Although 2014 was marked by an increase in cyber attacks, it also saw a new level in international co-operation to combat them, according to a UK cyber security official.
“Over the past year we have seen substantial malicious and even destructive cyber activity,” said Natalie Black, director of the office of cyber security and information assurance at the Cabinet Office.
“But I believe we have seen steps towards change in collaboration across borders, sectors and organisations to counter it,” she told attendees of RSA Conference 2015 in San Francisco.
Black said cyber threats are global and do not respect borders and, as a result, the challenges facing the international community are similar.
“We should therefore grasp the opportunity to collaborate and learn from each other,” she said. “No country, business, civil society organisation or individual is an island in cyber space – to realise the immense benefits and opportunities of the internet, we have to work together.”
The good news, she said, is that everyone is now taking cyber security more seriously and good cyber security has become a fundamental condition for the effective functioning of society.
Black highlighted the recent launch by the UK, US and other partners of the Global Forum on Cyber Expertise in The Hague.
“This initiative aims to share knowledge among those protecting cyber space and to ensure we can come together to protect the global economy and security in general,” she said.
Joining forces to fight cyber crime
As an example of UK-US collaboration in law enforcement, Black’s US counterpart cited the international operation to take down the GameOver Zeus botnet.
Read more about the Cyber Essentials Scheme
- The Cyber Essentials Scheme is not intended to have the force of law. Instead, market forces will be left to drive compliance and adoption.
- The Cyber Essentials Scheme ensures SMEs are protected from cyber threats in a practical way.
- The UK government requires IT suppliers to comply with the five security controls laid out in its Cyber Essential Scheme.
“That effort involved five US federal agencies, the UK, 11 other governments and 13 private sector companies,” said Michael Daniel, special assistant to the president and cyber security co-ordinator at the White House.
The US and UK have also collaborated to address emergent vulnerabilities that have appeared in the underlying structure of the internet, such as the Heartbleed vulnerability and Shellshock, and to increase the level of co-operation between the countries’ computer emergency response teams (Certs).
“This includes building the capacity to exchange information in machine-readable format at machine speed so that the Certs can collaborate in a truly integrated manner,” said Daniel.
Turning to collaboration around cyber security skills development, Black said the US-UK Fulbright Commission had recently launched the Fulbright Cyber Security Award.
With funding and support from the US and UK governments, the award will provide an opportunity for some of the brightest scholars in both countries to conduct research in cyber security for up to six months.
The exchange programme will build networks and encourage collaboration between US and UK universities, bringing together world-class cyber security researchers.
Black also announced that there will be a Cambridge (UK) versus Cambridge (US) competition towards the end of 2015.
“For the UK, education has really been focused on making sure that we have interventions at every stage,” she said.
According to Black, one of the most successful initiatives so far has been the Cyber Security Challenge UK, which is both a national competition and a schools competition.
She said the competitions have been an excellent way of identifying talent from a broad spectrum of backgrounds, and the Fulbright Award is expected to deliver similar results.
Public and private sectors must work together to secure cyber space
Daniel said collaboration between the public and private sectors is another important area the US and UK are working on.
No country, business, civil society organisation or individual is an island in cyber space – to realise the immense benefits and opportunities of the internet, we have to work together
Natalie Black, Cabinet Office
“This is about collaboration between the public and private sectors, so there's a lot of figuring out how to do that in this world of cyber space.
“It is going to take time and a lot of effort on both sides because none of us can tackle this problem by ourselves,” he said.
In doing so there is recognition of the fact that many companies are multinational and, given the global nature of cyber space and the ability to sell products globally, this work has to be done in collaboration with industry.
“In many ways the discussions that we have are about how we can harmonise and synchronise the efforts of the US and UK governments to make sure we are working together and not at crossed purposes,” he said.
Developing security standards
The same approach is being applied to standards. The cyber security framework from the US National Institute of Standards and Technology (Nist) is something Black said the UK has been watching very closely.
“In the UK we have the Cyber Essentials Scheme, which is a mechanism and a process that both large corporations and small and medium-sized enterprises (SMEs) use to protect themselves,” she said.
Black and Daniel have been working on aligning the Nist cyber security framework and the Cyber Essentials Scheme to ensure that all cyber security concerns are being addressed and to make it easier for organisations that operate in the US and the UK.
Daniel said they were also focused on the issues related to the movement of digital evidence internationally, which includes updating the UK-US mutual legal assistance treaty.
“As we deepen our relationship, we are also looking towards the future by finding ways to take what we have learned from the GameOver Zeus take-down to make operations like that happen more frequently and rapidly,” he said.
There is also a focus on conducting joint exercises to learn from each other and be better prepared for events in the real world, on developing communications and processes to ensure that underlying vulnerabilities are being addressed, and on finding ways to promote desirable norms of behaviour in cyber space.