On July 16 the think tank Reform partnered with BT and KPMG to host a half-day conference on cyber security. “Cyber security: assurance, resilience, response” sought to identify how the new Government can help to ensure that the digital economy is as safe and secure as possible. The conference drew speakers from across the public and private sectors to explore new strategies for protecting against and responding to cyber security threats.
Minister of State for the Digital Economy, Ed Vaizey MP, opened the conference stating that the digital economy is central to growth and productivity. He argued that “good cyber security” was therefore crucial as it “underpins the entire digital economy”. Through his speech he outlined the need to ensure that the right infrastructure and processes were in place, and that the country has a highly-skilled cyber workforce.
The Minister highlighted key infrastructure that had been put in place during the previous Parliament and used the conference platform to make a series of announcements, including launching a new online cybersecurity portal, “Inspired Careers”. With online courses, training and qualifications, the new site is intended to encourage new talent into the cyber security profession. Other announcements included a £1 million fund to provide Cyber Security Innovation Vouchers to SMEs and £0.5 million to encourage partnerships between academia and cyber security companies.
Identity assurance and sharing of personal data: enabling digital
Panellists agreed that digital technologies continue to provide a huge opportunity to transform public service delivery. Panellists and attendees alike were clear, however, that this required appropriate legal frameworks to be in place.
Shadow Minister for the Cabinet Office, Chi Onwurah MP, stated that the current legislation on data is “a mess”. She argued that it is crucial that individuals own their own data and understand how it is stored and who can access it. Steve Wood, Head of Policy and Delivery at the Information Commissioner’s Office, pointed out that senior policy officials have a patchy understanding of data protection. Janet Hughes, Programme Director at Gov.UK Verify, described the “privacy by design” approach Verify has taken, but highlighted the “massive gulf” between what people say they care about and what they actually do about online security. Panellists agreed that citizens need a better understanding of the importance of maintaining basic “cyber hygiene” – such as using anti-virus software and regularly changing passwords – to help reduce the threat of cybercrime.
Risk and resilience: protecting against security breaches
Panellists highlighted that the cybersecurity threat is increasing, but that the majority of breaches are unsophisticated and could be easily countered. Natalie Black, Director of the Office of Cyber Security and Information Assurance in the Cabinet Office, argued that businesses can do more to protect themselves, but they must also have structured incident responses for when breaches do occur. Layering protection mechanisms and multiple data storage locations were recommended by the panel. Ruth Davis, Head of Programme Cyber, Justice and Emergency Services at Tech UK, pointed to access rights as key to minimising the impact of breaches.
Panellists were also keen to highlight the fact that cybersecurity is about people. Jonathan Lloyd White, Director of Security and Information at HM Revenue and Customs, talked about the initiatives in the department to build resilience amongst staff. These included sending phishing emails to employees that, when clicked on, redirected them to a cybersecurity training package. Natalie Black noted that behavioural insights research could prove a useful resource.
Detection, intelligence and control: responding to the cyber threat
A key theme of the final panel was the need to better understand the scale of the cybersecurity threat and to act on the intelligence that is gathered. Scaremongering about the issue was seen as extremely damaging. Mandy Haeburn-Little, Director of the Scottish Business Resilience Centre, argued that fear can have a paralysing effect on businesses, and Dr Ian Levy, Technical Director at CESG (the information security arm of GCHQ), called for a rational conversation on cybercrime. Levy argued that government and business need to be realistic about adversaries, make security a core business issue and take sensible steps to build defences to ensure “vulnerability tolerance”. Mark Hughes, Chief Executive Officer at BT Security, described how cybersecurity is a key board-level issue for the company and how well-thought-through response “play books” are vital to mitigating impact.
The role of law enforcement was also a hot topic, with discussion focusing on police reporting and response. Haeburn-Little argued that understanding the problem required increased cybercrime reporting, but that a debate is needed on what the appropriate policing response is. Dr Jamie Saunders, Director of the National Cyber Crime Unit at the National Crime Agency, also argued for greater clarity on the respective roles of businesses and the police. Panellists recognised that a key challenge for policing was capability, with Saunders highlighting the need to upskill officers for the digital world and, for smaller forces, pool resources.
Overall, the key messages of the conference were optimistic: much of the threat is low-level, which basic “cyber hygiene” can counter; the scale of the problem is more manageable than sometimes expressed; and the right infrastructure is being put in place to tackle it. Challenges do, however, remain, including ensuring clarity on data ownership and use, increasing awareness and capability, and defining the police response.
The conference was held by Reform and kindly supported by BT and KPMG.