It is a pleasure to be here and I am honoured by the invitation.
Estonia is a relatively new but increasingly important partner for the UK not just in cyber security, but in all things digital.
Your admirable leadership of digital government is something we have been delighted to join with you in pursuing. We are, frankly, in awe of your two decades of global leadership in the social delivery of technology.
Moreover, we have a strong and developing security partnership with Estonia; the UK Foreign Secretary visited last week and saw the 800 UK troops currently stationed here in support of your security.
Given all this, it is only right that we face up to the threat side of the digital revolution together.
So, thank you for having me.
I acknowledge the unusual position I am in today as the representative of a member state that is due to leave the European Union in around a year and a half’s time. So, as you discuss the next phase of a digital single market it is in the knowledge that the UK’s legal order will in the future be separate from that of the European Union and that single market. It is therefore, to my mind, even more important that we engage in this dialogue.
It is a dialogue, I hope, that we can continue as friends. Looking around the room I can see individuals representing organisations that we at the UK’s National Cyber Security Centre, a part of GCHQ, call friends.
Indeed, I see some individuals from other countries that over the course of three and a half years heading the UK’s cyber security effort I have come to value as personal friends; who have reached out to help in times of difficulty, and whom we have been glad to help too.
Over the past decade or so, as the West has begun to treat cyber security with the seriousness it deserves, we have forged deep and operationally powerful partnerships with some of the member states represented here today.
We have also, we hope, played an important role in the development of European thinking in areas like standards and incident response. We hope we’ve helped through our work with CERT-EU on incidents and ENISA and ETSI on standards.
As the next phase of the UK’s relationship with the rest of Europe takes shape, we will want to take these partnerships further and develop new ones with the countries represented in this room.
That’s because the threat we face is a common one. We can put too much emphasis on the ‘borderless’ nature of the cyber security threat – nations will have their own interests and their own approach to critical networks – but it is beyond doubt that there is a common threat to us in the West.
There is a common threat to our shared values of freedom, democracy, and prosperity through free enterprise, all underpinned by the rule of law.
That is why the threat that comes our way in cyberspace affects us all. Over the past year or so, four major aspects of the threat have been all too visible:
- most importantly, the threat to our democracies from attempted outside interference in free, democratic electoral processes;
- the threat to our critical services. In the UK, even a relatively unsophisticated attack like the WannaCry ransomware caused difficulties for the provision of healthcare, which, thanks to some excellent work by health service professionals supported by us and partners internationally and in industry, thankfully was contained. But there are even more significant threats out there;
- the threat to our prosperity from the large-scale theft of intellectual property from other states, be that from universities, companies, or elsewhere; and
- the threat to our citizens from the constant, unsophisticated but prolific attacks from criminals that threaten confidence in our digital economy. This threat is constantly underplayed. But the average European citizen is much more likely to be affected by a criminal cyber attack than he or she is to be at the epicentre of one that is state sponsored.
Faced with these threats, I come here today with two messages for European friends.
First, our security is indivisibly linked to that of the rest of Europe and that includes cyber security, where we must remain a strong and committed partner.
On Tuesday, the UK government published a paper setting out what the defence and security relationship with the European Union and European nations could look like after we leave. Launching the paper, senior Ministers described our support to European security as an “unconditional commitment”.
A significant chunk of the paper dealt with cyber security.
It contained four specific pledges. I will read them out in their full technocratic glory:
- first, to collaborate closely through participation in the CSIRT network and Cooperation Group, to share relevant threat information, joint analysis and, through coordinated investigations, to improve our shared ability to prevent, detect and attribute attacks and prosecute those responsible. The National Cyber Security Centre will be the designated CSIRT for the UK so I can recommit to this pledge here;
- second, to continue to work together to promote strategic frameworks for conflict prevention, cooperation and stability in cyberspace, and to ensure the continuation of a free, open, peaceful and secure cyberspace that supports our common prosperity and social well-being;
- third, to continue to work together to develop effective cyber security legislation and international standards, for example on products and encryption, to work collaboratively to promote their adoption in relevant international bodies, and to adopt a mutually consistent, robust public stance to deter harmful activity in cyberspace; and
- fourth, if you’re still with me, to continue to encourage the development of the cyber security industry across borders, and collaboration on research and development.
This is dry, technocratic language. I’m sure we all recognise it and have written stuff like that ourselves for government papers. It’s good, useful stuff, but it can’t capture how we feel about the commitments we want to make.
So, among friends here today let me say what I hope this will feel like in practice.
In the UK, we are proud – and I think with some justification – of many of our capabilities, of our people, and of our record, and we have big ambitions for the future in cyber security.
