Cyber Symposium 2015
Speech by Michael Fallon, Secretary of State for Defence.
I’d like to thank my French colleagues for arranging this symposium.
It’s an impressive gathering, as M Le Drian said, with strong international representation.
And what brings us all together is a growing interest in cyber and growing desire to keep several steps ahead of the threats we face.
I’m told this is the first of hopefully a series of events bringing together our militaries on cyber.
And, given the calibre of the individuals in this room, I’ve no doubt you will make a valuable contribution to the cyber debate.
French Cyber relationship
It’s also always a pleasure to share a platform with my good friend M Le Drian.
In fact, this is our tenth meeting in just over a year.
Which reflects the closeness of a relationship that has gone from strength to strength since the signing of the historic Lancaster House Treaty 5 years ago.
As M Le Drian has already indicated…our cyber relationship with France is amongst our most valued.
…with our 2* Military Cyber Co-ordination Group that reflects that close working relationship on cyber,
….that helps us share threat information to help us both improve defence of our military IT networks.
…that helps us share information and lessons on how to train cyber specialists.
…and which will be galvanised by the creation of our Combined Joint Expeditionary Force …that has been we tested on exercises this year.
Threats
And underlying this joint activity is a real sense of urgency.
An awareness of the scale, the diversity, complexity of the challenges we face. 100 years ago, as the name of this ampitheatre reminds us, we stood together on the frontline of a Great War.
…today we stand on the frontline of a virtual war.
And though the warheads launched are invisible…cyber is far from a theoretical threat. Our adversaries, whether
…revanchist Russia or evil ISIL
…are becoming ever more adept and determined to use cyber to force their advantage.
We’ve seen cyber attacks
…on TV5Monde and on Sony …on government systems in Estonia …on a Polish airline.
And cyber is not just used to gain military advantage, but to also, of course, radicalise individuals and spread misinformation as we are seeing with Da’esh.
Such dangers are only likely to grow.
One in seven people on earth are using Facebook.
…which can get worldwide headlines simply by adding a dislike button to its pages.
Another reminder of how fundamentally connected we are.
Of how our societies
…in the words of M Le Drian, when introducing the ‘Pacte Defense Cyber’, last year
… qui n’ont jamais été aussi dépendantes du numérique
(have never been so digitally dependent).
That makes us vulnerable.
Nor is it only our defence networks….already under daily attack…that are at risk
…but our civilian infrastructure.
Our transport networks.
Our energy networks.
Our banking systems.
Our economy as a whole.
The cost of cyber security breaches to the UK economy roughly tripled over just the last year.
Now in the order of £20 to 30 billion per year.
…compared to £10.7 billion for drugs supply and £8.9 billion for organised fraud.
And what makes web attacks harder to stop…besides the anonymity of the attacker…is the proliferation of low-cost technology…which can allow a minor hacktivist using a home computer to pose a threat.
Twenty years ago in an article appropriately entitled “alerte dans le cyberspace” Paul Virilio wrote that
….la bombe informatique nécessitera, au XXIe siècle, une nouvelle dissuasion, une dissuasion sociétaire, pour parer aux dégâts de l’explosion de l’information généralisée
((in the 21st century the information bomb will necessitate a new social deterrence to ward off the destructive effects of the explosion of generalised information)).
We’ve heard how France is developing its response to this “information bomb”. Today I’d like to set out briefly the UK’s response. It revolves around 3 ideas.
Putting Cyber front and centre
First, it’s about putting cyber front and centre of our thinking.
Cyber is now hardwired into UK defence’s DNA.
If you attended the DSEI exhibition in London recently…you’ll have seen the cyber zone….the first time the exhibition has given cyber a dedicated slot of its own.
That reflects a wider trend. These days we’re fitting cyber capability as standard into our tanks, ships and planes.
Fifth generation tech such as the F35 Lightning II not only give pilots enhanced network connectivity …allowing them to send real time information …untainted and unseen by others…from the battlefield to the back office…up to ministers…and back again.
Not only are we enhancing our kit…but we’re upgrading our training… testing out our cyber capabilities in a virtual environment.
And we’re supporting our future leaders in learning more about cyber.
Our 150th Cyber Masters student has just started their course this month at Cranfield University.
