Francis Maude made a speech at the International Centre for Defence Studies (ICDS) in Estonia on 3 May 2012.
Check against delivery.
I am delighted to be here in Estonia and talking about a topic which is so important for both our countries.
The immense possibilities, and the huge challenges presented by the cyber revolution - how we can harness the opportunities and protect ourselves online without spoiling the very thing we are trying to protect.
At the present moment - can we imagine trying to go about our daily lives without the internet?
Cast your mind back and you may remember doing just that - there was a pre-internet world in which we all functioned.
But today with cyberspace such a powerful, ingrained part of our lives - it can be surprising to recall that the World Wide Web only began two decades ago.
The internet has revolutionised our working and social lives in this time. Today there are over two billion people online - almost a third of the world’s population. Billions more will join them in the next decade.
There is no denying the power of the internet and the power it gives individuals.
But of course the web does not discriminate between the people it empowers - and we know it can be a powerful tool for those who wish to do harm.
It’s often said that the internet holds up a mirror to our society - it reflects the best ideas, the most imaginative thinking, our entrepreneurial spirit. But it also shows up many of our worst characteristics. There is a dark side to the internet.
So do we throw our hands up in despair? Switch it off - return to a paper world?
Of course not. We’re not trying to protect ourselves from the internet - which remains a massive force for good in the world.
We need to protect the internet from hostile actors - the criminals, the hackers, the terrorists - who want to exploit it for less positive ends. And we need to protect children too from inappropriate material.
And as we meet the challenges presented by cyber space, governments' involvement needs careful consideration. The internet has flourished because it has been shaped by its users, not by governments.
Estonia and the UK
These are messages I know do not need reiterating in Estonia. My meetings with President Ilves and Prime Minister Ansip, and my visits to the Cyber Defence Centre of Excellence and the ICT Demo Centre, amongst others, have demonstrated to me just how much you have achieved in this field.
Estonia has emerged as one of the most connected countries in the world, a pioneer in the fields of public sector ICT and cyber security.
And I’m hugely impressed by how much of government is online here. Paperless Cabinet meetings. E-voting, E-health, E-schools. 97% of tax returns completed on line in minutes. Most importantly, the individual has complete control over the information held on them, via the X-Road.
What works here in Estonia might not work everywhere, but most of it can. And I know you are already exporting aspects of it across the world.
International cooperation is at the heart of our cyber approach in the UK and I am confident that my visit here is the first step in a deeper relationship on cyber between our countries.
This will build on the strong alliance we already have - through our experience fighting alongside each other in Helmand Province, Afghanistan. Our shared commitment to security. Our flourishing business relationship. And our shared drive for the EU to maximise the benefits of the Single Market to promote growth - including the Digital Single Market.
So I am very pleased to be able to announce that the Embassy here in Tallinn has begun the process of recruiting a new member of staff who will focus specifically on cooperation on cyber, and act as a permanent point of liaison with the Cyber Defence Centre of Excellence.
We will develop an Action Plan to identify the areas we can cooperate across government and business. And we will work together to tackle the challenges and exploit the immense opportunities which the cyber revolution brings.
The UK Challenge
I want the UK to learn from Estonia’s many successes in this field - and I know that we in the UK have much to offer Estonia.
In the UK the web is vital for our way of life, vital for our economy - around 6% of the UK’s GDP is generated by the internet and this figure is set to grow. We are exporting £3 in e-commerce goods for every £1 in imports. And we are working to ensure our public services are digital by default.
At the same time identity theft, phishing scams, card fraud online - are some of the fastest growing crimes in the UK. And as businesses and government services put more of their operations online the scope of potential targets grows.
A recent survey showed that one in seven large organisations have been hacked in the last year with large organisations facing one outsider attack per week; small businesses face one a month.
Intellectual property theft through cyber crime is a major concern. Countries and organisations across the globe are losing billions of pounds each year to cyber criminals.
UK Government networks continue to be regularly targeted by foreign intelligence agencies, or groups working on their behalf.
And we know that the threat is accelerating. High end cyber security solutions that were used 18 months ago by a limited number of organisations to protect their networks may already be out in the open marketplace - giving cyber criminals the knowledge to get round these protective measures.
Our responses have to be fast and flexible. What works one day is unlikely to work a matter of months or even weeks later.
