Is the government taking cyber-threats – such as malware, hacking, and identity theft – more seriously now?
Very much so. This government takes cyber security extremely seriously and this is reflected in it being categorised in the National Security Strategy as one of the top four priority areas for action. £650 million is being invested in a new National Cyber Security Programme to bring about effective changes in how we handle cyber security for the benefit of the UK.
What has changed this?
A recognition that now, more than ever before, cyberspace is vital for the UK’s economic prosperity, national security and for maintaining our way of life. It brings many opportunities for businesses and individuals, but also threats from cyber crime, espionage, terrorism and warfare which must be addressed. Hence our commitment to making cyberspace as secure as possible.
What sort of attacks, and with what regularity, is the UK coming under attack? Where are they coming from?
The internet is an attractive place for criminals and for those with malicious intent to operate. Cyber is industrializing an existing criminal process – the type of fraud being committed online in itself is not necessarily new, but credentials can now be harvested en masse, sold at a profit and then easily converted to cash with little technical knowledge. Also, at present the fear of detection or prosecution is currently low. Last year almost £60 million was lost to online fraudulent scams in the UK.
We also know that the most sophisticated threat in the cyber domain is from established, capable states seeking to exploit computers and communications networks to gather intelligence on government, military, industrial and economic targets. The threat and regularity of such attacks are increasing hence the need to tackle this problem head-on with increased investment in our capability to protect vital systems.
Do you think the country as a whole needs to be taking cyber security more seriously? As the government’s expert, should the state be doing more to inform the public of the dangers?
Yes of course and getting individual internet users to be better prepared and clued-up on internet security risks is half of the battle. This is why we continue to support public awareness and education initiatives such as Get Safe Online (www.getsafeonline.org ) which do a tremendous job at drawing the publics attention to new scams and what measures they should take to protect themselves and their families online. This initiative is a joint HMG/Private Sector partnership between leading government departments and representatives of the finance, technology, telecommunications and security software sectors. Such an approach highlights that it is not just the Government that has a responsibility for responsible awareness raising of internet security risks – it is all sectors.
Is it realistic to compare cyber security with traditional security, such as nuclear defence? Should we treat them with the same gravity?
Both are real and present threats to the UK’s national security. The National Security Strategy ranked the threat of cyber attack and cyber crime alongside threats from conventional terrorism, military hostility and natural hazards (Tier One). In terms of gravity, I would agree that the threat from cyberspace to the UK is as equal to the threat from nuclear proliferation.
Could the war of the future be fought on the internet?
Obviously, the same capabilities that are at the disposal of cyber criminals could be used by nation states for military means. This is why we have established the Defence Cyber Operations Group within the Ministry of Defence. By 2015, cyber operations will have become business as usual within UK defence planning and operations with military commanders able to call on robust national capabilities and international partnerships to meet UK defence needs.
Would some form of regulation on internet usage here in the UK help the problem?
Some measures to deter criminals using the internet for harm? There already exist a number of pieces of legislation (Computer Misuse Act 1990, Serious Organised Crime Act 1995) which provide prosecutors and regulators with the tools they need to effectively manage risk on the internet and hold individuals to account if the law is broken. However, we can and should do more. This is not necessary done by creating new laws or binding business with further burdensome regulations.
We need to ‘harden the target’ and make it more difficult for criminals to access information, making their task more difficult. We also need to better disrupt criminal activity on the internet – this can be done by greater cooperation between national law enforcement agencies and by building a better intelligence picture of the problem. These are all issues which our increased investment in cyber law enforcement will seek to address.
What can the IT industry/community do to help? Is there a responsibility for it to get involved in rallying a national defence?
The Government is very aware that it cannot tackle these problems alone and will need considerable help and guidance from the IT industry. Many of the innovative solutions we need to implement are created by experts outside of Government who have a lot to offer to the national contribution.
For example, I welcome the collaborative project between Intellect (the IT trade association for the UK) and ADS (the UK’s aerospace defence and security trade organisation) trade association which is seeking to create a Virtual Task Force project, sharing cyber threat information between IT and Defence companies in order to provide common mitigation techniques against common threats. The commitment of these bodies to contribute positively to helping secure the UK’s national security is something I wish to see more of.
It’s been announced that the UK is developing cyberweapons. What form would these take and what situation would these be used? Would it be alongside conventional military measures or as standalone operations?
The Strategic Defence and Security Review made it clear that the UK government will work to develop, test and validate the use of cyber capabilities as a potentially more effective and affordable way to complement and deliver our defensive tasks. We are still at an early stage in developing such capabilities but where necessary, we will act in defence of our national interests.
We view cyberspace as a domain in which we can carry out operations to generate military effects – as we would on land or by sea and air – and we are investigating ways in which this can be achieved. Any such operations would be strictly governed under the well established Law of Armed Conflict (LOAC) and more broadly by British law. However, if cyber operations allow us to achieve military effect with a lower risk of loss of life or collateral damage, then of course the UK will consider such an option.
Germany’s interior ministry has opened a new centre for defence, following news it comes under attack every two seconds. Would such a institution here be of benefit?
The UK benefits from having established, alongside the Office of Cyber Security & Information Assurance in my department, the Cyber Security Operations Centre (CSOC). CSOC’s role is to provide greater awareness of threats and developments in cyberspace, and ensuring that the UK can respond effectively in the event of a major cyber incident and we will continue to develop its capability to meet these requirements.