At the same time, we’re making sure defence’s supply of top talent is continually replenished by setting up a cyber reserve to attract the brightest brains from the private sector.
But cyber demands we adapt our tactics as well as our weapons and training.
So we’ve got the Joint Forces Cyber Group …bringing our service arms together to develop the novel techniques we need to confront high-end threats.
And all this activity critically, is underpinned by investment. We believe it’s better to invest in digital now than pay the penalty later on.
So, as the headline writers are fond of writing “we’re putting our money where our mouse is”…channelling more than £860 million into our National Cyber Security Programme.
However, the story doesn’t end here. Like the technology itself we must continually adapt.
What capabilities will we need to counter cyber adversaries in future? How can those tools be used to complement our response in other areas of defence?
That’s why cyber is pivotal to our Strategic Defence and Security Review now currently underway.
Creating resilience culture
Yet the response on cyber cannot simply involve government.
We have to create a culture of cyber resilience across society.
The UK government is sending out the right signals by committing to a basic level of cyber security.
…improving the resilience of core government ICT networks to cyber attacks…through authentication and ID assurance.
…and building a new Public Sector Network (PSN)… and creating a new security model for the sharing of services.
…but we’re also actively encouraging good cyber etiquette throughout our military and civilian services.
All our staff must complete mandatory information handling refresher training, annually, and take responsibility for their data.
…while we have networks of information risk and asset owners… embedded in our organisation to properly police data and deal with problems.
Since cyber blurs the lines between the public and private sector… we’re also urging industry to take cyber safety seriously.
We’re running exercises with government and industry to test their capacity to withstand cyber attack.
We’ve set up the UK’s national Computer Emergency Response Team CERT-UK …bringing together industry, government and academia to enhance our cyber resilience.
And we’ve launched a national “gold standard” for ‘Cyber security, cyber essentials’.
…so that companies handling sensitive and personal data can demonstrate they are secure and trustworthy.
That recommends business put in place critical controls…such as firewalls, access controls and maleware protection…to protect business from common cyber threats.
To date, more than 1,000 British companies have been awarded a Cyber certificate.
Lastly, we’re encouraging organisations to share information on threats and vulnerabilities as they occur through the Cyber Information Sharing Partnership (CISP) …complemented in ‘Defence by a Cyber Protection Partnership’.
That enables a “fusion cell” made up of analysts from business and the law enforcement and intelligence communities … to draw together a single intelligence picture of cyber threats facing our country.
More than 1,000 members and over 400 businesses and organisations have already signed up.
So we are determined to lead the way on cyber security standards.
And not just because we’re interested in our self-preservation.
…but because…by showing we’re one of most secure places in the world to do business in cyberspace…we can attract the investment that helps our economy grow.
The internet accounts for 8 per cent of the UK’s GDP advantage.
Over the last 10 years the ICT sector has grown three times as fast as the whole economy.
And that could be worth hundreds of billions of pounds to us in the years ahead.
Global responsibility
My third and very final point…to echo M Le Drian…is that tackling these online obstacles also requires an international effort.
Even strong multinational organisations like NATO
…are only as strong as their weakest link.
So the onus is on all of us…
…especially as key players in international institutions…to get our house in order.
That requires investment to avoid systems obsolesce in an age of exponential technological advance.
It requires better education among all government and business internationally about the importance of being safe in cyber space.
And it requires us to work together across frontiers to establish the new rules of the game.
Cyber operates in areas of ambiguity where what is and what is not considered an act of aggression… what should or should not be suitable response…are by no means clear cut.
So we need to adapt our doctrines accordingly…understand how best to respond in a range of different scenarios.
Conclusion
So there’s we’ve a great deal to discuss at this conference today.
And I’m not expecting all the answers.
After all, much work is already going behind the scenes …and it’s better to keep our adversaries guessing.
But…having this conference today is sending out a sharp signal to our adversaries.
That
…whatever their virtual schemes
…we’re on the case
…and we’re determined to bring all our vast capabilities
…all our enormous expertise to bear
…to thwart their plans in the real world.
Finally, I am delighted to announce that the UK will run the next of these Symposiums in London in late 2016. As I hope you agree, this is a valuable forum for exchanging information and ideas, and I am very pleased that we can build on the momentum that our French colleagues have started here today.