Speaking at a national cyber security event today, Chi called on the Government to show real, authoritative leadership in tackling cyber security. She also called for specific Government action on mobile security and cyber security amongst small businesses.
Commenting after the keynote speech at the Future of Cyber Security 2013 conference, she said:
“Ministers have a £650m national cyber security programme, but as the defence select committee recently said, that only touches the tip of the iceberg. From what I have heard from industry, it is clear that Ministers are not on top of the problem, in fact I’m not even sure some of them even understand what it is.”
A transcript of the speech is below (check against delivery).
Cyber security in an ever more interconnected world
Thank you for inviting me here today.
Last month the FBI arrested their number one ‘most wanted’ cyber criminal.
He allegedly masterminded a scheme that defrauded the financial industry out of tens of millions of dollars. The FBI estimate more than $100,000,000 over the years.
His name was Tobechi Onwurhara and not, as was reported on Twitter, Chi Onwurah.
So I hope nobody here came here expecting a masterclass in cybercrime.
Though I do have some form in this area: 23 years’ experience as a professional engineer building telecoms networks across the world. Not all of them with security built in, I should say, though I pretty soon learnt to retrofit it!
As Head of Telecoms Technology at Ofcom I was asked to look at internet security in 2006.
When I came back with tales of bot attacks and honey traps, DDoS and white hat wizards, Trojans and worms, phishing and pharming, I was greeted with understandable scepticism. It was as if I was describing a war in a galaxy far, far away.
But I knew it was just a matter of time before cybercrime went mainstream. Unfortunately, I was right.
Now the Cabinet Office believe that cybercrime costs the UK £27bn a year, though, given neither the Home Office nor the Justice Department collect statistics on cybercrime, that is difficult to verify.
Our world is constantly becoming ever more inter-connected. Ericsson estimates that by 2020, 50 billion ‘things’ will be connected to the internet. Other analysts put the number of connected devices in the trillions.
Of course that interconnectedness presents significant opportunities for innovation and business. But it also poses a significant and growing threat.
Our national infrastructure – water, gas, electricity, telecoms and financial services – are all linked together and will be more than ever in years to come. Much of it is in private hands.
Our policy response must be equally joined up to meet the challenges we face.
So far I’m not convinced that the Government is up to meeting the challenge.
Last month the National Audit Office’s review into the UK cyber security strategy highlighted room for significant improvement in leadership and coordination across government.
This has been echoed by the former head of GCHQ and CESG head Nick Hopkinson, who said that the UK was lagging behind in our ability to respond to cyber-attacks because of a “lack of cohesion” across agencies.
Yet our current cyber security policy is based on a figure of £27bn that few people have any real confidence in, and on little to no understanding of how much cyber crime is happening, where and to whom.
We must build proper policy on a solid evidence base.
Whilst under-reporting is a problem especially for businesses, we must work towards a system where we better understand the threat we are facing as it evolves.
In a response to my parliamentary questions, the Home Office have said that they don’t record cyber crime separately. They don’t even have an assessment of the costs or benefits of recording cyber crime.
Right now we have a £650million national cyber security strategy up to 2015. However, 60% of that has been put into the single intelligence account,
I am not saying that the threat from governments, individuals and organised crime outside of our borders is not a significant risk.
Events in Korea this week highlight what these attacks can do.
But they are not the only cyber threat, and the economic consequences of commercial cyber warfare can be just as damaging.
We have had very little from Government in explaining exactly where the risks lie and what resources are needed to deal with each of those risks.
And even less explanation in how we would respond, who will respond, and how all those responsible will work with each other.
There are 43 police forces in England and Wales plus numerous agencies and bodies that have an interest in cyber crime. We must ensure they are all properly coordinated.
As John Colley, head of (ISC)2 said in December, the Government’s cyber security strategy is too “fixated on high-level ‘macro’ security issues”.
Government should be doing more right across the cyber security spectrum.
When I meet software and technology businesses, they are concerned about the growing threat of cyber criminals, and our response to that threat.
Yet policing, education and training got a fraction of a £650m cyber security budget. The police got just £5m – and significant cuts. Which, by the way, the PM himself has said should be focused on the backroom boys doing the IT rather than on the frontline. What the PM doesn’t get is that cybercrime is the frontline.
Europol recently opened a new cyber crime centre. Yet the Home Secretary wants to ‘opt out’ of cross border cooperation on crime.
SMEs are the victim of three quarters of all successful data breaches. Yet the Government has no real resources or strategy for supporting SME cyber security.
Businesses are suffering from a global shortage of information security professionals.
Yet anybody who listens to Michael Gove will know he is more interested in teaching Latin than Java.
As an ex software engineer I should say that I’m still a little stuck in C++ & APL but that puts me 2000 years ahead of the Education Secretary.
We have an Attorney General that thinks tweeting is the same as “talking over the garden fence”, that’s a quote, by the way, and a Cabinet Office Minister whose idea of secure disposal is throwing his papers into a central London park bin.
This does not fill me with confidence that Ministers across Government are on top of the problem, or even understand what it is.
And there is a chasm in their cyber strategy big enough to drive a GSM network through. Ministers claim that their strategy covers mobile devices, but it is not mentioned once in any of their documents. Not once.
We increasingly bring our own devices to work. A recent report by HP found that 48% of mobile applications were vulnerable to unauthorised access. You don’t need a crystal ball to see internet mobility will grow.
And we don’t even have a strategy?
Labour has been busy in opposition. We have been developing our ‘One Nation’ vision for the UK.
For cyber security that means real vision and leadership.
In future, “traditional crime” will increasingly be done online, it will be mobile and it will be complex.
We need to be prepared to deal with this. We need to understand the threats, and have the skills, resources and leadership to deal with them.
We must ensure that public services delivered online, like universal credit, are protected from fraud and cyber crime.
We must work with industry to develop proper security standards.
We must have high-profile and authoritative leadership.
A Government that looks out for everyone.
And a digitally literate population.
Economically, socially and geopolitically the virtual world is becoming as important and as complex as the real world.
Four thousand years ago – even further back than Gove wants to go – the earliest example of law known to historians stated that:
“The first duty of government is to protect the powerless from the powerful.”
A Labour Government would prioritise making sure our citizens can live safely in cyberspace.