It’s amazing to think it’s now 25 years since the World Wide Web was invented – and the internet for longer still before that.
Because of the amazing ways it’s changed the way we live and the way we work, and because of the open and organic way it grew, it didn’t take long for the first cyber threats to emerge.
One of the world’s first cyber-attacks was as far back as 1988 - a worm called Morris. It sounds rather harmless and quaint – and in some ways probably was tame compared to the destructive potential of the kind of attacks we face today.
The media is now full of stories about multiple denial of service attacks and significant data losses.
93% of large corporations had a breach over the past financial year. The average cost of each one is somewhere between £450,000 and £850,000, although we know of one London-based company which lost £800 million worth of revenue because of an attack.
But as much as we make the threat sound dark and menacing, and as much as we want individuals and businesses to sit up, take note and, more importantly, take action, we mustn’t lose sight of how the internet has transformed our lives already for the better – and the opportunities and potential it offers for the future.
Throughout history, transport links, communication routes, marketplaces – any place where people come together to do things – have always attracted criminals, from the classic masked highwayman of 18th century England to the modern day pirates drawn to the international shipping lanes in the Somali basin. And of course it’s no different in the realm of cyber.
The internet obviously isn’t inherently a bad thing. It’s inherently a really good thing. It brings people closer together and for the most part it is a huge upside – we must never lose sight of that. And the work that is done by people involved with cyber security is ultimately all about making the internet a safe place so we can all share in the benefits.
This afternoon I’ll be speaking in the Square Mile to the financial services sector as part of City Week. I expect some of you may be attending both events today – so please try and look surprised when you hear me say the same things over again….
But the message I’ll take there to the business leaders and economists present will be a simple one. Cyber security isn’t a necessary evil: it’s both an essential feature of - and a massive opportunity for - the UK’s economic recovery.
At the most basic level, the financial institutions that emerge from the great recession have to be stronger, safer, more secure and more alert to the risks than they were before.
CERT-UK is going to play an incredibly important role in ensuring that we have that firm, resilient, foundation underpinning our economy. It’s crucial.
The path to CERT-UK
2 and a half years ago we published the National Cyber Security Strategy. It marked a ratcheting up of the seriousness with which we take cyber security – and our determination to ensure our national security and the safety of everyone who uses the internet.
And that determination is evident in the fact we backed the Strategy with proper folding money. At a time when budgets across government have been cut, we put more money into cyber security - £860 million to be precise.
But no one entity – particularly government - can tackle these threats on its own. So we put partnerships at the heart of that strategy.
The presence of Steve Collins [National Grid] and Larry Zelvin [US Department of Homeland Security] here today underlines our commitment to working with business and with our international partners.
Last year, in this very room, we delivered the Cyber Information Sharing Partnership (CISP) - so government and business partners can exchange information on threats and vulnerabilities as they occur. That real time information sharing is absolutely crucial. We started with fewer than 100 individual members, but there are now over 1,000, and over 350 businesses and organisations have registered.
Chris Gibson [CERT-UK Director] will talk about this in his speech, but I am pleased to announce that the CISP now has a permanent home inside CERT-UK.
We have representatives from some of those partners in the CISP, including the Law Society, the British Banking Association and the Institute of Chartered Accountants for England & Wales, which is the first accountancy body to join. I can announce that earlier this month IMRG - the UK’s Online Retail Association – also joined CISP, bringing numerous retailers into that fold.
I’d like to thank all these bodies for the work they do to promote the CISP to their members.
I recall when we launched CISP a year ago, Howard Schmidt, the former White House cyber security tsar, commented on how much the UK had achieved in a really quite short space of time.
And today – a little over 2 years after publishing the strategy – we’re now launching a second major new tool, the UK’s Computer Emergency Response Team.
Of course today is just the ‘Go Live’ date: there’s already been a lot of hard work and a lot of effort to reach this point.
I announced our intention to create this at GCHQ’s last major information assurance conference, hot on the heels of our experience at the London Olympic & Paralympic Games.
Every day during that time witnessed new feats of sporting achievement – but also countless attacks against the digital infrastructure. We successfully defended our core networks against a range of threats, working seamlessly across government and the private sector. We also worked closely with our international partners, and we saw a number of government CERTs galvanise their capabilities to meet the challenges associated with this unique event.
