2011/07/05 - Cyber Security: An all of Society Approach
Speech delivered by Minister for the Armed Forces at the GovNet National Security Conference 2011, Queen Elizabeth II Conference Centre, London on Tuesday 5 July 2011.
INTRODUCTION
“Careless Talk Cost Lives” - that was the mantra during the Second World War.
When the nation’s war effort was a whole of society endeavour, this iconic information campaign sought to change people’s behaviour - to get them to think carefully about the information they possessed, and where and with whom they shared it.
Last month the Ministry of Defence launched a new campaign to remind Armed Forces personnel, their families and friends about keeping a close hold on information - not just relating to work, but to personal lives too.
In the 21st century this is not just about trying to change the behaviour of people having a conversation on the bus or in the pub.
The warning is this: You don’t know who could be watching you in cyber space so think before you tweet, blog, update, tag, comment, upload, text or share.
The information you put on the net can potentially be seen by anybody, at any time.
In this digital age, changing people’s behaviour online - wherever they happen to log on - is key to the pursuit of our national security.
Today, I don’t want to restrict myself to simply talking in my capacity as a Minister in the MOD.
Instead I want to set the scene for this conference by talking about how this pursuit of national security needs to be a whole of society effort - not just a few academics who study these matters, not just a few departments in government, or a few parts of industry - but all of government, all of industry - and indeed the common sense application of cyber security at home too.
I want to talk about the need to redefine what we mean by the critical infrastructure of the nation and rethink how we protect it in the digital age.
The very nature of cyber space expands what we need to protect, deepens the need for partnership and broadens the pool of those who need to co-operate.
Let’s just dwell for a minute on the nature of the threat.
THE ANATOMY OF CYBER THREATS
The internet and digital technology have an incredible capacity to increase the freedom and opportunity available to our citizens - to enhance people’s ability to control their own lives, make their own choices and expand their horizons.
In government and business, it is leading to revolutionary ways of delivering services.
A recent report from McKinsey suggests that small and medium sized businesses who invest heavily in new web technologies grow and export twice as much as those who don’t.
In countries with mature cyber societies, it is estimated that online businesses create more than 2 jobs for every traditional job lost.
So, for me, there is no question of the overall benefits to Britain of continuing to pursue these digitals models in government, business and more widely.
But cyber space is a distinctly human environment - shaped by people - and abused by people.
Shaped by people because the human desire for information and access is driving the technology - not necessarily the desire for security.
Abused by people because cyber crime, cyber espionage, cyber terrorism, cyber vandalism - even the use of cyber in warfare - are all just human pursuits - simply crime, espionage, terrorism, vandalism and conflict by another means.
The difference is the method - not the outcome or the intent -stealing money is stealing money regardless of whether it is done by pick-pocketing or hacking.
So I do not agree with those who say we need a massive raft of new criminal offences relating to the internet.
What we do need is to become smarter in preventing, detecting and prosecuting the use of cyber space for criminal ends.
This is why we are investing in capabilities that enable law enforcement agencies to combat criminal activity in cyber space.
Let me be clear about what I mean.
This isn’t about acting like a ‘Big Cyber Brother’ - it isn’t about curtailing the joyously irreverent bottom up nature of cyber space.
This is about catching and prosecuting real world criminals who are using the internet - paedophiles, fraudsters, thieves - and protecting the system which people now rely on against those who want to crash it.
CYBER HYGIENE
A great deal of the current threat can be dealt with through the application of what I’d call basic ‘cyber hygiene’.
This is the commonsense application of security measures that are simple to follow and easy to implement:
- Keep your anti-virus software up to date
- Regularly scan your computer for viruses
- Don’t post sensitive personal information on open sites
- Don’t open email attachments from senders you don’t recognise
- Don’t download files you are unsure of
Cyber hygiene needs to be applied both at home and at work because what cyber space is doing is breaking down the barriers between someone’s job and their personal life.
