Cyber Security in a changing and complex world
It's great to be back here at RUSI (albeit virtually), at the world’s oldest independent defence and security think tank. It’s a real privilege to be giving the second Annual Security Lecture. And a particular privilege to follow the deeply impressive Dame Cressida Dick, who last year talked about the increasing influence and opportunity of data and technology in modern policing – at a time when a growing proportion of crime in the UK is either digitally enabled or committed entirely online. We work in close partnership with law enforcement, so it won’t surprise you that my lecture today will also look at cyber threats and opportunities. But I also look forward with hope to the day soon when it's unremarkable to have two senior women giving a lecture on national security. We're on our way but not there yet.
I’m also very proud to be here as the second head of the National Cyber Security Centre, which after only five years plays a key role in the UK's national security.
Its creation in 2016 showed real foresight and is widely recognised as an example others want to emulate – a partnership of government, law enforcement, intelligence and the private sector. And we have achieved a huge amount since then.
We have dealt with over 2,000 significant incidents.
We have protected the UK at scale through Active Cyber Defence – taking down more than 700,000 online scams in the last year alone, 80,000 of which were new tip offs from the British public through the hugely successful Suspicious Email Reporting Service.
We have raised resilience in all sectors of our critical national infrastructure, and built coalitions with businesses, charities and education to develop accessible and actionable cyber security tools and advice.
Over 55,000 teenagers have participated in the CyberFirst Girls competition and our cyber security courses.
And we have made the internet safer and easier to use for UK citizens through our Cyber Aware campaign, challenging password culture and victim blaming.
So I'm not sure if you planned it like this, but this feels like a really important moment to be talking about cyber security - and about cyber security as an international and not just a national issue, as an issue of mainstream national security policy. As the Attorney General said in his landmark 2018 Chatham House speech on international law in this area, the influence of cyberspace on international relations is ‘growing not shrinking.’
Of course the UK has seen cyber security as a mainstream national security issue for some time, key to our strategy, statecraft and the expression of our national values. This was clear in the 2016 Cyber Security Strategy, which drove institutional change and investment. But the recent Integrated Review of Security, Defence, Development and Foreign Policy was even clearer on the importance of cyberspace in protecting our core interests of sovereignty, security and prosperity. It outlined a vision of the UK, more robustly resilient to the threats of a competitive world, but also better able to take advantage of its opportunities, and working with allies to shape that world for the benefit of all. Don’t just search for the ‘cyber’ section of the integrated review – stand back and understand how fundamental the ability to operate in cyberspace is to the whole vision, underpinned by investment in the UK as a global science and technology and responsible cyber power. You will have heard key interventions by the Foreign Secretary and Home Secretary last month at the NCSC’s flagship CYBERUK conference – livestreamed on YouTube – and still available – and seen many interventions just in the last week from the Foreign Secretary, Defence Secretary and alumni of the national security community.
What is changing is that the international consensus on this is building. You can see that today as NATO leaders meet to agree how to adapt further to cyber challenges and how to strengthen the resilience of the alliance, in the language used by leaders at the G7 summit at Carbis Bay in Cornwall, and in the prospect of a G7 Future Tech Forum. The G7 and like minded partners are both calling out cyber threats and promising to work together on cyber opportunities like future technical standards that are in line with our core values.
This is particularly true of the incoming Biden administration, one of whose very first national security challenges was the response to the SolarWinds intrusion, and who in recent days have, in the words of Deputy National Security Adviser Anne Neuberger, ‘stepped up’ their response to ransomware in the face of live examples of the cyber threat to critical national infrastructure like the Colonial Pipeline, issuing a wide-ranging cyber Executive Order. We have seen the nomination of influential experts like Chris Inglis, author of the Cyberspace Solarium Commission report, and Jen Easterly, to key positions in the new administration. And a recognition that cyber security requires the same kind of joined-up, nationally coordinated, whole-of-government response as counter-terrorism – although the threats are very different.
