Last December, I placed the first of my annual reports before Parliament on progress on the UK Cyber Security Strategy. I am pleased to present a second report to both Houses today.
The “Cyber-Security Strategy”, published in November 2011, set out the Government’s vision of “a vibrant, resilient and secure cyberspace”, providing a framework to guide our actions to “enhance prosperity, national security and a strong society”. To support the strategy we put in place a national cyber-security programme (NCSP) backed by £650 million of funding to 2015. This year we increased that investment with a further £210 million in 2015-16. This funding will build on existing projects and also support new investment, enabling the UK to retain its emerging reputation as a leader in the field of cyber-security.
The strategy set out four clear objectives:
Making the UK one of the most secure places in the world to do business in cyberspace;
Making the UK more resilient to cyber-attack and better able to protect our interests in cyberspace;
Helping shape an open, vibrant and stable cyberspace that supports open societies;
Building the UK’s cyber-security knowledge, skills and capability.
These objectives continue to drive our work and are as relevant today as they were in 2011 even in the face of a rapidly changing technological and threat landscape. In this report, I will highlight significant areas of progress, new announcements and our forward plans.
Making cyberspace safer for UK business
Our partnership with industry continues to advance and bear fruit to mutual benefit. In March this year, I launched the Cyber Security Information-Sharing Partnership (CISP) which we funded through the NCSP. It provides a trusted platform in which the security services, law-enforcement authorities and industry exchange information on threats and mitigations in real time. The partnership already includes more than 250 companies. In November this year, the CISP supported the financial sector’s “Waking Shark II” exercise in conjunction with the Bank of England which tested the financial sector’s ability to respond to a cyber-attack. Going forward, we plan to expand its partnership by doubling the number of members to 500 by the end of 2014.
The Department for Business, Innovation and Skills (BIS) has also worked with partners to deliver a “Cyber Governance Health Check” for FTSE350 companies and cyber-security guidance for small businesses, both of which help companies to identify and tackle cyber-risks. In addition, they have also been working closely with industry to develop an agreed “Organisational Standard”. Last month, the Minister for Universities and Science announced details of this new standard which will not only give companies a clear baseline to aim for in addressing cyber-security risks to their company but will enable them to advertise the fact that they meet a certain set of criteria on cyber-security. This provides them with an obvious competitive advantage in a marketplace that increasingly demands better cyber-security from suppliers. To reinforce this and give the standard a kick-start, we will be mandating its use in Government procurement. Its adoption will be subject to proportionality and relevance, particularly in relation to small and medium-sized enterprises (SMEs), as this is not designed to impose costs on business but rather to boost cyber-security while improving the security of the Government’s supply chain.
In concert with this, BIS has developed a new cyber-security suppliers scheme as part of the work being done in conjunction with techUK and the cyber-security sector through the new Cyber Growth Partnership. The scheme provides UK companies with a means of demonstrating, via a public list, that they are a supplier of cyber-security products and services to the UK Government. We want to help UK companies capitalise on a growing market in cyber-security products and services, and we are setting a target for future export growth. The target, the first of its kind, has been set at £2 billion worth of annual cyber sales by 2016, a significant increase on the 2012 export sales figure of £850 million.
Tackling Cyber Crime
The launch of the National Crime Agency (NCA) in October saw the establishment of the new National Cyber Crime Unit (NCCU). The NCCU brings together the skills and expertise of its precursors, Serious Organised Crime Agency (SOCA) Cyber and the Police Central e-Crime Unit, into a world-leading organisation dedicated to fighting the most serious cyber-criminals.
The NCCU has already had significant successes. Just in the past month, it issued an urgent alert to inform internet users of a risk of infection linked to a mass email spamming event aimed at millions of consumers. In addition, NCCU delivered a quick response to a threat to a bank that enabled security measures to be put in place and prevented approximately £14 million from potentially being extracted from accounts. Working closely with the Metropolitan police, six suspects were also sentenced to a total of 28.5 years after being convicted of stealing thousands of pounds from job hunters using fake online adverts for companies. The group defrauded UK financial institutions for many years and stole personal data from thousands of members of the public. We look forward to the NCA developing its capabilities further over the coming year to provide a relentless law-enforcement response to cybercrime.
Meanwhile Government Departments have also taken action to prevent cyber-fraud. A dedicated Cyber Crime Capability in Her Majesty’s Revenue and Customes (HMRC) has provided specialist advice to approximately 20 criminal cases, resulting in an overall revenue loss prevented of more than £40 million and more than 2,300 fraudulent websites have been shut down since January 2011.
Making the UK more resilient in cyberspace
Improving our resilience to and diminishing the impact of cyber-attacks is vital. Much of our national infrastructure is owned and operated by the private sector and over the past year, the Centre for the Protection of the National Infrastructure (CPNI) has further extended its range of guidance and products to help companies protect their networks from cyber-threats. CPNI’s Cyber Risk Advisory Service provides in-depth support to senior executives and boards of the UK’s most critical firms.
The safety of industrial control systems is an important element of infrastructure protection. Helping build our capability in this important area, in conjunction with the EPSRC, we are establishing a new Research Institute in Trustworthy Industrial Control Systems. This is the third such institute to be established with the aid of NCSP funding. Based at Imperial college, the institute will broaden our understanding of the threats to these control systems and find ways to enhance their security.
