Good morning everyone. Thank you to The Times for this invitation – it’s a real privilege to be here.
I looked at the agenda and thought it was tremendously exciting, with things like AI, skills and diversity. I serve a government that is passionate about technology and about seizing these opportunities for the future. As a securocrat, my job is to enable this – not to sound unnecessary warnings about the future, but to make sure we are embracing these opportunities safely.
Before we get to that and seize these opportunities, we have a few problems first. That’s why we want to fix some things in the present – then that will enable us to embrace these huge, big ideas about where we are going.
Right now, we are facing, as a nation, two significant groups of threats in cyber space. The first is hostile states. The Prime Minister sent Russia a clear message on Monday night – we know what you are doing, and you will not succeed.
I can’t get into too much of the details of intelligence matters, but I can confirm that Russian interference, seen by the National Cyber Security Centre, has included attacks on the UK media, telecommunications and energy sectors. That is clearly a cause for concern – Russia is seeking to undermine the international system. That much is clear. The PM made the point on Monday night – that international order as we know it is in danger of being eroded.
No system in the world is completely invulnerable to attack, but during our first year in operation, we have made strides to make sure the country is as secure as possible from the substantial threats posed. This included responding to more than 600 significant incidents. Some of those relate to that first group of threats from hostile states, but the second relates to what I would call ‘rampant criminality’ in cyber space.
That’s more likely to affect each and every one of us in our corporate and individual lives than the big state threats. What they do have in common is that they exploit basic weaknesses – some criminal attacks, but mostly state attacks, are extremely sophisticated. But even the most sophisticated exploit basic vulnerabilities. So my point today is that before we get onto things like robots reading books on trains, we need to understand stuff like this. We need to think about attacks that do damage to individual corporations and to people’s confidence in the digital economy.
I want to try something out on you today – and I am trying this out on you as technology leaders so I do want your feedback. It is a series of practical messages we give to corporate leaders and say ‘you know the answers to these’, because until you are able to answer these questions you won’t be able to seize those opportunities of the future. Then I’ll talk about what the government is doing.
When I’m approached by a CEO who may say "I’m very fearful about the subject and I don’t understand it", the very first thing I’m going to do is ask them questions:
Can you operate your own security features or do you get somebody else to do it for you?
If someone spear-phished you as a CEO or an executive, what would they get? What data would they have access to? If you had an insider threat – and you may, from a disgruntled employee – what will they have access to? The big thing we talked about during the WannaCry crisis – people asked 'what is ransomware and how can I defend myself against it?' We said a very simple thing that everybody can understand – back it up, therefore it can’t be held to ransom.
What did your last pen test tell you? That’s fairly straightforward. People tell us about the test they did on their own employees with fake emails and how many people clicked on the links. “It was 55% last year and it’s 25% this year – isn’t that great progress?” It could be, but it depends who those 25% are. If it includes your system administrators, it doesn’t matter. Which people clicked on the link – do you understand this? These are questions we should be encouraging directors to ask.
What did your last anomaly detection report tell you? What did it tell you about what attackers were doing – and did you know what they were doing?
And finally, if something does happen, how are you going to cope with it? What is your incident management plan – who are you going to put out on the media who will authoritatively tell people what you do or don’t know?
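The point about the pen test question above – that a 25% click rate means nothing until you know who the 25% are – can be turned into a routine check on simulated-phishing results. This is an added example, not code from the speech or from the NCSC; the campaign data and the list of privileged roles are constructed.

```python
from dataclasses import dataclass

# Roles whose compromise gives an attacker broad access. An assumed list for
# the example; a real organisation would map this from its own directory.
PRIVILEGED_ROLES = {"sysadmin", "domain admin", "executive"}


@dataclass(frozen=True)
class SimResult:
    user: str
    role: str
    clicked: bool


# Constructed results for one simulated phishing campaign: 8 recipients, 2 clicks.
CAMPAIGN = [
    SimResult("alice", "finance", True),
    SimResult("bob", "sales", False),
    SimResult("carol", "sysadmin", True),
    SimResult("dave", "sales", False),
    SimResult("erin", "marketing", False),
    SimResult("frank", "executive", False),
    SimResult("grace", "support", False),
    SimResult("heidi", "finance", False),
]


def click_rate(results):
    """The headline figure a board usually hears: fraction of recipients who clicked."""
    if not results:
        return 0.0
    return sum(r.clicked for r in results) / len(results)


def click_rate_by_role(results):
    """The same data broken down by role, which is what the headline hides."""
    totals, clicks = {}, {}
    for r in results:
        totals[r.role] = totals.get(r.role, 0) + 1
        clicks[r.role] = clicks.get(r.role, 0) + int(r.clicked)
    return {role: clicks[role] / totals[role] for role in totals}


def privileged_clickers(results):
    """Who clicked among the roles whose compromise matters most."""
    return sorted(r.user for r in results if r.clicked and r.role in PRIVILEGED_ROLES)


def assess(results):
    """Answer 'who clicked?' rather than only 'how many clicked?'."""
    priv = privileged_clickers(results)
    return {
        "overall_rate": click_rate(results),
        "by_role": click_rate_by_role(results),
        "privileged_clickers": priv,
        "headline_rate_is_reassuring": not priv,
    }


if __name__ == "__main__":
    print(assess(CAMPAIGN))
```

On the constructed data the overall rate is a respectable-looking 25%, but the one sysadmin in the sample clicked, so the report flags the campaign as not reassuring.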
These are basic things. Some of them may be incomplete – tell us, because we need to ensure that as CTOs and as technology leaders and CIOs, we can channel your experiences into practical advice. The government is prioritising cyber security because we care so much about the digital future of the country. We’re doing it broadly on the themes that will come up today – defend networks, deter attackers and develop the skills base.
There are two basic aspects – I think people talk too much about the first one, which is us. Yes, we have unified responsibility for cyber security under a single organisation. But the second thing we’ve done is look really hard at things like economics and behavioural science and try to figure out this perplexing conundrum – given people are aware of cyber security and the threat, and there is money to invest, why aren’t those simple defences being improved to the extent they need to be?
I’m not saying that no progress has been made, but there are basic things still not being done. Part of our answer is technical defences at scale, where we do things ourselves: we try to make the digital environment safer and simpler to use so that people can stay safe.
I’ll give you some examples of things we are doing. First, we are pioneering the implementation of the DMARC protocol on government networks freely and publishing how we do it. Spoofing is one of the biggest aspects of the cyber attack ecosystem, but the organisation being spoofed tends to suffer no damage.
The example we always use is HMRC. It was the most spoofed brand in the UK for obvious reasons, but it made no impact on the tax take. It was still a law that you have to pay tax, so HMRC themselves were not affected but, for the public good, they worked with us to implement DMARC, and in the first year they blocked 300 million attempts.
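A DMARC record only stops spoofed mail if it tells receivers to act, not merely to report, so a first check for any organisation is to read its own record. This is an added example, not code from the speech, the NCSC or HMRC; the three records below are constructed and the report address uses a placeholder domain.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record: 'tag=value' pairs separated by ';' (RFC 7489)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and the policy tag is mandatory.
    if tags.get("v") != "DMARC1" or next(iter(tags)) != "v":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required tag p is missing")
    return tags


def assess_dmarc(txt):
    """Report whether receivers are asked to block spoofed mail or only to observe it."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))          # share of failing mail the policy applies to
    sub_policy = tags.get("sp", policy).lower()  # subdomains inherit p unless sp is set
    return {
        "policy": policy,
        "subdomain_policy": sub_policy,
        "pct": pct,
        "aggregate_reports": "rua" in tags,
        "enforcing": policy in ("quarantine", "reject") and pct == 100,
        "blocks_spoofing": policy == "reject" and pct == 100,
    }


# Constructed records. The first is the common 'monitor only' starting point, the
# second applies quarantine to a quarter of failing mail, the third blocks outright.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_ROLLOUT = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
ENFORCING = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for record in (MONITOR_ONLY, PARTIAL_ROLLOUT, ENFORCING):
        print(record, "->", assess_dmarc(record))
```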
We simplified password guidance, and the official guidance coming out of the US in the initial part of this century has been rescinded because it was too hard to follow. We are doing things where, as government, when we send a message asking people to take down phishing sites – they do that. We have automated that, in partnership with a great company called Netcraft in Bath, where they take down phishing sites at scale. The average phishing site in the UK used to be up for 27 hours, but it is now up for around an hour. This is an active, real, automated measure that really makes a difference.
To conclude, I would leave you with a few key messages. Encourage your organisations to get these basics right. Tell us whether we are giving the right advice and doing the right things to fix the digital environment. We will then implement those measures, and give out that advice, to improve the basic levels of cyber vulnerabilities in the UK and make us less vulnerable to attack. That will leave us with more capability to focus on the state threats that only the government can deal with.
If we do that then we have a brilliant platform for a secure digital future, and what a great opportunity for the UK.