Public Service Review: Home Affairs - Issue 20

A virtual voice

Monday, November 23, 2009

With responsibility for the implementation of the UK's first cyber security strategy, the Home Office's Lord West sheds light on the work ahead in keeping cyberspace safe

The government's Digital Britain strategy showed very clearly just how critical cyberspace is to the underlying health of our nation. The £50bn of online consumer sales and purchases that take place on a yearly basis illustrates just how vital new technology is to our national prosperity. Cyberspace increasingly underpins the business of government, the work of organisations across all sectors, and the activities of individual members of the public, including banking, social networking and online shopping, to name but a few examples. These networked, digital activities offer a phenomenal number of benefits and opportunities, and we need to ensure that the UK is well placed to take advantage of them. We also have to recognise, however, that balanced against the opportunities are a number of real and rapidly evolving threats; there are people who would seek to do us harm through cyberspace. What is more, technological developments and changing patterns of utilisation make cyberspace a dynamic and challenging environment; we have to keep pace. That is why the UK Government has produced a cyber security strategy that sets out what government is doing to ensure that we minimise the risks and make the most of the opportunities, now and in the future.

Evolving threats
The low cost and anonymous nature of cyberspace make it particularly attractive for use by malicious actors. A low barrier to entry, coupled with the difficulties associated with detection and attribution, means that organised criminals, hostile states and terrorists can and do exploit cyberspace for their own ends. We must be alive to the fact that a number of actors have a level of intent and capability that amounts to a real threat to our security and prosperity. People will often focus on sophisticated state-led cyber espionage, and this is of course a serious issue, but we must also keep in mind that criminals continue to exploit vulnerabilities in government, corporate and personal IT systems using a range of methods, from phishing to the use of malware. Aside from the financial harm for which online fraud is responsible, there is also the fundamental issue of making sure people have the confidence to live and work online. So we must consider and pre-empt attacks on government systems and our essential infrastructure, and attacks on individuals and businesses.

The publication of a new strategy should not detract from the substantial amount of effort, resource and expertise already devoted to UK cyber security. This is not a new problem, and the UK Government has been taking action to secure cyberspace for several years now, on a number of different fronts. In 2003 the National Information Assurance Strategy addressed the first steps for the UK in assuring the integrity, availability and confidentiality of information and communications technology (ICT) systems and the information they handle; the cyber security strategy builds on this work. There is a good deal of work already going on to protect the UK from cyber threats – in government and in conjunction with industry and other sectors.

The Home Office, Serious Organised Crime Agency and the police all work to combat the activities of criminals in cyberspace. Recent initiatives have seen the formation of new units dedicated to tackling online crime: the Child Exploitation and Online Protection Centre and the Police Central e-crime Unit. Earlier this year, the Association of Chief Police Officers published an e-crime strategy that will form the basis for a more consistent operational approach by increasing skills and capacity, and by bringing e-crime into mainstream policing and law enforcement.

The Centre for the Protection of National Infrastructure (CPNI) provides advice on electronic or cyber protective security measures to the businesses and organisations that comprise the UK's critical national infrastructure – the nine sectors that deliver essential services: energy, food, water, transport, communications, government and public services, emergency services, health and finance. CPNI also runs a Computer Emergency Response Team (CERT) service that responds to reported attacks on private sector networks.

All government departments have access to the Government Secure Intranet (gsi), which securely connects around 200 government departments and agencies. CESG, a part of GCHQ and the National Technical Authority for Information Assurance, provides government departments with advice and guidance on how to protect against, detect and mitigate various types of cyber attack. CESG runs GovCertUK, which provides warnings, alerts and assistance in resolving serious IT incidents for the public sector.

A shared responsibility
All users of cyberspace have a part to play in safeguarding it. The onus is on government and business to work together to provide more secure products and services, to operate their information systems safely and to protect individuals' privacy. The individual member of the public also has a responsibility to take simple security measures to protect themselves, their families, and others in society. Take, for example, an unpatched home computer that is infected with malware, harnessed as part of a botnet and used to attack institutional targets: it illustrates the interconnected nature of networked threats. This highlights the importance of getting the message out that cyber security is something that can only succeed through a collaborative approach. This is why the government co-sponsors the joint public and private sector initiative Get Safe Online, which aims to raise awareness of internet safety amongst the general public and small businesses.

The cyber security strategy will help to keep the UK safe by building on existing work, identifying gaps and overlaps in work areas. It puts in place two new organisations – the Office of Cyber Security (OCS) and the UK Cyber Security Operations Centre (CSOC) – that will design, initiate and oversee a programme of work to address them. The cyber security strategy provides the strategic framework for doing this systematically, centred on clear high-level objectives: reducing risk from the UK's use of cyberspace and exploiting the opportunities that cyberspace presents. Both of these will be enabled through action to improve the knowledge, capabilities and decision-making we need. The strategy is also very clear about the need to maintain ethical safeguards – people have valid concerns about the preservation of civil liberties, and the protection of individual privacy in particular. When we launched the strategy, I made it clear that, as with all our national security activity, it is important that government powers are used proportionately and in a way consistent with individual liberty. We have committed to setting up an ethics advisory group to provide the necessary oversight for our cyber security work, to this end. When it is formed, I will be updating the House on its membership.

To make sure we progress towards the strategy's objectives, I have overseen the initial establishment of the new Office of Cyber Security that will provide strategic leadership across government, and the multi-agency Cyber Security Operations Centre in Cheltenham that will actively monitor the health of cyberspace and coordinate incident response, enable better understanding of attacks against UK networks and users and provide better advice and information about the risk to business and the public. We have made substantial progress since the publication of the strategy. The heads of both organisations have been appointed, and we are continuing to actively recruit staff from across government, even as we push forward work in the priority areas that the strategy identified as particularly urgent.

Both organisations will be working towards an embryonic capacity capable of releasing early products in autumn 2009. One early priority will be the cyber security industrial strategy, which aims to identify all the different ways in which industry and the government interact in the field, from procurement to regulation. Having identified these relationships, and looked at other industry areas for further input, the strategy will investigate how we can optimise them to suit the needs of both industry and the government. We are also progressing work on e-crime to build the most effective structure that enables close cooperation between SOCA, the Metropolitan Police and other stakeholders to tackle the threats faced. On international engagement, the UK is fully represented in all the relevant fora as cyber becomes increasingly discussed, and we are building strong partnerships with other like-minded nations. Lastly, we are examining the doctrine that underpins cyber security; it is a new area that will require careful planning in this regard.

Transnational partnerships for a transnational problem
Cyberspace is a transnational domain. Threat actors do not respect international boundaries – in fact, they often look to exploit them – so the need for international coordination of cyber security efforts with our allies is self-evident. There are strong links already in place between the UK government organisations that have a cyber security role and their counterparts overseas. Now we need to build on the existing links, bring greater coherence across them, and establish new ones where we identify gaps. The OCS will lead work on the UK's international engagement on cyber security issues, coordinating the development and deployment of the UK's key messages in key fora – this will bring greater coherence to the UK's work with overseas partners and international organisations. As part of this, we will continue to seek opportunities to meet with our key bilateral partners, particularly the United States, in order to exchange ideas and best practice.

In conclusion, we have to secure our position in cyberspace in order to give our people and businesses the confidence needed to operate safely in that environment. There is a lot to do, and I certainly do not underestimate the scale of the task ahead – but with publication of the strategy we have made real progress and built a solid foundation; now we have to maintain this momentum, and make sure it delivers.