The MOD continues to mainstream cyber throughout our defence forces. In May this year, the MOD stood up Joint Forces Cyber Group to deliver defence’s cyber-capability. The group includes the Joint Cyber Units (JCUs) at Cheltenham and Corsham, with the new Joint Cyber Unit (Reserve) which we announced last year. Recruitment for the Joint Cyber Unit (Reserve) commenced in October 2013 with a high number of applications received following the Defence Secretary’s announcement in September 2013. The MOD continues to develop new tactics, techniques and plans to delivery military capabilities to confront high-end threats.
An open and secure cyberspace
Complementing these domestic efforts, we have been pursuing an international agenda for an open, stable and secure cyberspace, as set out by the Foreign Secretary at the London Cyber conference in 2011. This has been advanced through subsequent conferences in Budapest in 2012 and Seoul this October, where over 85 countries were represented. In Seoul, we succeeded in getting agreement on a clear statement of the importance of maintaining an open internet for economic progress.
We are working in partnership with a whole host of nations and organisations including the G8, the UN, NATO, and the EU to help shape norms of behaviour for cyberspace while promoting the UK as a leader in cyberspace technology and policy. And we are investing in capacity and co-operation internationally by establishing a Cyber Capacity Building Fund. Through this we have supported the creation of the Global Cyber Security Capacity Centre at Oxford university this year. The fund is already helping the UK to tackle cyber-threats at source, with the arrest in June 2013 of a major global e-fraud network following UK training of partners in south-east Asia.
Cyber-security is a long-term project, so we are investing for the future with a new engagement process in which Chevening, Commonwealth and Marshall scholars from Africa, Asia, and America by selecting a number of these students to attend the annual Academic Centres of Excellence in Cyber Research conference in December and to enrol in an international cyber policy course at Cranfield university. Through this initiative, we aim to help ensure that future cadres of global leaders will have a good understanding of cyber security issues.
Education and Skills
We know that our efforts to expand the UK’s cyber-security sector mean that we need more people with the right skills and education to support this. The national cyber-security programme is working with business, academia and the education sector to ensure we have a future workforce with cyber-skills and expertise, as well as a basic understanding and awareness of cyber-security among the public in general.
We are addressing skills at every level and have funded development of cyber-security learning and teaching materials at GCSE and A-level, with further materials to be released to schools in January 2014. We are also funding initiatives at university level for graduates and post-graduate students, as well as internship and apprenticeship initiatives, such as the one being run by GCHQ to attract technically minded people.
To promote research in cyber-security, we have: set up 11 universities as academic centres of excellence in cyber-security research; established three new research institutes in the science of cyber-security; and set up two cyber-security centres for doctoral training to ensure the UK gains the high-end cyber-security skills needed to tackle current and future cyber-challenges.
For the future, with NCSP funding, the Open university is developing a massive open online course (MOOC) in cyber-security, to be run for the first time in summer 2014. The course is free and has a potential reach of 200,000 students worldwide. Through this initiative, we have a unique opportunity to raise awareness of cyber-security to a mass audience of students, not just those in courses involving it, with an ultimate aim of bringing more students into the field.
Throughout 2012-13 we have continued to fund work by the Cyber Security Challenge across the UK which runs innovative competitions to seek out talented, young people and motivate them into entering the field of cyber-security. We have also funded a new schools programme for the CSC which enabled them to run a pilot for which 562 schools have already signed up. For the coming year, we will be giving them a further £100,000 to roll out this pilot nationally.
We are also investing in public sector skills. For example, the National Archives are ensuring that staff across the public sector are trained in protecting information and have worked with National Fraud Authority to produce the e-learning course “Responsible for Information”, which has been taken by nearly 70,000 central Government staff since July 2013. It is widely available across the public sector and we will be adapting it for an SME audience in early 2014.
However, we also need to cast our net wider to ensure that people across the UK have a better understanding of potential threats and are better equipped with the necessary protection to go about their business online with confidence. To this end, BIS has been working with the UK’s internet service providers (ISPs) on a set of “Guiding Principles” for ISPs to improve the online security of their customers. The principles, being launched today, set out that at a minimum, ISPs will provide cyber-security information to their customers, or signpost to information elsewhere. ISPs will assist and empower their customers to protect themselves by offering tools and security solutions, or indicate where solutions can be accessed. If their customer does experience a problem, ISPs will support them by providing clear information about how to report the incident. They will also inform them of a potential compromise, in line with company policy, and explore ways to bring potential issues to the attention of customers. This is an important step in not only protecting people online but in helping to minimise the number and impact of cyber-attacks in the UK.
Lastly, we are investing in a major campaign to increase awareness of cyber-security among both the general public and small businesses. The campaign, led by the Home Office and backed by £4 million of funding from the NCSP, is to be launched next month. It is being supported by a broad range of organisations, including Facebook, BT, a number of anti-virus companies such as Sophos, banks and financial organisations as well as community and trade organisations. These organisations are providing financial and in-kind benefits worth around £2.3 million, which will extend the breadth and reach of the campaign and help to improve our nation’s cyber-health.
We are in a much better place than two years ago when we launched the strategy. This reflects the collective effort of numerous Government Departments and agencies, and powerful partnerships with industry, academia and international counterparts.
Today, I have also placed before Parliament a list of achievements over the past year, as well as a document which outlines our forward plans, priorities and some key initiatives we will be taking forward over the next 12 months.
There is still much work to be done, but our progress to date has put us in a strong position for the future.