Karen Bradley's Speech to the Finance Services’ Cybercrime Summit
Speech delivered by Karen Bradley on Tuesday 15 July at the America Square Conference Centre
83% of households in the UK have access to the internet, and 3 in 4 adults use the internet every day.
We’re doing our supermarket shopping on our smartphone on the train, booking a summer holiday on our tablets, and talking to colleagues and friends across the world over the internet. This provides amazing opportunities for us all, both in our personal and professional lives.
And more and more people are using the internet. In 2012, 33 million people in the UK went online every day. That is more than double the level six years before.
More people use the internet, and new and easier ways to get online are being constantly developed.
As a result, there’s more personal and sensitive data being sent out across the web. Businesses which are not already online are getting online.
This means that there’s increasing opportunities for criminals to access our data and cause havoc to businesses and individuals. These cyber criminals are often incredibly well organised, and highly sophisticated.
Collectively, we are faced with an enormous challenge of how to protect ourselves and our businesses from cyber attacks, and how to catch those who commit these crimes. I am Karen Bradley, the Minister responsible for Serious and Organised Crime, leading the UK Government’s work on cyber crime and I’m here to tell you what the Government is doing to tackle cyber crime.
Threat
We know that cyber crime undermines confidence in our communications technology and online businesses.
Cyber criminals are not only taking money from businesses through their attacks, but these attacks have a terrible impact on consumer confidence in using internet companies. What we need to do is to work together to make sure business online is safe and secure, and that people carrying out business online are protected. You’ll hear about the specific threats to the financial sector from the next speaker, Ciaran Martin, GCHQ’s Director General for Government and Industry Cyber Security. What I want to tell you about is the Government response, and how you can help.
National Cyber Security Programme
Government has a key role to play in tackling cyber crime, and improving cyber security.
The National Cyber Security Strategy was launched in 2011, and one of its four objectives is to make the UK one of the most secure places in the world to do business in cyberspace.
The National Cyber Security Programme underpins the strategy and delivers its objectives.
We have dedicated £860 million over five years to deliver a real improvement in the UK’s cyber capabilities.
The Programme is in its fourth year and has made significant steps.
Notably, the creation of the National Cyber Crime Unit, (the NCCU) within the National Crime Agency (NCA); the launch of CERT-UK, the UK’s first single computer emergency response team for national cyber incident management; and, the launch of the Cyber Security Information Sharing Partnership (the CiSP) now part of CERT-UK, the first secure government-industry forum for information sharing on key cyber threats.
Serious and Organised Crime Strategy
On 7 October last year we launched the new Serious and Organised Crime Strategy. The Strategy refines the approach to tackling serious and organised crime, based on the framework of the Counter-Terrorism Strategy, CONTEST. There are four areas of focus: Pursue, Prevent, Protect and Prepare.
PURSUE – prosecuting and disrupting organised crime gangs. In others words, catching the bad guys. PREVENT - stopping people from becoming involved in and remaining involved in, serious and organised crime. In other words, stopping the bad guys from being bad guys. PROTECT - reducing our vulnerability to harm from these groups by strengthening our systems and processes and providing advice to the private sector and the public. In other words, helping you avoid becoming a victim of the bad guys. And PREPARE – reducing the impact of serious and organised crime when it happens. So, helping victims and wider communities to recover when the criminals strike. I will focus today on the PURSUE and PROTECT areas of our work.
Pursue
The Government is changing the way cyber criminals are pursued. We know that law enforcement needs to have the right skills and tools to respond to the changing ways in which crime is being committed.
To successfully tackle cyber crime, police need to have the knowledge and skills that cyber criminals are themselves equipped with.
The NCA leads the crime fighting response to the most serious incidents of cyber-dependant and cyber-enabled crime through NCCU and its commands including the Economic Crime Command.
The NCA is working with regional and local policing, in particular through the network of Regional Organised Crime Units , or ROCUs, which have been set up to work across local police force boundaries to provide new ways of working.
Through increased investment, dedicated cyber and fraud units are being developed within these regional teams.
And through the College of Policing, we are also working to improve cyber knowledge in local police forces with a dedicated training programme.
There are real opportunities for industry and law enforcement to work together to build skills to tackle cyber crime, and to understand the changing threats.
The ROCUs are establishing relationships with businesses in their regions, and the NCCU is sharing information on cyber attacks with the private sector. But this is just a start. There is much more that can be done by working together.
In addition to increasing law enforcement capabilities, we want to make the legislative response stronger. The Serious Crime Bill was published in June, and is now progressing through Parliament.
This Bill contains amendments to existing legislation, which will mean that those who are found guilty of committing cyber attacks which cause serious damage, including to the economy, face lengthy prison sentences.
Pursue International
However, the UK cannot tackle cyber crime alone. Cyber crime is a global problem. Those committing the crimes are operating across international borders, making it incredibly difficult to bring them to justice. We need to work with our international partners in order to find a global solution.
That is why at the heart of the NCA’s approach to cutting cyber crime is international collaboration, through its relationship with the European Cyber Crime Centre in Europol, and working closely with other international law enforcement agencies.
