Security and freedom in the cyber age - seeking the rules of the road
This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
In a speech to the Munich Security Conference, Foreign Secretary William Hague said that Britain is "ready to play its part" in responding to the security challenges.
It is a pleasure to be here at the Munich Security Conference and to share a platform with two such distinguished speakers. It is one of the first principles of security that you must look ahead to anticipate the evolution of future threats, even during times of austerity, which is why I would like to speak today on the subject of cyber security.
Cyberspace is changing the way we view and conduct foreign policy as well as transforming our everyday lives.
The political upheaval in Egypt is a recent example. The Egyptian government tried to shut down the internet and mobile phone networks and broadcasters like Al Jazeera. The CEO of Vodafone called me just before to discuss the attempt made yesterday by the Egyptian authorities to send messages to all their supporters via the Vodafone network. Twitter and Google created a ‘speak-to-tweet service’ so that Egyptian citizens could circumvent government controls. And NGOs like Amnesty International sent live updates about casualties via Twitter. There are also reports of authorities in third countries blocking internet searches for the words “Egypt” and “Cairo”.
The internet, with its incredible connective power, has created opportunity on a vast and growing scale; unlocking economic potential, revolutionising access to information and requiring democratic governments to be more transparent.
It has transformed traditional notions of hierarchy and authority.
It blurs geographical boundaries, allowing people on opposite sides of the world to communicate at the speed of light and to organise themselves around a sense of anger or common identity. As a colleague of mine Lord Howell has written, “for better or worse we are destined to be all connected, rich and poor, developed and developing, benign and malign, small and mighty”.
But there is a darker side to cyberspace that arises from our dependence on it.
We rely on computer networks for the water in our taps, the electricity in our kitchens, the ‘sat navs’ in our cars, the running of trains, the storing of our medical records, the availability of food in our supermarkets and the flow of money into high street cash machines.
Many government services are now delivered via the internet, as is education in many classrooms. In the UK 70% of younger internet users bank online and two thirds of all adults shop on the internet. This is not a phenomenon confined to any one part of the world. In less than 15 years the number of web users has exploded from 16 million in 1995 to more than 1.7 billion today, more than half of whom are in developing countries. By 2015, it is said that there will be more interconnected devices on the planet than humans.
Along with its numerous benefits, cyberspace has created new means of repression, enabling undemocratic governments to violate the human rights of their citizens.
It has opened up new channels for hostile governments to probe our defences and attempt to steal our confidential information or intellectual property.
It has promoted fears of future ‘cyber war’.
It has enabled terrorist networks to plan atrocities, flood internet chat rooms with their ideology and prey on the vulnerable from thousands of miles away.
And it provides rich pickings for criminals. On-line criminals steal the identities of ordinary citizens. They empty bank-accounts, extort money from firms and defraud government departments, and cost the global economy as much as $1 trillion annually.
The intelligence reports I see as Foreign Secretary show that just one criminal computer programme can harvest over thirty gigabytes of stolen passwords and credit card details from over a hundred countries in a matter of days, causing millions of pounds worth of fraud. Over 40,000 pieces of sensitive information and financial data are traded on the online black market every day, amounting to 13.2 million criminal transactions every year.
Government systems are being targeted too. ZEUS is a well-known piece of malware that attempts to steal banking information and other personal details. In late December a spoofed email purporting to be from the White House was sent to a large number of international recipients who were directed to click on a link that then downloaded a variant of ZEUS. The UK Government was targeted in this attack and a large number of emails bypassed some of our filters. Our experts were able to clear up the infection, but more sophisticated attacks such as these are becoming more common.
Last year the national security interests of the UK were targeted in a deliberate attack on our defence industry. A malicious file posing as a report on a nuclear Trident missile was sent to a defence contractor by someone masquerading as an employee of another defence contractor. Good protective security meant that the email was detected and blocked, but its purpose was undoubtedly to steal information relating to our most sensitive defence projects.
And last month three of my staff were sent an email, apparently from a British colleague outside the FCO, working on their region. The email claimed to be about a forthcoming visit to the region and looked quite innocent. In fact it was from a hostile state intelligence agency and contained computer code embedded in the attached document that would have attacked their machine. Luckily, our systems identified it and stopped it from ever reaching my staff.
We have excellent defences and protective security is a fundamental part of cyber security. But these are the kinds of threat we are now facing every day, and our concept of what it means to be ‘secure’ must adapt in response.
Defences at home
As a new Government we have moved quickly to counter these threats.
We have produced a new National Security Strategy which ranks cyber attack and cyber crime in our top five highest priority risks.
We have provided £650 million of new funding for a national cyber-security programme, which will improve our capabilities in cyber-space and pull together government efforts.
We have established a new Ministerial Group on cyber security which I chair.
And we have boosted the UK’s cyber capabilities with the establishment of a new Defence Cyber Operations Group, incorporating cyber security into the mainstream of our defence planning and operation.
Cyber space presents new opportunities to those who seek to act against us, but it also gives us new means of protecting our interests. We are working with the private sector, to ensure secure and resilient critical infrastructure and the strong skills base needed to seize the economic opportunities of cyber space, and to raise awareness of online threats among members of the public.
Need for agreed international norms in cyberspace
But being global, cyber threats also call for a collective response.
In Britain we believe that the time has come to start seeking international agreement about norms in cyberspace.
Cyber-security is on the agendas of some thirty multilateral organisations, from the UN to the OCSE and the G8. NATO’s Lisbon Summit in November launched a new programme to defend NATO’s communication systems from cyber attack. But much of this debate is fragmented and lacks focus.
We believe there is a need for a more comprehensive, structured dialogue to begin to build consensus among like-minded countries and to lay the basis for agreement on a set of standards on how countries should act in cyberspace. How this dialogue is organised is up for discussion. But we need to get the ball rolling faster.
To this end, the UK is prepared to host an international conference later this year to discuss norms of acceptable behaviour in cyber-space, bringing countries together to explore mechanisms for giving such standards real political and diplomatic weight.
We do not underestimate the difficulties ahead. Many countries do not share our view of the positive impact of the internet, and others are actively working against us in a hostile manner.
However as liberal democracies we also have a compelling interest in supporting democratic ideals in cyberspace, and working to convince others of this vision. When we talk about defending ourselves against cyber threats, we also mean the threat against individual rights to freedom of expression that is posed by states blocking internet communications. The free flow of ideas and information is an essential underpinning of liberty. The UK is determined to be at the forefront of efforts to safeguard freedom of expression on the internet, working with industry and likeminded governments.
So in Britain’s view, seven principles should underpin future international norms about the use of cyberspace:
The need for governments to act proportionately in cyberspace and in accordance with national and international law;
The need for everyone to have the ability - in terms of skills, technology, confidence and opportunity - to access cyberspace;
The need for users of cyberspace to show tolerance and respect for diversity of language, culture and ideas;
Ensuring that cyberspace remains open to innovation and the free flow of ideas, information and expression;
The need to respect individual rights of privacy and to provide proper protection to intellectual property;
The need for us all to work collectively to tackle the threat from criminals acting online;
And the promotion of a competitive environment which ensures a fair return on investment in network, services and content.
We are open to the ideas of others and we have already begun to discuss cyber with our allies in Washington, Paris, Berlin, Canberra and elsewhere. We must widen the debate over the coming year. We have a major opportunity to promote the Budapest Convention on Cyber Crime, which the UK will look to do when we chair the Council of Europe from November. Here, as in every debate about how to fashion collective responses to the security challenges of our time, Britain is ready to play its part.