Cyber Security Strategy third anniversary
Francis Maude spoke to mark the third anniversary of the Cyber Security Strategy, announcing a cyber mentoring scheme and the 'Cryptoy' app.
It’s a great pleasure to be here at the Institute for Chartered Accountants in England and Wales (ICAEW) and I’m grateful to them for being our hosts. I’d also like to thank them for the work the Institute does to help ensure the cyber security of their members and their members’ clients. This year the ICAEW has worked with the Department for Business to create a free online training course to help accountants and lawyers protect themselves and their clients online. And through their membership of the Cyber Security Information Sharing Partnership – the CiSP – they play an important role in sharing and disseminating updates and advice on threats and vulnerabilities. It’s partnerships like this which are helping us tackle the cyber threat effectively.
Three years ago we said that as part of our long term economic plan we wanted to make the UK one of the safest places in the world to do business, which is why we published the first comprehensive national Cyber Security Strategy. And we backed it at a time of financial restraint with serious money, £860 million-worth of funding.
But the internet is simply too large and complex for any single organisation to act alone. Too often governments have a tendency to pretend they have all the answers, but I’m the first to say they don’t. So when we talk about cooperation this is more than just a trite platitude, it is absolutely crucial to success. We can only do this by working together, which is a theme to which I will continue to return to this morning.
The threat
Three years on and the threat is still as serious as ever. As I was in the car on the way here just now, almost the last story on the Today Programme was about the attack on Sony Pictures:
- computer networks crippled
- intellectual property stolen
- personal details leaked
A global entertainment giant with a turnover in the billions, left with no option but to send staff home. They’re not alone. eBay, JP Morgan – even Dominos’ Pizza. Just some of the most high profile cyber-attacks this year – and these are just the ones that make the news.
All companies – large and small – face threats and vulnerabilities on an almost daily basis. And as someone said on the radio just now, there are 2 kinds of companies. Companies that have had an attack and companies that haven’t yet been attacked. All companies are vulnerable.
Cyber security has long since ceased to be an issue for the IT department alone – it’s an issue for the boardroom too. Look no further than the CEO of the Target retail chain in the US who resigned in May after the loss of personal data belonging to millions of shoppers. So if you sit on a company board, and you don’t already have your chief information security officer’s number in your phone, now’s the time to add it.
All this sounds pretty grim and dark and threatening and spine-chilling and we should feel it really matters. But we shouldn’t forget that this threat only exists because of something magnificent – the internet. It’s unquestionably changed our lives for the better and we must never lose sight of this.
Earlier in the week I was at Tech City in Shoreditch to open the first gathering of the new Digital Five group of nations, D5. These are the 5 most digitally advanced countries in the world – the UK, South Korea, Estonia, New Zealand and Israel. It’s a forum to discuss and collaborate on how we can support our growing digital economies and learn from one another’s experience of digital government.
We should approach cyber security with the same ambitious attitude – not because we’ve been brow-beaten into defending ourselves, but we have something magnificent and transformational that we want to strengthen and advance.
Awareness
One of the most useful ways in which we can cooperate is by raising awareness of how people can keep safe online. For all the complexity of digital technology, GCHQ estimates that 80% or more of currently successful attacks could be defeated by simple best practice.
Earlier this year we launched Cyber Essentials to help businesses protect themselves against the most common threats, and we want as many firms as possible to become certified under this scheme. We’ve also teamed up with private sector partners including anti-virus companies and banks to run the Cyber Streetwise campaign to increase the number of people and small businesses adopting simple cyber security measures.
You’ll have seen no doubt some of the posters on the Tube or some of the online adverts and we believe it’s already making a difference. Since its launch over 600,000 people have visited the Cyber Streetwise website and the online films have attracted over 5 million views. Most importantly, 2 million adults have taken steps to change their behaviour online.
CERT-UK
Businesses and governments also need to co-operate to share information and co-ordinate action. Earlier this year, I opened CERT-UK, our first national Computer Emergency Response Team. It co-ordinates our response to cyber issues on a daily basis, identifying and tracking risks as they emerge and, when necessary, bring others together to respond.
Now sitting as part of CERT-UK is the Cyber Security Information Sharing Partnership (CiSP), through which government and business partners can exchange information on threats and vulnerabilities in real time, so the response can also be in real time. As of this week, 750 organisations have joined the Partnership, a 50% increase on the target we set for the end of 2014. The more partners that join, the more information that’s shared, the better the overall picture and the greater our collective resilience.
This year we’ve been trialling a regional CiSP node in the East Midlands in collaboration with regional law enforcement agencies. On the strength of that pilot, we will launch a second node in the south east in 2015 and others will follow.
I’m pleased to confirm also that information sharing forums established for the Commonwealth Games will be re-launched as a dedicated Scottish node, with similar initiatives planned in Wales and Northern Ireland.
The message here is that cyber threat is not a London phenomenon and we are determined to ensure that our resilience is country-wide.
Growth
But we should also recognise that cyber is a business of the future in its own right. Cyber security already employs some 40,000 people and is worth £6 billion to the British economy.
