Speech on second anniversary of the Cyber Security Strategy
This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government
Francis Maude spoke at the second anniversary of the Cyber Security Strategy, providing a forward look and discussing achievements so far.
Thank you all for being here today to give us the chance to talk a bit about where we are, what we’ve done and what we’re going to do.
Most of what I do in government is about stopping people spending money. I’m kind of “Minister No” or “Dr No” – the “abominable no-man”. Last financial year we saved through cutting out waste over £10 billion and we’ve just announced fairly recently in the first half of the current financial year we saved £5.4 billion – which is a 70% increase on the savings from the year before. So I’ll just get that plug in while I’ve got you here.
Read the Cyber Security Strategy and progress against its objectives since its publication in December 2011.
But the background to that, why are we doing it? It’s because of the really difficult fiscal situation where the outgoing Chief Secretary said in May 2010 that there is no money. So we need to be able to spend money on the things that absolutely matter and one of those is cyber security.
So against the incredibly tight financial constraints we decided to increase spending on cyber security and a lot of credit for that decision goes to Baroness Neville-Jones, who was Minister for Security at the beginning of the coalition government, for whom this was a hugely important commitment.
And the government has backed that commitment with £650 million of investment over 4 years. We increased that earlier this year to add another £210 million for the out year 2015 to 2016 – and that tells you I think how highly cyber security ranks in our priorities. We’ve put it I think to good use.
2 years ago there wasn’t a clear law enforcement lead for tackling cybercrime.
Today, as you’ve heard, the National Cyber Crime Unit is the UK’s centre of expertise, providing resources, intelligence and guidance to police forces.
Frankly, 2 years ago our understanding of cyber security was relatively low and there wasn’t actually, in a sustained way, the means of expanding that knowledge. That’s changed now. A long way to go, but today we have 11 new Academic Centres of Excellence in Cyber Security Research, there are 3 new Research Institutes, 2 centres for doctoral training.
2 years ago there wasn’t a clear means of sharing information in real time between industry, government and the law enforcement agencies. Today the Cyber Security Information Sharing Partnership (CISP) that you’ve just been hearing about is up and running with over 250 businesses as members.
I recall when we launched CISP Howard Schmidt, the former White House cyber security tsar, commenting on how much the UK had achieved in a short space of time.
And I think that’s true. It’s very easy when we talk about the things we’ve done to sound as if we’re complacent. We’re absolutely not. This is incredibly fast moving and we need to be moving fast all the time.
But there are new structures, more resources, better intelligence: across the board our capability has been transformed.
You’ve heard some examples this morning of the law enforcement operations and arrests which are the practical results of that. We’ve got some laurels, but we absolutely can’t rest on them. We will either continue to get better or we will get worse. And we can’t risk that.
The £860 million that we have to spend goes along way for sure.
But it’s not limitless - which is why partnerships are absolutely at the core of Britain’s National Cyber Security Strategy.
The internet is fantastic. When we talk about cyber security it sounds dark and threatening and we’ve done our best here to make people’s flesh creep. But why is cyber security a risk – because something absolutely brilliant has happened that has transformed businesses, people’s lives and has been a huge, huge upside.
But there are risks that come with that and so there’s a shared responsibility to make it safe. When government, businesses, individuals and families all take steps to protect themselves, our collective cyber security gets enhanced.
And this event really illustrates that partnership - and I’m going to outline some the ways we are planning to strengthen that collaboration and cooperation during 2014.
Partnership with business
Central to our approach is the desire to make the UK a safe place to do business.
So in September last year, 2012, we published the 10 Steps to Cyber Security and at Davos this year it was cited as an example of best practice.
And it’s being used – and used a lot - a recent survey indicated that the number of UK companies who have actively considered these lessons has leapt from 21% in July to 67% in November.
But the need to raise awareness is continuing. It will never end, because when you get yourself up to speed at one stage, the next day you are probably out of date. This is real time - changing all the time.
So we are developing an industry-led kite mark-style standard for cyber security. The focus is on essential steps that all businesses – whether they are corporate giants or start-ups – should be taking to protect themselves from low level threats.
