It’s a great pleasure to join you all here today at the National Cyber Security Centre’s annual conference.
As you’re all no doubt aware, Manchester has a long and strong connection with computing.
It was the home of the world’s first stored-program computer, nicknamed ‘Baby’, which was built at the University of Manchester in 1948 – 60 years ago this year.
It’s also where Alan Turing worked on pioneering research into artificial intelligence.
Now it’s one of the homes of the NCSC which has not only made a name for itself here in the UK but has attracted international admiration too.
And GCHQ are shortly to open their brand new facility in Manchester, recruiting tech-savvy people and forging partnerships with Manchester’s thriving tech and academic communities.
But I bet the makers of ‘Baby’ back in the 40s could never in their wildest dreams have imagined how far technology would come and that it would still have such a prominent home here in Manchester.
They could not have known the huge benefits that the digital revolution would bring, or the global opportunities it would open.
But nor would they have anticipated the darker side of technology that would become apparent, or the threats that it poses.
And today I want to talk about what these threats are and what we are doing as a government to tackle cybercrime as well as what needs to happen next.
Because we must be in no doubt, the cyber sphere is where modern day crime is being committed and international conflicts played out.
And we know that cybercrime comes in different guises:
It’s perpetrated by ruthless organised crime gangs who conduct hacking and phishing on an industrial scale and target intellectual property;
It’s sophisticated scams that can bring down businesses or wipe out life savings, with the proceeds laundered at the touch of a button.
And cybercrime can hit anyone at any time – governments, institutions, businesses and individuals.
And globally it costs billions.
Nearly 7 in 10 large businesses have been affected, with an average cost of £20,000 per business. Some breaches leave companies on their knees.
Cyber breaches are serious, costly and disruptive.
And cybercriminals are commercialising and expanding their services. You might have heard about the case of the Essex cybercriminal Goncalo Esteves, also known as KillaMuvz, who set up a business selling criminals services to get around anti-virus software. These could be yours for as little as £5 and earned him half a million pounds in Bitcoin. We put him in jail earlier this year.
The impact of cybercrime on individuals can be very significant too. Being hacked or the victim of a cyber scam or fraud can be frightening, expensive and humiliating.
One in ten of us have been the victims of cybercrime and these days we are 20 times more likely to be a victim of crime online than offline.
And then there’s the Dark Web where anonymity emboldens people to break the law in the most horrifying of ways with platforms that enable dangerous crimes and appalling abuse.
A sickening shopping list of services and products are available:
You can buy half a kilogram of Fentanyl, the drug responsible for over 20,000 overdose deaths in the US in the last year alone, for around £5 a gram.
Alternatively, you can get a semi-automatic pistol for less than the price of a second-hand car.
And for both – you can pay in Bitcoin.
There are sites that live-stream child abuse to order, space for terrorists to plot and share their murderous expertise and the option of ordering drugs to doorsteps.
Here in Manchester, a gang of five university students were recently sentenced for selling more than £800,000 worth of drugs on the Dark Web to customers in Australia, Europe, New Zealand and the United States. They received a combined sentence of 56 years.
And then of course, there’s the broader cyber threat.
Hostile state activity in cyberspace is the most alarming expression of that threat.
Over the last year we’ve seen a significant increase in the scale and severity of malicious cyber activity globally and we have been clear that we will not tolerate this.
We know that there are several established, capable states seeking to exploit computer and communications networks to gather intelligence, personal information and intellectual property from the government, military, industrial and economic targets to advance their strategic goals.
Hostile states, groups and individuals are using cyber tools to commit crimes, to project power, to intimidate their adversaries, and to influence and manipulate societies in a manner which makes definitive attribution difficult.
But we have started to call this activity out:
We called out Russia for meddling in elections;
We called out Russia again for the destructive NotPetya cyberattack of June 2017;
We called out the North Korean actors known as the Lazarus Group for the WannaCry ransomware campaign, which was one of the most significant to hit the UK in terms of scale and disruption. As you’ll remember, it disrupted over a third of NHS trusts in England and thousands of operations were cancelled, putting lives at risk.
Chairing the first ever cyber COBR after the incident really brought home to me how damaging attacks like these can be and how important cybersecurity is. It was sobering to learn that the National Audit Office’s conclusion was that the NHS could have avoided the crippling effects of the “relatively unsophisticated” WannaCry ransomware outbreak with “basic IT security”.
And the fact is that the threat is not diminishing. Over the past six months, the NCSC has responded to 49 incidents associated with Russian cyber groups, some of which have hundreds of potential victims. Russian actors have systematically targeted the UK amongst others, expanding the number of sectors targeted, in addition to the energy, telecoms and media sectors that the Prime Minister highlighted last November.
That’s why I am the first Home Secretary to have regular cyber briefings with the NCSC and the NCA. Because in the same way that I check in with MI5 and counter-terrorism policing to make sure I know everything there is to know about the terrorist threat, I want to know all I can about the cyber threat too.
So this is the threat landscape we’re faced with.
And as Ciaran has warned himself, a major cyberattack in the UK is a matter of when, not if.
It’s absolutely right that we take action. It’s not just the WannaCrys we need to protect ourselves against, but the cyber scams that put money into the pockets of organised criminals because they think they have easy targets.
Back in 2016 we launched our five-year National Cyber Security Strategy, supported by £1.9 billion of investment.
Our Strategy brings together the best from government and industry to develop new ways to strengthen our defences, deter our adversaries and develop the broader capabilities we need to respond.
Establishing the NCSC was a central part of the Strategy.
You will have heard a lot I’m sure about the NCSC’s impressive work. And this conference – and your presence here – is testament to the vital role it’s performing. And I’m incredibly thankful for your hard work, dedication and skill.
