Speech

Cyber security: City Week 2014

Francis Maude, Minister for the Cabinet Office, spoke at City Week 2014 about the importance of cyber security.

This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
The Rt Hon Lord Maude of Horsham

I’m incredibly proud of the contribution that the financial services industry makes to this country: it is successful, it contributes a huge amount and employs a huge number of people. And it’s something we’re really, really good at.

London, as Europe’s great financial centre, has always thrived because of its networks: going right back to the Roman roads, all connecting out from London in ancient Britain; to the shipping routes that held together the Empire, coming back to the Pool of London not very far from where we are sitting. Of course, the clippers that sailed from the quaysides and the warehouses on the banks of the Thames 200 years ago took weeks, if not months, to reach their destination.

Now of course the digital revolution has all but eradicated the concept of distance and time from global business. London is better connected to markets around the world than at any time.

Of course this month we celebrated the 25th anniversary of the birthday of the World Wide Web. Sir Tim Berners-Lee apparently considered calling his invention “the Mesh” or the “Information Mine” before he settled on the World Wide Web. Hearing the alternatives is just a reminder of just how much we’ve become used to the concept of “the web” as part of everyday life.

When we talk about cyber security it’s often all about the threat. When we talk about it – because we need people to take it seriously – we often lay huge emphasis on dark and threatening aspects of it. There are dark and threatening aspects and we need to do that, but we shouldn’t ignore the central truth that the internet is fantastic. It is a liberating and dynamising thing, it has revolutionised the way we live and work, it has connected people together. It’s a massive force for good, for prosperity and freedom and for building social capital. There are so many benefits.

So cyber security isn’t a necessary evil: it’s a massive opportunity, which is what I want to focus on today.

It’s an opportunity to build a firm foundation for the economic recovery – so that the financial institutions that emerge from the Great Recession are stronger, safer, more secure and more alert to the risks than before.

But it can also be part of a long term plan for sustained growth. Cyber is a business of the future in its own right, bringing with it the opportunity for jobs and investment, innovation and prosperity.

Making the UK a safe place to do business

The cost of cyber security breaches to our economy has roughly tripled just over the last year. It is now in the order – we don’t know exactly, how can we - of £20 to 40 billion per year.

Last year PwC’s Information Security Breaches Survey found that 93% of large corporations had a breach of some sort. The average cost of each one is said to be somewhere between £450,000 and £850,000. We know however of one London-based company which had a loss of £800 million in revenue, just in one company from a cyber-attack.

Most of the companies represented here today have probably been on the receiving end of such an attack. Not all of them will know they have. Whether you’re based in London or New York, Hong Kong or Singapore, the story is the same. Cyber security is now part and parcel of the world you do business in. As more operations go online and our networks and systems become ever more inter-connected, as they will, so the scope of potential targets will grow.

So in 2011 when we launched the government’s National Cyber Security Strategy we backed it with serious folding money - £860 million in funding at a time when budgets across the piece are facing cuts. In the last financial year alone we saved £10 billion in efficiency savings – so the fact we’ve committed such a huge chunk of money tells you how highly cyber security ranks in our priorities.

But this funding will only be effective if government and business work closely together.

So we’re working closely with you, and with other businesses, to raise awareness of the threat to reputation, revenues and intellectual property from cyber-attack and the measures that businesses can take to address these.

Of course the financial sector has always been particularly vulnerable. Sensitive commercial data, intellectual property and transactional information are all hugely valuable to online criminals and whenever this kind of information is shared, all that’s needed is for one party to lower their guard for everyone to be left exposed.

Of course, sharing information is absolutely fundamental to the global economy so you will never be able to completely eradicate the risk. But if the UK is to be a safe place to do business - which it must be - then cyber security must be ingrained in every area of operations, at every level, from the boardroom to the trading floor.

You will all be I imagine familiar with the 10 Steps Guidance for Cyber Security which we published in 2012. Many of your organisations will have participated also in the Cyber Security Health Check with audit companies last year, which we’ll repeat this year to help inform levels of awareness and preparedness across the FTSE350.

In January this year new guidance was produced specifically for the corporate finance community on how to give cyber security high priority during transactions.

Published by the Institute for Chartered Accountants and a taskforce of a dozen major professional organisations, it aims to provide practical advice for any firm involved with mergers and acquisitions, buyouts, venture capital and Initial Public Offerings - whether a small business replacing an existing debt facility or a large company preparing to list.

To accompany this advice, we’ve also developed an industry-led organisational standard for cyber security. It’ll give businesses a clear baseline to aim for in addressing cyber security risks for their company.

Companies adopting the standard will be able to advertise the fact that they meet the criteria. It could give them a competitive edge in a marketplace that will increasingly be demanding better cyber security from its suppliers. Because we try to practise what we preach, we’re also working to raise cyber awareness within government.

We now have a network of SIROs - Senior Information Risk Owners - in central government and in the wider public sector. These people are at board level with responsibility for managing information risks. Then there are the Information Asset Owners, who take responsibility for risks at a working level on projects. But all civil servants are required to undertake training as well, because everybody has a role to play to reduce risks.

We’ve also been building the structures that will make the UK economy more resilient.

Last year we launched the Cyber Security Information Sharing Partnership - the CISP - so government and business partners can exchange information on threats and vulnerabilities as they occur in real time, and it being in real time is incredibly important.

Starting with fewer than 100 partners, now well over 300 businesses have joined CISP.