So there is a moment now to take our alliances in this space to a different level. And we in the UK are well positioned to play a key leading role in this. One of our strengths, in my view, is that we consistently treat cyber security not just as a national security issue but as a mainstream public policy issue, where – for example – success in the education sector is as important as more traditional national security concerns. The UK’s Integrated Review is really clear on this: it talks about “pursuing a whole of nation effort, bringing together industry and academia in partnership” and “engaging citizens, who have a central role to play in our national security”. I see our other key strength as the centrality of resilience in our strategy – recognising that we need to ‘make the UK the safest place to live and work online’ for everyone – citizens and businesses as much as government. That is not to say we are perfect – as I have said before, there is no room for complacency, and we have much more to do. But we know our approach works, and we should bring others with us on this journey.
So it is very prescient and rather timely of you here at RUSI to choose this issue for your second Annual Security Lecture. And thank you for choosing me. Those of you who know me and my background – and of course I’m not unfamiliar with RUSI and its members – will know that my entire career has been about a ‘whole of nation’ approach, whether at home or internationally. So I hope that, despite being an illustrious security and defence think tank, you are not expecting me to see cyberspace purely as a war zone, or my lecture to be filled with gory battlefield imagery. Others can do that far better than me. My career in national security has always been about the messy reality of people’s everyday lives and the transformative potential of economic growth, even in conflict.
And that’s why, as you can imagine, when I look at cyberspace, I don’t see the threat as being confined to state actors. That is not in any way to underestimate the scale or seriousness of state activity or data theft. It consumes a very significant part of my team's most sophisticated capability. State sponsored cyber activity represents one of the most malicious strategic threats to the UK’s national interests. It is hugely important. Tracking and defending the UK from our most sophisticated adversaries represents much of our core business, usually working to support victims behind the scenes.
But it is not the only threat. And if we treated it as such, we would misrepresent the totality of the challenge and run the risk of an inappropriate response. Firstly because we all know that looking at a conflict solely through the lens of the protagonists would be to miss the inevitable opportunistic criminals exploiting the black market. And secondly because cyberspace is – primarily - a peaceful domain, of prosperity and opportunity. And that should tell us something profound about what we need to protect: the aggregation of economic harm to individuals and organisations. The UK digital sector employed 1.5m people and added £150bn to the UK economy in 2019. And that’s true not only in the UK, but internationally.
And of course – as this audience will be well aware – state actors are a reality in cyberspace. Four nation states – China, Russia, North Korea and Iran – have been a constant presence in recent years. And as I’ve said before, we face a determined, aggressive Russia, seeking traditional political advantage by new, high-tech means.
We live in a business and corporate environment where Chinese cyber attacks on our commercial interests are something our companies treat as business as usual.
And authoritarian regimes including North Korea and Iran use digital technology to sabotage and steal.
This is not a surprise, and it’s not new. Of course, you as a think tank will know this. A recent NCSC assessment of the Threat to Think Tanks noted it is ‘almost certain’ that the primary cyber threat to UK think tanks is from nation state espionage groups and it is ‘highly likely’ that they will seek to gain strategic insights into government policy, trade agreements and commercially sensitive information. So it’s not just governments that are at risk.
But it’s no longer ‘just’ espionage and data theft that is a threat. Even where it is, the complexity of modern supply chains may mean that many others can be caught in the crossfire and suffer compromises to their systems, as we saw with the recent SolarWinds Orion compromise and subsequent targeting, attributed as being ‘highly likely’ the work of the Russian intelligence services.
So although the threat has grown, our investment in cyber security means we know more about these threats now than we did five years ago when the NCSC was set up. And our world leading systems for sharing information with trusted partners means we can use this to improve the resilience of businesses and civil society, not just government and critical national infrastructure. Our ability to do this is the envy of many.
We have also used this knowledge to contribute to a series of public attributions that have exposed state activity – including attributing NotPetya and the DNC hack to Russia; the APT10 intrusion set to China; WannaCry to the North Korean Lazarus Group; and the Mabna Institute to Iranian actors.
