The Minister for Cabinet Office spoke at IA14, the government's 2014 conference for cyber security and information assurance decision makers.
It’s a pleasure to speak at IA14.
Much has changed since I spoke at IA12, 18 months ago. We’ve some new tools at our disposal. New talent is entering the cyber security profession. Awareness is steadily rising.
But the most obvious change is that growth has returned. The UK is one of the fastest growing economies in the developed world. This presents 2 challenges, which I’m going to talk about today.
The first challenge is to redouble our efforts as part of our long term plan for the British economy to make the UK one of the safest places in the world to do business. The economy that emerges from the Great Recession needs to be stronger, more secure and more attuned to the risks than ever before.
The second is to seize the opportunity that cyber presents for innovation and enterprise, and for jobs and prosperity. Often we focus on the threat because we want companies and organisations to take note and take action. That’s important. But cyber security shouldn’t be seen as a necessary evil. It’s a growth business in its own right and it can be a strength for Britain.
The answer to both these challenges is that businesses and government are better off working together. Pulling in the same direction, with the same goals, makes us stronger and more aware, and leaves us far better placed to mitigate against the threats and maximise the opportunities that cyber presents.
Those who would do us harm have been busy over the past 2 years.
Perhaps the most high profile example was the recent attack on eBay. All it took was a small number of employee log-in details to be jeopardised for hackers to obtain the entire customer database. As a result 128 million people – equivalent to twice the population of Britain – had to change their passwords.
Earlier this year, the Heartbleed vulnerability emerged. The origin of that particular problem wasn’t even malicious – it was caused by a single simple error among reams and reams of code. I’m told that the code in question was written late on New Year’s Eve – which I’m sure has absolutely no connection whatsoever…
Most recently, we’ve faced Gameover Zeus – not just a virus, but a worldwide pandemic – with the power to intercept and redirect financial transactions from infected computers. These are just the ones we hear about; the ones that got through – others have been thwarted.
I can tell you of a recent case where a state-sponsored hostile group gained access to a system administrator account on the Government Secure Intranet. Fortunately this attack was discovered early and dealt with to mitigate any damage.
For that – and in many other cases – we can be thankful that we have some brilliant people working to keep us safe. They’re drawn from GCHQ and the security services, the armed forces, the police and National Crime Agency, the civil service, and of course the private sector too, but they share much in common. They’re bright, motivated and have bucket loads of expertise.
Many are in the audience tonight and I’d like to take this opportunity to thank them. Their work truly represents some of the best I’ve seen in the public sector.
But they can’t do it alone. We’re all responsible for our own security, in government, in business, in our homes and whenever we go online.
An organisation is only as strong as its weakest point. Even the smallest of chinks in a company’s armour can have far reaching implications. So the responsibility for good cyber security is shared at every level.
Many of you will be familiar with the 10 Steps for Cyber Security guidance that we published in 2012.
There’s an onus on the most junior employee to protect his or her passwords – just as there’s an onus on the chief executive and the non-executive directors to ensure cyber security is taken seriously in board meetings.
We’ve also developed the new Cyber Essentials scheme, launched on 5 June.
It gives businesses clarity on good basic cyber security practice and will provide protection against the most common threats. After going through a certification process, businesses will be able to show they have the right measures in place by displaying the Cyber Essentials badge, which we hope becomes the cyber equivalent of the MOT certificate.
It already has support from a whole range of organisations including the CBI, Federation of Small Businesses and the Institute of Chartered Accountants. The insurance industry is also supporting the scheme with 2 firms, Marsh and AIG, offering incentives for businesses to become certified.
From October, government will require all suppliers bidding for certain personal and sensitive information handling contracts to be Cyber Essentials certified.
In March this year, our ability to respond to cyber threats took a massive step forward when I opened CERT-UK, our first national Computer Emergency Response Team.
In the past, when I’ve met my counterparts overseas, one of the things they always asked me was why there wasn’t a single point of contact for cyber security incidents in the UK. CERT-UK fulfils that role. Our international partners now know who to call, as does government, business and academia.
It also means that a single organisation is coordinating our response to cyber issues on a daily basis and can identify and track risks as they bubble up and, when necessary, bring others together to respond.
I visited CERT-UK again a few weeks ago to see the difference they’ve made. Since its launch 2 months ago, hundreds of incidents have been reported, of which over 80 have required engagement from CERT-UK.
