Speech given by Karen Bradley on 12 March 2014 on e-crime and information security.
In 2011, CISCO estimated that the Internet connected over 10.3 billion processes, sources of data and ‘things’.
By 2020, CISCO stated that this has the potential to reach 50 billion .
As a maths graduate, I find that a staggering fact.
But today I’m banking on the fact that personal connections continue to make the biggest difference in our world.
My name is Karen Bradley, and I am the new minister with responsibility for Modern Slavery and Organised Crime in the Home Office.
I’m delighted to meet you all today.
I have only been in office for a few weeks, however in that short time I have been taken by the wide range of activity that is taking place with Industry partners to tackle the threat of cyber and cyber-dependant crime, such as fraud.
You heard yesterday from the head of the National Cyber Crime Unit, Andy Archibald, on how the National Crime Agency aims to develop this cooperation.
Today, I want to give you an overview of what we, in government, are doing to ensure that the UK derives as much value as possible from cyberspace, whilst tackling the threats within that environment.
I would like to set out the changes that are taking place to help us tackle these threats.
I would also like to talk to you about the partnership that I want to see develop between government, industry and our other partners, to bear down on cyber criminals and increase the cyber security of the UK.
The Cyber Threat
Cyber security, including cyber crime, remains a ‘tier one’ threat to national security.
It is costing the UK economy billions of pounds a year.
In 2013, Financial Fraud Action UK noted that cyber-enabled card-not-present fraud cost banks an estimated £140 million in 2012.
In the same year, cyber-enabled banking fraud was estimated at just under £40million .
We also know that our reliance on the internet is expanding at pace.
The Office of National Statistics reported that in 2012, approximately 85% of the UK population used the internet.
Of these, 33 million people accessed the internet every day, more than double the level six years before.
And the methods for access are also rapidly changing, with those using a mobile device to go online increasing by over 50% in two years from 2010 to 2012 [24% to 51%].
These evolutions create new challenges for investigation, as well opportunities for criminality.
The sheer scale and reach of the internet allows criminals to stretch their influence further than ever before - and to cover their tracks.
Today, one of the key threats we are facing is the ability of traditional crime groups to use the ‘as a service’ nature of the criminal marketplace to buy the skills needed to commit crimes that they had not been able to achieve.
We are concerned about the large scale harvesting of data to commit fraud against individuals and organisations.
And, we are concerned about the targeted compromise of UK networked systems to modify or steal data: to gain competitive advantage; gain control of infrastructure or, inflict reputational damage.
Law enforcement must develop and embed a new set of research, investigation and evidential skills, in order to respond.
National Cyber Security Programme
So, what is the government doing on cyber security, and where does industry fit in?
The National Cyber Security Strategy was launched in 2011.
Through the Programme, which underpins this strategy, we have dedicated £860 million over five years to deliver a step-change in the UK’s cyber capabilities.
The National Cyber Security Programme, about to move into its fourth year, has already delivered significant changes to the landscape on cyber.
Notably, the creation of the National Cyber Crime Unit within the National Crime Agency; the development of CERT UK to be launched in the coming weeks, the UK’s first single computer emergency response team for national cyber incident management; and, the launch of the Cyber Information Sharing Partnership, the first secure government-industry forum for information sharing on key cyber threats.
The national roll-out last year of Action Fraud also provided for the first time, a single reporting mechanism for cyber and fraud.
This has allowed us to improve significantly the number of reports of this type of crime, which we always believed were under-reported.
Between September 2012 and September 2013, the number of reports rose by over 30% from 150,000 to over 200,000.
It also makes links between different frauds, where people and businesses across the country are targeted by the same scams.
These changes, alongside the analytical capability of the NCA’s Intelligence Hub, greatly increase our understanding of the threats that we face.
Serious and Organised Crime Strategy
On 7 October last year we also launched the new Serious and Organised Crime Strategy.
Taking the framework of our Counter-Terrorism Strategy, Contest, our approach has 4 areas of focus: pursue, prevent, protect and prepare.
Pursue – prosecuting and disrupting serious and organised crime.
Prevent – stopping people from becoming involved in, and remaining involved in, serious and organised crime.
Protect – reducing our vulnerability by strengthening our systems and processes and providing advice to the private sector and the public.
Prepare – reducing the impact of serious and organised crime, ensuring major incidents are brought to effective resolution and supporting victims and witnesses.
I will focus today on the pursue and protect areas of our work.
With the launch of the National Crime Agency, and by increasing law enforcement capability at regional and local force level, we are changing the way that we pursue cyber criminals.
Through its new National Cyber Crime Unit and the Economic Crime Command, the National Crime Agency unifies the national crime-fighting response to the most serious, organised and complex cyber and cyber-enabled crime.
The NCA is also forging strong, direct relationships with industry. It will support both proactive investigations and a fast-time response to the most serious incidents.
The NCA will reach through to regional and local policing, in particular through the network of Regional Organised Crime Units - set up to work across local police force boundaries.
Following increased investment this year, dedicated cyber and fraud units are now being developed in each of these regional teams.