In the UK we have rated cyber attacks as a Tier 1 threat to our national security and despite a tight financial situation set aside new funding of £650million to develop our response in the next four years. And one year ago we established a transformative national cyber security programme (NCSP).
This first year has focused on building our capability to resist cyber threats including investing in and improving our ability to detect and combat threats and the policing and reporting of cyber crime.
The UK, like Estonia, does not treat cyber defence as a solely military issue. We bring together the expertise of departments and law enforcement agencies under the umbrella of the Office of Cyber Security and Information Assurance in my Department - the Cabinet Office.
Improving the UK’s cyber security requires a multi-faceted approach involving a number of Government departments and agencies working in close partnership with industry and academia. The same kind of cross-government and cross sector approach which I know you have taken in Estonia.
Our Cyber Security Strategy published last November set out our four key objectives for ensuring the UK can manage the risks and harness the benefits of cyberspace.
1) Our first objective is to make the UK one of the most secure places in the world to do business in cyberspace.
Government can’t do this alone - the private sector is the largest economic victim of crime and economic espionage perpetrated through cyberspace. And much of the infrastructure we need to protect in the UK is owned and operated by the private sector.
Partnership with industry is essential and we are raising awareness in businesses of the potential threat to reputation, revenues and intellectual property from cyber attack.
There needs to be more alerting and greater awareness of attacks - with private organisations working in partnership with each other, Government and law enforcement agencies; sharing information and resources so we can build up a better picture of the threats we’re facing and collectively fight a common challenge.
We recently pioneered a joint public/private sector cyber security ‘hub’ with five business sectors - defence, telecoms, finance, pharmaceuticals and energy to allow us and the private sector to exchange actionable information on cyber threats and manage the response to cyber attacks.
The benefits of this are already emerging. In one case our intelligence agency GCHQ learning of a significant campaign of malicious emails targeting UK defence companies which they duly alerted that community to.
Our aim is to increase the scale of this engagement, jointly with industry, moving to full operational capability later this year, whilst expanding to include other organisations. Ultimately we want to see industry taking the lead on this important initiative so it’s led by industry for industry.
I have seen from my visit to the ICT Demo Centre and my meetings with ICT start ups at the Tehnopol business incubator how closely business and governments are working together in Estonia. It’s a model we certainly seek to follow.
Cyber security is also an opportunity for businesses. We are engaging with a wide range of sectors to discuss how we can help bolster cyber security as a selling point for businesses, for example, we are working on agreeing industry cyber security standards - helping businesses to advertise the fact they are managing cyber risks properly.
At the same time we are sharpening the law enforcement response to cyber crime - leading to some notable successes in the last year including our Met police preventing around £140m worth of cyber crime.
Our cyber programme has paid for the expansion of our Serious Organised Crime Agency - which has recovered nearly 2 million items of stolen payment card details since April 2011 worth approximately £300m to criminals.
And last week SOCA announced that dozens of websites offering credit card details and other private information for as little as £2 have been taken down in a global police operation.
In March this year we launched a dedicated Crack Cyber Team at HM Revenue and Customs - funding the recruitment of high calibre technical experts, analysts and investigators to protect the Revenue and its customers.
Going forward we have committed to a new Cyber Crime Unit in the National Crime Agency by 2013 that will deal with the most serious national-level cyber crime and to be part of the response to major national incidents - drawing together and enhancing the work of the e-crime unit in SOCA and that of the Police eCrime Unit.
A Cyber Specials pilot programme has also been approved - this involves bringing in people with specialist cyber skills from outside law enforcement to help the police tackle cyber crime. I understand Estonia has a similar endeavour in bringing in reservists to help in this increasingly important area of law enforcement.
2) Our second objective is to make the UK as a whole more resilient to cyber attack and better able to protect our interests in cyberspace.
To do this our Ministry of Defence and GCHQ have established a Joint Cyber Unit to develop new tactics, techniques and plans to deliver military cyber capabilities to confront high-end threats.
The Cyber Security Operations Centre (CSOC) has delivered a number of exercises to test and improve the UK’s capability to respond to a cyber security incident and has participated in several including a joint EU-US exercise.
