Thanks Tom, and good morning – I’m enormously pleased to be here in the City but before I start I want to offer an apology: it’s my fault that you are sitting down so early instead of relaxing over coffee and cake. I have to leave to fly to Estonia in two hours and even now I know there are at least two people who think I’ve already been talking for too long.
A huge thank you to the organisers for allowing me to come along anyway, and I wish I could stay to enjoy such a comprehensive agenda. Every aspect of cyber security is covered and every aspect is important.
I am privileged to be the first head of the UK’s new National Cyber Security Centre, a part of GCHQ, based not far from here. We were opened formally by HM The Queen in February this year. We are bringing together, in a single place, the UK’s operational cyber security work. It’s not easy. But it’s essential.
That’s because we face a strategic challenge at global level – hence the summit in Estonia – but also at national level. And that really means national – it means everyone with a role to play, whether that’s government, industry or the individual. I am going to talk about each of those three in turn.
One thing that’s common to all three is the importance of asking questions.
When I joined GCHQ three and a half years ago my learning curve was steep. The organisation is jam packed full of bright, creative, intuitive people who had forgotten more than I knew about cyber security. I asked questions, constantly. Even now I am often puzzled, but mostly and regularly blown away by the brilliance of the people that work for me and the innovative solutions they find so effortlessly to the largest of problems.
Then we as a government started asking questions. Why do we care about cyber security at a national level? What is the role of government? Which part of our society is key to our cyber defences in what ways? Why haven’t normal market forces taken care of more of the problem?
This was nothing less than questioning a Western consensus on cyber security that had been around for nearly a decade. It said, roughly:
- Governments should look out for the high end national security risks;
- Governments should form (rather vaguely described) partnerships with the private sector;
- Information sharing should be encouraged because it was the answer to most of the problem;
- The market would take care of the rest.
But a lot of this wasn’t happening. The partnerships were there but weren’t achieving much in some cases. Information sharing uptake beyond the finance sector was poor. Corporate defences were weaker than they should be.
So, the result of this questioning was the launch of the National Cyber Security Strategy last year. It said we cared about cyber security for two reasons:
First, high end national security, threats to our way of life or our critical services.
Second, the threat to prosperity from an aggregation of cyber attacks that would damage consumer confidence.
And it set up the NCSC to deliver the response to the first threat and to provide the infrastructure for addressing the second.
I think the past year has shown that this is the right framework.
First, and most obviously, the big state threat, traditional espionage with a modern twist that can now affect our democracy, our critical national infrastructure and the lens through which we view the world. The age-old national security dangers: classic enemy tactics with brand new shiny tools.
Second, the threat to our economic prosperity. According to the most recent Cyber Security Breaches Survey, just under half of UK businesses identified a breach, or attack, in the last twelve months. That is file loss. Systems, corrupted. Accesses denied. Personal data, stolen. *Just under half*. The UK is one of the most digitally advanced and digitally dependent economies in the world. The government must manage public confidence in the digital economy. If trust in online services is lost, or if hundreds of thousands of data breaches become commonplace, that confidence is undermined, permanently and fatally.
The WannaCry attack that affected the NHS in May was an example of the more severe end of the threat – the sheer scale of the attack globally even if, as an attack designed to gain money, it appears to have been unsuccessful – and the wider impact cumulative attacks can have (the damage to relatively small NHS bodies in various parts of the country).
And we’ve seen the attack on Equifax in the US. With the Information Commissioner, we are examining its impact on the UK and will provide a full update as soon as we can.
So, this brings me to the UK’s response to these two areas of risk.
What more should we – government, business, the user – now be doing to have the devastating return effect?
Let’s start with government. I am a civil servant, after all, so consider this my pitch. You’ll wish you’d had that coffee.
There is a global cyber security industry of more than $100 billion per year. So, the government shouldn’t just do exactly what the private sector does. GCHQ’s secret intelligence capabilities alongside the ground-breaking partnerships with law enforcement, other governments and global industry have helped produce one of the most capable defences around. We are still vulnerable, and major attacks will happen. But we have made very significant progress on national cyber defence at the top level.
Then there is regulation. I am delighted that the Information Commissioner is here to set out how she will approach these changes, and we are working closely with her.
This week the new Data Protection Bill will be introduced into Parliament, which will bring the EU’s General Data Protection Regulation (GDPR) into UK law by May 2018.
The GDPR will require organisations that handle personal information to evaluate the risks of processing that sort of information and put in place appropriate measures to mitigate those risks. For many organisations, such measures will likely need to include effective cyber security controls.
A new obligation under GDPR will also require organisations to inform individuals of data breaches where significant personal information has been lost.
The effects of this are at least two-fold. Firstly, it levels the playing field of data loss. Too often a company will fall back on their wits and their fear of shareholders, and breaches will go unreported, will be reported late, or will be reported fixed before the full spectrum of checks has taken place. Under GDPR, the increased financial penalties for personal data breaches should be a call to action for organisations to protect themselves, and their customers, from cyber attack. And the fear that a competitor might be disguising the same issue will necessarily be removed.
Secondly, we believe that the requirement under GDPR to report breaches will provide a reliable source of data on the nature and scale of cyber incidents that the government and market can use in identifying attackers, providing a more robust insurance framework and implementing stronger protections.
Then there is international partnership. The forthcoming discussions in Estonia are important for a number of reasons. As the government said in its paper on post-EU exit defence and security, our commitment to European security is unconditional. And cyber security is a key area where we have much to offer.
