Francis Maude spoke to the Information Assurance conference about the government's cyber security strategy, one year on.
Watch speech on YouTube
Go back just twenty years and the internet was the preserve of a small group of academics, scientists, researchers -
-Today thanks to the efforts of the early internet evangelists there are connections in all corners of the world. Over two billion people are online, with billions more set to join them in the next decade.
And ask most people what the internet has done for them - and the answers will come flowing -
Email, Wikipedia, Google, YouTube, Twitter -
We can connect to people all over the world - news travels faster, ideas are shared more easily and we have far greater access to information whether it’s what your government is up to or when your next bus is arriving -
The internet has revolutionised the way we do business and is driving growth - the UK’s Internet-related market is now worth £82 billion a year and this is set to rise.
Whitehall until now has lagged behind the business world in providing convenient online services for customers but this too is changing. We recently set out plans to make billions of savings and provide a better service to users by making public services digital by default.
In short - the internet is manifestly a massive force for good here in the UK and across the world. But the reason we are here today is because the rise of the internet has also transformed the risks we face.
Cyber attacks are one of the top four threats to our national security and cyber crime is costing our economy billions of pounds a year. And as businesses and government move more of their operations online, the scope of potential targets will continue to grow.
If we stand still - we risk damaging confidence in the web and without public trust all the benefits the internet brings will be lost.
It’s a race: to build sufficient cyber defences to match the growing volume and dependence of our online economic, security and social interests. And it’s a race we can only win if we work together -
Government, industry, academia and the public. We are all invested in the success of the internet - and we all have a shared responsibility to make it safe.
The accelerating threat
As you’ll be aware the government is taking the cyber threat extremely seriously.
In the last year our understanding of the threat has dramatically improved - and it’s clear there’s no room for complacency. High end attacks that were previously aimed at specific targets such as the defence sector are now reaching the open marketplace even faster.
Industry suffers at the hands of such threats. One recent survey found that 93% of large corporations and 76% of small businesses had a cyber security breach in the past year.
Nor are we immune in government. On average over 33,000 malicious emails are blocked at the Gateway to the Government Secure Intranet every month. These are likely to contain - or link to - sophisticated malware, often sent by highly capable cyber criminals and state sponsored groups. A far greater number of malicious, but less sophisticated emails and spam are blocked each month.
During the Olympics, the London 2012 Games systems recorded millions of cyber-related events, ranging from harmless glitches to deliberate attempts to disrupt Games-related digital infrastructure. This was a real test of preparedness and response and demonstrated that managing this sort of risk is now a fact of life for any major event or business.
Our responses to these threats have to be fast and flexible, both in government and in the private sector. What works one day is unlikely to work a matter of months or even weeks later.
The government has rated cyber attacks as a Tier 1 threat and despite a tight financial situation we have committed £650million to the transformative National Cyber Security Programme to bolster the UK’s cyber defences.
And today is the one year anniversary of our cross-government Cyber Security Strategy for ensuring the UK can manage the risks and harness the benefits of cyberspace.
Earlier today I updated Parliament on our first year progress. And while there is further to go it is clear we are already in a stronger position.
Achievements so far
The strategy essentially sets out how we can get ourselves into a position where law enforcement is beating cyber criminals; businesses and citizens know what to do to protect themselves; and threats to our national infrastructure have been confronted.
And this last year we have concentrated our efforts on building the UK’s capacity to detect and resist cyber threats. First and foremost this has meant investing heavily in new and unique capabilities for GCHQ. Much of their key work can’t of course be discussed but they are doing ground-breaking work to identify and analyse hostile cyber attacks in order to protect our core networks and services.
On top of this we’re improving and investing in our law enforcement agencies so they are better prepared and resourced to handle the increasing volume and sophistication of online crime.
For example we have created three regional hubs in the Police Central e-Crime Unit who have already exceeded their target of averting £504million worth of cyber crime in just two years. While the Serious Organised Crime Agency has repatriated over 2.3 million items of compromised card payment details to the financial sector in the UK and internationally since 2011, with an estimated prevention of potential economic loss of over £500 million.
We’re also building a partnership between government, law enforcement agencies and business for tackling cyber threats. This is crucial because private sector is the largest economic victim of crime and economic espionage perpetrated through cyberspace. And much of the infrastructure we need to protect in the UK is owned and operated by the private sector.
One of our key initiatives has been the pilot of a joint public/private sector cyber security ‘hub’ called ‘Project Auburn’ to promote information sharing between government and industry on attacks and potential threats.
And to support this we have ‘kitemarked’ four incident response and cleanup companies so that organisations which have suffered an attack know where to go to get the support they need to get back up and running.
GCHQ is also developing a Commercial Product Assurance scheme, which will give institutions confidence that the security features of the products they buy to manage their cyber risks are effective. The first product assured under the scheme has already saved HMRC £2.4m.
We are also reaching out to more companies beyond the critical infrastructure. GCHQ, the Department for Business and the Centre for the Protection of National infrastructure (CPNI) have been working with FTSE companies and a broad range of private sector organisations to raise awareness of the threat and the need for companies to improve their cyber security capability.