I am pleased that Alex Van Someren will be speaking shortly about his views on these opportunities. I recently visited Worcester-based SME Titania. Despite being only 22-strong, they already supply software to customers in over 60 countries. Last month they were a deserved winner of the British Chamber of Commerce Award for National Small Business of the Year. You’ll be hearing from Ian Whiting from Titania very shortly, but the thing to recognise is they’re not alone.
They’re part of the Malvern Cyber Security Cluster in Worcestershire, which is fast becoming Britain’s ‘cyber valley’. When I first visited in 2012 there were around 50 companies, but now there are nearer 75. I am pleased to say we are supporting the development of a further 13 similar clusters around the country, from Belfast to Brighton, Cardiff to Cambridge, Edinburgh to Exeter.
That work has been made possible by the Cyber Growth Partnership – another great example of government, industry and academia working together.
One of the ways we will help these clusters to grow is through our Cyber Exports Strategy. Cyber security craves technical innovation and entrepreneurial ambition, backed by world-class skills and research – all of which the UK has in spades, so there’s a huge potential market for UK cyber expertise and products abroad.
Figures published by UK Trade & Investment in July show our cyber security exports have now passed £1 billion. This represents an increase of 22% over the previous year and puts us on-track to reach our target of £2 billion-worth of exports by 2016.
Skills
So we’re supporting businesses to increase the resilience of our economy. And we’re also supporting them to take advantage of the world-wide market for cyber security products and services.
The one thing that’s essential to both these objectives is skills. We’ve been working closely with higher and further education institutions to build our knowledge base and research capabilities so we can better understand the cyber threat.
There are now 6 GCHQ-certified cyber masters degree programmes, 2 centres for doctoral training, 3 research institutes and 11 academic centres of excellence.
This year we also teamed up with the Open University to launch a free online introductory course about cyber security. Almost 25,000 people have enrolled since October and a second run begins next month.
Today I can announce new grant funding for colleges and universities in Newcastle, Birmingham, Lancashire and Liverpool to develop and demonstrate new resources to improve cyber security education and learning.
Firms are crying out for people with cyber skills, and the demand is only going to grow, so today we’re also unveiling 2 further measures to help computer science graduates gain practical experience and guide them towards a cyber-security career.
The first is a new cyber mentoring scheme, through which employees from the cyber security profession will act as mentors for recent graduates and students interested in a cyber security career. This will include advice about qualification requirements and training opportunities, help with CVs and interview preparation, work shadowing or short placements.
Secondly, following the success of their existing cyber camps, the Cyber Security Challenge will deliver a series of cyber camps for recent graduates. These will be provided in association with universities on a regional basis to improve the employment rates of their computing science graduates.
The camps will offer the participants hands-on experience of cyber security over several days and the opportunity to gain an industry recognised foundation qualification. Most culminate with a competition which brings together all the skills acquired, often in a real life scenario. Perhaps most valuable is the opportunity to meet other cyber security enthusiasts, and to talk to cyber security professionals from household name companies. But we also need to cast the net far beyond academia.
The Alan Turing film The Imitation Game is a reminder that the UK has a rich heritage in computer science and cryptography. Toward the end of the war, Turing worked with a man called Tommy Flowers to build Colossus, the world’s first digital programmable computer. Turing was a Cambridge mathematician; Flowers an engineer from the Post Office. They came from different backgrounds but what they had in common was sheer brain power. These kinds of brilliant people are still out there, in normal homes and workplaces, but we’ve got to get much better at identifying them and matching them up to the opportunities in the workforce.
Earlier this year, I opened the final of the 2014 Cyber Security Challenge. Funded jointly by government, academia and business, it’s a fantastic way of demonstrating the value of cyber security as a career opportunity to as wide an audience as possible and it has attracted almost 20,000 registrations to date.
But we need to do more. Famously, the government recruited winners of a Daily Telegraph cryptic crossword competition to work at Bletchley Park. Today I’m pleased to announce a similarly creative solution in the hunt for expertise, but with a 21st century spin. It’s a new app called ‘Cryptoy’ that’s been developed by students on placement at GCHQ and is available for anyone to download free from today from GooglePlay.
The app showcases famous ciphers and codes from history, include types used by the Julius Caesar and Mary Queen of Scots through to the Enigma codes of the Second World War. It’s designed to be a fun teaching aid for pupils aged 14 and over, to develop interest in code making and breaking and associated disciplines like mathematics and programming. We hope it will help spark awareness of the career opportunities available for those who equip themselves with the right skills.
Conclusion
So in conclusion, the government has continued to work with businesses and academia to help make the UK one of the safest places in the world to do business. This is part of our long term economic plan. We want to be a place where people and businesses want to invest.
This is an area of strength for Britain. We already punch above our weight in cyberspace. But we have the potential to be so much more. So let’s carry on working together. Because by seizing the opportunity for jobs and growth, innovation and advancement, Britain can genuinely be a 21st century cyber superpower.