Speech by Chloe Smith, Minister for Political and Constitutional Reform at the Infosec 2013 conference in London.
Many thanks to the organisers for inviting me to give the keynote address. I know that this is a well-respected event by the sheer numbers of exhibitors and the investment you’ve made to be here.
It is heartening to see that this sector is thriving and that there is so much innovation and vitality in this field. With so many global and UK companies represented it is clear that the UK has an important role in this growing sector. Today, I would like to share with you some of the steps we are taking to raise the profile of cyber threats and generate demand for more and better cyber security products and services.
Firstly though I would like to give you a brief overview of our UK Cyber Security Strategy and objectives.
In 2010, when this government first came into power, the Strategic Defence and Security Review determined that cyber attacks were one of the top four threats to our national security. This is still the case today.
Cyber threats come from a variety of sources but we broadly categorise them as emanating from state-sponsored actors, hacktivists or cyber criminals. The motivations for attacks vary from ideological, political or fanatical, to financial.
I don’t need to tell this audience that almost every day there is a news story about an organisation being ‘hacked’ or individuals being defrauded by online criminals in new and ever more sinister ways.
And government is faced with these threats on a daily basis. On average over 33,000 malicious emails are blocked at the Gateway to the Government Secure Intranet every month. These are likely to contain - or link to - sophisticated malware, often sent by highly capable cyber criminals and state sponsored groups. A far greater number of malicious emails and spam, but less sophisticated emails and spam are blocked each month.
Strategy and objectives
So what is government doing to help protect UK interests in cyberspace? In 2011, we produced our UK Cyber Security Strategy, setting out 4 clear objectives:
- We must make the UK one of the most secure places in the world to do business in cyberspace
- We must make the UK more resilient to cyber attack and better able to protect our interests in cyberspace
- We must help shape an open, vibrant and stable cyberspace that supports open societies
- We must build the UK’s cyber security knowledge, skills and capability.
£650 million of investment over 4 years has been put in place; in of course one of the tightest fiscal environments government has ever seen. This underlines the importance we place on cyber security.
In December last year we reported on progress against the strategy and the work being carried out under the National Cyber Security Programme as well as our forward plans. This covers all the objectives I’ve outlined in terms of enhancing skills, research and education, policing and tackling cyber crime, international engagement and capacity building, new measures to help protect the UK industry as well as the Critical National Infrastructure. Information on all these efforts can be found on GOV.UK and we will be reporting back again to parliament again at the end of this year.
Making the UK a safer place to do business
Objective 1 of the strategy relates to the need to protect and fuel UK business interests and is what I would like to focus attention on today.
Industry is by far the biggest victim of cyber threats. We have stated before that cyber crime, ranging from IP theft to cyber espionage to online fraud, is costing the UK economy billions of pounds a year. And as businesses and government move more of their operations online, the scope of potential targets will continue to grow.
Later today David Willetts, the BIS Minister, will be releasing the 2013 Cyber Security Breach survey results. The statistics are very revealing and provide us with the insight we need to determine how and where we direct resources to support UK industry.
In particular response to this, we are launching today new guidance for SMEs on how to protect themselves from cyber threats. In addition, we are announcing a new Innovation Voucher Scheme for small businesses through the Technology Strategy Board. An Innovation Voucher provides companies with a grant to work with a supplier for the first time and should be invested in an idea or problem that is a challenge for the business and for which specialist support is required. The cyber security element of this scheme will fund 100 companies with Innovation Vouchers of up to £5000 each.
Across government then we are working hard to raise awareness of cyber security throughout industry and ensuring that the right incentives are in place for industry to take responsibility for securing their own interests. But where government can help, we will.
For example, at the end of March, Francis Maude launched a ground-breaking partnership between government and industry – the CISP (Cyber Security Information Sharing Partnership). The scheme currently involves 160 companies allied with government to share information and intelligence in ‘real-time’ on cyber threats to UK companies and how to mitigate them. As part of this we have set up a ‘Fusion cell’, funded by the National Cyber Security Programme, which brings together experts from the security services, law enforcement and industry to work together to address cyber threats in a trusted environment. The ultimate aim is to extend this scheme beyond CNI (Critical National Infrastructure) companies and eventually to include SMEs.
Raising awareness in industry
We are working to create better awareness of the threat throughout both the public and private sectors; this is to help drive informed demand at the very highest levels within organisations to ensure that their key information assets are well-protected.
To this end we have been giving advice and guidance to businesses. Last September, for the first time amalgamated advice from the Cabinet Office, the Security Services and BIS was delivered to an audience of 200 Board-level directors of FTSE companies. The “Ten Steps to Cyber Security” booklet has been well-received to such an extent that in January this year at Davos, the World Economic Forum cited it as an example of best practice. Copies of the booklet are available on the CESG stand here today andit is also available on .gov.uk
The Cyber Security Sector
As we are successful in raising cyber security standards across the private sector, growth in demand for products and services to support this should follow.
So we are putting in place the right environment for a vibrant and self-sustaining cyber security market-place of good UK based cyber security providers.
We are determined to help seize the business opportunities in cyber, promoting the UK cyber security industry both domestically and across the globe.
