The latest National Security Strategy has placed tackling the cyber threat at the top of the government's security agenda - alongside threats from terrorism, war and accidental or natural disaster. In light of the extent of the cyber threat, the Government may not have allocated adequate resources to deal with it.
Cyber space is the new technology of the twenty-first century - and it is expanding at an incredible pace. Already many facets of modern life rely on it. Over the past decade computer systems and the internet have become vital to the smooth running of government, industry and finance, and to our day-to-day lives as individuals. They are used to communicate, to control the critical national infrastructure and to handle global financial transactions.
Securing cyber space is therefore hugely important. It has been on the National Risk Register at a lower level for several years - but has now, rightly, been moved to the top tier alongside international terrorism, an international war, and a major accident or natural hazard such as floods or flu pandemic.
In many respects the cyber threat is more predictable than those other threats and can be tackled. What is needed are top quality computer experts. But the promised sum of £500 million in new money, though welcome, may not be enough. It is a small sum compared with the billions of dollars each year the USA now spends on cyber security.
The US already has hundreds of high-level computer experts working on cyber issues. UK cyber security is handled by a few dozen staff at the Office for Cyber Security in the Cabinet Office and by the Cyber Security Operations Centre (CSOC) at GCHQ - the Government's listening centre in Cheltenham. The new money will help establish a further cyber team in the soon-to-be-formed National Crime Agency and it will be used to secure parts of the UK's Critical National Infrastructure - power stations and the transport systems, for example. There may not be much cash left beyond that.
The Long Term Cyber Threat
The scale of the cyber threat is undeniable and the Government is right to highlight it by putting it on the Top Tier of risks. There is strong evidence that criminals, terrorists and spies have become increasingly skilled and able to use cyber space at a time when the UK, like most other countries, is increasingly dependent on cyber space to function.
Indeed, Dennis Blair, Director of US National Intelligence, warned a Senate committee in the US earlier this year that 'malicious cyber activity is coming in on an unprecedented scale with extraordinary sophistication.' He also warned 'Al Qaeda was using it as a weapon, but that there is also evidence of widespread, state sponsored cyber attack to gain economic and industrial advantage.'
The head of GCHQ, Iain Lobban, warned in a rare speech that the UK faces a 'real and credible' threat of cyber attack, and said it was not solely 'a national security or defence issue. It goes to the heart of our economic well-being and national interest'.
He reported that each month there are more than 20,000 'malicious' e-mails on government networks of which 1,000 each month were deliberately targeted at them. 80 per cent of the threat to government systems could be dealt with through good practice but 20 per cent was more complex and could not be solved by building higher security walls.
The Director of the Office for Cyber Security, Neil Thompson, speaking at RUSI on October 13 2010, warned that 'the risk trajectories are going the wrong way' on cyber security, with criminals in particular going where the money was - and that is increasingly online - defrauding businesses and individuals of cash and identities.
He has a valid point. 90 per cent of high street purchases use credit and other cards which operate through cyber space. 65 per cent of homes are connected to the internet. Businesses and energy, food and other supply chains increasingly rely on cyber communications and transactions. Cyber theft - that is stealing money or the identities of people in order to steal money from organisations - is estimated by the Association of Chief Police Officers to cost some £52 billion a year globally.
Reducing cyber crime would bring substantial economic dividends. The average cost of an information security incident to a small company is £10,000-£20,000. For a large company, with more than 500 employees, it can be £1-2 million.
The threat goes wider. The number of attempts to break into government, military or industrial cyber systems is increasing. This is in part due to state-sponsored espionage. In 2007 the head of MI5, Jonathan Evans, warned 300 UK businesses that they were being attacked for industrial secrets by China. The MI5 website still warns that in today's high-tech world, the UK is a 'high priority espionage target' as intelligence services are targeting commercial enterprises far more than in the past. He went on to estimate that 'at least twenty foreign intelligence services are operating to some degree against UK interests. Of greatest concern are the Russians and Chinese'.
In 2008 a RUSI Policy Paper produced for NATO Allied Command Transformation reinforced this view. It argued that over the next five to ten years NATO allies will become increasingly vulnerable to cyber-crime and cyber-attacks, which may be perpetrated by state or non-state actors, and are difficult to trace. Notably, it warned that 'the damage inflicted by a large scale cyber-attack on a NATO ally could be as devastating financially as a 9/11 style attack.' The incidence of cyber attacks is markedly more visible. China has recently accused the United States of fomenting unrest in Iran through cyber activity via internet sites like Facebook and Twitter. Work at one of Iran's nuclear plants was recently disrupted through cyber attack - with speculation this could have come via the USA or Israel. As RUSI's paper notes, 'increasingly the fear is that such attacks will amount to cyber warfare - where states bring down the defences of other states through cyber attack.'
Cyber Threat to the Olympics
There is a further, pressing reason why the Government is right to focus on the cyber threat now. Its cyber security must be resilient ahead of the 2012 London Olympic and Paralympic Games. Terrorist or criminal attack, or a natural disaster, could all cause substantial cyber problems. A cyber attack or a cyber failure could hinder ticketing and the transport network around the Games, and stop food and energy supply routes. It could affect the computer systems dealing with the function of the actual sporting events, and it could plunge London into darkness. Even plans to control red traffic lights to ensure the Olympic torch and athletes can move round London more smoothly could be threatened.
The most likely risk is that posed by cyber fraud to ticketing. An unprecedented nine million tickets are to be issued. A report in November 2009 for 'Which? Computing' magazine stated that: 'Criminals are limbering up for a spate of Olympic-related crime. Several websites are amazingly already promising tickets that don't exist. There needs to be much stronger regulation of this area to stop conmen running off with our money.'
Warnings on the extent and increasing scale of the cyber threat have been surfacing for several years. The Government has rightly highlighted the problem - and earmarked extra resources. But it would be wise to draw more heavily on private industry, not just because private businesses are also being targeted, but because much of the UK's Critical National Infrastructure is privately owned. The private sector's extensive knowledge of cyber space will be vital in keeping the UK safe.
The challenge will be to convince businesses they can enter partnerships with government, without undermining their own commercial interests. What's more, the UK will need to work with partners abroad in government, law enforcement and private industry, to deal with those maliciously hacking into UK networks from elsewhere. This will involve some diplomacy - the records of countries like China and Russia are complex when it comes to cyber security - but the UK would be better served if they were also persuaded to become partners on this front.