For example, a member of the Armed Forces gossiping on MSN, posting on Facebook, or tweeting for the benefit of their family and friends needs to be aware that, because of their job, others may well be tuning in - opponents, adversaries, terrorists.
An attack on your computer at home may well be designed to hack into your personal finances, but equally you might have been targeted because of what you do for a living.
Attacks known as ‘spear-phishing’ are on the rise too.
Criminals use personal information gathered on their targets - perhaps from social networking sites - to encourage victims to open an email attachment which allow the attackers to infect their computers with malicious software or viruses.
Victims of attacks like these may end up having their computers hijacked to take part in serious Denial of Service Attacks on government or business systems.
So it is often difficult to distinguish both the intent of the threat and against whom it is targeted.
A potential adversary will go for the weakest link.
The MOD’s own networks are under daily attack as are networks across government.
Between 2009 and 2010, cyber related security incidents more than doubled at the MOD.
The MOD’s new Global Operations and Security Control Centre provides a state of the art facility in which we are able to bring together all the essential capabilities required to protect our own Defence systems, but we know we will need to do more.
We must accept that the security measures we are expected to adhere to at work apply equally, and just as importantly, at home.
This is the thrust behind the new campaign in my own department -changing behaviours, changing mindsets.
By using the advice provided through government and industry initiatives to raise awareness of internet security, such as ‘Get Safe Online’, people can learn basic cyber hygiene.
It needs to become second nature - just like ‘Careless Talk Costs Lives’ became, just like ‘Clunk-Click Every Trip’ encouraged the wearing of seatbelts.
But in the 21st century and in cyber space, the responsibility for such education campaigns cannot lie with government alone - ultimately it will be internet service providers, on-line retailers, businesses and everyone else with a stake in the integrity of the system who need to get the message across.
CRITICAL NATIONAL INFRASTRUCTURE
Of course, these are sophisticated and evolving threats that cyber hygiene will inhibit, but not stop.
So this does not absolve those of us with responsibility for national security from tackling the high-end threat or ensuring resilience and security in our critical national infrastructure (CNI).
Traditionally when we talk of our CNI we are referring to the utility network, transport systems and the energy grids that power the country and keep us going.
Protecting this has been about physical sites and physical assets around the country - power stations, reservoirs, distribution centres.
But the context has changed.
We need to think differently about what it is essential to protect and how we do that.
The digital networks which sustain our critical national infrastructure should be considered part of that infrastructure itself.
Networked telecommunications underpin the UK business and banking system, they underpin the process of government, they underpin public access to everyday services and they underpin our security posture.
Of course, we have to be smart about what we are setting out to protect.
This isn’t about ensuring that Lily Allen can tweet whenever she likes.
But it is about making sure our emergency services can effectively respond to a serious disaster situation.
It is about making sure we consider the importance of digital networks to the financial system the country relies on.
It is about making sure there is resilience in the digital networks that allow day to day governance to continue, in Westminster and across the country.
In this way cyber security is a vital part of the protection of our critical national infrastructure.
Our approach to security in the physical world and in cyber space needs to be seamless.
The National Security Strategy has made a start in this process elevating cyber attack into the top rank of threats to national security and creating the new National Cyber Security Programme.
As Minister for the Cabinet Office, Francis Maude has responsibility for co-ordinating the programme across government and with business and academia.
The MOD has created the Defence Cyber Operations Group to ensure that our own departmental work is linked in.
The new National Cyber Security Strategy currently being developed will take forward this comprehensive, cross-government approach.
Its key themes - economic prosperity, increased national security and the protection and promotion of our way of life - embrace the kind of expanded concept that I outlined earlier.
We have to be careful we don’t overextend ourselves or lose focus on what is essential to protect.
But we must do so with a new mindset, not just concentrating on protecting concrete and steel, but encompassing cyber space too.
WORKING TOGETHER AT HOME AND ABROAD
The Centre for the Protection of National Infrastructure is helping the Government and industry partners work together on this.
