Karen Bradley Speech on Managing Cyber Risk
This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
Speech by Karen Bradley at BBA Conference on 10 June 2014.
Verizon reported last year that most cyber attacks on a system take a matter of hours. Many take minutes or even seconds. Taken alone, that is concerning. But consider then that the same report found that 2 out of 3 attackers stayed in the system for months before discovery, and it took weeks, even months for the victim to be able to get rid of the hacker.
That is absolutely staggering. Think of the damage that can be done by that attack, in that time. Think of the loss caused by that attack, and the potential impact on reputation and prosperity.
This is why cyber security, including cyber crime, is a top threat to UK national security. It is up there with international terrorism. Today, I will tell you about what this government is doing to counter these threats.
For those who don’t know me, I am Karen Bradley, the Minister responsible for Serious and Organised Crime, and my job is to oversee our national approach to the threat of cyber crime.
Cyber crime is a global threat. Cyber criminals operate across international borders. The UK is threatened from many locations in many countries, which makes it extremely complicated to tackle.
And that is why you are all here today, to discuss the threat, to think about how best to protect yourselves against it, and take action against those who commit it. Throughout today you will hear many facts and figures on the cost of cyber crime to your industry. I’m not going to repeat them here. Not because I do not think they are important.
Of course you need to know what cyber crime costs you, and I hope you already do. And the figures are astonishingly large. But what I want to focus on is what cyber crime means for economic and social prosperity.
We know that cyber crime undermines confidence in our communications technology and online economy.
One report estimated that internet-based companies are worth 7-8% of UK GDP. That means that cyber crime is affecting our economic prosperity. Cyber criminals are not only taking money from business through their attacks, but attacks have a terrible impact on consumer confidence in using internet businesses.
Think about the recent attack on eBay. We should applaud eBay for putting information into the public domain, and managing the situation as they did. But I wonder how many users will have been concerned about using the site and other sites in the days after the attack?
We all rely on the internet. We are conducting an increasing amount of our professional and personal lives online, whether it’s our supermarket shop, or ordering a last-minute Father’s Day gift. We’re sending our personal data out into cyberspace all day every day, through emails, passwords and via our bank accounts. More and more people are using the internet.
In 2012, 33 million people in the UK accessed the internet every day. That is more than double the level six years before.
And the methods for access are also rapidly changing, with those using a mobile device to go online more than doubling over the two years from 2010 to 2012 [24% to 51%].
So we’re accessing the internet more and more, using a variety of different methods to do so. This provides new opportunities for cyber criminals, and a challenge as to how we protect ourselves from attack, and pursue those who commit the crime.
The internet is now an integral part of our lives, and I think most would feel lost without the benefits it affords. But we need to make every internet user aware of the need to be careful and intelligent about the way they act online.
What we need to do is to work together to make sure business online is safe and secure, and that people doing business online are protected.
National Cyber Security Programme
We know that government has a key role to play in tackling cyber crime, and improving cyber security.
The National Cyber Security Strategy was launched in 2011. And one of its four objectives is to make the UK one of the most secure places in the world to do business in cyberspace.
The National Cyber Security Programme underpins the strategy and delivers its objectives. We have dedicated £860 million over five years to deliver a real change in the UK’s cyber capabilities.
The Programme is in its fourth year and has made significant steps.
Notably, the creation of the National Cyber Crime Unit (the NCCU) within the National Crime Agency; the launch of CERT-UK, the UK’s first single computer emergency response team for national cyber incident management; and the launch of the Cyber Security Information Sharing Partnership, the first secure government-industry forum for information sharing on key cyber threats.
Serious and Organised Crime Strategy
On 7 October last year we launched the new Serious and Organised Crime Strategy.
We have taken the framework of our Counter-Terrorism Strategy, CONTEST, and refined our approach to tackling serious and organised crime into four areas of focus: Pursue, Prevent, Protect and Prepare.
PURSUE – prosecuting and disrupting organised crime gangs. In other words, catching the bad guys.
PREVENT - stopping people from becoming involved in and remaining involved in, serious and organised crime. In other words, stopping the bad guys from being bad guys.
PROTECT - reducing our vulnerability to harm from these groups by strengthening our systems and processes and providing advice to the private sector and the public. In other words, helping you not to become a victim of the bad guys.
And PREPARE – reducing the impact of serious and organised crime when it happens. So, helping victims and wider communities to recover when the criminals strike.
I will focus today on the PURSUE and PROTECT areas of our work.
We are changing the way we pursue cyber criminals. We know that law enforcement needs to have the right skills to respond to the changing ways in which crime is being committed.
To successfully tackle cybercrime, law enforcement needs to have the knowledge and skills that cyber criminals are equipped with.
The National Crime Agency leads the crime fighting response to the most serious incidents of cyber-dependent and cyber-enabled crime through its National Cyber Crime Unit (NCCU) and Commands including the Economic Crime Command.
The NCA is working with regional and local policing, in particular through the network of Regional Organised Crime Units, or ROCUs, which have been set up to work across local police force boundaries to provide new ways of working.
Through increased investment, dedicated cyber and fraud units are being developed within these regional teams. And through the College of Policing, we are also working to improve cyber knowledge in local police forces with a dedicated training programme.
There are real opportunities for industry and law enforcement to work together to build skills to tackle cyber crime, and to understand the changing threats. The ROCUs are establishing relationships with businesses in their regions, and the NCA’s NCCU is sharing information on cyber attacks with the private sector. But this is just a start.
In addition to increasing law enforcement capabilities, we want to make the legislative response stronger. We published the Serious Crime Bill last week. This contains amendments to existing legislation, which will mean that those who are found guilty of committing cyber attacks which cause serious damage, including to the economy, face lengthy prison sentences.
