The cyber threat continues to evolve rapidly, but the UK is a global leader in the fight against attacks, says David Lidington, minister for the Cabinet Office.
“We have stood strong with our international partners to call out cyber attacks, to attribute where there is evidence so to do, and to set the standard for hardening national cyber defences,” he told the CyberUK 2019 conference in Glasgow.
Lidington, who is responsible for the National Cyber Security Strategy, said the strategy has “revolutionised the UK’s fight against cyber threats as an ambitious, deliberately interventionist programme of action”.
In the past three years, the strategy has seen many building blocks put in place to strengthen the UK’s cyber security and resilience, including setting up the National Cyber Security Centre (NCSC), which Lidington said has been recognised as a global centre of excellence, with many countries copying the UK model for cyber security.
Another key achievement of the strategy, he said, is setting the standard in protecting critical national infrastructure, and, in a brief allusion to the controversy surrounding 5G network security, he said the UK takes the security of its telecoms networks extremely seriously.
Lidington also highlighted government investments under the strategy in cyber capabilities within law enforcement, and progress being made by the NCSC’s Active Cyber Defence programme.
“It is making good progress in automatically protecting UK internet users,” he said. “Last year, it took down nearly 140,000 UK-hosted phishing sites, and we are protecting the public sector, checking more than four billion queries to the internet every week, and blocking more than a million that are malicious.”
But despite “considerable progress”, there is more to do to build on this success, said Lidington. “We need to demystify cyber security for the average citizen. There remains a deep lack of awareness about these threats.”
Turing his attention to the corporate world, Lidington said cyber resilience is too often “seen as the responsibility of an IT department, when cyber security needs to be everyone’s responsibility”.
Citing WannaCry as an example, he said a low-level lapse in cyber security can risk the compromise of a much wider network.
“The vast majority of cyber attacks can be prevented by putting basic cyber security measures in place,” he said. “But nationally, only about a third of businesses and charities have a board member or trustee with specific, designated responsibility for cyber security. And even fewer have a system in place for when a cyber attack occurs.”
There are thousands of organisations outside government that can benefit directly from government expertise, said Lidington. “So, a few weeks ago, I launched a new Board Toolkit designed by the NCSC to help FTSE 350 companies encourage discussions on cyber security between organisations’ board members and their technical experts.”
But there is more that can be done, he added. “That’s why, today, I am announcing that the NCSC will launch a new exercising initiative, called Exercise in a Box, designed to help organisations test their cyber resilience,” he said.
The tool is designed to help organisations increase their resilience by using real-life scenarios based on common cyber threats facing the UK. Organisations can practise these in their own time in a safe environment and as many times as they like, using either technical simulations or tabletop discussions.
The tool will enable organisations to establish how effective their current defence and response mechanisms are, test and check their existing policies and procedures, improve internal relationships and skills, identify areas for further improvement, and access bespoke guidance.
With the first version tested by local government, small businesses and the emergency services, the tool is also designed to complement existing cyber security measures, including Cyber Essentials and the NCSC’s Small Business Guide.
“But improving cyber security is not, and never will be, an exact science,” said Lidington. “It relies on partnerships to achieve lasting change. The geopolitical, technological and threat environment is constantly evolving. And we are seeking to meet these challenges by building resilience regionally, nationally and internationally.
“Regionally, the UK government is working closely with the devolved administrations in areas like cyber skills and local government cyber resilience. That’s why, in the spirit of highlighting collaboration across the devolved administrations, I am pleased to announce today that CyberUK 2020 will take place in Wales.
“By sharing our expertise and helping to build vital skills together, we are working together to protect the whole of the UK from the threats of both today and tomorrow.”
The UK is promoting its cyber expertise internationally, said Lidington. “We have worked with allies to counter malicious cyber activity, and we’ve called out unacceptable behaviour, joining 19 countries, Nato and the EU, to attribute a range of cyber attacks to the Russian and the Chinese governments during the course of 2018.
“We are sharing best practices with allies, and across government departments we are funding projects in more than 40 countries to help them defend themselves from emerging cyber threats.”
Spirit of preparedness
Looking to the future, Lidington pointed out that the current National Cyber Security Strategy runs to 2021. “But, in the spirit of preparedness, we need now to consider our vision beyond then, and how we sustain long-term change,” he said.
“First, we want to reduce the risk from high-volume, low-sophistication cyber attacks. We need to build security right into internet-connected devices, systems and networks. And we must create a culture of cyber resilience among consumers themselves.”
Lidington also highlighted the importance of continuing to tackle the most sophisticated and serious threats from both hostile states and organised criminals.
“This means ensuring our agencies and law enforcement partners have the capabilities to counter malign activity, and modernising our deterrence posture so the UK is seen as a hard target,” he said. “And we will continue to take a leading role in promoting a free, open, peaceful and secure cyber space.”
In conclusion, Lidington said the task facing the UK is great, with cyber threats evolving every day. “But this is the same country whose citizens invented programming, the first computer and the World Wide Web,” he said.
“We are up to the challenge – but we cannot do this alone. Partnerships are the key to the UK’s cyber security. This government considers industry and academia to be the catalysts in delivering long-term, effective, cultural change.
“We need partners like the ones here today, to be engaged, open and willing to work with us for the safety and security of all. So thank you for all you have done, and for all you will be doing in the future, to ensure that we remain stronger, together.”