Safety, Security and Resilience in Cyberspace


The government’s Digital Britain Strategy showed very clearly just how critical cyberspace is to the underlying health of our nation.[1] The £50 billion of online consumer sales and purchases that take place on a yearly basis illustrate how vital the new technology of cyberspace is to our national prosperity. Cyberspace increasingly underpins the business of government, the work of organisations across all sectors, and the activities of individual members of the public, including banking, social networking and shopping online, to name but a few examples. These networked, digital activities offer a phenomenal number of benefits and opportunities, and we need to ensure that the UK is well placed to take advantage of them. We also have to recognise, however, that balanced against the opportunities are a number of real and rapidly evolving threats; there are people who would seek to do us harm through cyberspace. What is more, technological developments and changing patterns of utilisation make cyberspace a dynamic and challenging environment: we have to keep pace. That is why the UK government has produced a Cyber Security Strategy that sets out the actions being taken to ensure that the risks are minimised and the most is made of the opportunities, now and in the future.

Evolving Threats, Growing Expertise

The low cost and anonymous nature of cyberspace makes it particularly attractive for use by malicious actors. A low barrier to entry, coupled with the difficulties associated with detection and attribution, means that organised criminals, hostile states and terrorists can and do exploit cyberspace for their own ends. We must be alive to the fact that a number of actors have a level of intent and capability that amounts to a real threat to our security and prosperity. People will often focus on sophisticated state-led cyber espionage, and this is of course a serious issue; but we must also keep in mind that criminals continue to exploit vulnerabilities in government, corporate and personal IT systems using a range of methods, from phishing to the use of malware. Aside from the financial harm for which online fraud is responsible, there is also the fundamental issue of making sure people have the confidence to live and work online. So we must consider and pre-empt attacks on government systems and its essential infrastructure, and attacks on individuals and businesses.

The publication of a new strategy should not detract from the substantial amount of effort, resources and expertise already devoted to UK cyber security. This is not a new problem, and the UK Government has been taking action to secure cyberspace for several years now, on a number of different fronts. The 2003 National Information Assurance Strategy[2] addressed the first steps for the UK in assuring the integrity, availability and confidentiality of information and communications technology systems and the information they handle: the Cyber Security Strategy builds on this work. There is a good deal of work already going on to protect the UK from cyber threats – in government and in conjunction with industry and other sectors.

The Home Office, Serious Organised Crime Agency (SOCA) and the police all work to combat the activities of criminals in cyberspace. Recent initiatives have seen the formation of new units dedicated to tackling online crime: the Child Exploitation and Online Protection Centre and the Police Central e-crime Unit. Earlier this year, the Association of Chief Police Officers published an e-crime strategy that will form the basis for a more consistent operational approach by increasing skills and capacity, and by bringing e-crime into mainstream policing and law enforcement.[3]

The Centre for the Protection of National Infrastructure (CPNI) provides advice on electronic or cyber protective security measures to the businesses and organisations that comprise the UK’s critical national infrastructure – the nine sectors that deliver essential services: energy, food, water, transport, communications, government and public services, emergency services, health and finance. CPNI also runs a Computer Emergency Response Team service that responds to reported attacks on private sector networks.

All government departments have access to the Government Secure Intranet, which securely connects around 200 government departments and agencies. CESG (the National Technical Authority for Information Assurance and part of GCHQ) provides government departments with advice and guidance on how to protect against, detect and mitigate various types of cyber attack. CESG runs GovCertUK which provides warnings, alerts and assistance in resolving serious IT incidents for the public sector.

A Shared Responsibility

All users of cyberspace have a part to play in safeguarding it. The onus is on government and business to work together to provide more secure products and services, to operate their information systems safely and to protect individuals’ privacy. The individual member of the public also has a responsibility to take simple security measures to protect themselves, their families, and others in society. Take, for example, an unpatched home computer that is infected with malware, harnessed as part of a botnet[4] and used to attack institutional targets, thus illustrating the interconnected nature of networked threats. This highlights the importance of getting the message out that cyber security is something that can only succeed through a collaborative approach. This is why the government co-sponsors the joint public and private sector initiative Get Safe Online, which aims to raise awareness of internet safety amongst the general public and small businesses.

