Chancellor of the Exchequer, Philip Hammond, today announced Britain’s new National Cyber Security Strategy, which will be supported by a £1.9 billion investment - almost double what was previously invested over the last parliament.
Hammond told delegates at Microsoft’s Future Decoded event in London this week that whilst technology presents “huge opportunities” for our economy, it too poses risks. He said that trust in the internet and the infrastructure on which it relies, is fundamental to our economic future.
Without that trust, faith in the whole digital edifice will fall away. We need a secure cyber space. And we need to work together, business and government, to deliver it.
The government has said that cyber security is “one of the greatest threats to business”, with the World Economic Forum estimating the total cost of global crimes in cyberspace to be $445 billion.
The new national strategy focuses on three key pillars - Defence, Deter and Develop.
Media reports remind us on a regular basis of the scale of the challenge that we face. Last month we witnessed a worrying increase in the scale of DDoS attacks, hijacked security cameras being exploited to launch a colossal attack on a US server company, preventing access to major websites for millions of people.
A small number of UK government digital services were affected by that attack, but because we had the right defences and contingency plans in place, we were able to swiftly to get these back online.
[There are] significant consequences, including loss of customer data, financial costs, disruption of services, reputational damage, threats to the infrastructure of the state itself. We have to respond to this threat.
The Chancellor said that because the UK started investing in cyber security over the last parliament, the government isn’t starting from scratch in building up its capability. He argued that the past five years have been spent cementing partnerships with industry, working closely on issues such as cyber insurance and establishing 13 academic centres of excellence.
And in addressing it here in the UK, we are not starting from scratch. In the last parliament we invested £860m over five years to significantly enhance our capability to protect our government networks, improve our incident response, and to tackle cyber crime.
The government’s strategic defence and security review also now classifies cyber as a tier 1 threat to the United Kingdom, which is the same level as terrorism or international military conflict. It has also established a cyber committee, which is formed of a number of cross-departmental ministers.
In recognition of the risk that cyber attacks pose, the government’s 2015 strategic defence and security review classified cyber as a tier 1 threat to the United Kingdom. That’s the same level as terrorism or international military conflict. Established cyber committee.
We must keep up with the scale and the pace of the threat we face. So today, I am launching the government’s national cyber security strategy for the next five years. The new strategy is built on three core pillars - defend, deter and develop. Underpinned by £1.9 billion of transformational investment.
Defend, deter and develop
Firstly, Britain must focus on defence against cyber crime, said the Chancellor. Work in this area is progressing, where, for example, previously a website service web-inject malware would stay active for over a month - now it is less than two days, according to the government. It also claims that phishing sites impersonating government departments would have stayed active for two days, now it’s less than 5 hours.
However, Hammond wants more investment to be made in automated defence. He said:
Equally, the Chancellor said that significant investment will go towards taking the fight to those who threaten Britain in cyber-space and to those who relentlessly pursue attacks against the UK.
In practice that means government taking a more active cyber defence approach. Supporting industry’s use of automated defence techniques to block, disrupt and neutralise malicious activity before it reaches the user. The general public have much to gain from active cyber defence, and with the proper safeguards in place to protect privacy, these measures have the potential to be transformational in ensuring UK internet users are secure by default.
This will be done in part through strengthening law enforcement capabilities to raise the cost of cyber crime, building international partnerships and being clear that the UK will defend itself. This year the government is recruiting over 50 specialist cyber-crime investigators and technical specialists, enhancing its ability to respond to the most serious incidents of cyber crime. Hammond said:
We will deter those that seek to steal from us, threaten us or otherwise harm our interests in cyber space. We are strengthening our law enforcement capabilities to raise the cost and reduce the rewards of cyber criminality. Ensuring we can track, apprehend and prosecute those who commit cyber crimes. We will continue to invest in our offensive cyber capabilities, because the ability to detect, trace and retaliate in kind is likely to be the best deterrent.
He added that if a cyber attack took out critical infrastructure and the UK hadn’t defended itself, it would be left with worse alternatives.
We would be left with the impossible choice of turning the other cheek and ignoring the devastating consequences or resorting to a military response. That is a choice we do not want to face. And a choice we do not want to leave as a legacy to our successors. That is why we need to develop a fully functioning, operational, cyber counter attack capability.
Finally, the new strategy also places strong emphasis on developing Britain’s capabilities to keep pace with changes in cyber security - where it hopes to increase investment in the “next generation” of students and experts.
For example, a new cyber security research institute has been announced, which is a virtual collection of UK universities that will look to improve the security of smart phones, tablets and laptops through research that the government hopes could one day make passwords “obsolete”.
The strategy also announces the UK’s first cyber security innovation centre in Cheltenham and there will be a Cyber Innovation Fund next year to develop new technologies and products, as well as funding for training and support for cyber start-ups. Hammond said:
We will develop the capabilities we need in our economy and in our society to keep pace with the threat in the future. To make sure we’ve got a pipeline of talented people, with the cyber skills that we need. We will increase investment in the next generation of students, experts and businesses.
These three pillars that I’ve outlined are all supported by our new National Cyber Security Centre, based in Victoria, Central London. For the first time, the government will have a dedicated, outward facing authority on cyber. Making it much simpler for business to get advice on cyber security and to interact with government on cyber security issues. Allowing us to deploy the high level skills that government has to support the development of commercial applications to enhance cyber security.
As always, when it comes to cyber security it’s hard to know exactly what’s going on and what decisions are being made behind closed doors. But the government’s decision to double its investment over this parliament, shows that it’s taking this very seriously. Chancellor Hammond finished by saying:
The strategy we are publishing today represents a major step forward in the fight against cyber attack. It is a key component of the government’s ambition for Britain to be the best place in the world to run a tech business.
We are not at all complacent.