New Cyber Security Guidance for Business on safeguarding valuable assets such as intellectual property and online services was launched at a meeting of ministers and chairmen of FTSE 100 companies in September.
There is no doubt that the UK as a whole needs to become more cyber savvy if we are to prosper in a digital world in the future. IT has become central to how we live and yet today most of us simply know how to work a device - not why it works.
To counter this we have worked with industry and academia to enhance skills and education in cyber security across the UK.
For example, GCHQ has awarded “Centre of Excellence” status to eight UK Universities conducting cyber security research and £6 million has been set aside for two new research Institutes, one of which is already set up.
We have also worked hard to raise awareness of cyber threats to the public through the recent Get Safe Online Week and a ‘Devils In Your Details’ campaign focusing on online fraud which reached over 4 million people.
Finally we are working in partnership with other nations and organisations to help shape the development of cyberspace to support its role as a driver of open societies whilst promoting stability and reliability.
The faster cyber security capacity can grow globally the quicker our online community becomes more secure and in October we announced the creation of a new fund of £2million a year for a new centre to drive Global Cyber Security Capacity Building.
This centre will be based out of one of our leading Universities in cyber security expertise, and will bring together from across the world those who have a stake in cyber security and the experts in tackling cyber crime.
Future challenges - maintaining growth
All of this, and many other actions we have taken, means the UK is in a much better position than we were a year ago - but of course we are not about to sit back and say job done. There is much more to do - the nature of the threat means we cannot afford to drop our focus even for an instant.
The Olympic and Paralympic Games were a key test of our ability to defend the UK against cyber attacks. And the lessons we learnt will inform our cyber security national Incident Management plans in the future. I am pleased to announce today that the government will establish the first UK national Computer Emergency Response Team - to improve national co-ordination on incident response and provide a focal point for international sharing of technical information on cyber-security.
London 2012 was a truly digital games - which reflects the fact that we live in a society where increasingly our working and social lives play out on the web.
But if we want this to continue there is no doubt that we must continue to take steps to maintain public confidence and trust in the online world.
Success hinges on government and law enforcement agencies building even stronger partnerships with the private sector to combat the threat.
So far we’ve made progress raising awareness but this is only half the story - government also needs to get the right incentives and structures in place to encourage and support the behaviour change needed in industry.
In January we are set to launch a new UK Cyber Information Sharing Partnership with industry. This will provide a confidential environment for firms to share cyber threat information and where we aim to develop the capability to share information on cyber crime threats in real time.
The government will also work closely with the private sector and standards bodies to support the development of industry-led ‘organisational standards’, to ensure there is clarity about what good practice looks like for an organisation trying to manage its cyber risk.
This will not only give firms clear steps to follow in managing their cyber risk - it will also give customers and investors a clear indicator of whether a firm is taking this risk seriously.
We shouldn’t forget as well that cyber security also presents an opportunity for companies with the growth in demand in the UK and globally, for vibrant and innovative cyber security services.
To support this, the government will launch a ‘Cyber Growth Partnership’ in conjunction with Intellect, the ICT members organisation which represents over 850 technology organisations, large and small.
Central to this will be a high level group which will identify how to support the growth of the UK Cyber security industry, with an emphasis on increasing exports. It will also help identify what currently stops the cyber security sector from growing, with a particular emphasis on SMEs and boosting their market potential.
And it’s clear that improving cyber security skills is critical if we are to maximise the business opportunities of the networked world and keep the UK at the forefront of innovation. So there will also be further work to stimulate skills in cyber security including:
- Cyber security is to be built into engineering degrees led by the Institution of Engineering and Technology
- The provision of over 80 PhD student sponsorship awards thanks to funding by GCHQ and government departments
- A programme to recruit ‘Cyber Reservists’ to the MoD - more detail on which will be announced next year
- Interactive learning materials on cyber security for GCSE students led by eSkills UK
Finally business and government need to continue to educate customers so that everyone using the Internet is better informed of the potential risks and how to protect themselves online.
This process has started with initiatives like Get Safe Online Week. And HMRC is rolling out new technology which alerts visitors to their website when they have an out of date browser which may pose a security risk to them. It is intended that the service will be rolled-out across government once it is tried and tested.
Next spring, in partnership with the private sector, we will launch a package of new initiatives aimed at increasing cyber confidence and measurably improving the online safety behaviour of consumers and SMEs.
These activities will be measured through a new ‘National Cyber Confidence’ research tracker, which will regularly track online safety perceptions and behaviours.
The internet is a powerful tool - it has revolutionised our daily lives these last twenty years, to the extent it can be hard to recall functioning without it. But we cannot be blind to the fact that the internet does not discriminate between the people it empowers.
We need to protect the web and all the benefits it brings us from the criminals, the frauds, the hackers, the terrorists - and ensure it continues to be for everyone.
We’re making progress - as I’ve set out today. But the threats won’t disappear and they are ever-changing - and we will continually be assessing our progress and re-prioritising resources as necessary.
But one thing is certain - to succeed going forward we will have to work together - to share our resources, skills and intelligence.
It is through strong partnerships between government, the industry, academia and the public that we will continue to enjoy the many and still emerging benefits of a networked world.