Don’t get me wrong. We don’t think we’ve cracked the problem.
But we know from other countries who want to partner with us – including many here – that you see some of these strengths too.
So, we want to use what capabilities we have, to help the cyber security not just of the UK but also of our European friends.
In practice, this should mean many of you will, and in fact already do, receive some threat reporting from us, including classified threat reporting.
It means that when there is a crisis that affects you, we will be there to support you, just as European nations supported each other during WannaCry.
It means that if bodies like CERT-EU continue to want our practical help, we will give it.
It means that we’ll continue to play the leading role in NATO cyber security we’ve been doing for the last few years.
We will be there for European partners in cyber security. That is my first message.
But my second message is about the need for us all to work and think globally about cyber security.
Philosophically, if much of the threat is indeed borderless, then there is only so much any individual nation can do. But there is also only so much any group of nations, or continents, can do.
Practically, there are many examples of the global nature of the cyber security problem. I will highlight two.
The first one is something we saw earlier this year, when many EU countries including the UK, and other allies like the United States and Australia, became concerned about a global cyber attack known in the private sector as Cloudhopper.
Cloudhopper – an attack on Managed Service Providers, and through them their clients – was nothing less than an attack on the IT services infrastructure of the entire Western economy. We have all shared information on it, within Europe and beyond, and have managed the fallout as best we can.
But Cloudhopper is of profound strategic importance because it raises fundamental questions about the whole way in which cyber security standards are implemented across the West. Tackling those requires global action.
The second is about the rise in 2016 of the Mirai botnet set of attacks, denial of service or DDOS attacks on an unprecedented scale.
Mirai botnet attacks use infrastructure all over the world to attack a specific victim. The UK has developed an approach to stop our own infrastructure being used in those types of attacks. But of course, that doesn’t stop the UK being attacked. If we extended our approach Europe-wide it wouldn’t stop Europe being attacked. Any strategic solution to this problem will have to be global.
Moreover, some of the most important improvements in cyber security technology will inevitably come from the United States. The United States government alone is spending $19 billion this year on cyber security; multiples of what the UK or the EU are spending over a five-year period. And that’s before you even begin to take into account the billions, if not trillions, invested by the US private sector.
And I could go on. The examples of global influence are endless.
Ideas, though. They are flourishing globally too.
As the UK developed a radically different, and more interventionist, approach to cyber security, we borrowed from some brilliant ideas on the protection of government networks from Canada, and on boosting the skills base from Israel.
We have learned much about direct threats to the UK from partners in Asia.
So, we are scouring the world for ideas and partnerships. That’s because as an organisation at the interface between government and the digital revolution we have tried to think as technologists as well as civil servants.
That’s given us the flexibility to do some of the most imaginative and innovative things under our new Active Cyber Defence programme.
Things like very large-scale blocking of attacks through partnerships with communications service providers on a scale of tens of millions per month.
Things like reducing the length of time a phishing site is up in the UK from 27 hours to less than one.
Things like, as I mentioned earlier, getting our telecoms industry to agree to update a key protocol to make it much harder to use UK infrastructure in DDOS attacks.
This is exciting stuff and there’s more to do, together.
At a European level, we now have the new cyber security package and there is much to welcome.
We know there will now be discussions, and possibly some tensions, about things like standards and certification.
For our part, as a nation with a sovereign cryptographic base we understand the need for high grade assurance at national level – expensive and time consuming though it can be – and that the case can be made at European level too.
In our experience in the UK we’ve tried to keep the definition of what needs the highest degree of protection and assurance to a minimum. This isn’t just to keep costs down, but to leave ourselves more open in more areas to the innovation and ingenuity and economies of scale that come with a global approach.
So, on standards we would encourage a continuing and strong role for ETSI, with its 68 national members driving forward better cyber security through improved telecommunications standards, alongside the good work ENISA is doing.
On certification, of course what happens at EU level is very important, given it matters to half a billion Internet users. But surely an even bigger prize is making a success of the Common Criteria Recognition Agreement, with its two and a half billion? And isn’t the biggest prize of all finding a way finally to entice China into this global agreement?
Similarly, aren’t the biggest prizes in Secure by Default, a concept with so much potential, global rather than just continental?
There is much good work in the European Union that can be developed and expanded globally. The advantages would be felt beyond Europe, of course. But they would be of enormous benefit here on our own continent, too.
Europe has so much to offer global cyber security and together we can bring about real improvements at a global level.
We want to be partners with you as we try to achieve that goal.
And we want to continue to be an unconditional, reliable and effective partner in this new domain of threat.
And so, we look forward to a continuing dialogue, to continuing operational cooperation, and to continuing mutual support and friendship.