can bring.

But as Chancellor, I am in absolutely no doubt that we must embrace change, not fear it.

I want Britain to be the best place in the world to found and to grow a tech business.

I know of course that government can’t deliver innovation – that’s something only you can do.

But government can play a role and does have a role in nurturing that innovation and creating the conditions in which new businesses can grow.

We were the first country in the G20 to put coding on the curriculum – something in which Microsoft played a key part.

We’ve overseen a major shift towards STEM subjects in our education system over the last six years, and since 2014 Maths has been the most popular A-level subject in English schools.

We’ve created an environment for businesses to thrive – with competitive taxes, a skilled workforce, support for growing companies through our venture capital schemes…

investment in digital infrastructure, and a further £220 million of funding for tech innovation announced just last month.

But these steps alone aren’t enough.

If we want Britain to be the best place in the world to be a tech business, then it is also crucial that Britain is a safe place to do digital business.

As you all know, increasingly, the systems that underpin our daily lives are connected to the internet – air traffic control, satellites, power grids – as well as the domestic devices in our pockets, our homes and our cars. Perhaps tellingly, the exception to that rule is military communications, which tend to avoid internet connection for the most sensitive systems, such as weapons fire control.

So just as technology presents huge opportunities for our economy – so to it poses a risk. Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust in, faith in the whole digital edifice will fall away.

We need a secure cyberspace – and we need to work together business and government to deliver it. Media reports remind us on a regular basis of the scale of the challenge we face.

Everyone in this room I’m sure is aware, last month we witnessed a worrying expansion in the scale of D-DOS attacks.

Hijacked security cameras being exploited to launch a colossal attack on a US server company, preventing access to major websites for millions of people.

A small number of UK government Digital services were also affected by that attack, but because we had the right defences and contingency plans in place, we were able swiftly to get these back on line.

We’re also witnessing more targeted, spear-phishing attacks which use social engineering techniques to maximise the chance of success.

This type of attack is thought to be one of the ways hackers got into Sony’s networks in 2014. And the damage caused in that attack – both commercial and diplomatic – show how important it is to invest in staff training and awareness.

Then there are attacks that take advantage of insecure coding, weak access controls, poorly implemented cryptography and unprotected databases, none of which I’m sure any of you have to own up to, just a few of the common vulnerabilities.

And the consequences are significant.

TV5 Monde witnessed a total shutdown of all its TV channels last year – because of an attack purportedly from a terrorist group, but which some security companies have ascribed to a state with a record of other recent high profile attacks – answers on a postcard to No10 Downing Street please.

In Ukraine, two electricity companies suffered a major power outage, with blackouts for several hours due to the first known cyber-attack on an electricity network, suspect probably the same.

Closer to home, TalkTalk suffered a data breach that left the records of 157,000 people at risk. And the list, unfortunately, goes on.

Saudi Aramco; the US Government Office of Personnel Management; as well as hundreds of UK businesses, public sector organisations, universities and charities which have been hit with ransom ware.

These attacks demonstrated what everyone here in this audience already knows about the reality of successful cyber-attacks: significant consequences including loss of customer data, significant financial costs, disruption of services, reputational damage, indeed threats to the infrastructure of the state itself.

We have to respond to this threat.

And in addressing it here in the UK we are not starting from scratch…

In the last Parliament we invested £860 million over five years to significantly enhance our capabilities to protect our government networks, improve our incident response and to tackle cyber crime.

We cemented our partnerships with industry, working closely on ground-breaking issues like cyber-insurance. And we bolstered the UK’s cutting edge academic capability, establishing 13 Academic Centres of Excellence that specialise in developing cyber security research and innovation, attracting students and investment in to the UK.

In recognition of the risk cyber attacks pose, the government’s 2015 Strategic Defence and Security Review classified cyber as a Tier One threat to the UK – that’s the same level as terrorism, or international military conflict.

And in order to lead our national response to cyber from the very top of government, we established a permanent Cyber Committee, bringing together Cabinet Ministers from the Foreign Office, Ministry of Defence, Home Office, Culture Media and Sport and Health among others.

The creation of this dedicated Committee has been an important innovation in how central government works together – and with our intelligence and security agencies – to tackle the threats we face.

As Chancellor I chair that Committee, and previously, as Foreign Secretary with responsibility for the brilliant GCHQ, I had a key interest in it.

And through that involvement , I’ve seen the full extent of those threats: Threats to our data, to our IP, to our military secrets, to our financial information and perhaps most important of all, to our infrastructure itself, all of those areas are targets for our adversaries.

The action the government has taken over the past 6 years has made the UK an acknowledged global leader in cyber security.

But we must keep up with the scale and pace of the threat we face.

So today I am launching the government’s National Cyber Security Strategy for the next 5 years.

The new strategy is built on three core pillars: defend, deter and develop, underpinned by £1.9 billion of transformational investment.

First of all Defend. We will strengthen the defences of government, our critical national infrastructure sectors like energy and transport, and our wider economy.

We will work in partnership with industry to apply technologies that reduce the impact of cyber-attacks, while driving up security standards across both public and private sectors.