Cyber security represents an opportunity for the UK – both for companies where cyber is core to their business and for companies across all areas of the economy who need to develop a competitive edge through demonstrating that they handle information responsibly and protect the details of those they do business with. We have every reason to believe that UK firms are well placed to capitalise on this growing market.
The UK has history of being innovators in technology and in technical areas such as cryptography which is maintained to this day in our universities. We know how to implement this as our ongoing strengths here underpin our cutting edge position in areas such as online commerce and banking. Undeniably, there is a massive growth potential for UK businesses and innovators to do very well in the cyber security sector.
Making a difference often relies on the forging of new partnerships – not necessarily between government and industry but business to business. A good example of this is an SME in Malvern, called IASME, a small business that has developed a cyber security standard specifically for SMEs. IASME has partnered with a local insurance provider (Sutcliffe and Co) underwritten by AIG to offer reduced premiums to those companies that are assured against the IASME standard. This approach is helping to grow these two small businesses, offering an innovative approach to cyber risk management, as well as growing the cyber security market in the local area. Linked to this is a series of awareness-raising events that IASME are holding around the UK for SMEs to introduce them to cyber risk and promote this insurance offering: quite impressive stuff for a micro-business. We applaud this approach and BIS is also contributing to these ‘roadshows’ to offer the government view and present on HMG is doing to stimulate supply and demand for cyber security.
And to help more companies demonstrate that they are cyber savvy we are also bringing clarity to the broader standards landscape helping companies identify the best of the standards that exist in the marketplace and to protect organisations against cyber attacks.
GCHQ and BIS have drawn up, in partnership with industry, a series of requirements for what a good organisational standard for cyber security would look like. We are relying here on market support and industry telling us what their preferred standard is and how it aligns with the requirements.
At the last count, there are around 2380 UK companies in the cyber security sector which equates to 21 % of all UK security companies. In total, these companies support well over 26,000 jobs - currently 16% of all UK security employment. According to a UK Security Sector Report, UK Cyber Security sales amounted to £3.8bn with UK exports of £800m. Cyber security global growth is forecast over the next four years to be over twice that of the security sector as a whole as economic constraints bite in traditional defence and security markets. So it is clear that this is a growth sector and one which we should encourage and nurture.
The Cyber Growth Partnership
To this end, we have launched a new Cyber Growth Partnership, led by BIS and Intellect, the ICT representative organisation, representing over 850 large and small technology organisations. Central to this will be a high level group which will identify how to support the growth of the UK Cyber security industry, with an emphasis on exports. It will also help identify what currently stops the cyber security sector from growing, with a particular emphasis on SMEs and boosting their market potential.
The first meeting of this group took place last month. The main outcome of the meeting was an agreement with industry on the practical steps they needed the government to take to support export growth. For example we are looking at ways in which those businesses which government has procured cyber security products from can promote the fact that they are an HMG supplier to their prospective customers overseas.
We also discussed how industry and government can work together to ensure that the right inputs such as skills, R&D and funding are available to support growth.
It is early in the life of the group and we are keen that we don’t lose momentum – however the indications are that this group can play an important role in addressing issues that impact on sector growth.
Skills and research
The ideas for skills and research we discussed as part of the cyber growth partnership are focussed on what we can and have to do in the future.
Through the National Cyber Security Programme we are investing in skills research and training. Last week two new Centres for Doctoral Training in Cyber Security were established within UK universities to bring people with the right skills and knowledge into the cyber security field. The CDTs will provide broad training focused exclusively on cyber security and engage with industry to ensure that this training reflects the complex and dynamic nature of cyber threats. This is in addition to funding for Academic Centres of Excellence in Cyber Security status to 11 UK universities and 3 new Research Institutes.
We are also taking steps to improve cyber security skills among young people and to widen the pipeline of talent coming into this field. e-Skills UK is developing interactive learning materials on cyber security for GCSE and A-level students. We expect these materials to be available to schools from September 2013.
At the end of last year, GCHQ and the other Intelligence Agencies launched a new technical apprenticeship scheme which aims to identify and develop talent in school and university age students. They aim to recruit up to 100 apprentices who will be enrolled on a tailored two-year Foundation Degree course. We also sponsor the Cyber Security Challenge UK in its work providing advice, support and guidance for anyone interested in a career in cyber security, and we want to create opportunities for employers and previously unidentified talent to come together. Since its launch in 2010, over 10,000 people have registered with the initiative.
GCHQ has also established a set of certification schemes to improve the skills and availability of cyber security professionals. The Certification for Information Assurance Professionals scheme will help Government and Industry to recruit cyber security professionals with the right skills at the right level, and into the right jobs. It will also assist participants to build a career path and to have the opportunity to progress through re-assessment as skills and experience grow.
All this will take time to filter through but we are putting in place the right processes to achieve increase the numbers of skilled people needed to help protect UK business.
In conclusion, cyber threats are an increasing challenge for UK businesses but they also present many exciting opportunities as well. We are making every effort to address the threats through improving our ability to detect and defend UK interests in cyberspace. We have to work with you, with UK businesses to help this growing sector to thrive. We want to work with industry through real and meaningful partnerships to ensure that UK businesses capitalise from this growing demand for the benefit of the UK as a whole.