These include the British Banking Association; the IMRG (the Online Retail Association); the Law Society, and the Institute of Chartered Accountants England & Wales.

These are just some of the professional organisations that are endorsing the CISP to their members and I’d like to thank them for helping to spread this incredibly important message.

They’ve all recognised that cyberspace is simply too big for any organisation – whether public or private – to have sight on everything that’s going on and so there is a massive need to pool our information to bring mutual benefits. CISP works because it has government involvement, but – and this is crucial – it’s business-led. Companies are under no compulsion. Information is shared voluntarily.

This enables a “fusion cell” made up of analysts from business and the law enforcement and intelligence communities to draw together a single intelligence picture of cyber threats facing the UK and that knowledge and single picture is for the benefit of all partners.

The more volume, the more traffic there is – the more useful it becomes to all of us and the richer and more useful our collective knowledge. Just this morning, after several years in development, I opened the UK’s first national Computer Emergency Response Team – CERT-UK.

We already have existing CERT capabilities, but the new national CERT will provide a core incident management response and act as a single focus point for international sharing of technical information on cyber security.

Slowly these mechanisms – better awareness, closer cooperation, more sharing of intelligence and information – are coming together to make businesses more resilient.

At the end of last year, the Bank of England brought these capabilities into play for Exercise Waking Shark 2, a simulated attack on London’s financial sector.

It brought together 14 firms, 6 financial market infrastructure providers, together with the Financial Conduct Authority and the Treasury to see whether they could withstand a coordinated cyber-attack. It was supported by CISP, backed by the National Cyber Security Programme.

Compared to the kinds of cyber-attacks seen to date, the exercise scenario was extreme. But it was designed to be so. It put pressure on the participants, not just to see how well companies responded individually, but to see how the information sharing mechanisms work when the heat is on.

The exercise worked well to validate and rehearse existing response arrangements and, just as importantly, identified further areas for improvement.

This year we will be looking to support other sectors to develop exercises, particularly those owning and operating Critical National Infrastructure, most of which of course these days is not in government hands, which is why partnership is so vital.

Cyber growth

The global cyber security market is growing by more than 10% a year and we want Britain to be part of that and to benefit from it.

And this is something that we are good at – this is a strength for Britain – and we need to exploit it and make the most of it to create jobs and wealth.

Earlier this month, I visited the headquarters of Cassidian in Newport, which produces everything from encryption projects for Eurofighter Typhoon aircraft to secure networks for government communications. I met with some of the rather brilliant apprentices who are working there to develop the skills and experience the economy is going to need in the years to come – they’re bright, enthusiastic and have enormous potential.

Cassidian is one of the giants – but I’ve also visited small firms like Titania, one of 40 small cyber security companies clustered, maybe rather improbably, around Malvern in Worcestershire and, despite its small size, supplies products to organisations in over 50 countries.

In the last year I’ve met with my counterparts from Israel, India, Spain and a couple of weeks ago the Czech Republic. And I’ve seen how highly British technological expertise and innovation is regarded overseas – especially when it is allied to the international reputations of our great universities, which again is crucial.

It’s one of the reasons why we’ve just launched a new Cyber Security Suppliers’ scheme. Qualifying businesses can use an exports badge to demonstrate to potential customers that they are a supplier of cyber products and services to the UK government.

The scheme has been delivered through the Cyber Growth Partnership, which is celebrating its first year of operation today. As a government, we want to do everything we can to boost the UK cyber security sector, domestically and across the globe. We want to be exporting £2 billion worth of products and services by 2016 – that’s a sharp increase on the £850 million that we sold last year - and we’ve produced the first Cyber Exports Strategy which sets out how we will help to achieve that.

But if we’re going to grow our cyber security sector, then we need to ensure we have the right people with the right skills coming into the workforce. There’s currently a gap between the increasing opportunities to work in cyber security and the available pool of talent.

Earlier this month, I opened the final of this year’s Cyber Security Challenge. Funded jointly by government, academia and business, it’s one of the ways we’re working together to demonstrate the value of cyber security as a career opportunity to as wide an audience as possible – and actually it’s working and working well.

Almost 1 in 3 people who reach the final stage of the competition go on to find work in cyber security.

This year’s winner was a 19-year-old Cambridge University computing student – a previous winner was a postman.

Their backgrounds differ, but what they have in common is brainpower.

We’ve got to get better at identifying this talent and putting it to work - a practical way in which the partnership between business and government can improve our capability.

Conclusion

Cyber security has a language entirely of its own – one of malware, botnets, worms and trojans - but I think in the last couple of years the City has come a long way in mastering this language and the financial services sector is now far more fluent in the risks of cyber security than even just a couple of years ago.

Last autumn I was at the 3rd international conference on cyberspace in Seoul, South Korea. And it is quite clear in all the conversations you have that we in the UK are thought to be quite good at this; we are in the forefront of activity.

I recall when we launched CISP, Howard Schmidt, the former White House cyber security tsar, commenting on how much the UK had achieved in quite a short space of time.

I think we are punching above our weight in cyberspace but we can’t even have a flicker of complacency. This is the most fast moving, fast changing environment in which neither government nor business nor academia can rest. This absolutely will be a job that’s never completed. It will always be a work in progress.

Cyberspace is vast and no one country or company can succeed alone. Only the strength of our partnerships and the trust which means information can be shared in real time will see us through. This is the rock upon which we can build a safe and secure economy, and grasp the opportunity for future growth, so everyone can prosper from the digital age.

Published 31 March 2014