Govnet Cyber Security Summit 2014: Francis Maude
This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
The Minister for Cabinet Office gave the keynote speech on government and business sharing information to combat cyber security threats.
It’s a pleasure to speak to you today.
Cyber security is a shared responsibility. The internet is too complex for any single organisation to respond alone. So it’s crucial that the public and private sectors come together at events like this to discuss how we can work together to protect ourselves online.
The timing is good too with The Imitation Game in cinemas, which tells the story of Alan Turing and Bletchley Park. It’s a reminder of Britain’s amazing heritage in cryptography and computer science.
If you visit the museum at Bletchley Park they have on display a piece of cable from an early Turing machine. It’s practically all that remains from one of the world’s first proto-computers – but it only survived by chance. One of the workmen tasked with dismantling the equipment at the end of the war used it to tie up his holdall because the fastener had broken.
It’s amazing to think the computer age began in a quiet corner of Buckinghamshire, but the need for discretion and secrecy meant the UK’s part in this story was almost forgotten.
Today, things are different, and we can’t afford to be modest. When Tim Berners-Lee invented the World Wide Web 25 years ago, he did it in a way that was open and free, so that anyone could take his creation and help it expand and grow.
So as much as we focus on making the cyber threat sound dark and menacing so that people and businesses protect themselves online, we must never lose sight of the benefits and the opportunities that the internet has brought.
The digital revolution has the power to create jobs, transform public services and to change the way we live and work. In so many areas – from cyber security to satellite communications – Britain is at the forefront of developments, and we should be shouting about this from the rooftops: this is a strength for Britain – and we’re determined to seize the opportunities that the digital age presents.
National cyber security strategy
Cyber attacks are ranked as a tier one threat to the UK. When the coalition was formed in 2010 we conducted a Strategic Defence and Security Review that ranked cyber alongside risks like terrorism, international conflict and natural disasters when measured against both the likelihood of occurrence and severity of impact. So when we published the UK’s first Cyber Security Strategy – 3 years ago next Tuesday – we backed it with £860 million of investment up to 2016.
Normally my day job is about trying to save money. And when you consider the pressures on spending across government, I think the fact we’re prepared to invest such a large sum in beefing up our cyber resilience is an indication of just how seriously we take this issue.
Government leading by example
It’s absolutely right that government should lead by example, and over the past few years we’ve launched a number of initiatives to secure our own systems and to support others. We want the UK to be one of the safest places in the world to do business – it’s part of our long term economic plan.
Only yesterday, CESG, the information security arm of GCHQ, launched a new certified training scheme in partnership with APM Group. It will certify cyber security training courses to ensure they meet the required standard. It will also help individuals and businesses quickly identify the courses most relevant to their needs.
We’re also keen for good cyber practice to reverberate through our supply chain. Since October this year, the government requires all suppliers bidding for certain personal and sensitive information handling contracts to be compliant with the 5 critical controls set out under the Cyber Essentials scheme.
This scheme gives businesses clarity on good basic cyber security practice and will provide protection against the most common threats. It’s often the simplest measures that can make the biggest difference. After going through a certification process, businesses will be able to show they have the right measures in place by displaying the Cyber Essentials badge, which we hope becomes the cyber equivalent of the MOT certificate.
Cyber security is also an important consideration as we transform the government’s digital presence. We started with GOV.UK, a single website for all government services and information, which celebrated its 1 billionth visitor last month, despite the fact it’s only been open for 2 years.
Now we’ve turned our attention to digitising 25 high-volume public services.
One by one these services are becoming faster, clearer and more convenient to use, and the number of people using them continues to grow – for instance, 1 million people used the new Independent Electoral Registration service in the 2 months after it went live.
So as we go digital by default it becomes even more important that someone signing in to use a service is who they say they are. That’s why we’re developing GOV.UK Verify with funding through the National Cyber Security Programme.
For the first time people will be able to prove their identity in an entirely digitally manner. It will allow government – and eventually private sector services too – to trust that a user is who they say they are. This work is still at a relatively early stage – it went into public beta testing earlier this month – but, in time, it will make a real contribution to trust and security in the digital age.
Coupled with Verify, we’ve also been investing to ensure the public sector staff have the necessary skills and capabilities to help combat the threats government faces in cyberspace.
By training skilled staff at the Department for Work and Pensions and investing in HM Revenue & Customs’ Cyber Security Command Centre, for instance, the National Cyber Security Programme aims to ensure the departments responsible for our largest online services have the technology and capabilities they need to operate safely online.
But while it’s right the government leads by example, we can’t do it alone. There’s no single magic bullet to neutralise the cyber threat, but the one thing common to all our efforts – whether it’s about resilience, or awareness, or capability and skills – is co-operation.
