Speech on second anniversary of the Cyber Security Strategy
Francis Maude spoke at the second anniversary of the Cyber Security Strategy, providing a forward look and discussing achievements so far.
Thank you all for being here today to give us the chance to talk a bit about where we are, what we鈥檝e done and what we鈥檙e going to do.
Most of what I do in government is about stopping people spending money. I鈥檓 kind of 鈥淢inister No鈥� or 鈥淒r No鈥� 鈥� the 鈥渁bominable no-man鈥�. Last financial year we saved through cutting out waste over 拢10 billion and we鈥檝e just announced fairly recently in the first half of the current financial year we saved 拢5.4 billion 鈥� which is a 70% increase on the savings from the year before. So I鈥檒l just get that plug in while I鈥檝e got you here.
Read the Cyber Security Strategy and progress against its objectives since its publication in December 2011.
But the background to that, why are we doing it? It鈥檚 because of the really difficult fiscal situation where the outgoing Chief Secretary said in May 2010 that there is no money. So we need to be able to spend money on the things that absolutely matter and one of those is cyber security.
So against the incredibly tight financial constraints we decided to increase spending on cyber security and a lot of credit for that decision goes to Baroness Neville-Jones, who was Minister for Security at the beginning of the coalition government, for whom this was a hugely important commitment.
And the government has backed that commitment with 拢650 million of investment over 4 years. We increased that earlier this year to add another 拢210 million for the out year 2015 to 2016 鈥� and that tells you I think how highly cyber security ranks in our priorities. We鈥檝e put it I think to good use.
2 years ago there wasn鈥檛 a clear law enforcement lead for tackling cybercrime.
Today, as you鈥檝e heard, the National Cyber Crime Unit is the UK鈥檚 centre of expertise, providing resources, intelligence and guidance to police forces.
Frankly, 2 years ago our understanding of cyber security was relatively low and there wasn鈥檛 actually, in a sustained way, the means of expanding that knowledge. That鈥檚 changed now. A long way to go, but today we have 11 new Academic Centres of Excellence in Cyber Security Research, there are 3 new Research Institutes, 2 centres for doctoral training.
2 years ago there wasn鈥檛 a clear means of sharing information in real time between industry, government and the law enforcement agencies. Today the Cyber Security Information Sharing Partnership (CISP) that you鈥檝e just been hearing about is up and running with over 250 businesses as members.
I recall when we launched CISP Howard Schmidt, the former White House cyber security tsar, commenting on how much the UK had achieved in a short space of time.
And I think that鈥檚 true. It鈥檚 very easy when we talk about the things we鈥檝e done to sound as if we鈥檙e complacent. We鈥檙e absolutely not. This is incredibly fast moving and we need to be moving fast all the time.
But there are new structures, more resources, better intelligence: across the board our capability has been transformed.
You鈥檝e heard some examples this morning of the law enforcement operations and arrests which are the practical results of that. We鈥檝e got some laurels, but we absolutely can鈥檛 rest on them. We will either continue to get better or we will get worse. And we can鈥檛 risk that.
The 拢860 million that we have to spend goes along way for sure.
But it鈥檚 not limitless - which is why partnerships are absolutely at the core of Britain鈥檚 National Cyber Security Strategy.
The internet is fantastic. When we talk about cyber security it sounds dark and threatening and we鈥檝e done our best here to make people鈥檚 flesh creep. But why is cyber security a risk 鈥� because something absolutely brilliant has happened that has transformed businesses, people鈥檚 lives and has been a huge, huge upside.
But there are risks that come with that and so there鈥檚 a shared responsibility to make it safe. When government, businesses, individuals and families all take steps to protect themselves, our collective cyber security gets enhanced.
And this event really illustrates that partnership - and I鈥檓 going to outline some the ways we are planning to strengthen that collaboration and cooperation during 2014.
Partnership with business
Central to our approach is the desire to make the UK a safe place to do business.
So in September last year, 2012, we published the 10 Steps to Cyber Security and at Davos this year it was cited as an example of best practice.
And it鈥檚 being used 鈥� and used a lot - a recent survey indicated that the number of UK companies who have actively considered these lessons has leapt from 21% in July to 67% in November.
But the need to raise awareness is continuing. It will never end, because when you get yourself up to speed at one stage, the next day you are probably out of date. This is real time - changing all the time.
So we are developing an industry-led kite mark-style standard for cyber security. The focus is on essential steps that all businesses 鈥� whether they are corporate giants or start-ups 鈥� should be taking to protect themselves from low level threats.
