Improving UK cyber resilience: AI, software and skills
Tech Minister Saqib Bhatti's speech to the National Cyber Security Centre's CyberUK 2024 conference in Birmingham.
For more information, please read the press notice.
You can also watch the speech on YouTube (see video from 22:05)
Good morning, hello and thank you for coming here today.
Can I first of all start by thanking the National Cyber Security Centre team who’ve worked so hard to put on this fantastic event – and everyone else who has helped them.
When I received my briefing today I was told I’ve got the ‘who’s who’ of the national cyber security industry here, although it did make me wonder: if you’re all here, who is taking care of our national cyber security?
I jest of course, I know depth through resilience is exactly what we mean.
The government’s National Cyber Strategy really does explain how we can make progress if we work together as a community – so it’s great to see everyone here, making that happen.
It’s also great to be back in Birmingham and, for those of you who might know, I used to be president of the Greater Birmingham Chamber of Commerce, so for me - and my constituency’s not too far from here - this is very much a local gig.
But I can tell you from first hand experience that there are some fantastic cyber and tech firms in the area.
And when the Department for Science, Innovation and Technology was created last year, it gave us a real opportunity to focus on those types of businesses, and have a real focus on the innovation which changes lives and sustains economic growth.
The department – or as we call it, “DSIT” - plays a key role delivering the National Cyber Strategy.
Our policy for the government leads on improving cyber resilience, growing the cyber security sector, improving cyber security skills and addressing the cyber security of new and emerging technologies.
And if we are to take full advantage, cyber security must be at the heart of all the new and emerging technologies, like AI, quantum computers and semiconductors.
The three big challenges that we are addressing are making things “secure by design”, how we use strategic levers to lower cyber risk, and making sure we have the right rules and controls, including regulation. And I’m going to address each one of these in turn.
Secure by design
The first big challenge is making things “secure by design”. The fact is many technology products and services have not been developed with security as a fundamental feature. This could be anything from an entry camera on our front door which has a poor, factory default password, to a company-wide file system which isn’t protected by two factor authentication.
And it would be unreasonable to expect people to be able to protect themselves against every threat. So we need to make the tech more secure.
And that’s why we take a “secure by design” approach to help ensure technology is developed with security built in from the start.
Many of you will remember the Mirai botnet attack which infected millions of IoT devices around the world. This was made possible because of poor security in IoT devices, which used common factory default usernames and passwords.
So to address this, we developed new product security laws. And just two weeks ago they came into effect.
So from now, when consumers buy a ‘smart’ device which connects to the internet, those devices must meet three new security requirements.
- They cannot have any default or easily guessable passwords.
- They must state how long the product will receive security updates for.
- And manufacturers must also publish contact details, so vulnerabilities and security bugs can be reported and fixed.
This is going to significantly improve the security of the devices we use in our homes.
These new laws are the result of over seven years of work – ably supported by a number of you who are in the room here today. So can I give you a heartfelt thank you for all your contributions.
These principles are now being used across the world in places like Australia and Singapore.
This shows how UK leadership can have a significant positive impact on the direction of global tech policy.
Another key part of our approach is what we’re doing on software security.
And as you will all know, software is fundamental to virtually all technology used by businesses, from programmes for managing payroll, to essential operating systems. Protecting software is crucial to protecting businesses and ensuring that our data and money are secure.
And yet we all know, there have been a number of high-profile attacks on software which have affected organisations around the world.
Last year, the BBC, British Airways and Boots were all affected by an attack on the MOVEit software which compromised personal data through payroll systems. And an attack on Advanced software in 2022 resulted in disruption to NHS and social care services.
And these incidents demonstrate the severe, widespread impacts attacks on software can have.
But through collective work, we can ensure that such attacks are not an inevitable cost of doing business.
And that’s why, for the past year we’ve been working with industry partners to tackle this.
So today we’re publishing a call for views on a new Code of Practice for Software Vendors.
It sets out how developers and vendors can ensure software is developed and maintained securely, with improved information sharing through supply chains.
The code sets out four principles:
- Secure design and development
- Build environment security
- Secure deployment and maintenance, and
- Communication with customers.
Many of our industry stakeholders have helped co-design that code. And I know many of you are here today, so thank you once again for all your input.
We published the code on the gov.uk website this morning and I invite you all to take a look.
Getting this right is a crucial part of ensuring the future security and resilience of our tech ecosystem.
Another area that we’ve been looking at is Artificial Intelligence.
To ensure the opportunities of AI are fully realised, AI systems must be developed, deployed and operated in a secure and responsible way.
Since the highly successful AI Safety Summit back in November, we’ve been developing a set of rules to help developers of AI tools ensure that their products are secure and resilient against hacking and tampering.
Today we’re also publishing those rules in a new Code of Practice on the Cyber Security of AI.
It’s based on the NCSC’s Guidelines for secure AI system development which were published back in November.
And again, we’re keen to make sure this is right, so we’re really keen to have your feedback.
The Code on AI Cyber Security is intended to form the basis of an international standard on AI cyber security, so it is crucial we have your views.
The two codes of practice I have announced today are aligned and are designed to complement each other.
Strategic levers to lower cyber risk
The second big challenge is how we use strategic levers to lower cyber risk.
