The Minister for the Cabinet Office Matt Hancock spoke about how the government is working with other sectors to improve cyber security.
There are many advantages to living in a city. Cities allow for complex trading networks, economic specialisation, jobs, prosperity, a chance to get on. But for most of human history life in a city also involved a high level of risk: from fire, from crime and most of all from disease.
The point is this: economic progress always creates new risks. No sooner had the first coins been minted than people began to clip off the edges or dilute them with lower value metals. Insider trading is as old as the stock market.
And once it became possible to store information on a digital network it was inevitable that people would try to break in and steal it.
You might remember that famous episode of BBC Micro in 1983. The hosts logged in to one of the first commercially available email accounts, only to find it had been hacked on air. And as digital progress has grown, so the risks have grown.
This is no longer an issue for the IT department. It’s a boardroom issue, a cabinet table issue.
And here’s why it matters. We have one of the most digitally advanced economies in the world, and the digital economy depends on trust. If people don’t trust that their data is safe they won’t do business online.
And it matters for government too because we’ve begun to upload the state. We have one of the most digitally advanced governments in the world. And secure networks and secure data are both mission critical for securing public trust in what we’re trying to do.
The scale of the threat
Any response must begin with a clear-eyed assessment of the threat.
Let’s look at the evidence. Massive security breaches are happening more often. Sony, TalkTalk, the United States Office of Personnel Management – these are just some of the more high profile cases.
What you don’t hear in the headlines is that this is a constant, relentless bombardment. Last year 90% of large businesses reported an information security breach.
Nor is it just business. On average, 33,000 malicious emails are blocked at the gateway to the Government Secure Internet, every single month. Last summer GCHQ responded to around 200 incidents. This summer it was around 400.
And the economic damage is growing. For larger companies, the average cost of the most severe breaches starts at £1.5 million, up from £600,000 last year.
The real figure may be much higher. One survey found that 70% of UK businesses didn’t disclose their biggest security breach last year.
But it’s not all doom and gloom. I’m an optimist, and just as we’ve tamed city living and currency security I think we are equal to this challenge.
Again, let’s look at the evidence. We are the country of Ada Lovelace, Alan Turing and Tim Berners-Lee. Today our universities produce cutting-edge research in crypto, network security and information assurance.
We’re one of the top 5 exporters of security services, with an industry that’s growing at 15% a year.
And we’re leading the world in the digital transformation of government – even exporting GovTech as other countries borrow our code and methods.
Seventy years ago we cracked the Enigma code, at a time when real bombardments were raining down on our cities. It didn’t just help win the war, it also led to huge advances in computer science.
In securing our defences, we too have an opportunity. Not just to avert disaster, but to grow our economy and make government work better for the citizens we serve.
So today I want to talk about what we can do as a government, and what we can all do together.
What we can do as a government
I’ll start with government. Our goal is to make Britain one of the safest places in the world to access public services or do business online.
In 2011 we launched the UK’s first National Cyber Security Strategy, setting out how this would be achieved.
Since then, we’ve invested £860 million in cyber security.
- risk reviews of Critical National Infrastructure companies
- establishing the National Computer Emergency Response Team
- setting up a Cybercrime Unit in the National Crime Agency
- creating Cyber Essentials to show businesses how to get the basics right
- funding cyber-skills at every level of the education system; and
- leading on this agenda internationally
But it’s more than that. We’re also fundamentally rethinking the way we design and build digital public services. This is mission critical when money is tight and the public’s expectation for those services is higher than ever.
So this is the approach we will take.
First, we’re treating security as a core responsibility, rather than outsourcing it to our suppliers.
Many successful attacks exploit out-of-date systems and GovTech used to date very quickly indeed. Some of our legacy systems were designed before the invention of the web. Security had to be bolted on top, rather than designed in from the outset.
So we’re now phasing out the large inflexible contracts that locked us into aging IT. And we’re building iterative, adaptive systems, which allow us to rapidly react to new threats.
We can change the code that runs GOV.UK within an hour for example. We now need to embed this approach across Whitehall.
Second, we now recognise that modern data security and effective data management go hand in hand.
We’ve come a long way since 2007, when HM Revenue & Customs was posting CDs with everyone’s child benefit details in unrecorded packages. Departmental data is not only more open and more shared but better organised and better audited.
Modern data usage is essential to better data security. Knowing exactly what data you own makes it more secure and easier to rationalise, cutting out duplication and bringing us closer to canonical datasets – the foundation of sound data infrastructure.
We also know that it sometimes makes more sense to decentralise citizen data. Look at Verify, our new ID platform, which allows you to prove who you are so you can access services safely online.
It offers a level of identity security which wasn’t previously possible online, yet it doesn’t rely on a central database containing all the user’s details. Instead you choose a certified company, then a range of certified ID assurance providers can vouch for you by verifying your identity to a level of security that meets published government standards.
Third, we’re treating usability as a security feature.
The biggest weakness in any system is a human being. We are all fallible creatures, programmed to take shortcuts, prone to find the path of least resistance, if not all of the time then at least some of the time. If you don’t think that’s true, ask someone who’s married.
If your system demands too many long, complex passwords people will just write them down on a post-it and stick it on their monitor.
When security trumps usability, people just find new ways to use technology. Following the user need itself improves security.
What we can do together
So government action is vital, but we can’t do this on our own. This is already a tight-knit community, with well-established collaborative networks between industry, government and academia.
And I want us to go further. Further on skills. We all need to work together to deliver both a ready supply of talent and a basic level of knowledge among UK citizens.
As a government, as well as putting coding in the curriculum from age 8, we will make sure that all young people leave education with a basic understanding of cyber security and how to stay safe online.
We’re expanding the STEM subjects that open doors to a career in this field – from school to postgraduate level.
We need businesses to offer more training and apprenticeship opportunities.
In the last Parliament GCHQ launched its own apprenticeship programme, 80 have already graduated and we’re making an additional 140 placements available over the next 2 years.
But we need more businesses following our lead, and I’m pleased to see that BT are already recruiting more cyber security apprentices.
We also need to go further on research.
This is a constantly evolving field and everyone has a duty to keep themselves informed of the threat, to scan the horizon for trends, and to act on them.
We know that businesses want to invest in research, but some find it difficult to target the right opportunities and where investments are made they’re not always visible and focused.
So today we’re launching CyberInvest, a new public-private partnership, bringing together government and industry to invest in and support the development of cutting edge cyber security research.
And we need to go further on the tech itself.
Open and collaborative development between government and the leading industry players means we can build products quickly and cost-effectively, and then share the results of our innovation.
I want to end where I began, with the city. Because if the story of the nineteenth century was one of migration from country to city, the story of this one is about migration from an analogue to a digital world.
And just as then, we’re capable of evolving and adapting. Confronted with urban squalor, our forebears tunnelled and pumped and engineered their way to a solution. Now we too must harness human ingenuity in the service of our nation: with modern cyber security, modern information security and modern, effective use of data.
It’s critical that we succeed. Everyone has a part to play. And I look forward to working with you to make it happen.