Sitting as part of CERT-UK is the Cyber Security Information Sharing Partnership (CiSP) platform. Cyberspace is simply too big for any organisation to have sight on everything that’s going on and so there is a massive need to pool our information for mutual benefit.
CiSP enables government and business partners to exchange information on threats and vulnerabilities as they occur in real time. It started with 100 partners; but on average 30 new organisations join each month, swelling the current total to over 450. It includes a number of professional organisations like the Law Society and the British Banking Association who are bringing their members into the fold.
Every day they notify members of around 215,000 abused IP addresses, so they can be blocked or dealt with. The secret of its success is very simple. It’s about trust.
CiSP works because it has government involvement, but it’s business-led. Companies are under no compulsion. Information is shared voluntarily.
This enables a ‘fusion cell’ made up of analysts from business and law enforcement to draw together a single intelligence picture of cyber threats facing the UK. The more businesses that join and the more information that’s shared, the better the overall picture and the greater our collective resilience.
Let’s look at the experience of BT as an example. Cyber security is absolutely critical to their business which is why they’re part of the Cyber Information Sharing Partnership. In one instance, CERT-UK shared data with BT about UK servers that could be used to perform a distributed denial-of-service attack, meaning BT were able to assess the threat to their own networks. The information originated from a separate CERT in Germany and may not have reached BT had it not been relayed by CERT-UK.
In another instance, BT was alerted by another CiSP member to stolen credentials appearing on the internet, including those of BT employees.
The value of CiSP was really brought to the fore in responding to Heartbleed. CiSP rapidly warned members of the threat, providing signatures that could be used to detect abuse. BT have since told us that “amongst all the media frenzy surrounding Heartbleed, CiSP provided a haven where members could cut through the noise and exchange meaningful updates and intelligence with each other”.
This is the pattern for success: governments and businesses working together to pool expertise, learn lessons, share capabilities and coordinate action.
A good example of this cooperation is our preparation for the Commonwealth Games. Two years ago the London Olympic & Paralympic Games faced many threats to its digital infrastructure. The organisers, private sector suppliers and the security services worked in unison to defend our networks. Now we’re sharing the lessons from London with the Scottish government.
CERT-UK has already been assisting with the preparations: walking through incident response arrangements and raising awareness among some of the small and medium sized businesses that are supporting the Games.
Similarly, the Centre for Protection of National Infrastructure has been advising Scottish companies. And when the Games begin Police Scotland will work side by side with the technical staff from the National Cyber Crime Unit to deal with incidents as they occur.
By working together we will also maximise the opportunity that cyber presents to business throughout the UK.
Cyber security demands technical innovation and entrepreneurial ambition, backed by world-class skills and research – all of which the UK has in spades. In the past year, I’ve discussed cyber security with my counterparts from as far afield as India and Israel, Spain and South Korea and it’s clear that the phrase “Made in Britain” has enormous resonance.
In March, I visited the headquarters of Cassidian in Newport, which produces everything from encryption projects for Eurofighter Typhoon aircraft to secure networks for government communications.
Cassidian is one of the giants – but I’ve also visited small firms like Titania, one of 40 small cyber security companies clustered around Malvern in Worcestershire and, despite its small size, supplies products to organisations in over 50 countries.
Cyber has the potential to create new businesses – and to turn small companies into large ones.
Take the Phoenix IT Partnership as an example. Just over 15 years ago it had a turnover of £26 million a year and 500 staff. But then it won a contract from Northrop Grumman to help provide automated fingerprint ID services to police forces across England and Wales. Now they have 2,300 staff, in 20 UK locations, with a turnover of over £230 million.
We want to support precisely these kind of companies, which is why we’ve produced the first ever Cyber Exports Strategy. We aim to be exporting £2 billion worth of products and services by 2016 – that’s a sharp increase on the £850 million we sold last year.
To conclude, technology moves on – the opportunities grow, so do the threats. There will never be a steady state. We can’t pause; we can’t slow down, even for a minute. There’s always something more we can be doing to protect ourselves.
The internet has revolutionised the way we live and work and it connects people closer together than at any point in human history. However serious the threats, they don’t change the central truth that the internet has been, and will continue to be, a massive force for good in the world.
The strength of our partnerships, and the trust that enables us to share information, will allow us to build a safe and secure economy, and grasp the opportunity for future growth, so everyone can prosper from the digital age.