Last month the NCA issued an alert to protect yourself and your business against two variants of malware, known as GameOverZeus and Cryptolocker. I hope you took protective action yourself as a result of this alert, and encouraged your customers to do the same.
Early indications show the success of the operation - a marked increase in downloads of malware removal tools and a significant drop in breaches attributable to this malware.
Data from industry partners suggests that there has been a 32% reduction in UK GameOverZeus infections. This is a great result.
NCA are not just part of this collaborative international effort.
They are leading the way.
You will have heard last week about Project Disputed. In the first project of its kind for a UK law enforcement agency, the NCA have led the investigation targeting Shylock malware, and bringing together partners from across law enforcement and industry to disrupt the servers that the malware relies on. These partners include GCHQ – Ciaran will tell you more about the vital part they play in this operation.
These are fantastic examples of how we work with, and lead our international partners to pursue cyber criminals across borders, and to protect the public and private sector from attacks.
Protect
Of course, it is better to protect ourselves and our systems from an attack than wait until our personal and business data, finances and confidence is stolen and compromised. That is why Protect - stopping business and individuals becoming victims of cyber criminals - is a fundamental part of the Government response to the threat of cyber crime.
GCHQ estimates that 80% or more of successful attacks could be defeated by implementing simple best practice cyber security standards. We all have a responsibility to ensure we understand what can be done to protect ourselves at an individual and company level.
Just last month we launched the Cyber Essentials Scheme, an industry-led organisational standard for cyber security, which gives a clear baseline to aim for in addressing cyber security risks to your companies.
Cyber Essentials is relevant to all your organisations. It applies to all businesses of any size, and any sector. We want to see all organisations adopt the requirements to some degree. And this is not just for the private sector. It applies to academia, charities and the public sector.
Cyber Essentials sits alongside other existing products to help businesses build their protection against cyber crime.
We have guidance for industry Chief Executives and board members, and last year we published tailored guidance for SMEs.
I encourage you all to use the guidance available. These are really simple steps that can make a considerable reduction to your cyber vulnerability.
The Government has listened to what industry needs. We are helping industry to ensure that they have competent cyber security professionals, and that internal cyber security courses are consistent with Government standards.
We are also supporting the growth of the UK cyber security industry, with an emphasis on increasing exports.
We have set a target to increase cyber security exports to £2bn by 2016, and we have a programme of initiatives to support this including help to overcome barriers for entry into key markets.
Awareness Raising
Every internet user needs to think about the way they act online, whether they are daily users or not. We are all responsible for reducing our personal cyber vulnerabilities. We are committed to helping to do this, and are working to raise awareness of how to stay safe online. Cyber Streetwise is the Government’s first national cyber security awareness campaign, helping individuals and small businesses to understand what they should do to enhance their security online. We are continuing to promote this with a further phase of the campaign later this year to reach as many people and small businesses as possible.
We want people to know the key things to do in order to act safely online, and to make it second nature when using the internet.
Information Sharing
Protection is vital in the fight against cyber crime, but attacks will unfortunately still happen.
So what can you do if you are attacked?
We need you to share what you know.
The information about that attack is important. It could help to protect another company from becoming a victim. Sharing information will help police understand the evolving threat picture, and take the appropriate action against the criminals.
The NCA has a dedicated intelligence capability, which produces threat assessment and targeted alerts and disseminates these to industry.
But the private sector holds a huge amount of information that will help to build a better threat picture. We need your help.
Companies need to share information with each other to help build protective security. We have developed a platform for you to do this.
The CISP provides a secure space for companies to share information on cyber threats, and to work together to protect their systems, which means businesses can take action to mitigate their vulnerability to attack. But the information is only as good as the information you, as industry, share. Its success is driven by you.
CERT-UK, the UK’s national Computer Emergency Response Team, launched this year, and now houses the CISP.
This will further build on the success of the CISP, and add in an international element for its information and analysis function.
And CERT-UK will be working collaboratively with industry, government and academia to enhance UK cyber resilience. It works closely with critical national infrastructure companies, providing guidance and advice as well as helping those companies to respond to cyber incidents.
Cyber criminals are organised, highly skilled and numerous. But look at the wealth of resources, skills and experience we have in front of us, in business, law enforcement and across government.
As a group we have incredible expertise, thousands of highly skilled individuals and a vast amount of information. We can get ahead of cyber criminals. We can stop them. We just need to break out of our silos and work collaboratively, and cleverly.
Conclusion
What I want you to take away from this is to know that we, the Government, see tackling cyber crime as a top priority. We are committed to working closely with you to reduce the threats to you. We will continue to build our law enforcement capabilities to pursue cyber criminals, and disrupt their activities. We will work with our international partners to tackle the global threat. We will provide you with alerts and threat assessments. But we need your help. We need you to share what you can with each other so you can protect yourselves. And we need you to share it with us so we can understand the evolving problems and work with you on how to protect your business. We need you to protect yourselves and your customers. Promote the guidance that is out there. I hope you have a productive day, and I look forward to learning about what you discuss. Thank you.