Our latest research has found that half of businesses suffered a cyber breach or attack in the past year. This is just simply not acceptable. The cyber threat remains significant and widespread, from industrial levels of phishing emails, through to the ever increasing threat of ransomware.
So we do need to find ways of reducing the risk.
And one way is through standards. Schemes like Cyber Essentials continue to have an impact on raising the baseline of good cyber security.
And as I know was mentioned yesterday, new statistics from insurers show that organisations which have Cyber Essentials are 92% less likely to make a claim on their cyber insurance than those which don’t have Cyber Essentials.
So let me be unequivocally clear: Cyber Essentials works. And we need to get many more businesses and organisations to adopt Cyber Essentials, and prevent those basic attacks which are so prevalent. This will have a huge impact on the UK’s overall level of cyber resilience.
And then there’s skills – one of the most important strategic levers the government is working on.
Having more skilled people in the industry – and across the wider economy – is a fundamental part of our strategy. The UK must have a sustained supply of diverse and high-quality individuals in the cyber workforce.
So we’ve been working with the UK Cyber Security Council to improve career pathways and professionalisation.
At the moment it can be difficult to define what ‘good’ looks like in the cyber security profession.
The UK Cyber Security Council has now developed professional titles so cyber security practitioners can demonstrate the skills that they have, and prove their capability to employers. By having a common standard across the workforce, we will ensure that employers get the skilled staff they need and that quality cyber professionals are in the jobs that are protecting our businesses and national security.
It’s very much in the same way that chartered professionals are commonly recognised in professions like engineering and accountancy - we expect cyber security practitioners who have been awarded professional titles to be acknowledged as the gold standard.
Today – in partnership with the UK Cyber Security Council, regulators, and members of techUK – I’m publishing a public statement on how public and private sector organisations will begin to use professional titles.
The government will strengthen its approach to cyber skills by embedding professionals and professional titles across the public sector cyber workforce by 2025.
Regulators of critical national infrastructure and members of techUK have also signalled their support for professional titles.
So for more details, please read the statement that we’ve published today on gov.uk.
Professional titles in cyber security will increasingly be used by government, regulators, and industries, and these will become commonplace.
We want employers to start considering how they will incorporate professional titles into their recruitment and development practices, so that they can recognise the skills and experience of their existing cyber specialists.
So we look forward to working with industry on this.
But the skills challenge isn’t just about today’s existing professionals. It’s also about investing in the future and helping young people develop their skills.
Most of you will be aware of CyberFirst, the government’s successful programme to help identify and develop talented young people, and encourage them towards a cyber career.
Since 2016, the programme has reached over two hundred and sixty thousand [260,000] students in two and a half thousand [2,500] schools across the UK.
It has shown success in developing a high calibre pipeline of talent for the cyber security sector. In particular, CyberFirst is encouraging more students to take up computer science.
So we want to scale up the CyberFirst programme and we want to expand its impact.
Today I’m announcing a call for views on the future direction of CyberFirst. This includes seeking views on the creation of a new, independent organisation to take over the delivery of CyberFirst and scale it up.
Your views will matter. This is your opportunity to shape the future of the cyber security industry.
Finally, I can also announce today the government will be launching a campaign to encourage entries to a new cyber skills competition later this year.
The new cyber skills competition will be aimed at 18-25 year olds and will be run by our partner SANS. And we’ll be saying more about this soon.
Rules & controls / regulations
The third big challenge is making sure we have the right rules and controls – including regulation.
We’ve already announced we will update the NIS Regulations as soon as Parliamentary time allows. This includes bringing managed service providers into the scope of the regulations.
And yesterday the Director of GCHQ spoke about the cyber threat from China. The wider cyber threat is also impacting the economy. And it’s very clear that not everyone shares our values of liberty, or respects our rule of law. These actors cannot be allowed to prevail.
The measures I’ve outlined here – and our wider approach – will help address that economic threat and ensure that our economy remains secure, resilient and prosperous.
And working with industry, we will ensure, together, that we will keep Britain safe.
UK cyber security sector
Finally, I wanted to talk about the cyber security sector itself.
None of what I’ve talked about today is possible without a rich, healthy, innovative ecosystem of cyber security firms in the UK.
So we’re publishing new figures this morning showing the UK cyber security sector continues to grow and develop at an impressive rate.
In the past year, the sector generated over £11.9 billion, up 13% on last year.
You did that.
The sector now employs over 60,000 people, an increase of 5% from last year – generating nearly 2,700 new jobs.
You did that.
This is a great set of results and testament to the hard work of everyone here, so thank you for all that you do.
But we do want to go further.
My colleague Stephen McPartland MP has just completed a review which will deliver and detail how cyber security can be a driver of further economic growth.
I know Stephen is here today so I thank him for his work - and I’d also like to thank everyone here who provided evidence for the review.
Conclusion
Since I started this job last year I’ve become aware of the dedication and professionalism of the people in this room and across the country - and the efforts you’ve all made to keep the nation safe.
I’m immensely proud of all that you’ve done – and what we can do when we work together as a community.
And we in this government are unashamedly pro-innovation, pro-enterprise and pro-safety. And we will always champion you. Frankly, we need you. Britain needs you.
Thank you so much. And enjoy the rest of the conference.