CYBER RESILIENCE How to guard against the great security threat of the 21st century

NATO WILL DEFEND ITSELF JENS STOLTENBERG

THE AGE OF CYBER WARFARE ALEX DEAN

SECURING BRITAIN’S NETWORKS NIGEL ADAMS

THE THREAT KARIN VON HIPPEL AND JONATHAN EYAL

OCTOBER 2019 | IN ASSOCIATION WITH

OCTOBER 2019 | PROSPECT CYBER RESILIENCE

CONTENTS

2 SECURING BRITAIN’S NETWORKS. Give businesses the protection they need. NIGEL ADAMS
4 NATO WILL DEFEND ITSELF. The alliance could invoke collective defence. JENS STOLTENBERG
6 INTERVIEW: EX-GCHQ CHIEF. Critical infrastructure is vulnerable. DAVID OMAND SPEAKS TO ALEX DEAN
10 WHEN, NOT IF. A category-one attack is just a matter of time. MARGARET BECKETT
12 INTRODUCING CYBERNOMICS. Proper defences pay for themselves. PAUL WALLACE
13 KEEP HUAWEI OUT. The telecoms giant is not a safe partner. ISABEL HILTON
14 THE AGE OF CYBER WARFARE. A new kind of conflict. ALEX DEAN
16 CYBERCRIME: THE NUMBERS. Businesses are exposed and criminals are profiting
18 DON’T FORGET DIVERSITY. Provide cyber jobs for marginalised groups. JO PLATT
20 WHEN MISINFORMATION REIGNS. Fake news corrodes democracy. KARIN VON HIPPEL & JONATHAN EYAL

HOW TO STOP THE HACKERS
Criminals and aggressive foreign states are wreaking havoc online. Can the UK defend itself?

Britain is confronted with a new threat. The rise of the internet has brought benefits but also dangers. Cyberattacks now rank among the most pressing security threats we face, with risks to personal data, critical infrastructure and even democratic elections. The challenge—and focus of this report—is how to secure the perimeter and keep Britain safe.

The government has begun to wake up to the danger. In 2016 it launched a new cybersecurity strategy, accompanied by a dedicated new cyber centre under the umbrella of GCHQ. Its director of operations, Paul Chichester, told Prospect the focus is on ensuring “the UK’s digital homeland is as secure as possible.” Nigel Adams, Minister of State at the Department for Digital, Culture, Media and Sport, puts forward the government’s plan himself on p2.

But will it be enough? Other contributors to this report are not convinced. Margaret Beckett, former foreign secretary and Chair of the Joint Committee on the National Security Strategy, condemns what she views as worrying complacency from a government that’s still underprepared (p10).

Others warn simply of the danger if we don’t get our approach right—David Omand, the former intelligence chief, is among them. A category-one attack could do immense damage, as our interview on p6 makes clear.

There is certainly more work to do on the domestic front, with extra investment, effective collaboration between the government and business, even a dedicated cabinet minister responsible for cyber all advocated for in these pages. Most important of all is acknowledging the danger; hopefully the furore over technology giant Huawei has pulled the issue up the agenda in the UK (p13).

But of course, the cyberthreat is cross border, meaning international collaboration will also be crucial. Jens Stoltenberg, Secretary General of Nato, explains how the North Atlantic Alliance is preparing (p4). Alarmingly, he says Nato suffers cyberattacks “every day,” while warning that a serious breach could trigger the collective defence commitment, where an attack on one ally is treated as an attack on all. Such is the scale of this new threat.

Criminal activity has evolved. True, we have a strong intelligence apparatus on our side and are well placed to adapt if we move fast enough. But the years ahead will be critical.

This report forms part of Prospect’s work on cybersecurity. For more information on this report and our wider programme of activity please email: [email protected]

Follow Prospect: twitter.com/prospect_uk www.facebook.com/Prospect.Mag
© MEDIA DRUM WORLD / ALAMY STOCK PHOTO


SECURING BRITAIN’S NETWORKS— THE GOVERNMENT’S PLAN Give UK businesses the protection they need

NIGEL ADAMS MINISTER OF STATE, DEPARTMENT FOR DIGITAL, CULTURE, MEDIA AND SPORT

Nearly every day we see a new cyberattack or data breach reported in the news. The threat is on a global scale and shows no sign of abating.

As our tech sector goes from strength to strength and our economy depends more and more on digital technology and connectivity, we are stepping up our approach to cybersecurity.

We are investing £1.9bn to help millions of people and organisations become more secure. Our National Cyber Security Strategy was published in 2016 and since then we have set up the world leading National Cyber Security Centre (NCSC). This is the frontline of our defences and has dealt with more than 1,500 significant cyberattacks in the UK, while helping to take down 140,000 scam websites in the past year.

We continue to support industry in other ways. Our new Board Toolkit provides resources to help board members take responsibility for cybersecurity and manage the risk to their organisation. The NCSC recently launched a new free online training resource, for employees to learn the basics of how to protect themselves online in just 30 minutes.

But we know there’s still more to do, because our “Cyber Health Check” of leading firms shows progress has not been quick enough.

“THE NATIONAL CYBER SECURITY CENTRE HAS DEALT WITH MORE THAN 1,500 ATTACKS”

We need to make sure our digital environment is more difficult to attack and good cybersecurity is being delivered by the market as a norm. We have launched a comprehensive review of the UK’s cybersecurity regulations. We want to understand the best way of encouraging organisations to improve their cybersecurity, whether this is a mixture of laws, rules or other incentives.