Attribution is part of our approach to cyber deterrence, as previous Foreign Secretaries have laid out. We seek to discover who is behind activity; expose the detail of their action in a way which helps both public and private sector defend; prosecute where possible, and – when we choose to – respond.
Because although building cyber resilience is crucial, the government also needs the capability to take action directly to counter a range of threats – a ‘whole of cyber’ approach. And that’s why one of the range of strategic outcomes supported by the new National Cyber Force’s cyber operations is cyber security, working in close partnership with us at NCSC.
So what I find most worrying isn’t the activity of state actors. Nor is it an improbable cyber armageddon – though if you want a good description of a sort of dystopian, Blade Runner style future, check the attention-grabbing opening pages of the Solarium report. What I worry most about is the cumulative effect of a potential failure to manage cyber risk and the failure to take the threat of cyber criminality seriously. For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary threat is not state actors but cyber criminals, and in particular the threat of ransomware.
This has become more evident than ever during covid – that we need to focus on victims not just threat, and that small harms can amount to a cumulative risk of national significance. This is the most insidious cyber security risk – not the threat from, but threat to; and not the loss of data but the impact on operations, large and small, that stops people and business from being able to live their day to day lives. The sheer volume makes it the most impactful threat we face. We have seen it affect the NHS with WannaCry, prevent students accessing classes in the last few weeks, and shut down local authorities at great cost to the public purse, meaning the public cannot access services, pay their bills or, in some cases, even buy a house.
Ransomware has historically been the preserve of high-end cyber crime groups with access to advanced technical skills and capabilities based in overseas jurisdictions who turn a blind eye or otherwise fail to act to pursue these groups.
But the ecosystem is evolving through what we call Ransomware as a Service (RaaS) and the ‘As a Service’ business model, where ransomware variants and commodity listings, such as lists of credentials, are available off the shelf for a one-off payment or a share of the profits. We know that there are campaigns to recruit new affiliates. As a result, users buy from developers without the costs and risks of developing the ransomware themselves, and that enables actors less experienced in ransomware to acquire tools to conduct their own attacks.
As the business model has become more and more successful, with these groups securing significant ransom payments from large and profitable businesses who cannot afford to lose their data to encryption or to suffer the down time while their services are offline, the market for ransomware has become increasingly ‘professional’.
If your files are encrypted by ransomware you may be offered the services of a 24/7 help centre to quickly pay the ransom and get yourself back online. The ransom note accompanying the attack gives you the contact details to use to negotiate with the attackers and unlock your files. Everything is geared to make it as easy as possible to simply pay the ransom and move on.
High end crime groups spend time conducting in depth reconnaissance on their targeted victims. They will identify your cyber security weaknesses that they can exploit. They will use spoofing and spearphishing to masquerade as internal employees to get access to all of the networks they need. They will look for the business-critical files to encrypt and hold hostage. They may identify embarrassing or business sensitive material that they can threaten to leak or sell to others. And they may even research your cyber insurance policy to see if you are covered to pay ransoms.
This process can be painstaking and lengthy, but it means that, when they are ready to deploy, the effect of ransomware on an unprepared business is brutal. Everything is taken out. Files are encrypted. Servers go down. Digital phonelines no longer function. Everything comes to a halt and your business stops in its tracks.
Some of the most powerful testimonies I’ve heard since starting this job have been from chief executives faced with a ransomware attack they were under-prepared for. We support victims of ransomware every day, but turning up to a ransomware incident as the NCSC feels like the fire service turning up to a house that has already burned down. There might be some forensic evidence that the police might pursue. Occasionally (but less so over time) there might be a flaw in the malware or its deployment that we can make the most of. Even more rarely, we just might be able to get a decryption key. But these groups know what they’re doing, and that hardly ever happens. More often than not, it’s a case of rebuilding from scratch and restoring the data – assuming you have – and please read the advice – an offline backup that can be used for this.