We will ensure that our most sensitive information and networks, on which our government and security depend, are protected.

In practice, that means government taking a more active cyber defence approach – supporting industry’s use of automated defence techniques to block, disrupt and neutralise malicious activity before it reaches the user. The public have much to gain from active cyber defence and, with the proper safeguards in place to protect privacy, these measures have the potential to be transformational in ensuring that UK internet users are secure by default.

We are already deploying active cyber defence in government and we know it works: we’ve already successfully reduced the ability of attackers to spoof government e-mails as a key example.

Until 6 weeks ago we were seeing faking of some @gov.uk addresses, such as ‘taxrefund@gov.uk’.
Criminals have been using these fake addresses to defraud people, by impersonating government departments.

50,000 spoof emails using the taxrefund@gov.uk address were being sent a everyday – now, thanks to our interventions, there are none.

The second pillar is deterrence. We will deter those who seek to steal from us, threaten us or otherwise harm our interests in cyberspace.

We’re strengthening our law enforcement capabilities to raise the cost and reduce the reward of cyber criminality – ensuring we can track, apprehend and prosecute those who commit cyber crimes.

And we will continue to invest in our offensive cyber capabilities, because the ability to detect, trace and retaliate in kind is likely to be the best deterrent.

A small number of hostile foreign actors have developed and deployed offensive cyber capabilities, including destructive ones. These capabilities threaten the security of the UK’s critical national infrastructure and our industrial control systems.

If we do not have the ability to respond in cyberspace to an attack which takes down our power networks leaving us in darkness, or hits our air traffic control system, grounding our planes, we would be left with the impossible choice of turning the other cheek and ignoring the devastating consequences, or resorting to a military response.

That is a choice that we do not want to face – and a choice we do not want to leave as a legacy to our successors. That is why we need to develop a fully functioning and operational cyber counter-attack capability. There is no doubt in my mind that the precursor to any future state-on-state conflict would be a campaign of escalating cyber-attacks, to break down our defences and test our resolve before the first shot is fired. Kinetic attacks carry huge risk of retaliation and may breach international law.

But in cyber space those who want to harm us appear to think they can act both scalably and deniably. It is our duty to demonstrate that they cannot act with impunity.

So we will not only defend ourselves in cyberspace; we will strike back in kind when we are attacked. And thirdly development. We will develop the capabilities we need in our economy and society to keep pace with the threat in the future.

To make sure we’ve got a pipeline talented of people with the cyber skills we need, we will increase investment in the next generation of students, experts and companies.

I can announce we’re creating our latest cyber security research institute – a virtual network of UK universities dedicated to technological research and supported by government funding.

The new virtual institute will focus on hardware and will look to improve the security of smart phone, tablets and laptops through innovative use of novel technology.

We’re building cyber security into our education systems and are committed to providing opportunities for young people to pursue a career in this dynamic and exciting sector.

And we’re also making sure that every young person learns the cyber life-skills they need to use the internet safely, confidently and successfully.

These three pillars that I’ve outlined – deter, defend and develop – are all supported by our new National Cyber Security Centre, based in Victoria in central London.

For the first time the government will have a dedicated, outward-facing authority on cyber – making it much simpler for business to get advice on cyber security and to interact with government on cyber security issues. Allowing us to deploy the high level skills that government has, principally in GCHQ, to support the development of commercial applications to enhance cyber security.

The Centre subsumes CERT UK and will provide the next generation of cyber security incident management. This means that when businesses or government bodies, or academic organisations report a significant incident, the Centre will bring together the full range of technical skills from across government and beyond to respond immediately.

They will link up with law enforcement, help mitigate the impact of the incident, seek to repair the damage and assist in the tracing and prosecution of those responsible.

Across all its strands, the National Cyber Security Strategy we’re publishing today represents a major step forward in the fight against cyber attack.

It is a key component of the government’s ambition for Britain to be the best place in the world to run a tech business.

And it sets out clearly how we intend to develop our partnerships with business to achieve that. But government cannot be solely responsible for managing cyber risk.

Chief executives and Boards must recognise that they have a responsibility to manage cyber risks, just as they would any other operational risk.

Similarly, technology companies – many of whom are represented here today – must take responsibility for incorporating the best possible security measures into the design of their products.

Getting this right will be crucial to keeping Britain at the forefront of digital technology security – itself a growing business sector.

We are not at all complacent.

We know we must fight for Britain’s share of the exciting opportunities in digital technology business that lie ahead.

But we know, too, that we begin with certain advantages:

  • our business friendly climate

  • our world-class science and technology base

  • our skilled workforce

  • our digital history and culture

  • our impressively online retail consumers

  • our language, our time zone, and our legal system

And now we want to add: the most secure cyber environment anywhere; where government, business, security agencies and academia work together to defeat the hackers and the phishers, the criminals and the rogue states.

Creating one more reason to make Britain the location of choice for cutting-edge digital business to start, to grow and to succeed.

One more reason why the Fourth Industrial Revolution should flourish in the home of the First.

Thank you.

Published 1 November 2016