Karen Bradley Speech on UK Cyber Security
This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
Speech on UK Cyber Security to IA14 Conference.
Last year Verizon reported that most successful cyber attacks take a matter of hours to breach a system. Many take minutes or even just seconds.
The frightening fact for me, was that in some cases it is over a year until the compromise is discovered and in a large proportion of specific cases the victim discovers the compromise only through a third party for instance, the police, a security firm or even a competitor tells them.
We rely on the internet. We all conduct an increasing amount of our professional and personal lives online. A survey last year found that the average family owns six devices that provide access to the internet. Smart phones, tablets, laptops and TVs.
We’re sending out personal data into cyberspace all day every day, through emails, passwords and via our bank accounts to name a few.
Combined with the fact that 72% of all adults in Great Britain bought goods or services online in 2013 , up from 53% in 2008, that presents the breadth of opportunity for cyber criminals.
This is why cyber crime, is a top threat to UK national security. It is up there with international terrorism.
This evening, I am delighted to be here today to talk to you about how the Serious and Organised Crime Strategy is prioritising work with our key partners to ensure that the UK is a safe place to do business online, and what more we can do together. For those who don’t know me, I am Karen Bradley, the Minister responsible for Serious and Organised Crime and I head the team that is responsible for our work on cyber security in the Home Office.
As you heard from the Ciaran Martin earlier, Cyber crime is a global threat, operating across international borders.
Cyber crime is beginning to transform criminality in almost every country. And worse, it enables organised criminals to operate on a scale and at a pace which has previously been unthinkable.
Elaborate online markets are used to exchange information and skills that were once niche are now being exploited in the real world.
For example, last year a drugs trafficking network hired cyber criminals to alter cargo manifests at Antwerp, in an attempt to smuggle their goods in containers to the UK. It was particularly brazen since when the initial breach was discovered and a firewall installed to prevent further attacks, hackers broke into the premises and fitted key-logging devices onto computers.
Ultimately cyber crime is crime like any other. It occurs in the virtual world rather than the physical world but still impacts us directly. So how do we stay one step ahead of the cyber criminals and protect ourselves from attack, and pursue those who commit the crime?
I want to set out for you the priorities in the new Serious and Organised Crime Strategy and how it underpins activity to protect ourselves from attack, and pursue those who commit cyber crime.
Serious and Organised Crime Strategy
In October last year we launched the National Crime Agency and published the new Serious and Organised Crime Strategy.
We have refined our approach to tackling serious and organised crime into four areas of focus: Pursue, Prevent, Protect and Prepare. This follows and reinforces the previous framework of our Counter-Terrorism Strategy, CONTEST.
PURSUE – prosecuting and disrupting organised crime groups. In other words, catching the bad guys.
PREVENT - stopping people from becoming involved in, and remaining involved in, serious and organised crime. In other words, stopping the bad guys from being bad guys.
PROTECT - reducing our vulnerability to harm from these groups by strengthening our systems and processes and providing advice to the private sector and the public. In other words, helping you and others to not become a victim of the bad guys.
And PREPARE – reducing the impact of serious and organised crime when it happens. So, helping victims and wider communities to recover when the criminals strike.
I will focus today on the PURSUE and PROTECT areas of our work.
We are changing the way we pursue cyber criminals. Law enforcement needs to have the right skills to respond to the ever evolving ways in which crime is being committed.
But crime is still crime.
The National Crime Agency (NCA) leads the crime fighting response to the most serious incidents of cyber-dependant and cyber-enabled crime through its National Cyber Crime Unit (NCCU) and Commands including the Economic Crime Command. The NCA now works with regional and local policing.
Through increased investment, new dedicated cyber and fraud units are being developed in our network of Regional Organised Crime Units, or ROCUs. And the College of Policing, now has a dedicated training programme to drive up cyber skills in local police forces. We will see a significant increase in the numbers of police officers and staff who have been trained by 2015.
There are real opportunities for industry and law enforcement to work together to build skills to tackle cyber crime, and to understand the changing threats.
The ROCUs are establishing relationships with businesses in their region, and the NCA’s NCCU is sharing information on cyber attacks with the private sector. CERT UK is playing a vital role in sharing information through its CISP [Cyber-security Information Sharing Partnership] platform. But this is just a start.
