The digital transformation
It’s a pleasure to open the tenth Payments Council Cyber Security Conference.
Tomorrow is Halloween and part of my job description as Minister for Cyber Security is to speak at events like these to try and make the cyber threat sound as dark and menacing as possible so that people take steps to protect themselves.
But this is also an opportunity to take stock of how the digital revolution has completely changed the way we work and live for the better – because as much as we focus on the threats, we must never lose sight of the benefits.
When Tim Berners-Lee created the World Wide Web 25 years ago, he did so in a way that was open and free. That was an incredible gift to the world, because it made it possible for anyone to take this invention and use it to create new technologies, solutions and opportunities. And that’s exactly what happened in your sector.
This August saw the twentieth anniversary of the first online purchase – which, believe it or not, was a Sting CD. Despite that inauspicious start, Amazon, eBay and PayPal followed, changing the face of retail, and soon after banks made it possible for people to manage their accounts online.
Alongside online shopping and banking came new ways to manage and transfer money. Over the last 10 years we’ve seen the arrival of one new technology after another: from chip-and-pin to mobile and contactless payments.
There are now more ways to pay than ever before. So the digital revolution has ushered competition, choice, speed and convenience into the world of payments.
And the upside hasn’t just been for consumers and businesses, it’s been a boon for philanthropy too. The internet created new ways to buy but also to give, which has been fantastically useful for the marathon runners, cake bakers and skydivers among us.
Every year payment systems process over 7 billion transactions, worth over £75 trillion – everything from bills by direct debit to welfare payments by the state. So it’s in all our interests to keep the sector safe.
This should determine the spirit in which we approach cyber security – not because we’ve been bowed and beaten into defending ourselves, but because we have something wonderful and transformational which we want to strengthen and advance.
And that’s why cyber security is an important part of our long term economic plan – because we want the UK to be one of the most secure places in the world to do business.
When eBay was attacked earlier this year, the damage wasn’t just the theft of data or the possibility of fraud. It was about confidence too. 128 million customers had to change their passwords – and not all of them came back.
One successful attack – caused perhaps by the smallest of chinks in a company’s armour – can have massive repercussions. Whether someone’s buying their Christmas presents online, or using the cashpoint in town, or texting money to a charity while on a train, they all want to be sure their money and their details are safe.
Yet recently JP Morgan suffered a data breach which affected 76 million individual customers and 7 million small businesses in the United States. This is just one of the latest and most high profile examples – sadly businesses and banks experience these kinds of attacks all the time. And if the largest bank in America can fall victim to attack, then any business or online service can be vulnerable.
This is the threat we face: relentless in nature; global in reach; and substantial in impact. So how do we retain trust and build confidence when faced against this?
Law enforcement is certainly important. That’s why we backed our National Cyber Security Strategy – which celebrates its third anniversary next month – with £860 million of investment, much of which is directed toward beefing up our capabilities in this area.
It’s meant we’ve been able to establish the National Cyber Crime Unit within the National Crime Agency. Half of the NCA’s 4,000 officers are now being trained to become digital investigators and we’re funding the College of Policing to train a further 3,000 officers by 2015.
And earlier this year the Met Police launched FALCON, a new cyber crime and fraud team for London which is believed to be the largest of its kind in Europe. It will make the capital a hostile place for cyber criminals and fraudsters and build stronger relations between the Met and London’s businesses.
For the same reasons we’re also establishing specialist cyber teams to run investigations and provide advice and support to the public and businesses in regions.
All this will help but, by itself, won’t be enough to keep us safe online. We must recognise that we can’t do it alone. The internet is too large – and the threat too complex – for any single organisation to respond by itself.
We will only be truly effective when we work together, pool resources, share information and co-ordinate our response. That’s why our law enforcement agencies are working in partnership with their international counterparts.
Our success against the recent Shylock malware, which had infected 30,000 PCs around the world, is a good example. In the first project of its kind for a UK law enforcement agency, the National Crime Agency led the international response from the European Cybercrime Centre at Europol in The Hague. Investigators from the NCA, FBI, the Netherlands, Turkey and Italy gathered to co-ordinate action in their respective countries, in concert with counterparts in Germany, Poland and France.
The UK is actively engaged with developments in Europe, particularly the negotiation of the Network and Information Security Directive: we need strong cyber security in all member states, and this Directive can help. However, this should not come at the cost of onerous regulation on business and we will continue to work hard to influence the negotiations.
