Cyber security an economic opportunity, says UK government

Cyber security should not be seen as a necessary evil, but an economic opportunity, says UK government

“Cyber security should not be seen as a necessary evil,” says Francis Maude, minister for the Cabinet Office.

“It is a growth business in its own right and can be a strength for the UK,” he told the opening session of IA14, the government’s annual cyber security and information assurance event in London.

This year’s event is focused on public-private partnerships around cyber security and is expected to include an announcement of a GCHQ pilot on sharing declassified information on cyber threats, and GCHQ plans to share declassified intellectual property to support new business ventures.

Considering the UK is one of the fastest growing economies in the developed world, Maude said the UK not only needs to increase efforts to make the it one of the safest places in the world to do business, but also seize the opportunity that cyber presents for innovation, jobs and prosperity.

However, he said that in meeting these challenges, businesses and government are better off working together.

“Pulling in the same direction, with the same goals, makes us stronger and more aware, and leaves us far better placed to mitigate against the threats and maximise the opportunities that cyber presents, he told decision makers from central government, the wider public sector, industry and academia.

Reviewing the progress made in the National Cyber Security Programme, which has been backed by £860m over five years, Maude highlighted the 10 Steps for Cyber Security guidance published in 2012, the launch of first national Computer Emergency Response Team (CERT-UK) in March, and the Cyber Essentials Scheme (CES) launched on 5 June.

The CES is aimed at providing businesses with clarity on good basic cyber security practice to provide protection against the most common threats.

Maude emphasised that the CES also provides a certification process to enable businesses to show they have the right measures in place by displaying the Cyber Essentials badge.

“From October, the government will require all suppliers bidding for certain personal and sensitive information handling contracts to be Cyber Essentials certified,” he said.

Since the launch of CERT-UK, Maude said hundreds of incidents have been reported, of which more than 80 required engagement from CERT-UK. 

The government’s Cyber Security Information Sharing Partnership (CISP) now falls under CERT-UK, and has grown from an initial 100 members to more than 450.

“Cyberspace is simply too big for any organisation to have sight on everything that’s going on and so there is a massive need to pool our information for mutual benefit,” said Maude.

“CISP enables government and business partners to exchange information on threats and vulnerabilities as they occur in real time,” he said.

Every day, CISP notifies members of around 215,000 abused IP addresses, so they can be blocked or dealt with. “The secret of its success is very simple. It is about trust,” Maude said.

“CISP works because it has government involvement, but it is business-led. Companies are under no compulsion. Information is shared voluntarily,” he said.

In one instance, Maude said CERT-UK shared data with BT about UK servers that could be used to perform a distributed denial-of-service attack. This meant BT was able to assess the threat to its own networks.

“The information originated from a separate CERT in Germany and may not have reached BT had it not been relayed by CERT-UK,” he said.

By working together we will maximise the opportunity that cyber presents to business throughout the UK

Francis Maude, minister for the Cabinet Office

The value of CISP was really brought to the fore in responding to Heartbleed because members were warned of the threat and provided with tools that could be used to detect abuse.

“BT has since told us that among all the media frenzy surrounding Heartbleed, CISP provided a haven where members could cut through the noise and exchange meaningful updates and intelligence with each other,” he said.

Maude said the pattern for success involves governments and businesses working together to pool expertise, learn lessons, share capabilities and coordinate action. 

“By working together we will also maximise the opportunity that cyber presents to business throughout the UK.

“Cyber security demands technical innovation and entrepreneurial ambition, backed by world-class skills and research – all of which the UK has in spades,” he said.

Maude said cyber has the potential to create new businesses, and to turn small companies into large ones.

“Take the Phoenix IT Partnership as an example. Just over 15 years ago it had a turnover of £26m a year and 500 staff,” he said.

But after winning a contract from Northrop Grumman to help provide automated fingerprint ID services to police forces across England and Wales, the company now has 2,300 staff, in 20 UK locations, with a turnover of more than £230m.

“We want to support precisely these kind of companies, which is why we’ve produced the first ever Cyber Exports Strategy,” said Maude.

The strength of our partnerships, and the trust that enables us to share information, will allow us to build a safe and secure economy

Francis Maude, minister of the Cabinet Office

In terms of the strategy, government is aiming at more than doubling current exports of products and services to reach a total of £2bn by 2016.

“The strength of our partnerships, and the trust that enables us to share information, will allow us to build a safe and secure economy, and grasp the opportunity for future growth, so everyone can prosper from the digital age,” said Maude.

Karen Bradley, minister for organised crime described how the government’s Serious and Organised Crime Strategy is prioritising work with key partners to ensure the UK is a safe place to do business online.

She said there are real opportunities for industry and law enforcement to work together to build skills to tackle cyber crime and understand the changing threats.

“I see the expertise, the commitment and the access to thousands of highly skilled individuals we need to outwit the criminal gangs and shut them down,” she said.

These sentiments are expected to be echoed by Iain Lobban, director GCHQ, when, on the second day of the conference, he confirm’s GCHQ’s involvement in the global operation to disrupt the botnet behind the GameOver Zeus Trojan and Cryptolocker ransomware.

GCHQ plans to share IP on a broad range of technologies through joint ventures

Lobban is also expected to announce a pilot in which GCHQ will commit to sharing its classified cyber threat information faster and more frequently than it does currently to help communications service providers protect their customers.

The pilot will start with suppliers to government networks and then move on the other sectors of critical national infrastructure. 

This initiative will use GCHQ's unique capabilities and insights gleaned from its intelligence and security work to illuminate the critical threats in cyberspace, officials said.

Lobban is also expected to describe GCHQ’s contribution to a new programme of work known as Promoting Innovation in the Digital Economy. 

This will examine how GCHQ’s cyber security work can better support UK’s economic objectives, including boosting high-tech small and medium-sized enterprises, the official said.

Lobban is expected to announce that GCHQ is looking at whether limited amounts of intellectual property can be declassified to support the development of new business ventures.

GCHQ plans to share IP on a broad range of technologies through joint ventures, unclassified expert seminars and through making things available through open source, officials said.

Read more on Hackers and cybercrime prevention