And just yesterday this government launched a new world-first £13.5 million Cyber Innovation Centre in London to help secure the UK’s position as a global leader in the growing cybersecurity sector.
It’s not a boast to say that we are good at cybersecurity in the UK. But my message today is that we can and need to be even better.
The world of cyber is fast-developing and we need a fast-developing response to match. One that recognises that it is the responsibility of everyone in the UK to fight the evolving threat.
That’s why today I’m pleased to announce that we will be investing over £50 million over the next year to bolster cyber capabilities within law enforcement at a national, regional and local level.
This includes money for the National Crime Agency to support their work going after sophisticated cybercriminals and the prevention of cybercrime in the first place.
It also includes over £5 million to be invested in local and regional policing which will in part help to set up dedicated cybercrime units in every police force in England and Wales, to ensure no matter where you are in the country, the police have the skills and the expertise to respond.
This will help forces investigate cybercrimes, support local businesses and local victims and provide the advice and care they need. It will also help local law enforcement to deter potential cybercriminals before they get involved in crime.
Because currently only 30% of local police forces have a cyber capability that reaches the minimum standard – and as crime changes, policing needs to change too.
We will also be giving £3 million to continue the great work of CyberAware, our nationwide campaign to educate the public and businesses with the latest advice on how to take simple steps to protect against cybercrime. In addition there will be more money to support victims of cybercrime, improving the information they have on how their crime is progressing and being dealt with.
Because whilst criminals plot and hide behind their screens, their actions have real-life consequences for their victims.
My own father was the victim of fraud and I know from personal experience the importance of supporting those who have been victimised through no fault of their own. And now that it’s happening online, it’s happening to even more people.
And I talked earlier about the threatening world of the dark web.
Earlier this year, we secured the conviction of Matthew Falder, a prolific and sickening paedophile operating on the Dark Web, who admitted 137 charges and was sentenced to 32 years – the largest sentence we’ve seen handed down for dark web activity to date. It took the combined skills and expertise of the NCA, the security and intelligence agencies and our strong working partnership with other countries to catch him. It’s vitally important that we have the ability to tackle more cases like this in the future.
So today I’m pleased to announce that we will be giving over £9 million to enhance the UK’s specialist capabilities which will include work to combat the criminals who continually exploit the anonymity of the Dark Web.
The funding will help to build on the ongoing investigative work of the National Crime Agency’s Dark Web Intelligence Unit and the security and intelligence agencies, to disrupt and bring to justice those who use the dark web as a marketplace to trade illegal goods and services, including drugs, firearms and malware.
We will also develop a new national training programme for police and the wider criminal justice system, sponsored by the National Police Chiefs Council. This will ensure that officers and others are equipped to properly investigate and prosecute cases relating to the dark web.
And beyond the dark web, it’s right that we take all the steps we can to learn, improve and test our ability to respond to a national cyber crisis.
And today I’m pleased to announce that we will be running the UK’s first live national cybercrime exercise to test the response of our security and intelligence agencies, police and first responders, in the event of a large scale cyber incident.
I’ve already set out the clear threat from hostile states. This government has a robust, comprehensive cybersecurity strategy to stop interference from foreign actors and the sort of malicious cybercrime that I have spoken about today. This strategy includes calling out those states and publicly attributing their actions where we believe it is in the best interests of the UK to do so. We will not shy away from taking the tough decisions necessary to keep us all safe.
So that’s what we will do next. But as business owners, cybersecurity experts and individuals, you can do a lot to help too.
Because in the same way that shops protect themselves from burglary with locks, alarms and security guards, I expect businesses to take equivalent precautions digitally.
When customers trust a company with their data, they expect that it’s kept safe. An important way of doing this is putting in place strong cybersecurity measures. We provide that technical advice in the form of the Small Business Guide and Cyber Essentials and the 10 Steps to cybersecurity.
And personal cybersecurity also needs to be something which staff at all levels are taught about – from new joiners, to board members.
And for those businesses making internet-connected products, cybersecurity should be factored into the design. Because as it becomes possible to connect more devices to the internet and we continue to build the internet of things - from toasters to washing machines - the number of avenues for hackers widens. As does the devastating impact they can have on our lives.
And it sounds really obvious but we must all remember to install the latest software and app updates and to use strong passwords. All of these seemingly small things can really make a difference.
And if you have cyber skills, then my plea is that you’re generous with them. There’s valuable technical cyber expertise in the private sector which can be harnessed by law enforcement in the fight against cybercrime.
My department has worked with the police to increase the number of skilled volunteers – cyber specials, and cyber volunteers – who lend their time and expertise to the National Crime Agency or their local police force. I want to see more of the home-grown expertise which we are rightly proud of, in use. And I encourage all of you who have the skills, to get involved.
And ultimately, to understand the scale of the cyber threat, to build the strong intelligence we need on new cyberattacks, we need everyone to report cybercrime as and when it happens. Measuring cyber offences is a recently new phenomenon and the more information we can gather about these types of crimes, the better.
And I really can’t overstate the gains there are for all of us from a proactive approach to cybersecurity.
Because we’ve come a long way since the Manchester Baby Computer. Cyber capabilities have multiplied beyond the wildest dreams of her creator.
We need to make sure we stay not just at pace but steps ahead of those who seek to exploit the possibilities of modern technology.
And my vow to you is that this government will continue to tighten the net on the cowardly keyboard warriors and those who wage state-sponsored cyber warfare.
The internet can be such a powerful force for good and we will not allow it to become a place where evil can fester.
But we do need your help.
Our security and prosperity are inextricably linked and with your help, I want to make the UK the safest place in the world to do business online.