However, the UK cannot tackle cyber crime alone. We need to work with our international partners in order to find a global solution. That is why at the heart of NCA’s approach to cutting cyber crime is international collaboration, through its relationship with the European Cyber Crime Centre in Europol, and working closely with other international law enforcement agencies.
I hope you saw the NCA’s alert last week on the two week window to protect yourself and your business against two variants of malware, known as GameOverZeus and Cryptolocker. And I hope you protected yourself as a result of this alert, and encouraged your customers to do the same.
This NCA alert is part of one of the largest industry and law enforcement collaborations attempted to date. This is a fantastic example of how we work with our international partners to pursue cyber criminals across borders, and to protect the public and private sector from attacks.
You will hear much more about the NCA’s international work on cyber crime from Andy Archibald, head of the NCA’s NCCU, this afternoon.
I am sure you would agree that it is better to protect ourselves and our systems from an attack than wait until our data, finances and confidence are stolen and compromised. That is why Protect is a fundamental part of the government response to the threat of cyber crime.
GCHQ estimates that 80% or more of successful attacks could be defeated by implementing simple best practice cyber security standards. We all have a responsibility to ensure we understand what can be done to protect ourselves at an individual and company level.
And there is some good work taking place. This year PWC’s Global State of Information Security Survey shows that the number of companies which have adopted an overall information security strategy has increased by 17.5%.
Almost 64% of security professionals in the UK report directly to the board or CEO; only 54% of European organisations do the same. This is great news, but there is clearly more to be done.
Last week we launched the Cyber Essentials Scheme, an industry-led organisational standard for cyber security, which gives a clear baseline to aim for in addressing cyber security risks to your companies. It is available on the Gov.UK website.
Cyber Essentials is relevant to all your organisations. It applies to all businesses of any size, and any sector. We want to see all organisations adopt the requirements to some degree. And this is not just for the private sector. It applies to academia, charities and the public sector.
Cyber Essentials sits alongside other existing products to help business build their protection against cyber crime. We have guidance for industry Chief Executives and board members, and last year we published tailored guidance for SMEs.
I encourage you all to use the guidance available. They are simple steps that can make a considerable reduction to your cyber vulnerability.
We are listening to what industry needs. We are helping industry to ensure that they have competent cyber security professionals, and that internal cyber security courses are consistent with government standards. GCHQ’s Communications-Electronics Security Group (or CESG) Certified Professional scheme is building a community of recognised cyber security professionals from both public and private sectors. Over 900 professionals have been certified so far, and we intend to develop the scheme further in line with industry requirements.
And the CESG certified training programme enables training providers to have their cyber security courses assessed against approved standards. This provides assurance to organisations and individuals that they have a quality course.
We are also supporting the growth of the UK cyber security industry, with an emphasis on increasing exports. We have set a target to increase cyber security exports to £2bn by 2016. We have a programme of initiatives to support this including help to overcome barriers for entry into key markets.
And work is also underway with industry to jointly develop a cyber security showcase, offering industry a Central London venue to demonstrate their products.
The public are the users of your products and services and their cyber security vulnerabilities can increase the threat to your business. And we all should take responsibility for reducing our personal cyber vulnerabilities.
We are helping to do this, by raising awareness of how to stay safe online.
Be Cyber Streetwise is the government’s first national cyber security awareness campaign, helping individuals and small business to understand what they should do to enhance their security online. We are continuing to promote this with a further phase of the campaign later this year to reach as many people and as many small businesses as possible. We want people to know the key things to do in order to act safely online, and to make it second nature to do these things.
Protection is vital in the fight against cyber crime, but attacks will unfortunately still happen. So what can you do if you are attacked? We need you to share what you know.
The information about that attack is important. It could help to protect another company from suffering the same. Sharing that information will help law enforcement to understand the evolving threat picture, and take the appropriate action against the criminals.
The NCA has a dedicated intelligence capability, which produces threat assessment and targeted alerts and disseminates these to industry.
But the private sector holds a huge amount of information that will help to build a better threat picture. We need you to help.
We want companies to share information with each other. And we have developed a platform to do this.
The Cyber Security Information Sharing Platform (or CISP) provides a secure space for companies to share information on cyber threats, and to work together to protect their systems, which means business can take action to mitigate their vulnerability to attack.
CERT-UK, the UK’s national Computer Emergency Response Team, launched this year, and now houses CISP. This will further build on the success of CISP, and add in an international element for its information and analysis function.
And CERT-UK will be working collaboratively with industry, government and academia to enhance UK cyber resilience. It will be working closely with critical national infrastructure companies, providing guidance and advice as well as helping those companies to respond to cyber incidents.
Cyber criminals are organised, highly skilled and numerous. But look at the wealth of resources we have in front of us, in business, law enforcement and across government.
As a group we have incredible expertise, thousands of highly skilled individuals and a vast amount of information. We can get ahead of cyber criminals. We can stop them. We just need to work together to share what we have and what we know.
What I want you to take away from this is to know that we, the government, see tackling cyber crime as a top priority. We are committed to working closely with you to reduce the threats from cyber crime.
We will continue to build our law enforcement capabilities to pursue cyber criminals, and disrupt their activities. We will work with our international partners to tackle the global threat.
We will provide you with alerts and threat assessments. But we need your help. We need you to share what you can with each other so you can protect yourselves. And we need you to share it with us so we can understand the evolving problems and work with you on how to protect your business.
We need you to protect yourselves and your customers. Promote the guidance that is out there.
This event is a great opportunity to strengthen partnerships, and take stock of what more needs to be done. I hope you have a very productive day.