Protecting critical national infrastructure, indeed national security as a whole, has always required partnership.
For many decades, much of what we have defined as critical has been in private ownership - such as the railways or the energy grid.
Working with certain business sectors has long been natural.
The public too recognise their responsibilities.
Take the current threat from terrorism which we face - reporting abandoned bags or being more alert to suspicious behaviour is, sadly, now part of every responsible commuter’s routine.
But because the cyber challenge has further blurred security boundaries, it means we have to break out of our silos, break down barriers and break new ground in the creation of a new security partnership between government, business, academia and private citizens.
The recent high profile cyber attacks on Google, Lockheed Martin, the IMF, Sega and Sony have shown that we cannot rely on one sector to take up the security slack for others.
The reality is that all parts of government when placing public contracts will increasingly take account of how seriously suppliers take cyber security.
There is a wide range of capabilities across the private sector.
Areas such as defence, telecoms and banking have been in general more aware of the threats from cyber crime and have developed their own expertise.
But I do not believe that a complete picture exists, either in Government or in the private sector, of both the threats and the capabilities available to tackle them.
The first step to improving national cyber security will be to get organisations properly sharing information on common threats so that combined responses can be made.
This was the theme of the meeting that the Prime Minister held in February with a cross section of Chief Executive Officers.
To be successful this project must cover as many sectors of the UK economy as possible.
I know that a number of companies represented here today are deeply involved in this process and are determined to make it work.
Government will help support this initiative, but to be successful it must be industry-led, so thank you for your efforts.
But even this national partnership I have talked about today - between government, industry, academia and private citizens - will be insufficient.
National borders in cyberspace are virtually non-existent.
Building a national Maginot line will not work.
Just as with the physical original - a way around it will be found.
We cannot guarantee our national security in cyber space without international action.
We need to think and act internationally because cyber space is international space.
There is a lot of work being done bi-laterally and multilaterally to develop common understanding and common positions with other countries and international organisations.
For instance, the importance of cyber has been reflected in recent discussions we have had with the US, Australia and France amongst others.
My department has been working closely with allies to develop enhanced Cyber relationships and there will be important announcements in the coming months.
The UK has also now ratified the Budapest Convention on Cyber Crime which is a good example of a multilateral organisation making a real contribution in the way in which we can work together.
But all this work needs to be guided by discussion of how states should act in cyber space.
The international cyber conference which the Foreign Secretary announced the UK will host later this year will be an important first step in beginning the process of establishing principles that all nations should adhere to in cyberspace.
CONCLUSION
In conclusion ladies and gentlemen, the cyber challenge is genuinely everyone’s problem.
In order to protect our national security and our critical national infrastructure we need to think differently and act differently.
We need a new whole of society endeavour:
- The application of basic cyber hygiene by all citizens both at home and at work.
- A new national partnership between government and industry to protect our critical national infrastructure which needs to be more widely defined in the digital age
- Broad engagement with allies and friends abroad to establish the principles of international action.
The digital age should be seen as an opportunity for Britain - an opportunity to lead in the development of new technology - to lead in developing systems that both empower and protect - to show how we can be both connected and safe.
So let me finish with one final thought.
In 1860, the Pony Express fast mail system was set up in the United States.
It revolutionised cross-continental communication - reducing time it took messages to travel from the Atlantic to the Pacific to about 10 days.
The Pony Express has since been mythologised in print and film - the bravery of the riders, the romance of the Wild West.
But do you know how long this iconic system actually lasted?
18 months - 18 months before the ponies were replaced by the telegraph.
My point is this - technology moves quickly.
No matter how we protect ourselves today - we cannot stop thinking about how we protect ourselves tomorrow.
In an era of cloud computing where there is an app for every occasion - where we can’t always predict what the next big thing will be - we will need to be adaptable, flexible and fast off the mark to protect national security
We will need to be open to new opportunities, but ever aware of the dangers we will continue to face.