Because we practice what we preach, next year all central government departments will be expected to adopt this standard for their own procurement. We don’t want it to be ridiculously onerous – especially for SMEs, we are opening up our procurement much more to SMEs right across the piece - so we will use the kite mark in a way that is proportionate and relevant, but it is important for us in ensuring the security of government supply chains.
We’re also grateful for the role that businesses are themselves playing to raise awareness.
So I’m pleased to announce today that 6 of the UK’s leading internet service providers (ISPs), working with the government, have co-developed a series of principles to guide how they inform, educate and protect their customers online. Early next year we will launch a new campaign to encourage the public to make simple changes to their online behaviour. Government funding of £4 million is being supported by around £2.3 million in financial and in-kind support from industry sponsors, including Facebook, Sophos, RBS Group, Trend Micro and Financial Fraud Action UK.
Many thanks to those here today - we would certainly welcome others on board for that initiative.
Partnerships for growth
Better cyber security shouldn’t be viewed as a necessary evil – it’s also an opportunity. The internet remains obviously a rich frontier for enterprise and innovation. The global cyber security market is growing – and growing fast - by more than 10% a year and Britain we’re good at this stuff so it’s an opportunity for us; we have firms with deep expertise in this area.
In the past year, I’ve visited large firms, like Sophos in Abingdon; I’ve visited SMEs like Titania, which supplies products to organisations in over 50 countries. That’s 1 of 40 small cyber security companies clustered around Malvern, rather improbably, in Worcestershire.
These are the industries of the future that can help the UK achieve strong lasting growth and compete and win in the global race.
The Cyber Growth Partnership includes techUK, which now represents over 850 technology organisations, and we will do everything we can to help them succeed. I know that Ian Livingstone, who has just taken up his role – I think he’s on his third day - as Minister for Trade, former chief executive of BT, is passionate about this industry and indeed was a leader when he was at BT and will being doing a lot to support these companies.
A new Cyber Security Suppliers’ scheme will enable businesses to use an exports badge to demonstrate to potential customers that they are a supplier of cyber products and services to us, the UK government.
Today I can tell you we’ve set a new target for cyber exports.
We aim to be exporting £2 billion worth of products and services by 2016 – that’s a sharp increase on the £850 million that we sold last year.
And I know that can be achieved because I’ve seen with my own eyes the brilliance of some of these companies. So when I meet my counterparts in other countries my message is simple: we’re open for business and we want to trade overseas.
GCHQ and the Security Services are also looking to Britain’s SMEs to encourage innovative solutions for their own technical needs. I was recently able to attend an event at Cheltenham racecourse – not on a race day - designed to introduce some of these firms to the opportunities that are available.
Cyber security isn’t – and mustn’t be - a barrier that prevents our security community from accessing the very best and newest ideas. For the same reason, better cyber security supports our digital-by-default agenda for public services. Digital public services that are simpler, faster and cheaper obviously also need to be secure, but useable. And too often we don’t strike the right trade off, between security and usability and that’s something we’re addressing rapidly.
Just as consumers need to know their money is safe when shopping or banking online, people also need to be confident that their data will be protected when they are applying for a passport or renewing their car tax over the internet.
That’s why we’re providing funding from the National Cyber Security Programme to support the work of the Government Digital Service to develop a new identity assurance scheme that will enable people to verify their identity so that they can use online services.
It’s easier for countries that have a national identity card and identity database. We don’t, we’re not going to. But we are developing an identity assurance scheme that will obviate the need to develop one. It’s being followed very closely elsewhere – the United States is going down the same path as we’re going down but we’re obviously very sorry to say they are someway behind us. No doubt they will try to catch up.
Improving the UK’s resilience
On our resilience, we have to build our own sovereign capability to detect and defeat cyber threats and we have constantly to be looking for ways to stay ahead of those who might try to attack our systems and networks. A new research institute is going to be created at Imperial College focussed on the security of the industrial control systems that drive our power stations and transport networks.
The National Computer Emergency Response Team, CERT-UK, is taking shape, to provide a core national incident management capability. The inaugural director, Chris Gibson, took up his post last month, with initial operational capability planned for very early next year. It’s good to see Chris here today.
