The UK government believes collaboration between the public and private sectors is critical to success in cyber security.
Governments can lead the way, but they cannot deal with cyber threats alone, according to Mark Sayers, deputy director, cyber and government security directive, at the Home Office.
We need the support of industry and academia to help us respond at the scale and the pace required, and to forge strong partnerships around the globe,” he told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London.
“This is not just about addressing the immediate need to make the internet more safe and secure; this is about ensuring that we can maximise the opportunities and minimise the threats from new and emerging technology.”
Sayers praised Sinet for acting as a catalyst for exchanging ideas across disciplines and international boundaries.
In a whistle-stop tour of the UK National Cyber Security Strategy, he outlined the main elements of the strategy and associated initiatives.
“Our lives rely absolutely on trusted and secure communications, with the UK accounting for the highest use of the internet among the G7 countries,” said Sayers. “Our digital industries are driving significant growth, we are among the world leaders in digital government, and we are among the world leaders in internet shopping.”
UK businesses under attack
And as the internet of things (IoT) becomes the internet of everything, he said the scale of vulnerabilities and frequency of attacks are increasing at an “extraordinary” rate.
This is underlined by the fact that in the past year, one in three small firms and more than six in 10 large firms in the UK reported a cyber breach or attack.
“The impact on organisations can be significant,” said Sayers, citing as examples the recent WannaCry ransomware attacks, the Mirai botnet-driven distributed denial of service (DDoS) attacks, and the massive data breach at communications service provider TalkTalk.
“Not only did it cost TalkTalk £65m, but 95,000 customers. And while financial losses can be made back over time, things like reputation and trust are very hard to recover,” he said.
Sayers said the strategy was built around the core pillars of defending UK citizens, deterring adversaries and developing capabilities.
Making security simple
Although awareness around cyber security is rising, he said translating that general awareness into behavioural change was “exceptionally difficult”.
The government has 250 public and private sector partners which are helping to take these messages to their customers and inspire them to take action. Sayers said it was initially focusing on boards and larger companies, and has published 10 steps they should be taking to ensure they manage their cyber risks and invest appropriately.
“We have paid special attention to our critical national infrastructure to provide additional sector support and guidance,” he said.
The Cyber Essentials Scheme is focused more on small and micro businesses, to help them to understand what they need to do to make themselves more cyber secure, said Sayers. “This can also be used by larger companies to secure their supply chain, and we are mandating this scheme to drive that behaviour for any company that wants to get a government contract,” he added.
Active cyber defence
Because it only takes one person in an organisation to click on a malicious link or document to make it vulnerable, Sayers said the government was also developing its “active cyber defence” capability.
“That is about operating at a network level to filter out malicious content and links, for example, before they get anywhere near anyone’s inbox,” he said. “This is about government building the tools and testing them on our own networks first, before we roll them out for the wider public sector and the private sector to deliver what we need to do at scale.”
The UK National Cyber Security Centre is a key element of the strategy’s defence aims, said Sayers, because it brings together the UK’s best intelligence and expertise into a single national technical authority to drive this work.
Deterring and disrupting adversaries, he said, is about making the UK a more difficult and less attractive target by pushing up the cost of carrying out attacks.
Active cyber defence seeks to reduce the success of attacks and make cyber attack tools much less effective. At the same time, the strategy focuses on improving the UK’s intelligence-gathering capabilities.
“We also want to lower the reward, so we have increased our law enforcement capability. We need to focus on enabling our agencies to pursue those who persist in attacking us wherever they are,” said Sayers.
To this end, the UK is collaborating with Europol, Interpol and the US Federal Bureau of Investigation (FBI) on the WannaCry ransomware attacks.
“We also want to deter young people from being attracted to or getting involved in cyber crime by not only highlighting the real-world consequences of their actions, but also by channelling that intellectual curiosity and talent by showing them there are different career pathways,” said Sayers.
Building on cyber skills
Developing the UK’s cyber capabilities is important, he said, in the face of the worldwide skills gap, with demand outstripping supply.
“We also need a much more diverse workforce. Less than 11% of cyber security professionals are women. Along with other under-represented groups, that represents a huge pool of untapped talent,” said Sayers.
In response, the UK government has been scaling up a range of initiatives across academia and the education sector, including a new schools programme, a degree sponsorship programme, an apprenticeship programme, and a re-training programme for people from all walks of life.
Mark Sayers, Home Office
In addition, the strategy is aimed at developing a pipeline of cutting-edge cyber security companies to help meet the scale of future challenges.
“We have launched a number of initiatives to help incubate and accelerate, such as the academic startup programme to turn the best ideas in our universities into commercial reality, and our innovation centre in Cheltenham has cyber startups working with experts in government to develop those cutting-edge technologies to keep the UK at the forefront of cyber security technology,” he said.
Although ambitious, Sayers said he was personally optimistic that the National Cyber Security Strategy would be successful.
“I am optimistic because more and more people every day recognise that increasingly our individual freedoms and economic freedoms need action to protect, and this cuts across geographic and political boundaries,” said Sayers.
“Finally, we need to demystify what cyber security is. It is often seen as too technical, too difficult, and as somebody else’s problem.
“So, in the end, it is up to all of us to take personal responsibility, to talk about what cyber security means to us, and to be at our most collaborative and most creative so we can respond to the challenges that we all face.”