Cybersecurity is never far from IT leaders' agendas, and its importance has soared during the pandemic. Cyberattacks, ransomware, fraud, phishing, identity theft, and other offensives have risen, with organized criminals and opportunistic hackers taking advantage of organizations' perimeters expanding to include insecure home networks and personal devices - not to mention the average worker's fears about their finances and prospects.
And if that's not enough to worry about, our exit from Afghanistan has left thousands of biometric IDs in the hands of the Taliban, according to Philip James, a security partner at law firm Eversheds Sutherland.
It has also been a period of upheaval in the British Government, with a Cabinet reshuffle moving self-styled culture warrior Nadine Dorries to the Department of Digital, Culture, Media and (for some reason also) Sport. This puts an MP who once tweeted that her staff all had access to her password in charge of the UK's cybersecurity. If Whitehall wants to terrorize people into shoring up their cyber defences, that's one way to do it.
So how does DCMS view the cybersecurity landscape today, both domestically and internationally? Is the UK stronger alone, adrift as it is from the EU and sailing away from regulatory alignment? Or is it merely all at sea? Rumours are rife that the government wants to take a hatchet to GDPR while giving the incoming Information Commissioner a remit of commercializing our data, rather than protecting citizens.
How the UK's data adequacy status with the EU would stand up to that remains to be seen. But back to cybersecurity.
Like many government figures from the Prime Minister downwards, Erika Lewis, DCMS Director of Cybersecurity and Digital Identity, chose to strike a parochial note while speaking to an audience of business and IT professionals at a Westminster eForum on cybersecurity last week - a policy that does the government no favours.
My children really love the comedy The IT Crowd - I don't know whether any of you have seen it, but I always think that tech has really kind of come out of the basement now. It's not just your IT team that's buying tech, it's also in the local authority setting, for example, your housing team, using, you know, smart methods for building housing, it's in the bottom of your dustbin. When you go to the pub these days, you get the chance of either going to the bar or scanning the QR code and ordering your drink and your food in a really different way.
Thanks, Erika. It's been difficult recently but, guess what? Some of us have actually left our houses in the past 25 years, though generally not to buy smart dustbins.
Why the government believes that adopting this tone is a good idea for ‘Global Britain' is a mystery. Perhaps Lewis was taking her lead from the Prime Minister once telling the United Nations about "pink-eyed Terminators" and Alexa "stamping her foot" while he grabs cheese from his smart fridge. Who can say?
When cyber hits the real world
The question is, why does this administration keep levelling down, making everything chummy and crass, when it is supposed to be levelling up and inspiring us with a bold future vision? This was a professional tech and business audience. They didn't need to be told how to order drinks from their phones - though, frankly, you could forgive them for wanting to get drunk.
However, Lewis had the germ of a point: many people who buy technology are far from cybersecurity experts, though I'd wager that the average 14-year-old is better versed in these things than most of the Cabinet. But in 2021, we all need to be security experts. Got it? She continued:
The National Cyber Security Centre said a couple of months ago that it had taken down more phishing scams in the last year than in the previous three years combined.
Most people have heard of the Microsoft Exchange server software vulnerability that led to over 30,000 US government and commercial organisations having their emails hacked earlier this year. These kinds of attacks, I think, are a real problem. We've also seen them in places where cybersecurity really hits the real world: local authorities, schools, and businesses have been locked out of their IT systems.
Heady stuff: government attacks are a problem - but a much bigger one for President Biden, apparently ("But his emails!"). Who knew? So, what does plucky global superpower Whitehall plan to do about it? She said:
This is the strategy bit. The integrative [sic] review of defence, security and foreign policy was published in March. It's an important document for us, because it sets out security and our vision of the whole UK role in the world in the next decade. And technology is absolutely at the heart of this.
The review describes how technology and science are moving ever closer to the heart of UK security. We think that cybersecurity is fundamental to the UK being a global cyber power. And following the review, work is now underway to publish a strategy that sits underneath this, that is the cybersecurity strategy. And that's going to align with the next spending review.
So, the strategy will itself build on the integrated review, and it will take a ‘whole of society' approach. We're not just thinking about defensive and offensive cybersecurity, but about how we can make the fundamental basis for cybersecurity in the UK much, much stronger.
Crucial to this is building our national advantage in technologies that are critical to cybersecurity, and increasing our efforts to influence the international environment around cyber, digital, data, and tech. And if we are to do this well, then we must be in the conversations where we're talking about standards across the world. And to do that we have some fundamental advantages.
We do? This is the real puzzle at the heart of UK government in 2021: practically every decision it makes tears up international agreements, undermines longstanding alliances, increases business uncertainty, puts global cooperation at risk, and shifts the UK away from international sources of security data. And yet it claims to be a cyber superpower and a global influencer. One that can't even guarantee we'll have food or electricity by Christmas.