Because we practice what we preach, next year all central government departments will be expected to adopt this standard for their own procurement. We don鈥檛 want it to be ridiculously onerous 鈥� especially for SMEs, we are opening up our procurement much more to SMEs right across the piece - so we will use the kite mark in a way that is proportionate and relevant, but it is important for us in ensuring the security of government supply chains.
We鈥檙e also grateful for the role that businesses are themselves playing to raise awareness.
So I鈥檓 pleased to announce today that 6 of the UK鈥檚 leading internet service providers (ISPs), working with the government, have co-developed a series of principles to guide how they inform, educate and protect their customers online. Early next year we will launch a new campaign to encourage the public to make simple changes to their online behaviour. Government funding of 拢4 million is being supported by around 拢2.3 million in financial and in-kind support from industry sponsors, including Facebook, Sophos, RBS Group, Trend Micro and Financial Fraud Action UK.
Many thanks to those here today - we would certainly welcome others on board for that initiative.
Partnerships for growth
Better cyber security shouldn鈥檛 be viewed as a necessary evil 鈥� it鈥檚 also an opportunity. The internet remains obviously a rich frontier for enterprise and innovation. The global cyber security market is growing 鈥� and growing fast - by more than 10% a year and Britain we鈥檙e good at this stuff so it鈥檚 an opportunity for us; we have firms with deep expertise in this area.
In the past year, I鈥檝e visited large firms, like Sophos in Abingdon; I鈥檝e visited SMEs like Titania, which supplies products to organisations in over 50 countries. That鈥檚 1 of 40 small cyber security companies clustered around Malvern, rather improbably, in Worcestershire.
These are the industries of the future that can help the UK achieve strong lasting growth and compete and win in the global race.
The Cyber Growth Partnership includes techUK, which now represents over 850 technology organisations, and we will do everything we can to help them succeed. I know that Ian Livingstone, who has just taken up his role 鈥� I think he鈥檚 on his third day - as Minister for Trade, former chief executive of BT, is passionate about this industry and indeed was a leader when he was at BT and will being doing a lot to support these companies.
A new Cyber Security Suppliers鈥� scheme will enable businesses to use an exports badge to demonstrate to potential customers that they are a supplier of cyber products and services to us, the UK government.
Today I can tell you we鈥檝e set a new target for cyber exports.
We aim to be exporting 拢2 billion worth of products and services by 2016 鈥� that鈥檚 a sharp increase on the 拢850 million that we sold last year.
And I know that can be achieved because I鈥檝e seen with my own eyes the brilliance of some of these companies. So when I meet my counterparts in other countries my message is simple: we鈥檙e open for business and we want to trade overseas.
GCHQ and the Security Services are also looking to Britain鈥檚 SMEs to encourage innovative solutions for their own technical needs. I was recently able to attend an event at Cheltenham racecourse 鈥� not on a race day - designed to introduce some of these firms to the opportunities that are available.
Cyber security isn鈥檛 鈥� and mustn鈥檛 be - a barrier that prevents our security community from accessing the very best and newest ideas. For the same reason, better cyber security supports our digital-by-default agenda for public services. Digital public services that are simpler, faster and cheaper obviously also need to be secure, but useable. And too often we don鈥檛 strike the right trade off, between security and usability and that鈥檚 something we鈥檙e addressing rapidly.
Just as consumers need to know their money is safe when shopping or banking online, people also need to be confident that their data will be protected when they are applying for a passport or renewing their car tax over the internet.
That鈥檚 why we鈥檙e providing funding from the National Cyber Security Programme to support the work of the Government Digital Service to develop a new identity assurance scheme that will enable people to verify their identity so that they can use online services.
It鈥檚 easier for countries that have a national identity card and identity database. We don鈥檛, we鈥檙e not going to. But we are developing an identity assurance scheme that will obviate the need to develop one. It鈥檚 being followed very closely elsewhere 鈥� the United States is going down the same path as we鈥檙e going down but we鈥檙e obviously very sorry to say they are someway behind us. No doubt they will try to catch up.
Improving the UK鈥檚 resilience
On our resilience, we have to build our own sovereign capability to detect and defeat cyber threats and we have constantly to be looking for ways to stay ahead of those who might try to attack our systems and networks. A new research institute is going to be created at Imperial College focussed on the security of the industrial control systems that drive our power stations and transport networks.