But it doesn’t stop there. Over the last year or so these cyber crime groups have evolved their techniques to include data extortion. Even if you have offline backups and can get back on your feet without paying a ransom, the group will threaten to leak the data they have stolen. This can make all your business information, personal sensitive data, otherwise embarrassing content, available online for all to see. So, this is now the double whammy of ransomware; even if you have good data storage in place they can still try and hold you to ransom.
Many victim organisations in this situation feel they have no choice but to pay. It’s the same emotional blackmail technique that con-artists play on vulnerable elderly people they are trying to extract bank details from. I have huge sympathy for how that must feel. But paying a ransom in no way guarantees the return of data (which unlike a human kidnap victim, can be copied). And it funds a criminal enterprise which will be encouraged to try the same thing on others.
This isn’t a counsel of despair. In some respects, our response to ransomware is straightforward: we need to continue to build the UK’s cyber resilience so that attacks cannot reach their targets in the first place. We have great advice on how to do this with our 10 Steps to Cyber Security and we’ve made huge strides across a range of sectors. And it’s about preparing, planning and exercising, all the way up to Board level, working on the assumption that a cyber criminal will be as interested in your weaknesses as a burglar is in your open window. Reporting really matters – even if you are a victim and it’s too late to limit the damage to your business, it helps us help others. All this not only helps make businesses resilient to ransomware, but to the full range of cyber threats they face, and deters adversaries by increasing the cost of an attack.
But in many other respects it requires a whole-of-government response. This starts with the efforts to prevent the activities of the groups behind these damaging attacks. These criminals don’t exist in a vacuum. They are often enabled and facilitated by states acting with impunity. International and diplomatic efforts need to be coordinated to stop them. And it includes seeking the strongest criminal justice outcomes for those we apprehend. There are other players with a key role, such as the cyber insurance industry, which can bear down on the payment of ransoms, and the cryptocurrency entities that facilitate suspicious transactions. There will also be a role for cyber operations, taking direct action alongside law enforcement: disrupting cyber crime marketplaces where criminals buy and sell credentials, and disrupting ransomware groups. None of this is a substitute for effective cyber security, but it is an increasingly necessary part of the national toolkit and a whole-of-nation approach. And that national approach must be coordinated with others, as the Foreign Secretary outlined in his interview with the Telegraph last week, and indeed as the G7 communiqué lays out.
A coordinated response on ransomware, involving these key players, would have the added benefit of helping us meet broader national and strategic international objectives, making the UK a more resilient and prosperous place to live and do business online.
And it’s vital we recognise this – because we are at an inflection point in global technology. Jeremy Fleming, Director of GCHQ, described a ‘moment of reckoning’ recently, where without action the key technologies we rely on won’t be shaped or controlled by the like-minded democracies.
We already know proliferation is a risk. We know there are companies that sell high-end, state-like capabilities that exploit computer networks, and at the other end of the spectrum you can buy an 8-radio SIM box for $300 which allows you to send thousands of cyber crime SMS campaigns every hour. These things won't just matter to UK customers; they matter globally.
But we also know that in every era of the internet we have struggled to anticipate the magnitude or speed of change ahead of us. Back in the 1980s when I was loading computer games onto my ZX Spectrum+ using a cassette recorder I couldn’t have imagined a mobile phone, let alone an Apple Watch.
So that’s why the UK is leading the way in anticipating the potential scale of change in the future. And as I said, this needs to be a whole of nation approach. Let me give you three examples where government can play a role.
Firstly, the Internet of Things. On Consumer IoT devices, we have developed a cyber security standard now embedded in draft legislation that products sold in the UK will have to meet. That has become a European, and we hope, a global standard. We want to see the same radical change in assumptions about the security of internet connected devices as we’ve seen in car safety for baby seats over the last decades.