We’d had measures in place to deal with threats to essential services for some time, but what the Olympics taught us was the need for better coordination.
A scoping study met with over 100 different organisations and individuals across government, law enforcement, industry and academia to gain insight and understanding and develop a vision for a national CERT.
Since then, a lot of work has been done to build the system: recruiting the right people; getting the technology and process in place; and forging those all-important links with partner organisations in other countries.
Getting to this point has been a team effort across government, business and with our international partners. A lot of you in the room have given your time, your advice and your resources and we look forward to working with you, building on these partnerships in the future.
The role of CERT-UK
CERT-UK brings together a number of sources of expertise, including the Cyber Security Incident Response Team and the Cyber Security Information Sharing Partnership.
To supplement this existing capability, CERT-UK is now forging partnerships with law enforcement agencies and other government and national CERTs, as well as academia and business.
At the sharp end, the CERT-UK will take the lead in coordinating the management of national cyber security incidents. One area where it will play a particularly important role is in providing support to our Critical National Infrastructure companies.
CERT-UK will provide an authoritative voice to those agencies and organisations that are helping the UK to become more resilient and to prosper in the internet age.
It will also share information with companies to promote situational awareness and effective mitigation of threats, which CISP also helps to fulfil, and something I’m sure Steve Collins will talk about later.
And I’m pleased to announce that NOMINET, who are with us today, have launched Cyber Assist, the first cyber security service designed specifically for UK small businesses.
But as important as it is that we build our own national resilience in the UK, cyber security is, at heart, an international issue. The cyber domain knows no borders and cyber security is an issue that no one country can afford to ignore or address alone – and I look forward to hearing Larry’s views on the US perspective.
CERT-UK will be the single point of contact for our international partners for CERT-to-CERT engagement, an increasingly important area of dialogue. It will manage incidents that cross national borders and it will share information that promotes situational awareness and effective mitigation of threats.
Of course, we will never be able to eradicate cyber threats completely, but you can lessen the impact. Only by working closely together – at home and overseas - can we increase awareness and build resilience to reduce the impact of cyber threats.
Nature of the work
It all sounds like a lot of hard work – and it is, and will be.
Cyber threats to the UK are diffuse, unpredictable and generally anonymous. They could come from organised criminals based in another continent; or they could come from a teenage computer hacker closer to home.
The cyber hacker needs to succeed only once, but those protecting us must be successful all the time; around the clock, day after day, week after week. And of course, nothing in the digital world ever stands still. It’s forensic and painstaking work and it’s absolutely relentless.
I have a very high level of confidence that we can achieve this.
I think the UK is at the forefront of global cyber security. That sounds like asking for trouble to say that. It doesn’t contain any hint of complacency I stress, because we know that this changes all the time. But we start from an OK place in terms of how we progress from here.
And I’d like to take the opportunity to pay tribute to the work of GCHQ, National Crime Agency and the security services.
Much of their efforts to protect us from cyber threats inevitably takes place behind closed doors away from the glare of publicity. But they’re at the vanguard of our defence, and their work makes a really direct contribution to the security and wellbeing of the whole country.
I’ve visited Cheltenham now a number of times, and I’ve always been struck by how GCHQ and their operations represent much of what is best about our public sector. I know that we’ll see exactly the same ethic, the same dedication and hard work, from all those involved with CERT-UK and its partner organisations.
So, in conclusion, 2 years since publishing the Strategy for National Cyber Security we’ve delivered both a Cyber Security Information Sharing Partnership and – as of today – we’ve also delivered a cyber emergency response team: just two of a range of initiatives delivered in partnership with business and academia.
We can never be complacent: we really can’t. But I think everyone involved with the Cyber Security Strategy can be proud of the progress we’ve made from what was essentially a standing start.
Government can’t do this by itself. I think CERT-UK shows our intent on where we want to go: ever closer coordination between government, business and academia to share insights and share advice; better cooperation with our international partners.
And that job will never be done – it will always be a work in progress. But, from today, CERT-UK means we can go forward with a new tool in our armoury: better prepared, better informed, better connected and ultimately more resilient.