Earlier this year, I opened CERT-UK, our first national Computer Emergency Response Team, to bring about closer co-operation between businesses and the government and law enforcement agencies. It means that there is now a single organisation co-ordinating our response to cyber issues on a daily basis, which can identify and track risks as they emerge and, when necessary, bring others together to respond.
Already its services have been much in demand, responding to numerous threats like Heartbleed, Gameover Zeus and Shylock – just 3 examples from a constant stream of incidents. Officials from CERT have worked behind the scenes to help co-ordinate cyber security around the NATO Summit in Wales and contribute to the security of the Commonwealth Games in Glasgow.
Sitting as part of CERT-UK is the Cyber Security Information Sharing Partnership or CiSP for short. CiSP enables government and business partners to exchange information on threats and vulnerabilities as they occur in real time. This enables a ‘fusion cell’ made up of analysts from business and law enforcement to draw together a single intelligence picture of cyber threats facing the UK.
By the end of October, nearly 700 companies had joined the Partnership and it continues to grow. This year we’ve been trialling a regional CiSP node in the East Midlands which is run in conjunction with the Regional Organised Crime Unit. We are currently evaluating the success of this trial and hope to develop similar regional nodes elsewhere.
In September, CERT-UK responded to the Bash vulnerability, also known as Shellshock.
Details first emerged late one evening, but before 9am the next morning CERT-UK had already posted information onto the Cyber Information Sharing Partnership and in the following 72 hours there were over 1,000 page views. CiSP members were actively sharing their own information to contribute to our situational awareness and a number of new companies joined the Fusion Cell during this period, further building the capability.
This is the pattern for success: governments and businesses working together – quickly and in real time – to share intelligence, learn lessons, pool capabilities and coordinate action.
CiSP works on trust. It has government involvement, but it’s business-led. Information is shared voluntarily, and that’s why it works. The more partners that join, the more information that’s shared, the better the overall picture and the greater our collective resilience.
You’ll be hearing from CERT-UK’s director, Chris Gibson, later today and I would encourage as many organisations as possible to join.
Critical national infrastructure
The government is also working closely with owners and operators of the UK’s Critical National Infrastructure, most of it of course now in the private sector.
Through the National Cyber Security Programme we’re funding an ambitious programme of work to make sure both government and businesses know our critical cyber assets – the ones that keep the country running. We want to understand their resilience to sophisticated cyber attacks so we can work together to keep these systems secure.
This work is proceeding well and I’m pleased to see how positively the private and public sectors are embracing the importance of working together to make the UK as whole more resilient.
We also want to work with cyber businesses to help them grow. Later today I’m off to Worcestershire to visit the cluster of small cyber security firms that belong to the Malvern Cyber Security Cluster and to meet some of the brilliant people they employ.
In recent years the number of firms in this region has grown from around 45 to nearer 75, and the area is deservedly becoming known as Britain’s ‘Cyber Valley’. These firms may be small, but they’re innovative, agile and are winning contracts around the world.
A case in point is Titania – a firm of 22 staff and growing – which supplies its software to customers in over 60 countries. This afternoon I’ll have the privilege of opening their new premises – a sign of their growth and success.
So a part of our long term economic plan, we’re backing cyber firms like these through the Cyber Growth Partnership and the Cyber Exports Strategy. We want to be exporting £2 billion worth of products and services by 2016.
And with the support of funding from the National Cyber Security Programme, we’re working to bring together clusters of cyber firms in other places, including Cambridge, Bristol, London, Southampton and Brighton.
We’re also working with business to identify and develop cyber skills and expertise in the next generation to meet the demands of the workforce. We can’t just look in the normal places. Some of the best are self-taught and we want them to help make the UK safe online.
Earlier I mentioned Bletchley Park, which was full of people from all kinds of backgrounds – from chess grandmasters to experts in Egyptian papyrus. What they all had in common was sheer brain power. We need to be much better at finding and nurturing their modern day equivalents.
Earlier this year I opened the final of the 2014 Cyber Security Challenge. It’s one way of demonstrating the value of cyber security as a career opportunity to as wide an audience as possible. There were over 2,000 new joiners this year, with 18,000 registered overall. Almost 1 in 3 of those who reach the final stage of the competition go on to find work in cyber security. It’s just one of the ways we’re trying to plug the skills gap.
The cyber threat is nothing that cannot be matched and defeated through human ingenuity or expertise, which is why we’ve got to get better at identifying and developing people with talent so they can help keep us secure.
So, in conclusion, my message today is that we must continue to work together – this is absolutely essential to success. Only by working together in real time can we share the information and intelligence necessary to combat the threats more effectively and mitigate our weakness before the cyber criminals have the opportunity to exploit them.
But we can also turn a necessary evil into an exciting opportunity for jobs and growth, innovation and advancement. This will make the UK one of the safest places in the world to do business and ensure that our economy and society continues to benefit from the ongoing digital transformation.