Thousands of jobs to fill - a good thing!
Meanwhile, it puts people in charge of briefs - like the new DCMS minister - who are completely unfit for their posts. Seeing everything as a jolly jape is not a route towards influencing the planet, Prime Minister, unless the UK wants other nations to back away from it holding a broom. Lewis continued:
We know that, at the moment, the very prominent clusters for cybersecurity are in London, and around the sort of Cheltenham area [it's called GCHQ, Erika!], but there are some real, small, growing hubs of cybersecurity businesses in other parts of the UK. And what we have done this year is put in place some funding so that they can draw together and learn from one another.
We're investing over £700,000 in this to help cyber firms develop their skills and collaborate and expand their businesses. And hopefully, we'll see cybersecurity clusters popping up, and really doing well across the whole of the UK.
Hopefully, yes. But it turns out there's a problem:
But we also know that there's a 10,000-person skills gap. So, there's 10,000 jobs out there that are not being filled at the moment in cybersecurity. I think that's really good news, obviously, if you're looking for a job. But it's also quite a challenge in terms of making sure that we have got people.
Er… so, 10,000 unfilled security jobs are good news, apparently. Are all the cyber experts picking apples, cabbages, and carrots instead? Or perhaps they're driving delivery trucks? (Do let us know.) But Lewis wasn't the only DCMS spokesperson at the event to remind us of just how super the UK is at everything. Also on hand was Irfan Hemani, Deputy Director of Cybersecurity, whose topic was the UK's cyber resilience. Hemani said:
The ambition of the UK is cyber power. But when people talk about cyber power, you're not really thinking of cyber resilience.
The UK has really high ambitions for digital to play a transformative role in the economy and society and as part of the way forward on things like Net Zero, and levelling up, and just pure, good, old-fashioned economic growth [0.1% in July].
Now being able to undercut, sorry undertake, this digital transformation requires big strides to be made in cyber resilience. Now, this is the point where I think cyber policy professionals and cybersecurity experts start to throw in doomsday scenarios of, you know, it can all go wrong. But this isn't about being fearful, it's about being relentless.
It's important to remember that cybersecurity is not an end in itself. It's there to support and achieve other objectives. But more importantly, what we've seen in the last year is that our digital economy is actually quite resilient. It's not resilient by accident, and there's a lot of hard work that's gone into this from companies and CSOs, but also from evolving business models and changes to regulatory regimes. And obviously the kind of world-class cybersecurity sector that we have in the UK.
Well, fair enough - apart from the missing 10,000 professionals, of course, and the disintegrating alliances and supply chains. On the subject of which, Hemani then talked about cybercriminals' attacks on supply chains - rather than the government's own successful efforts to put them at risk, of course.
Only 12% of businesses review risks coming from their immediate suppliers, while only one in 20 address risk coming from wider supply chains.
‘Now a top priority'
One of the main sources of these attacks has been ransomware, where systems or files are locked by attackers who demand payments with threats and menaces (and often resort to publishing exfiltrated data, even if ransoms are paid). Ransomware as a service is an established model for cybercriminals, with the scale of attacks increasing over the past two years, along with the size of victims' payments. Hemani added:
The way that we look at this in government is from a policy perspective. There are several stages of resilience: reducing the cyber risk at source, making sure that organizations are addressing any residual risk within their environments. In particular, within high-risk sectors, such as critical national infrastructure, but also in high-risk activities, such as digital supply chains. And we need to make sure that we're developing the UK cybersecurity skills and industrial base.
The government's own cybersecurity breaches survey threw up some troubling statistics: 39% of businesses suffered a cyber breach or attack in the past 12 months, and seven percent of those were ransomware attacks. Fewer businesses are now deploying security monitoring tools, and fewer businesses have up-to-date antivirus software this year compared to last year.
The good news is that 43% of businesses have cyber insurance, and 77% of organisations "consider cyber to be a high priority", said Hemani.
Now, that's obviously said slightly in jest. But what we do know, and what this does tell us, is that it is getting higher up on boards' agendas. It is becoming more important for risk and audit committees. Organizations are seriously considering how to manage that risk, even if that is transferring risk out to another organization.
What organizations struggle with are low recognition of supplier risk, limited visibility into supply chains, insufficient expertise to evaluate cyber risk, insufficient tools or assurance mechanisms to evaluate suppliers, and limitations on taking action due to structural imbalance.
A cynic might observe that this is a fairly accurate description of the Cabinet in 2021. But who's cynical anymore? Not me, that's for sure. Hemani continued:
As government, we also need to make sure that our own supply chains are secure, and the digital supplies into government maintain high standards, and that we set that standard for the rest of the economy.
At this point, please feel free to insert your own punchline, as we sail towards Christmas. At least the lights are still on. For now.