Speech given by James Brokenshire at the ISPA annual conference.
Thank you very much for having me here today. I welcome the opportunity to speak to you. The internet continues to be a powerful force in shaping the future UK and global economy, enabling remarkable innovation, collaboration and growth. Internet Service Providers are key players in that. You play a central role in ensuring the cyber security of the UK, so that the UK continues to be an attractive and safe place to do business, and the public are protected from those who use the internet for harmful and criminal purposes. And that will continue to be the case, as we look ahead to the future of the internet and ISPs.
Today, I would like to focus on:
- The threat we face from cyber crime
- How the government plans to tackle this threat, including through the National Cyber Security Programme, changes in the law enforcement and legal landscape and the new Serious and Organised Crime Strategy
- How government and industry can work in partnership to tackle the threat from cyber crime and reduce the vulnerabilities of businesses and individuals online.
I’ll start with the threat.
The National Security Strategy published in 2010 identifies the risk of hostile attacks on UK cyberspace by other states and large scale cyber crime as a ‘Tier One’ priority for UK national security. The risk of a significant increase in the level of organised crime affecting the UK is a ‘Tier Two’ priority.
There are two criminal activities here:
- Cyber-dependent crime, which can only be committed using computers or other information communication technology. Examples include the creation and spread of malware for financial gain, hacking to steal personal or industry data, and denial of service attacks to cause reputational damage; and
- Cyber-enabled crime, which can be conducted online or offline, but online can take place at unprecedented scale and speed. For example, cyber-enabled card-not-present fraud cost banks an estimated £140.2 million in 2012. In the same year, cyber-enabled banking fraud was estimated to have cost £39.6million.
More research is needed on the overall cost of cyber crime to the UK. So I am establishing a working group of academic experts and research partners to improve these estimates.
But recent law enforcement operations show the challenges we face. The ambition and complexity of these criminal activities was shown in the arrest, in September, of 11 men on suspicion of conspiracy to steal from Santander Bank.
And the scale can be seen in a recent operation, jointly conducted by the National Cyber Crime Unit, FBI, and other partners, which led to the arrest of 11 people for crimes that are estimated to have resulted in losses of over $200 million.
A third example shows how plausible these attacks can be. In November, six people were convicted of conspiracy to defraud after an investigation launched by the Metropolitan Police and concluded by the NCCU. The criminals posted fake job adverts on websites like Gumtree. Respondents were asked to complete an online application form, but the hyperlink downloaded computer malware which recorded the victims’ keystrokes, capturing their financial and personal data. Mobile phone and online chat records showed the group had made more than £300,000 from the fraud.
So How is Government Leading the Strategic Response to this Threat?
The National Cyber Security Strategy, launched in 2011, sets out the government’s approach to increasing the cyber security of the UK. The strategy is supported by the National Cyber Security Programme, through which the government has committed £860 million over five years (from 2011 to 2016) to protect and promote the UK in a digital world.
The Cabinet Office co-ordinates this work. The funding is distributed among government departments and agencies involved in order to help the UK to:
- Tackle cyber crime and be one of the most secure places in the world to do business in cyberspace;
- Be more resilient to cyber attacks and better able to protect our interests in cyberspace; and
- Help shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies.
This activity is complemented by other developments. In October the government launched a strategy to reduce the level of serious and organised crime, including cyber crime. It sets out how we will take action at every opportunity to prevent people getting involved in serious and organised crime; to strengthen our protection against it; to prepare how we respond; and, most importantly, to pursue the criminals, prosecuting them and disrupting their activities.
Prosecuting Cyber Criminals
I would briefly like to focus on law enforcement agencies’ efforts to disrupt and prosecute cyber criminals, and our work to help protect the private sector and the public.
The effort to relentlessly disrupt serious and organised crime and reduce the threat posed to the UK is being led by the National Crime Agency. The NCA’s Intelligence Hub has a single strategic intelligence picture of serious and organised crime threats to the UK, including from cyber crime. This picture of the threat is enabling the law enforcement community better to identify and respond to threats and vulnerabilities.
The NCA has four commands covering: Organised Crime, Border Policing, Economic Crime, and Child Exploitation and Online Protection. The National Cyber Crime Unit supports all four commands as the centre of excellence for tackling cyber crime.
Our work to improve law enforcement’s capability to tackle cyber crime goes beyond the creation of the NCCU. Half of the NCA’s 4,000 officers will be trained in digital investigation skills. We are also providing extra funding through the National Cyber Security Programme so that each Regional Organised Crime Unit will have a dedicated cyber crime unit. And the NCCU will help drive up cyber skills in local forces. Through its partnership with the College of Policing, we aim to train 5,000 police officers and staff by 2015.
I am delighted with the work already undertaken by the NCCU. For example, a young person in London was recently arrested as part of an ongoing investigation into one of the largest cyber attacks ever seen. The NCCU used sophisticated technical skills to preserve evidence and coordinated this arrest with international law enforcement partners as part of a wider investigation.
Tackling Cyber Crime Together
Of course we know that the UK cannot tackle cyber crime on its own. Cyber criminals threaten the UK from locations across the globe. International collaboration is a vital part of the NCA’s approach to cutting crime, including cyber crime. The NCCU is already working closely with a range of international partners, including the European Cyber Crime Centre in Europol.
The FBI recently described their relationship with the NCCU as “the best illustration” of the paradigm shift they have been undergoing in their engagement with law enforcement, industry, and international partners.
The UK has rightly been recognised as a leading player on cyber issues following the London Conference on Cyberspace in November 2011, and I was encouraged by the constructive discussions at the Seoul Conference on Cyberspace last month. In our international engagement, in the EU, and in multilateral fora we have continued to promote the UK’s vision of an open, vibrant and secure cyberspace.