Through the College of Policing, we are also working to drive up cyber skills at the local level with a dedicated training programme. We expect 5,000 officers and staff to be trained by 2015.
This is part of a wider programme of work to support the increased capability and capacity of forces to investigate the online elements of crime.
As Andy mentioned yesterday, there are real opportunities for cooperation between law enforcement and Industry on skills.
We all need to keep pace with the technical changes that evolve and ensure all our organisations have the right skills to respond.
I think there is much that we can do together in this respect.
But the UK clearly can’t tackle this global threat alone.
Cyber criminals pay scant attention to international borders and can threaten the UK from locations across the globe.
As Andy noted yesterday, international collaboration is therefore at the centre of the NCA’s approach to cutting cyber crime, such as through its relationship with the European Cyber Crime Centre in Europol. We are also working closely with partner Governments worldwide.
The UK government also continues to play a leading role in shaping emerging EU thinking on cyber, including on the proposed EU Directive on Network Information Security.
I know you discussed this yesterday.
We in government, strongly support the commission’s aim to raise the level of network and information security across the EU.
But, we need to make sure that this complements the good progress we have made on this issue in the UK, and that it does not discourage business from seeking help or introduce unnecessary burdens.
As you have already been considering at this congress, protection is another fundamental part of our response.
Corporate governance is key to this.
It is endlessly frustrating to hear IT security professionals complain that they are treated as being outside the core business of their organisation.
They should be at the heart of it, with the risk of cyber threat being properly managed at board-level.
I know that this will continue to form part of the discussions that you will have at the congress today.
To encourage this, the government has now launched guidance to organisations to adopt simple measures to enhance cyber security, including for SMEs and large businesses.
The 10 Steps to Cyber Security is available on the GOV.UK website.
We have also recently launched specific cyber security guidance which companies can use during financial transactions such as mergers and acquisitions.
I strongly encourage you all to read this guidance, use it and implement it in your businesses.
Following these simple steps will protect firms against the majority of cyber threats.
To complement this, we have been working with industry to develop a basic cyber hygiene standard, due for release shortly.
This will enable businesses to demonstrate that they have put a basic level of cyber security in place.
This supports work being undertaken to certify commercially-available cyber security products for use in public and private sectors.
We also want to support the growth of the UK cyber security industry, with an emphasis on increasing exports.
Government has now set a target for future export growth of £2 billion worth of annual sales by 2016.
With these initiatives, we want to make it easier for companies to negotiate the crowded market and to promote our quality exports, which I know there is a great appetite for.
Awareness raising and protecting customers
But Protect is not just about hardening our physical protective security.
We also need to increase the public’s awareness of how to stay safe online.
As the end user of many of your products and services, their cyber security vulnerabilities can all too easily become your cyber security vulnerabilities.
You’ll hopefully now all be aware of the government’s first national cyber security awareness campaign, Be Cyber Streetwise.
The campaign was launched in January to help individuals and small businesses to understand the steps that they should take to enhance their security online.
I see this as a key aspect of our work into the next year and encourage you to consider how you can also support it, if you are not already involved.
The final aspect of Protect that I would like to mention is intelligence-sharing.
We must do this more effectively, in order to be able to keep pace with the swiftly evolving threat, to protect ourselves and target our disruptive activity.
The National Crime Agency has new dedicated capability to increase intelligence sharing to and from the private sector.
It produces threat assessments and targeted alerts on emerging threats so risks and vulnerabilities can be reduced.
But, we know that the vast majority of intelligence on the threats that we face lies within the private sector.
I hope that companies will agree to share the information that they hold on threats, and support each other to protect their systems.
The Cyber Information Sharing Partnership (or CISP), provides an important platform for this activity, providing a secure space to share threat information and mitigation advice in real-time.
Following an initial focus on companies that support our Critical National Infrastructure, membership of CISP has now been extended, including to legal firms, academia and SMEs, with over 300 companies having joined.
I strongly encourage you to consider how it might support your organisations also.
CERT-UK, which will house CISP, will also have a crucial role to play following its launch later this year.
Once in place, CERT-UK will work closely with the companies that own and manage the Critical National Infrastructure to help them respond to cyber incidents.
It will also help to promote a greater understanding of the threats faced by wider industry, academia and the public sector.
So what is the message that I want you to go away with today?
I want you to know that we are committed to working closely with you to reduce the threats from cyber crime.
We will bring all our law enforcement capabilities to bear to pursue cyber criminals relentlessly.
And we will provide as much information and support as we can in helping you to protect your systems and customers.
In return, we need you to share information, within the proper legal boundaries, on what you are seeing – both with each other and with us.
You’re on the frontline. You see it every day and we need you to provide your skills and support in the fight to pursue cyber criminals.
And we need you to prioritise the protection of your systems and customers.
I was at the Security and Policing Exhibition in Farnborough yesterday and I saw many good examples of what we have to offer on cyber crime.
I know what we have in this country and that we are flourishing in cyber security. We want to help you get that to customers.
This event is an excellent opportunity to take stock of how this partnership can work.