We also need to work together at home. Earlier this year, I opened CERT-UK, our first national Computer Emergency Response Team, which will bring about closer co-operation between businesses and the government and law enforcement agencies. It means that there is now a single organisation co-ordinating our response to cyber issues on a daily basis, which can identify and track risks as they emerge and, when necessary, bring others together to respond.
Sitting as part of CERT-UK is the Cyber Security Information Sharing Partnership, or CISP for short. CISP enables government and business partners to exchange information on threats and vulnerabilities as they occur in real time. This enables a ‘fusion cell’ made up of analysts from business and law enforcement to draw together a single intelligence picture of cyber threats facing the UK.
You’re going to hear more about CERT a bit later on from its director, Chris Gibson, but I would encourage as many organisations as possible to join, because the more that do, and the more information that’s shared, the better the overall picture and the greater our collective resilience.
Better law enforcement – and better sharing of intelligence – helps us respond to cyber threats, but of course the most effective approach is to defend ourselves against the possibility of cybercrime before it occurs.
Many of you will be familiar with the 10 Steps for Cyber Security guidance that we published in 2012.
Responsibility for good cyber security is shared at every level. There’s an onus on the most junior employee to protect his or her passwords – just as there’s an onus on the chief executive and the non-executive directors to ensure cyber security is taken seriously in board meetings. So if they haven’t already done so, then companies need to have a plan in place to protect themselves, with tried and tested contingencies.
And now there’s a way for firms to show they’re taking the threat seriously, in the form of the new Cyber Essentials scheme. It gives businesses clarity on good basic cyber security practice and will provide protection against the most common threats. And after going through a certification process, businesses will be able to show they have the right measures in place by displaying the Cyber Essentials badge, which we hope becomes the cyber equivalent of the MOT certificate.
Since October this year government now requires all suppliers bidding for certain personal and sensitive information handling contracts to be Cyber Essentials certified – because we want good cyber practice to cascade down our supply chain.
Businesses and government alike must also work together to educate the public – and online consumers in particular – so they are better informed of the risks and how they can reduce them.
I hope you have seen our Cyber Streetwise campaign in action. It’s a major public awareness campaign delivered in association with a number of private sector partners including Facebook, BT, anti-virus firms and banks.
The first phase of the campaign successfully ran in the beginning of the year and from the evidence we believe it helped avert losses of £27.2 million among the public. And I’d like to thank the Payments Council for supporting the Get Safe Online Week.
The involvement of government and businesses has helped it become the UK’s leading source of unbiased, factual and easy to understand information on online safety. Recent evidence from the National Fraud Intelligence Bureau revealed that £670 million was lost nationwide to the top 10 internet frauds in the space of a year.
So it’s the simplest steps that are the most effective such as regularly updating anti-virus software or treating unsolicited emails with caution. And we all need to be repeating these basic messages again and again. Because ultimately it comes back to trust – if government and businesses come together to present a clear, consistent message to the public, then they will have confidence in our advice and can take the necessary steps to protect themselves. And trust cuts right to the heart of how we build modern digital services, whether in the public sector or in business and retail.
The more we spend our life online, the more important it becomes that someone signing in to use a service is who they say they are. Until now, we’ve had to rely on offline methods, or on digital systems that that don’t give a high enough level of confidence for modern, sophisticated services.
That’s why we’re developing GOV.UK Verify. For the first time it will allow people to prove their identity in an entirely digitally way. And it will allow government – and eventually private sector services too – to trust that a user is who they say they are.
This work is still at an early stage – it went into public beta earlier this month – but we are working with business to develop the service so that, in time, it can make a real contribution to trust and security in the digital age.
So, in conclusion, the march of technology means there are more ways to pay than ever before. This is good news for businesses and the public alike.
But it does mean we must be vigilant and protect ourselves online. And cyber security must not just be an issue for the IT department – it’s an issue for the boardroom too.
So my message today is that we must continue to work together. Because only by working together can we share the information and intelligence necessary to combat the threats more effectively. And only by working together we can educate businesses and the public, so we can mitigate our weaknesses before cyber criminals have an opportunity to exploit them.
This will help make the UK one of the most secure places in the world to do business. And it will help ensure people have confidence in the security of new technologies – so they can continue to benefit from the many ways in which the digital revolution is transforming our lives.