The government has ratified the Budapest Convention, the main international agreement on tackling cyber crime. Our ratification of the Convention signals our willingness to support other countries to tackle this international crime. All countries should put in place appropriate legislation to tackle these crimes, and the Budapest Convention is the best model for this.
We now need to focus less on international treaties and focus our collective efforts on how to improve the practical response to the threat from cyber crime, such as how the UK supports the development of capability in other countries through the Cyber Capacity Building Fund, which was announced by the Foreign Secretary at the Budapest Conference on Cyberspace in October 2012.
Of course, we also need to ensure that the UK has the right legal frameworks in place to effectively investigate and prosecute criminals online. The government is committed to ensuring that law enforcement and intelligence agencies have the powers they need to investigate cyber crimes. We are considering how these capabilities can be delivered, and will put forward proposals as soon as possible.
In addition, we will amend the Computer Misuse Act next year to implement the EU Directive on Attacks Against Information Systems.
The Role of ISPs
I have set out the cyber threat and our strategic, law enforcement and legal response. The final element I would like to talk about today is the role of industry, and particularly ISPs, in helping to improve the UK’s cyber security.
It is vital that we have effective intelligence-sharing relationships so that law enforcement agencies have the full intelligence picture and so that firms can protect their systems. It is important that you continue to report fraud and cyber crimes to Action Fraud, and share intelligence on the threats within industry.
This intelligence-sharing is supported by the Cyber Information Sharing Partnership (CISP) which launched this year. This is a secure environment through which industry can share real-time information on cyber security threats and mitigations. The security services, law enforcement agencies, and government can also share information through the CISP. Over 200 organisations are already participating.
We are also establishing a national Computer Emergency Response Team (CERT) to improve co-ordination of cyber incidents. The CERT will act as a focus point for international sharing of technical information on cyber security. The UK CERT will allow us to bring together strands of our cyber response and simplify our engagement with international partners.
This intelligence-sharing is underpinned by strong relationships. The NCA is building direct relationships with industry. It supports both proactive investigations and a fast-time response to the most serious incidents. It receives intelligence and reports from the private sector. And it produces threat assessments and targeted alerts on emerging threats to help firms reduce their risks and vulnerabilities.
Creation of Cyber Crime Reduction Partnership
I also want my own direct relationships with you. To do this, I have created the Cyber Crime Reduction Partnership with David Willets (the Minister for Universities and Science). This gives me a opportunity to hear the views of ISPA and the other sectors and academics who attend. Mark [Mark Gracey, Chair of ISPA] and Andy Archibald, Interim Head of the NCCU, jointly lead a work stream to improve cooperation between industry and law enforcement agencies. I look forward to our future work in this area.
But this is about more than the government and industry. The public is often the end user of your products and services. Their cyber security vulnerabilities can all too easily become your cyber security vulnerabilities. So we need to improve the public’s awareness of how to stay safe online.
We will shortly be running a large campaign to improve the online safety behaviours of consumers and SMEs. I thank the ISPs who have already pledged their support for the campaign, alongside a growing list of supporters from other sectors including anti-virus software companies, telecommunications firms, and high street banks. I encourage you all to consider how you can also support the campaign.
Tackling Online Child Sexual Exploitation
Another area where you can continue to help protect the public is to support work to tackle online child sexual exploitation. I know that many of you here support the work of the Internet Watch Foundation, and have helped protect children and the wider public by taking action to block indecent images based on the IWF list. As you will be aware, the Prime Minister has called for more action to tackle the availability and sharing of images, and in particular that search engines should take responsibility for ensuring that it is difficult to access illegal images through their services. The search engines have now made changes to their search functions to support this, and National Crime Agency testing of these new measures shows that they have been effective in making it harder to access child abuse images, videos or pathways.
We have also asked search engine providers to work with law enforcement agencies to develop effective deterrence messages for users who try to access child abuse images.
We have been working with industry and CEOP to develop these solutions, and I thank the firms for their support. The objective is to make it more difficult for users to access indecent images of children, whether they do so deliberately or inadvertently.
These changes will help deter the relatively unsophisticated offender, and make it harder for them to access illegal images. To tackle the more sophisticated offender, for example those who use tools such as The Onion Router (TOR), we need to engage with industry and use your skills.
On 9 December the UK Policing Minister and the US Assistant Attorney General will co-chair the first meeting of the taskforce combat online child sexual exploitation crimes. The Child Exploitation and Online Protection Command of the NCA, the FBI, and Homeland Security Investigations will all be members.
The taskforce will work hand-in-hand with an Industry Solutions Group, which will design technological solutions to these crimes. Joanna Shields, UK Ambassador for Digital Industries, will lead the engagement with this group, building upon the collaborative work already in place. Membership of the Industry Solutions Group will include technical experts from ISPs and representatives from other important online sectors such as search engines; social networks; and data storage, encryption, and antivirus software providers.
I encourage you all to consider how you can support the work of the Taskforce and its Industry Solutions Group.
Messages to Remember
So what messages do I hope you will hold onto as you head into the interesting panel discussions which follow?
We are committed to working closely with industry to reduce the cyber threats we face. We will bring all our law enforcement capabilities to bear in the relentless pursuit of cyber criminals. And we will provide support and information to help you protect yourselves against the cyber threat.
In return, I ask you to share information with law enforcement agencies and with each other so that we can reduce our vulnerabilities. And I ask you to work with us to reduce the public’s vulnerabilities to cyber crime and help protect children from online sexual exploitation.
Today’s conference asks what lies ahead for the internet industry, and I know you will have some very interesting discussions on that. As you consider the exciting future of the internet, I hope you will reflect on the need to build in cyber security from the outset.