The Cyber Security Strategy

The Cyber Security Strategy will help to keep the UK safe by building on existing work, identifying gaps and overlaps in work areas. It puts in place two new organisations, the Office of Cyber Security (OCS) and the UK Cyber Security Operations Centre (CSOC), that will design, initiate and oversee a programme of work to address these aims. The Strategy provides the strategic framework for doing this systematically, centred on clear high-level objectives: reducing risk from the UK’s use of cyberspace and exploiting the opportunities that cyberspace presents. Both of these will be enabled through action to improve the knowledge, capabilities and decision-making needed. The Strategy is also very clear about the need to maintain ethical safeguards – people have valid concerns about the preservation of civil liberties, and the protection of individual privacy in particular. When the Strategy was launched, this author made it clear that, as with all national security activity, it is important that government powers are used proportionately and in a way consistent with individual liberty. An ethics advisory group is being set up to provide the necessary oversight for the government’s cyber security work.

To make sure there is progress towards the Strategy’s objectives, the OCS has been established to provide strategic leadership across government. The multi-agency CSOC in Cheltenham will actively monitor the health of cyberspace and co-ordinate incident response, enabling better understanding of attacks against UK networks and users, and providing better advice and information about the risk to business and the public. The government has made substantial progress since the publication of the Strategy – the heads of both organisations have been appointed, and the government is continuing to actively recruit staff from across government, even as it pushes forward work in the priority areas that the Strategy identified as particularly urgent.

Both organisations will be working towards an embryonic capacity capable of releasing early products in autumn 2009. One early priority will be the Cyber Security Industrial Strategy, which aims to identify all the different ways in which industry and the government interact in the field, from procurement to regulation. Having identified these relationships, and looked at other industry areas for further input, the Strategy will investigate how these can be optimised to suit the needs of both industry and government. Work is also progressing on e-crime to build the most effective structure to enable close co-operation between SOCA, the Metropolitan Police and other stakeholders. On international engagement, the UK is fully represented in all the relevant forums as cyber security becomes increasingly discussed: the UK is building strong partnerships with other like-minded nations. Lastly, the government is examining the doctrine that underpins cyber security; it is a new area which will require careful planning in this regard.

Transnational Partnerships for a Transnational Problem

Cyberspace is a transnational domain. Threat actors do not respect international boundaries – in fact, they often look to exploit them – so the need for international co-ordination of cyber security efforts with our allies is self-evident. There are strong links already in place between the UK government organisations that have a cyber security role and their counterparts overseas – now we need to build on the existing links, bring greater coherence across them, and establish new ones where there are gaps. The OCS will lead work on the UK’s international engagement on cyber security issues, co-ordinating the development and deployment of the UK’s core messages in key forums; this will bring greater coherence to the UK’s work with overseas partners and international organisations. As part of this, the government will continue to seek opportunities to meet with its main bilateral partners, particularly the United States, in order to exchange ideas and best practice.

In conclusion, the UK has to secure its position in cyberspace in order to give British people and businesses the confidence needed to operate safely in the online environment. There is a lot to do, but with publication of the Cyber Security Strategy we have made real progress and built a solid foundation; now we have to maintain this momentum, and make sure it delivers.

Lord West
Parliamentary Under-Secretary for Security and Counter-terrorism

 

NOTES

[1] Department for Business Innovation and Skills and Department for Culture, Media and Sport, Digital Britain Final Report, June 2009.

[2] Cabinet Office, A National Information Assurance Strategy, last updated June 2007, www.culture.gov.uk/images/working_with_us/nia_strategy.pdf.

[3] Association of Chief Police Officers, ‘e-Crime Strategy Version 1.0’, June 2009, www.acpo.police.uk/asp/policies/Data/Ecrime%20Strategy%20Website%20Version.pdf.

[4] A botnet is a collection of software robots, or bots, that run autonomously and automatically on computers, often unbeknownst to their owners.


