Partnership with the private sector provides opportunities to minimise the economic impact of cyber attacks
We know that cyber attacks are a rapidly growing threat. The UK’s National Security Strategy in 2010 recognised cyber attacks as one of the top threats to UK national security alongside international terrorism. This is still the case today. The UK’s approach to tackling this threat is set out in our Cyber Security Strategy, published in November 2011, which states how the UK Government will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.
We have put in place a National Cyber Security Programme (NCSP), initially backed up by £650 million of Government investment over 4 years to 2015 to help meet the objectives of the strategy. This year a further £210 million investment has been committed for 2015-16. This funding is being invested in a broad range of projects across government, industry and academia and represents a step change in our approach.
The NCSP is coordinated by the UK’s Cabinet Office and projects are delivered by several government departments, including the Government Communications Headquarters (GCHQ) and other intelligence agencies, Ministry of Defence, Home Office, Foreign and Commonwealth Office, Department for Business, Innovation and Skills and others. NCSP funding is allocated across the Departments with responsibility for delivering the objectives of the strategy in their areas and the allocation is reviewed on an annual basis to enable flexibility for changing priorities in this fast moving landscape.
We are investing in bolstering our ability to defend against and detect cyber attacks through the security services to enhance the protection of UK interests in cyber space, making it harder for hostile states and criminals to target the UK. Cyber security is of course vital to defence and will become increasingly important going forward. Our Armed Forces depend on computer networks for command, control, intelligence, logistics and administration. Military platforms and weapon systems are highly sophisticated, computerised and networked. It is possible that the UK will be subject to attacks against our key systems and infrastructure in times of tension or conflict. We are working with industry and allies to ensure that effective security measures are in place and that we are able to co-ordinate a national response to such action by developing new tactics, techniques and plans to deliver military capabilities to confront high-end threats. The Ministry of Defence’s (MOD’s) work in this field is, by its very nature, classified and as such cannot be detailed here, but a key principle is mainstreaming of cyber within the MOD at all levels.
Building up our sovereign UK capability to detect and defeat high-end threats is essential if we are to maintain our competitive advantage in cyberspace. But cyber security is a global issue and international cooperation is essential; the benefits of a stable and secure cyber space are a clear driver for a shared responsibility. The UK has established itself as a leading player on the international stage following the London Cyber Conference in 2011 and the Budapest Conference in October 2012 as well as now preparing for the Seoul Conference this year. These conferences have initiated important international conversations on agreeing principles for moderating state behaviour in cyberspace. We are working hard to promote the UK’s vision of an open, vibrant and secure cyberspace across the breadth of our international activity, in multilateral organisations such as the UN and at the EU, and through our growing network of bilateral relationships, including with Estonia.
As one of the leading nations in cyber-security and in online-government, Estonia is an important operational partner as well as a key thought leader in shaping the global response to cyber security. We have close policy and operational dialogue between our governments and our Ministry of Defence has seconded a member to the NATO Cyber Defence Centre of Excellence. As in many traditional areas of defence and security, trust is built over time between partners and in alliances around common values or common threats. We are working within traditional alliances to combat cyber threats but also establishing the necessary trust in new cyber partnerships against common threats. In parallel, we are also participating in the OSCE process to develop confidence building measures (CBMs) between states where there is a trust deficit and suspicion of attacks.
But it is not just other States that pose potential risks to the UK; organised criminals, terrorists and ‘hacktivists’ are also responsible for attacking public and private computer systems to exploit cyber space to their own ends. So we are also working hard to enhance and focus specialist crime expertise, including international liaison, with dedicated units whilst also mainstreaming cyber into law enforcement. What’s clear to us is that government cannot act alone – businesses need to take the threat seriously and protect their core information assets and intellectual property. The UK Government is therefore focusing its efforts on partnership with industry, academia and international partners.
Threats to our Critical National Infrastructure (CNI) are of particular concern, and our Centre for the Protection of National Infrastructure (CPNI) has expanded its reach and is helping organisations in the CNI and beyond to build better systems. It is actively influencing standards, researching vulnerabilities and focusing on the key technologies and systems of cyber infrastructure. CPNI has also been providing cyber risk advice to private companies of economic importance to the UK – we know that industry is the biggest financial victim of crime and economic espionage perpetrated through cyberspace, with losses running into the billions of pounds. This is why we have placed such an emphasis on partnership with industry through the work that is being carried out as part of our National Cyber Security Programme.
We estimate that some 80% or more of currently successful attacks could be defeated by simple best practice and ‘cyber hygiene’, such as updating anti-virus software regularly. So the UK’s approach is not to mandate but rather to encourage businesses to develop good cyber practice or risk falling behind in the game. To this end we launched board level Cyber Security Guidance for Business, including the “10 Steps to Cyber Security” at a meeting of ministers and chairmen of FTSE 100 companies in September 2012. The booklet was subsequently cited as an example of best practice at the World Economic Forum in Davos in January 2013. Our Department for Business, Innovation and Skills this year published further tailored guidance for smaller enterprises, ensuring we are guiding business at all levels to embed cyber security and mitigate the threat.
In addition, our innovative Cyber Information Sharing Partnership (CISP), launched earlier this year, supports our collaborative approach, heralding unprecedented partnership between government and industry. The CISP provides a secure, real-time online platform and also a face-to-face environment for government, law enforcement and industry to share information and intelligence on cyber threats and how to combat them. Already over 150 firms and organisations, largely from sectors such as defence and energy within the Critical National Infrastructure (CNI), have been brought on board in a phased approach. It is our intention to expand the membership beyond CNI companies, including to SMEs. The CISP’s “Fusion Cell”, funded by the National Cyber Security Programme and supported by GCHQ and the National Crime Agency along with industry analysts from a variety of sources, produces an enhanced picture of cyber threats facing the UK for the benefit of all partners.
This situational awareness will be feeding into the analysis work of our new Computer Emergency Response Team (CERT). The new national CERT will bring together practitioners in incident response to both improve the UK’s incident response arrangements and extend them to the wider UK economy as well as the CNI and defence supply chain. It will also provide a single point of contact for international partners in incident response.
New partnership with the private sector also provides opportunities to minimise the economic impact of cyber attacks by promoting growth and cementing the UK’s position as one of the most secure places in the world to do business. Through a Cyber Growth Partnership with trade associations and leading cyber suppliers we are looking at practical steps Government can take to support export growth, for example how businesses supplying government with cyber security products can promote this to prospective overseas customers.
Growth must be underpinned by fostering the right skills and experience and we are working with academia to improve cyber skills, education and research opportunities to improve the UK’s knowledge base and build up a skilled workforce. Almost 100 PhD studentships, 11 universities awarded Academic Centre of Excellence status, two research Institutes on Cyber Security and interactive learning materials for schools are just some of the activities being supported by the National Cyber Security Programme to draw in the stars of the future. To increase the pipeline of young people entering the profession, our experts at GCHQ have also introduced new apprenticeships, and are looking at how learning can be shared more widely so that we can continue to improve our ability to detect attacks and develop and sustain world class cyber capabilities in order to respond and give the UK a competitive edge in the global cyber security sector.