1 June 2011
Francis Maude, Minister for the Cabinet Office and Cyber Security, delivered a keynote speech at a conference in London.
Ladies and gentlemen,
I realise that I’m joining you at the end of a long day of speeches and discussions, and that you’ve now only got me and one other speaker to go before drinks and dinner. So I shall be brief.
It’s a real pleasure to be here this afternoon, and to have the opportunity to share with you a little of the UK’s perspective on cyber security, and to explain where it fits alongside my existing responsibilities as Minister for the Cabinet Office. First, though, I’d like to pay tribute to the UK’s previous Cyber Security Minister, Baroness Pauline Neville-Jones.
I’m aware that Pauline is well known to many of you; either in person or by reputation. She has a wealth of cyber security experience and a real passion for the subject, and has done a great deal in the last year to push it up the UK’s national agenda. We are indebted to her for her efforts; my challenge is to take things to the next level. I’m also delighted that she has accepted the Prime Minister’s invitation to take up a new role as the UK government’s Special Representative to Industry on Cyber Security, and I am sure that we are all looking forward to working with her in this new capacity.
The policy wonks among you may already know that as Minister for the Cabinet Office I am principally responsible for the public sector efficiency and reform agenda, a key part of which is the drive towards government transparency – in other words, the opening up of every sort of government-held information to public scrutiny and commercial enterprise. To all this, computing and the internet are absolutely fundamental. Technology on its own, though, is not enough; it needs to be underpinned by genuine confidence in its use. Confidence that it will work, confidence that it is resilient and confidence that it is secure. Furthermore this confidence has to be shared equally by the providers of these services - the government - and the consumers of these services - industry and the general public.
A century ago, the invention of the motorcar spawned an age of mass travel – of freedom to explore, investigate, widen horizons and become intimate not just with one’s immediate locality, but with a whole world beyond. It transformed everything about our society, overwhelmingly for the better. It also, of course, brought road accidents, and to reduce them a whole panoply of new rules and regulations. The superhighways of the internet are similarly transformative for the good, but similarly need their speed cameras and crash barriers – not so as to stop people travelling, but to allow them to do so safely.
Identity assurance is one such measure that we shall be championing as we head towards an assumption that government services should be digital by default, and in this respect I am very much indebted to the work of Martha Lane-Fox, founder of one of Britain’s pioneering internet businesses, the discount bookings company Lastminute.com. The work done in recent years to put the services of the DVLA – Britain’s vehicle licensing authority - online is a great start, but we must go wider and deeper, while at the same time assuring the public that we are not creating a Big Brother state.
I hope that you can see that my new responsibilities for cyber security are a good fit with my existing portfolio; albeit that my cyber security remit goes far beyond underpinning the essential confidence in the UK government’s specific slice of cyberspace. When it comes to delivering the government’s National Cyber Security Programme, the emphasis is on the word ‘National’; it is about underpinning confidence that the UK is a safe place to do business in cyberspace and that in turn means engaging with the public, with industry and with other countries to ensure that we all benefit from a safe, secure and resilient cyberspace.
To achieve this we need to tackle the insidious nature of cyber-crime and the near industrial scale of cyber-espionage. Exact figures are hard to pin down, but a recent study suggests that cyber-crime now costs the UK £27billion annually - £2.2 billion of this to government, £3.1 billion to individuals, in the form of fraud and ID theft, and by far the largest portion - £21 billion – to industry, in the form of theft of intellectual property, customer data and price-sensitive information. These are only rough estimates, but they give and idea of the vast scale of the problem. I wouldn’t like to hazard a guess as to the global cost of such criminality but it is clearly a major inhibitor of international growth and prosperity.
It is heartening to see that this is now being acknowledged at the highest levels. During President Obama’s state visit to UK last week he and the Prime Minister issued a joint communiqué on cyber security, and it was discussed again the next day, at the G8 meeting in France. I would like to quote just one sentence from the final communiqué at the end of last Wednesday’s meeting here in London between President Obama and Prime Minister Cameron, which sums up our joint approach very neatly:
The UK and the US will work together to nurture and accelerate the opportunities and growth that cyberspace offers the global economy by building international consensus on the broad principles that will sustain and enhance the prosperity, security and openness of our networked world.”
It was with exactly this aim in mind that, when he spoke at the Munich Security Conference in February, my colleague William Hague outlined seven principles for behaviour in cyberspace, and offered to host a conference in London this autumn, to help develop the international consensus referred to during last week’s state visit. Planning for the London International Cyber Conference is now underway, at which work will begin on fleshing out the Foreign Secretary’s seven principles into a set of workable, agreed norms. In addition to senior government figures from around the world, representatives of the private sector, civil society and academia will be invited, so as to ensure that a wide spread of voices is heard.
It is all very well talking internationally about the future shape and nature of cyberspace, but we also need to act now to secure what we have achieved thus far. The Budapest Convention on Cybercrime, designed to speed up the investigation of computer crime that crosses national borders, is currently one of the primary weapons in our international armoury in this respect, and I am pleased to say that the UK has just joined the growing list of countries that have ratified this convention.
I am delighted to be able to say that after a year’s preparatory work the UK’s new National Cyber Security Programme (NCSP) has gone live, with £650m of new funding allotted to it over the next four years. Designed to tackle cyber crime and industrial espionage as well threats to national security, its remit is broad. New money will go to GCHQ – that’s Britain’s electronic surveillance headquarters at Cheltenham - and to a new cyber capability within the Ministry of Defence. But it will also go into the police, into developing formal training courses in schools and colleges, into a public awareness campaign, and into learning from the private sector, which is often far in advance of government in this field.
Cyber crime, let me repeat, is something that concerns all of us. Year by year, the internet becomes ever more integral to our societies – to the way we chat, do business, shop, learn, pay our taxes, find the best surgeon for an operation or the right school for our child. Whole new communities, businesses, ways of becoming better informed or simply having fun exist on the back of a technology that is still only twenty years old. As for the early motorists, there’s still a long, long way to go, and all we can say for sure about the journey is that we will get to places that today we can’t even imagine. For that to happen, though, the highway needs rules and policing, not so as to restrict its use, but so as to keep it safe, reliable and open for all.
Keeping that highway open isn’t only the task of governments. State-sponsored internet attacks – ‘cyber warfare’ in the slang – get most media time, as do governments’ moves – like our new cyber-capability within the MoD – to combat them. But this isn’t just James Bond territory. As I pointed out earlier, here in Britain the large majority of financial losses attributable to cyber-crime – an estimated £21billion out of £27 billion - are borne not by government, but by industry. How to get those numbers down should be on the agenda not just of politicians, but of CEOS; it’s a subject for the boardroom, not just the Cabinet Room.
Making it happen means working together; forging relationships not only between government departments and agencies but between public and private, across borders and with wider society, right down to each individual one of us, sitting at home in the glow of our all-enabling laptops. The internet is an amazing, wonderful thing, and we want to keep it that way. We are playing our part, and we invite you to join us in playing yours.