CyberUK 23: NCSC CEO calls for collaboration and warns against complacency

NCSC CEO Lindy Cameron has opened the agency’s annual CyberUK conference in Belfast with a call for collaboration across the industry and a reminder not to succumb to complacency, saying that the many of the collective challenges we face in cyber security are not focused on how we secure today, but on how we secure tomorrow.

Cameron spoke of the multiple cyber security challenges posed by a multitude of different issues and trends, from the growth in emerging technologies such as AI and quantum computing, to insecure hardware and software design processes and the rise of China, and and urged people to come together to address them.

“Collaboration is one of the keys to our success. It’s the USP of our free culture, and only through collaboration between industry, government and academia will we maintain a cyberspace that is a safe and prosperous place for everyone,” she said.

“We as a community…are responsible for our individual and collective actions and must ensure that new capabilities are produced and used in a way that is legal, responsible and proportionate. Together we can and will continue to secure cyber space so that it remains free, open and democratic.

“Focused investment and intervention by industry, government and academia will nurture and grow the talent needed to innovate and build the technologies that underpin our values, and make us resilient to future threats, risks and vulnerabilities.”

Cameron spoke in particular of China’s technological ambitions – which she said differ vastly from those of Western liberal democracies.

“[China] has an aspiration to become a world leader in setting technological standards. We need to be clear – China is not just pushing for parity with Western countries, it is aiming for global technological supremacy,” she said.

She spoke in particular of China’s cyber capabilities, notably its ongoing campaigns of cyber-enabled espionage, and recently-signed laws that require security researchers working in China to disclose vulnerabilities to Beijing before the wider world.

“Bluntly, we cannot afford not to keep pace with China, otherwise we risk China becoming the predominant power in cyber space. Some of you might think that’s far-fetched or scaremongering, but it’s a risk I want you to take seriously and think about how it is we avoid complacency,” said Cameron.

“We have a legitimate concern about whether the technology China is producing will allow us to secure ourselves effectively in a way that means we can do cyber security in 10 years’ time.

“We want to make sure that people developing these technologies are thinking about how they can be used safely for genuine public benefit, not just national strategic advantage. We possess huge advantages that give me confidence that we will keep pace – our liberal economy, our democratic values, and our collaborative allies,” she added.

During her keynote, Cameron also reflected on the past year in cyber security and what she described as the profound importance of resilience.

“Russia’s horrific and illegal invasion of Ukraine has seen them maintain a high operational tempo in cyber operations, with the GRU taking a leading role,” she said. “But a significant collaborative effort mounted by Ukraine’s cyber defences with support from foreign governments and the cyber security industry has been fundamental in reducing the effectiveness of Russian offensive cyber activity. On a personal note, I’m really proud of the role the NCSC played.

“If there is to be a single takeaway from the Russia Ukraine conflict, it’s the importance of effective cyber resilience. But I don’t think we’re yet doing enough to protect our infrastructure from the cyber threats emerging from Russia-aligning groups.”

She said that if the government is to realise its ambition to make the UK the safest place to live and work online, cyber resilience needs to urgently move to the top of the shopping list – not just in the context of the high-profile cyber threat presented by Russia, but in the wider context of cyber criminality and digitally-enabled fraud.

“We can’t simply hope everything is going to be okay,” she said. “We’ve got to do more to make the UK as unattractive as possible for cyber criminals.

“We’re encouraging all businesses to consider Cyber Essentials certification as part of an annual cyber MOT. We know that organisations that implement Cyber Essentials controls are 80% less likely to make a claim on cyber insurance than organisations that don’t.”