In addition to increasing law enforcement capabilities, we want to make the legislative response stronger. We published the Serious Crime Bill this month. This amends existing legislation, which will mean that those who are found guilty of committing cyber attacks which cause serious damage, including to the economy, face lengthy prison sentences. The Serious Crime Bill currently before Parliament, amends the Computer Misuse Act 1990, including to create a new offence of unauthorised acts in relation to a computer that result, either directly or indirectly, in serious damage to the economy, the environment, national security or human welfare, or creates a significant risk of such damage.
The offence will carry a maximum sentence of life imprisonment for cyber attacks which result in loss of life, serious illness or injury or serious damage to national security and 14 years’ imprisonment for cyber attacks causing, or creating a significant risk of, severe economic or environmental damage or social disruption.
Although pursuing cyber criminals is important, we need to remember that behind statistics reporting billions of pounds lost from cyber attacks, are individual tragedies and victims. Whether it’s a single individual or a large corporation. A large company may be able to absorb a loss of a few thousand pounds from a cyber attack. But for an SME, that could be the difference between folding or surviving. And these businesses will form part of your supply chains, and are an integral part of the industries we all depend on.
The UK cannot tackle cyber crime alone.
We need to work with our international partners in order to pursue the criminals and prevent this crime. That is why at the heart of NCA’s approach to cutting cyber crime is international collaboration.
Through its relationship with the European Cyber Crime Centre in Europol, and working closely with other international law enforcement agencies.
You will have seen the NCA’s alert recently on the two week window to protect yourself and your business against two variants of malware, GameOverZeus and Cryptolocker.
This NCA alert is part of one of the largest industry and law enforcement collaborations attempted to date. This is a fantastic example of international collaboration to pursue cyber criminals across borders, and to protect the public and private sector from attacks.
I hope this gives you a better understanding of how we are strengthening our response to pursuing criminals who commit cyber crime. Working together with law enforcement is an important part of our work.
Although it is important to ensure we pursue criminals and their crimes, I am sure you would agree that it is better to protect ourselves and our systems from an attack than wait until our data, finances and confidence are stolen and compromised.
That is why Protect is a fundamental part of the Government response to the threat of cyber crime.
To quote from Sir Iain Lobban [Director GCHQ] “about 80% of known attacks would be defeated by embedding basic information security practices for your people, processes and technology.”
Building on that message, this month, on 5th June we launched the Cyber Essentials Scheme, an industry-led organisational standard for cyber security, which gives a clear baseline to aim for in addressing cyber security risks to you and is designed to help combat cyber threats to SMEs in particular.
As Francis Maude has said, the Cyber Essentials scheme introduces good basic cyber security practices for businesses of any size, and in any sector. It applies to academia, charities, private and the public sector.
We want to see all organisations adopt the requirements. They are simple steps that can make a considerable and important reduction to cyber vulnerability.
Of course, no matter what you do, users of online products and services are exposed to risk and their cyber security vulnerabilities can increase the threat to your business. We are helping to reduce the vulnerabilities presented by individuals by raising awareness of how to stay safe online.
Cyber Streetwise, funded through the National Cyber Security Programme was launched earlier this year and is the government’s national cyber security awareness campaign. It is helping individuals and small business to understand what they should do to enhance their security online. We will continue to promote this with a further phase of the campaign later this year to reach as many people and as many small businesses as possible. We want people to know the key things to do in order to act safely online, and to make it second nature to do these things.
Strength in numbers
Cyber criminals are increasingly organised, highly skilled and numerous. But as I look around the room tonight I see the expertise, the commitment and the access to thousands of highly skilled individuals we need to outwit the criminal gangs and shut them down.
What I want you to take away from this is to know that we, the government, see tackling cyber crime as a top priority. We are committed in our Serious and Organised Crime Strategy to ensure that the UK is one of the most secure places in the world to do business in cyberspace. But we need your help.
We need you to share your knowledge and experience and encourage others to do the same. And we need you to share it with us so we can understand the evolving threats problems and work with you on how to protect your businesses.
We need you to protect yourselves and your customers. We need you to promote the guidance that is out there. This event is a great opportunity to build on existing partnerships, and take stock of what more needs to be done. I hope your time at this event today and tomorrow is worthwhile and productive.