This year’s Olympics in the United Kingdom will not be immune to cyber attacks by those who would seek to disrupt the Games. The Beijing Olympics saw 12 million cyber security incidents during their Olympics. We have rightly been preparing for some time - a dedicated unit will help guard the London Olympics against cyber attack - we are determined to have a safe and secure Games.
I know that here in Estonia, your State Information System Authority (RIA), and your Cyber Defence League are doing vital work in increasing business and government’s resilience to cyber attack - I am discussing as part of my visit ways in which we can learn from each other’s experiences.
3) Our third objective is to build the UK’s cyber security knowledge, skills and capability.
Our ability to defend ourselves in cyberspace in the future depends upon a strong skills and knowledge base. ICT has become so endemic to how we live and yet most of us simply know how to work a device - not why it works. ICT skills must be increased and building our cyber security skills pool is a key part of that.
I know that in Estonia you take this very seriously - and the partnership between government, business, and the academic community is well advanced - I heard earlier about the investment which Skype is making in the IT Academy.
We are also working with industry and academia to promote skills and education in cyber security across the UK. By its very nature, much of the work done in this area is innovative and we are looking to see if there is more widespread commercial applicability in this area.
We also support an initiative called the Cyber Security Challenge - which is using innovative techniques and offering scholarships and rewards to people to steer their careers towards cyber. A recent winner was working as a postman, but now works as an information security professional for the Royal Mail.
There is also a long term aim to build up a skilled workforce in this field. GCHQ has awarded “Centre of Excellence” status to eight UK Universities conducting cyber security research and there will be opportunities for more to apply this autumn.
I want to explore the possibility of links to cyber security research and education here in Estonia as well - I know that Tallinn Technical University is rapidly developing its offer in this area, becoming a global centre of excellence with more and more courses offered in English for international students.
4) Our final objective is to help shape an open, vibrant and stable cyberspace which the public can use safely and supports open societies.
This is also about education in part - no matter how safe our systems and networks are, we need to ensure the people who use them are educated about how to protect themselves, their businesses and their families online.
So in the UK the Government works with the private sector and law enforcement on an initiative called Get Safe Online (GSOL), which provides education, information and advice on Internet safety to UK consumers and small businesses.
I’m announcing today that we have committed almost £400,000 this year to enhance and expand this initiative. And further to the support given by Government I am also pleased to announce that three more major private sector organisations BT, Symantec and Camelot have signed up as sponsors of GSOL to enhance its already impressive list of partners and we look forward to further organisations coming aboard.
In addition, through the National Cyber Security Programme we have also backed a campaign to promote people reporting online fraud through an innovative online ‘viral’ campaign - ‘The Devil’s in your Details’ - available on YouTube as it gives a great replication of how an online criminal might steal and then use your personal and financial information.
The UK is also committed to finding ways of establishing mutual trust in global cyberspace so we can collectively tackle the threat of online crime.
We last year ratified the Budapest Convention on Cyber Crime, which provides a framework for international law enforcement cooperation and we are working hard to get other countries to sign up to this as well as supporting the Council of Europe’s Global Project on Cybercrime.
Last November we hosted the London Conference on Cyberspace to initiate a global conversation on the future of the Internet and how we might establish certain norms of behaviour in cyberspace. President Ilves’ valuable contributions being what first inspired me to make this visit to Estonia.
And I am pleased to say this conversation has caught the attention of a wealth of nations, including China and Russia, and a further conference is to be held in Budapest in October this year and then Seoul in 2013.
The networks on which we now rely for our daily lives transcend organisational and national boundaries. And across the world we can all gain from exporting best practice, sharing information and building mutual defences.
Falling costs mean accessing the internet will become cheaper and easier, allowing more people around the world to use it. This will drive the expansion of cyberspace further and as it grows so will the value of using it.
We all want to get ourselves into the position where law enforcement is beating cyber criminals, businesses and citizens know what to do to protect themselves and threats to our national infrastructure have been confronted.
To do this we need a multi-stakeholder approach to internet governance - resisting state intervention that would stifle growth and the free exchange of ideas at its heart.
By building mutual trust and partnerships at home and abroad I believe we can find the right balance between freedom and regulation and ensure the UK, Estonia and the World will be able to tackle the dark side of cyberspace and enjoy the still emerging benefits.