Welcome to the Foreign and Commonwealth Office and thank you all for taking the time to join us here today.
Over the past few decades the pace of technological change has been blistering. As use of the internet has grown it has shaped our industries, the way we work and how we live our lives to a previously unimaginable degree.
This change has been a huge boon to the United Kingdom. 6% of our GDP is generated online and this year online retail sales will top £50 billion. Briton’s do more of their shopping online than any other nation. We have some of the globe’s leading technology firms and a culture that has embraced the internet and all the advantages it has brought.
The flip-side of the speed and breadth of this technological advance is that while we have embraced the good, we have not always done everything we might to prevent the bad.
As online access becomes easier, and more people spend more time online, we are creating a fertile environment for cyber crime, cyber espionage and the activity of hackers.
With the launch of the ‘10 Steps to Cyber Security’ we hope to support British businesses to take full advantage of the benefits of the internet whilst at the same time taking reasonable steps to mitigate the risks.
This event is the product of a huge coordinated effort between GCHQ, BIS, CPNI, Home Office and OCSIA, who have all worked together to develop this guidance based on a rigorous assessment of the known risks to the UK and the most up to date means of countering them.
I would like to pay particular tribute to all the men and women of GCHQ, and to their Director Iain Lobban for the work they do for our country. Day in, day out, they work tirelessly to protect our national security and interests. From countering the threat of terrorism, protecting Government and business from espionage or supporting our armed forces; GCHQ brings extraordinary skill, expertise and creativity to keeping Britain safe.
In a moment Iain is going to talk to you about the nature of the cyber threat, and the vulnerabilities that you may not even know your company has. We know that at the very least, 1 in 5 FTSE-listed companies has been compromised, across six sectors, including several major names we would all recognise.
This year alone there have been attacks on Government Departments, IT and telecoms giants, banks, engineering firms, legal firms, audit houses, manufacturers, energy suppliers, academic institutions, broadcasters, construction companies and even charities.
And as Foreign Secretary and Minister responsible for GCHQ I see what the cumulative effect can mean for our whole country.
When I visit countries such as China, Brazil or India, it is clear to me where the United Kingdom’s competitive advantage comes from. We won’t be able to compete with emerging nations on labour costs or bountiful natural resources. We compete on our knowledge.
Our expertise is our expertise. Whether it is supply chain design, the algorithms that predict customer behaviour, the inner works of electronic money markets, or the design of the latest jet engine; our innovation, knowledge and experience is this nation’s greatest economic asset.
But it is also one that is very easily stolen or disrupted.
Put simply, cyber criminals cannot be turned back at the border. They are not constrained by the guard at your office door.
Your businesses work across national boundaries. You may be multi-national companies or have overseas suppliers; you may have customers from every continent or have your email servers based in other countries.
Even if you don’t think of yourselves as an international organisation, I would be surprised if you don’t have an international communications system or if your information does not cross oceans and transit servers all over the world, every minute of the day.
You would laugh at the idea of leaving your office buildings unlocked and unguarded all night, or providing perfect copies of your customer’s credit card details to passers-by; but this is, in effect, what you are doing if you fail to take basic steps to protect your company from cyber attacks. Sophisticated malware and exploit packs can now be purchased for as little as £3,000 and you don’t need a huge amount of expertise to use them. This means it is becoming easier to participate in cybercrime.
The challenge is immense, and it is growing rapidly.
For any company the impact of being targeted in a cyber attack in this way could be catastrophic, whether for your intellectual property, reputation or future.
We need every UK company to take the threat seriously and to adopt the recommendations.
In recent months, and I am sure they won’t mind me mentioning it as it has been so widely reported, we have seen the impact for O2 and Natwest of a failure in their IT systems. Many 02 customers lost service for two days after a network issue and a problem with a software upgrade meant that Natwest couldn’t process account transactions. I am not suggesting that these problems were caused by a cyber attack, but it does show the modern reliance on complex computer systems and the potential impact if they are disrupted.
This is why we are publishing this booklet today. We want British companies to be as safe as possible and for their businesses to thrive. The measures and practises in this booklet can help your company to guard against 80% of the known cyber threats. This is good news.
And there is more good news. Cyber security isn’t simply a risk; there are also huge opportunities for the UK.
If we instil in our organisations a high-level of cyber security then we will inspire confidence in our ability to protect our own assets. That confidence will convince investors and customers that we can look after their interests. This will in turn help British business to grow its export market and create an even more attractive proposition for inward investment.
Taking the right approach towards cyber issues can be a part of working towards building the UK’s economic prosperity and helping the global economy.
Indeed the UK’s National Cyber Security Strategy is built on the idea that in the future, the social and economic benefits of the digital age can be expanded to all people and countries around the world, in a way that minimises the risks.
The United Kingdom is already a world leader in the skills and knowledge necessary to make the most of the internet. We want to make sure that we support our businesses to benefit from that expertise. There is no reason why we cannot develop cutting-edge products and services whilst at the same time defending our critical networks and infrastructure, and as a Government, we will help you to do that.
That is why we are publishing this guidance and why Iain is going to share with you information some of which is normally kept secret.
We are asserting our vision of a cyberspace in which not just governments, but business and civil society play a critical part. Some countries disagree, preferring a state-centric approach. We must therefore be energetic with our business partners in defining the rules of behaviour that govern the online world and shaping a cyber environment that protects our way of life in the UK and protects our democratic values. That is why I hosted the first ever international conference on cyberspace in London last year and that is why I will be at the Budapest Conference in October.
But it is not an issue that governments alone can address.
In fact, nothing would be more self-defeating than the heavy hand of State control on the internet, which only thrives because of the talent of individuals and of industry within an open market for ideas and innovation
This guidance aims to provide you with some ideas for assessing your companies’ approach to these issues. We must strive for a model for internet governance in which governments, business and users of the internet work together in a collective endeavour, establishing a balance of responsibility, for the benefit of us all.
I hope we can continue to push the limits of ingenuity developing versatile technologies that improve virtually every aspect of our lives. We are trying to start a process that will bring Government and business closer on cyber issues so that we can continue to build a safe online environment. I hope you all will benefit from adopting the recommendations in the guidance. I believe that with the right collective approach we have a bright technological future, with the prospect of further yet-undreamt of innovations still to come. But we will only get the benefit of that if we protect our work, our intellectual property, our designs and our latest confidential material from ever more unscrupulous and effective attack.