The National Computer Emergency Response Team, CERT-UK, is taking shape, to provide a core national incident management capability. The inaugural director, Chris Gibson, took up his post last month, with initial operational capability planned for very early next year. It鈥檚 good to see Chris here today.
Of course, a large proportion of investment goes toward ensuring that GCHQ and the Intelligence Services have the capability to protect us. And much of this is about situational awareness - without it we can鈥檛 prepare our defences; we can鈥檛 advise businesses or the public effectively. And inevitably, this work takes place away 鈥� mostly away - from public gaze. I鈥檇 like to take this opportunity to pay tribute to those on the frontline.
In October, I visited GCHQ to see their work first hand - and earlier this morning we heard from Stewart [Garrick] and Andy [Archibald] at the National Cyber Crime Unit. Their task is painstaking and as you鈥檝e heard sometimes frustrating. The hacker or the cyber-criminal only needs to be successful once, but we have to be successful all the time: our defences have to hold around the clock, day-after-day. And the work that these people and agencies represents some of the very finest I have seen in a long career in the public sector.
Skills and education
It鈥檚 now vital that we ensure we have young talent coming through the education system and into the workplace to sustain and grow the UK鈥檚 cyber capabilities. While the online world has grown exponentially over the past 10 years, our training and education provision hasn鈥檛 kept pace at nearly the same rate.
Better skills absolutely underpin the whole Cyber Security Strategy, because we simply won鈥檛 achieve our other objectives without it.
So we鈥檝e now developed cyber security content for each stage of education from GCSE through to masters degrees. The Open University is now developing a new online cyber security course which will be available free.
It鈥檚 targeted at non-specialists, but it will encourage those with an interest in the subject to take it further. It has the scope to reach 200,000 students this is a powerful way to bring high quality training to a mass audience.
And talent won鈥檛 always be found in the usual places - some of the brightest and best are self-taught. GCHQ鈥檚 new technical apprenticeship scheme is identifying gifted school leavers, just as the MOD鈥檚 Cyber Reserve will draw on skills that already exist in ordinary homes and workplaces around the country.
We want to avoid a gap in our cyber defences in 10 or 20 years鈥� time, and we need to start with younger pupils. Over the past year around 600 schools have taken part in the pilot of . We have been thrilled at the level of participation. It shows that if we make cyber skills fun, exciting and relevant, we can spark the kind of interest that I hope will grow into a career ambition. And it happens in some improbable places. I remember meeting a young apprentice at one of those companies in Malvern. He鈥檇 been thrown out of school. He wasn鈥檛 succeeding academically. He wasn鈥檛 going to. He loved computers and he鈥檚 brilliant and he is actually going to be one of the big brains of the future. So it isn鈥檛 always going the conventional academic path that will lead to the skills we need. We鈥檇 rather people with those skills were working on our side rather than the dark side.
So we are offering a further grant of 拢100,000 to the Cyber Security Challenge to expand the pilot regionally and nationally, so it can run twice yearly, and can link participating schools to local universities.
And this will help sow the seeds that will enable us to succeed in the years and the decades to come.
Lastly, the internet clearly is global. Cybercrime isn鈥檛 an issue we can solve by ourselves. As you鈥檝e heard, our higher education institutions have massive potential to develop skills abroad, not just at home.
So we are working with a number of initiatives to bring together UK academia with international counterparts. When I was in Israel earlier this year, we agreed with my Israeli counterparts that we would fund a joint UK-Israeli call for collaborative academic research between Israeli universities and ours.
And we are engaging with the Chevening, Commonwealth and Marshall international scholarship programmes, to make places available on a cyber policy course at Cranfield University.
These students have been identified as outstanding scholars with the potential to be future leaders. We want to encourage them to contribute to the development of international cyber policy, and in doing so to reinforce our reputation in the UK as a world-leader in cyber.
Conclusion
So, in conclusion, last year we were concentrated on raising awareness and understanding the threats; now our focus is on building the partnerships to deliver security, prosperity and the skills we need.
I鈥檓 proud of what鈥檚 being achieved here but this absolutely only the beginning. It is a work in progress 鈥� and frankly it will always be a work in progress. There will never be a moment when we say 鈥� when we dare say 鈥� that this is done.
We are reckoned to be in Britain already ahead of many other nations and that鈥檚 good, but we can鈥檛 even have a flicker of complacency about that.
So much remains to be done, and the partnership is crucial to this.
We are determined that Britain will have a safe and secure digital government, but also a safe and secure digital economy 鈥� we can only do that if we all work together.