Thanks to the deep expertise of GCHQ and other bodies, the UK has one of the most sophisticated understandings of the nature of the threat anywhere in Europe, if not the most sophisticated.
Cyber security is a global problem that affects all the countries of Europe, whether in the EU or not. We have deep, shared economic interests in areas like finance. More practically, we have infrastructure interdependencies. And the threat to the West is one we all share.
So post-departure, the UK wants and needs to continue to be at the forefront in the defence of Europe and European values and interests from the current threat: that is what this is about, and what the Prime Minister will be emphasising when she meets EU heads of government, also in Estonia, later this month.
Finally, there is the technical aspect. We have talked a lot about the technical solutions to cyber security problems that we are starting to implement within government in what we have called our Active Cyber Defence Programme. The purpose of this programme is to give the government a framework for UK cyber security. A framework that takes away most of the harm from most of the people most of the time. It means identifying ingenious solutions to spoofing, so we can block people from pretending to be who they are not. It means innovative partnerships, like our threat-sharing with CSPs, which blocks tens of millions of attacks, automatically, every month.
It means practical impacts like that. Looking at a problem, understanding its implications, and working out how to fix it.
That’s the sort of approach we want to see in the corporate sector too, my second theme this morning.
From the corporate perspective, clearly compliance with the new regulations will be a very big priority in the coming year, as it should be.
But let’s not lose sight of what we are learning about what makes for an effective corporate response.
Companies are well used to thinking about risk and security in a very sophisticated way. But when it comes to cyber, that clear headed approach seems to disappear. There are a whole range of issues we could cover, but those are for an interactive discussion, not a speech. I’ll stick to just two: the Boardroom conversation, and staff experience.
Cyber security, we know, is still shrouded in mystique and conversations around it are designed not to dispel fear and panic. This might be why over a fifth (22%) of organisations’ senior managers are never given an update on cyber security issues.
So, let’s take the Boardroom discussion. Here are some questions you might ask at your board, or if you are CISO, ones you should expect to be asked.
- What is on our network that we most care about?
- How can the services that depend on it be disrupted?
- Who has access to it?
- Who administers it? Are they using the same Internet facing account to administer the system as they are to do normal Internet facing business (top tip: if the answer is no, check. If the answer is yes, count to ten and then do something about it).
- Are the data backed up?
And don’t leave the subject until you understand the answers and are satisfied with them.
You also might want to ask whether you have the right level of expertise in your team. The NCSC’s Industry 100 scheme offers the opportunity for practitioners to develop their skills and gives us a deeper understanding of your sector. Please think about joining.
For a company dealing with cyber security there are no stupid questions. Embarrassment about a lack of subject expertise must not stop us from asking the questions to which we want the answers. And often, because the topic is unfamiliar, it is easy to forget the fact that underpinning it all are humans, and human behaviour.
That leads to the final point about the importance of the individual in all this.
We haven’t always made it easy for our staff. Only 20% of all businesses have had their staff receive cyber security training, or attend seminars, in the last year.
And that isn’t a panacea. A 2014 survey found that even though 75% of its respondents ran ongoing awareness programmes, only 15% of the delegates exhibited the positive behaviours and heightened awareness the programme was designed to create.
So, let’s get serious about understanding the human being in all this. Let’s stop talking nonsense about humans being the weakest link in cyber security: it’s a bit like saying the weakest link in a sports team is all the players.
Academia is leading the way. I am an enormous fan of a study focusing on human factors by Shari Pfleeger, Angela Sasse and Adrian Furnham, which goes some way to addressing this, and I’ll lift a direct quotation from it here:
“Human Factors techniques can maximise human performance while ensuring safety and security. Their key principle is designing technology that fits a person’s physical and mental abilities: fitting the task to the human.”
The authors say you should aim to get employees to cope without training. At the very least, they tell us that what we have put in place for our staff must be usable.
And I think that is the most important shift in thinking over the past year or so, the wider recognition of the importance of the user.
In digital services in government, in fact, the UK has the lead worldwide. The Government Digital Service obliterated the policy-over-behaviour groupthink that had pervaded throughout government IT over previous decades, delivering on what was then a revolutionary promise that every official should have “technology as good as you have it at home”.
That same, progressive, creative, simplifying mindset is needed now and I’m really pleased to see Royal Holloway – one of our academic centres of excellence – featuring later in the programme. When we created the Active Cyber Defence programme, one of our drivers was that users had guidance-fatigue. There was always something they were doing wrong, hadn’t done, should be doing. Again, every solution must survive contact with the user.
That’s why we changed the unworkable password guidance, which Professor Sasse calculated was the equivalent of remembering a new 600-digit number every month; we now recommend that people protect heavily what they can’t afford to lose, and do what they can with everything else. The author of the original guidance, Bill Burr, has validated this: he couldn’t have known in 2003 that within a decade and a half we wouldn’t be able to buy a book without needing to remember which Beatles song we had plundered for unique credentials.
So, to get cyber security right, we need to connect those human factors to that Boardroom conversation.
We need to make sure that everyone using a network can easily understand how to use it safely; that is just as important as investing in network security technology.
Networks have users, and if users can’t do their work effectively while understanding how to do it safely, then security is reduced.
Leaders at all levels in organisations could do worse than check if they themselves could operate the sort of security policies they expect their staff to follow.
That will help us raise national defences, the most important thing we can do.
It will strengthen not just national security, but prosperity too.
The NCSC is here to help identify the right questions and provide the right framework.
It’s an ambitious mission. Of course, we won’t get everything right.
But we can, with you, make a real difference, and make the UK the safest place to live and do business online.
Please come with us on that journey.