Secondly, the new Telecoms (Security) Bill will see a regulatory framework place security requirements on how telecoms operators build and run their networks. No one has taken it to this level before - it will create the toughest telecoms security regime in the world. It will provide new legal powers in two parts: a new security regime with a range of new security duties on operators and new monitoring and enforcement powers for Ofcom. And new national security powers, replacing the thus far voluntary arrangement between the government and operators, to remove and restrict use of goods, services, and equipment from vendors designated as high risk. Non-compliance could result in fines of up to 10% of turnover or a daily penalty of £100,000.
The National Security and Investment Act, the biggest shake-up of the UK’s investment screening regime in 20 years, will modernise government’s powers to investigate and intervene in potentially hostile foreign direct investment, while advancing the UK’s world-leading reputation as an attractive place to invest. Of the 17 sectors it covers, those most important for cyber security (and where we were instrumental in developing the definitions) are Artificial Intelligence, computing hardware, data infrastructure, communications, quantum technologies and cryptographic authentication. That helps us protect our critical services from cyber attacks and improve the underlying security of the Internet through technological improvement.
But government cannot do this alone. We will continue to take a whole-of-society approach to improving the cyber resilience of the UK: industry, academia, and civil society all have a role to play. While government is uniquely able to disrupt and deter our adversaries, it is network defenders in industry, and the steps that all organisations and citizens are taking that are protecting the UK from attacks, day in, day out. The protection they provide is crucial to the digital transformation of the economy, and every organisation, large and small, has a role to play. We have come a long way, but there is room for improvement, and for even deeper collaboration. I hope the review of the Computer Misuse Act announced by the Home Secretary will help with this.
Yet collaboration cannot end at our borders; UK cyber resilience is not just a UK challenge. This is a global challenge and we cannot do this alone. We must continue to deepen our partnerships with partners around the world to support our mutual resilience, both in response to the immediate ransomware threat and for the longer-term benefit of all of our economies and societies.
It’s fantastic to see the consensus building that cyber security is a leader-level national security issue, as we have seen in the last few days at the G7 and NATO. There is probably a whole other speech to give on what more we can do to build on that consensus and momentum, which I don’t have time to do full justice to today. But in summary, I think what we can do is to:
Firstly, agree what's acceptable. As the G7 communiqué flags, we need to work together to further a common understanding of how international law applies to cyberspace. We need to do the work as a global community to clarify and develop rules that are right for the digital age, and the Foreign Secretary has made clear the UK plans to lead on this. I therefore welcome the UN Group of Governmental Experts on cyberspace reaching its first agreement since 2015, building on the clear global appetite for progress captured in the consensus report by the Open-Ended Working Group earlier this year.
Secondly, we need to set standards more effectively. Whatever model of standards body we are talking about – government led, industry only or genuinely multi-stakeholder – they are critical to the future of technology, including interoperability and security. The UK prefers multi-stakeholder bodies because that brings balance. This is not about government control – this is about upping our engagement in a way that will benefit our prosperity and security and uphold our values.
And thirdly, we need to build alliances. We already have fantastic partnerships with our Five Eyes allies and through NATO, based on trust, collective action and a shared vision for the future. But for a whole-of-nation partnership approach, and to deal with the challenges of cyber security in a rapidly changing world, we must also deepen our partnerships with like-minded European countries, partners in Asia and beyond.
So in conclusion:
This really does feel like the moment when the world starts to take cyber security seriously, as a national security issue and a public policy issue.
As I have been clear, I see cyberspace primarily as a domain of civic and commercial interaction that enables economic growth and wider societal benefits, and that must remain free, open, peaceful and secure.
It is a real moment of opportunity, despite the current focus on threats.
And for the UK, it is also a moment of leadership. We are ahead of the game – we have invested in cyber security and set ourselves up for success. We have a whole of nation strategy with resilience at its core and we must deliver on that.
And with our new cyber strategy this year, we will have a chance to lay out how we see the future in more detail. I look forward to NCSC playing our part in that future.