Of course, a large proportion of investment goes toward ensuring that GCHQ and the Intelligence Services have the capability to protect us. And much of this is about situational awareness - without it we can’t prepare our defences; we can’t advise businesses or the public effectively. And inevitably, this work takes place away – mostly away - from public gaze. I’d like to take this opportunity to pay tribute to those on the frontline.
In October, I visited GCHQ to see their work first hand - and earlier this morning we heard from Stewart [Garrick] and Andy [Archibald] at the National Cyber Crime Unit. Their task is painstaking and as you’ve heard sometimes frustrating. The hacker or the cyber-criminal only needs to be successful once, but we have to be successful all the time: our defences have to hold around the clock, day-after-day. And the work that these people and agencies represents some of the very finest I have seen in a long career in the public sector.
Skills and education
It’s now vital that we ensure we have young talent coming through the education system and into the workplace to sustain and grow the UK’s cyber capabilities. While the online world has grown exponentially over the past 10 years, our training and education provision hasn’t kept pace at nearly the same rate.
Better skills absolutely underpin the whole Cyber Security Strategy, because we simply won’t achieve our other objectives without it.
So we’ve now developed cyber security content for each stage of education from GCSE through to masters degrees. The Open University is now developing a new online cyber security course which will be available free.
It’s targeted at non-specialists, but it will encourage those with an interest in the subject to take it further. It has the scope to reach 200,000 students this is a powerful way to bring high quality training to a mass audience.
And talent won’t always be found in the usual places - some of the brightest and best are self-taught. GCHQ’s new technical apprenticeship scheme is identifying gifted school leavers, just as the MOD’s Cyber Reserve will draw on skills that already exist in ordinary homes and workplaces around the country.
We want to avoid a gap in our cyber defences in 10 or 20 years’ time, and we need to start with younger pupils. Over the past year around 600 schools have taken part in the pilot of Cyber Security Challenge Schools Competition. We have been thrilled at the level of participation. It shows that if we make cyber skills fun, exciting and relevant, we can spark the kind of interest that I hope will grow into a career ambition. And it happens in some improbable places. I remember meeting a young apprentice at one of those companies in Malvern. He’d been thrown out of school. He wasn’t succeeding academically. He wasn’t going to. He loved computers and he’s brilliant and he is actually going to be one of the big brains of the future. So it isn’t always going the conventional academic path that will lead to the skills we need. We’d rather people with those skills were working on our side rather than the dark side.
So we are offering a further grant of £100,000 to the Cyber Security Challenge to expand the pilot regionally and nationally, so it can run twice yearly, and can link participating schools to local universities.
And this will help sow the seeds that will enable us to succeed in the years and the decades to come.
Lastly, the internet clearly is global. Cybercrime isn’t an issue we can solve by ourselves. As you’ve heard, our higher education institutions have massive potential to develop skills abroad, not just at home.
So we are working with a number of initiatives to bring together UK academia with international counterparts. When I was in Israel earlier this year, we agreed with my Israeli counterparts that we would fund a joint UK-Israeli call for collaborative academic research between Israeli universities and ours.
And we are engaging with the Chevening, Commonwealth and Marshall international scholarship programmes, to make places available on a cyber policy course at Cranfield University.
These students have been identified as outstanding scholars with the potential to be future leaders. We want to encourage them to contribute to the development of international cyber policy, and in doing so to reinforce our reputation in the UK as a world-leader in cyber.
So, in conclusion, last year we were concentrated on raising awareness and understanding the threats; now our focus is on building the partnerships to deliver security, prosperity and the skills we need.
I’m proud of what’s being achieved here but this absolutely only the beginning. It is a work in progress – and frankly it will always be a work in progress. There will never be a moment when we say – when we dare say – that this is done.
We are reckoned to be in Britain already ahead of many other nations and that’s good, but we can’t even have a flicker of complacency about that.
So much remains to be done, and the partnership is crucial to this.
We are determined that Britain will have a safe and secure digital government, but also a safe and secure digital economy – we can only do that if we all work together.