For example, we know the new GDPR and data protection rules brought in last year have had a positive impact, with around a third of organisations improving their cybersecurity as a result—but we need to go further than rules which just cover personal data.

Improving cybersecurity and securing our digital networks also relies on having a skilled and diverse workforce.

Just this week we announced a third round of the Cyber Skills Immediate Impact Fund, which is increasing the number and diversity of people entering this field of work, and the Institute of Engineering and Technology has been announced as the lead for the new UK Cyber Security Council, which will help to make cybersecurity a well-structured and easy to navigate profession.

These measures will help to ensure we have skilled people from a range of backgrounds represented, increasing our resilience for the future.

Good cybersecurity is at the heart of the government’s digital strategy. It enables businesses to seize the opportunities of a connected world. We see future-proofing our digital economy as an absolute priority, to help us achieve our aim of making the UK the best place in the world to start and grow a business.

ADVERTORIAL

PIONEERING NEW COLLABORATIONS FOR THE CYBER WORLD Working together across international borders is essential

KEITH MAYES PROFESSOR OF INFORMATION SECURITY, ROYAL HOLLOWAY, UNIVERSITY OF

Pioneers are individuals or organisations that have new ideas and the strength of belief to put them into practice. The roots of Royal Holloway, can be traced back to pioneers of education and equality: Elizabeth Jesser Reid, who in 1849 founded Bedford College as the first UK higher education college for women, and , whose vision and philanthropy led to the opening of Royal Holloway College in 1886.

Moving forward a century, we find a Royal Holloway pioneer celebrated in today’s Cyber World. Professor Fred Piper had been researching information security during the early eighties, when PCs were rarities, phones were not mobile and the Internet as we know it was not yet a dream. He foresaw the importance of information/cyber security and the need for academia to support industry, and so in 1990 he created the Information Security Group (ISG). In 1992 the ISG launched the first UK MSc in Information Security, and these pioneering efforts were recognised in 1998 with a Queen’s award, but it took much longer for the world to fully awake to the importance of information/cyber security.

Royal Holloway is a Founding Charter Member of the International Cyber Security Centre of Excellence (INCS-CoE) © MHK PHOTOGRAPHY

Information security is actually a topic that is thousands of years old and has always involved people, behaviours and processes, as well as available technology. When the term Cyber Security became in vogue, new entrants to the subject focused on technology alone and now view the importance of human aspects as a revelation. Nevertheless, encouraging multi-disciplinary collaborative efforts is essential for the future, enabling academia to help solve real-world problems.

It is vital that UK academia excels and collaborates in Information/Cyber Security, because it is an important part of our expert capability to safeguard our country and its critical infrastructure, and it directly impacts on parts of our society, from e-commerce and online banking to social networking, used daily by billions of people.

“INFORMATION SECURITY IS ACTUALLY A TOPIC THAT IS THOUSANDS OF YEARS OLD AND HAS ALWAYS INVOLVED PEOPLE, BEHAVIOURS AND PROCESSES”

This is evident in the strategy of the UK National Cyber Security Centre (NCSC) that created the Academic Centres of Excellence in Cyber Security Research (ACE-CSR) programme, endorsed specialist Masters degrees, and more recently undergraduate degrees with cyber security specialisms, to train the talent of tomorrow. The UK strategy has also developed themed research centres and centres for doctoral training.

The UK NCSC approach has much to commend it, however it is a national model, whereas cyber security is international and our adversaries can be nation states or criminals who respect no borders. Therefore, our strategy should be international, especially when large corporations operate across multiple countries and much of our infrastructure and supply chains are globally dispersed.

The conclusion for academics is that we should collaborate on an international scale. In the UK, the situation is especially acute, as much of UK international research collaboration has been dominated by European funded programmes, which are uncertain post-Brexit. In any case, we should not limit our endeavours to a single region of the world, as there are technical, cultural and educational benefits from looking further afield.

Pioneering academies have taken the initiative, with the creation of the International Cyber Security-Centre of Excellence (INCS-CoE). This was originally an inspiration from Keio University in Japan; to assemble the world’s elite cyber security institutions from trusted countries, to advance cyber security research, training and collaboration. The concept has gathered support since 2016, and has led to a more formal governed entity, announced recently. The structure is founded (but not limited) on three core countries; Japan, USA and UK, and two institutions from each country committed to establish the governing Charter Agreement. These institutions are Keio University, Kyushu University, The University of Maryland Baltimore County, Northeastern University, Imperial College and Royal Holloway. INCS-CoE was formally established in July 2019 and is intended as a stimulus for collaboration and as an umbrella for individual research projects, as well as an organisation for student/staff exchanges and capture-the-flag events. The plan is now to sign up more academic institutions, extend affiliate membership to non-core countries and to build industry support.

As pioneering ventures go, it is attracting a promising level of early interest from insightful companies offering financial support for the running of INCS-CoE, including CISCO, Adobe, Hitachi, NEC, Fujitsu and Northrop Grumman.

We would very much like to hear from UK industry and government willing to support INCS-CoE, and especially sponsors for research projects including UK INCS-CoE members.

www.royalholloway.ac.uk/ISG


NATO WILL DEFEND ITSELF The alliance will guard its cyber domain—and invoke collective defence if required

JENS STOLTENBERG SECRETARY GENERAL, NATO

It takes just one click to send a cyber virus spreading across the globe, but it takes a global effort to stop it from wreaking havoc—and Nato is playing its part.

In just minutes, a single cyberattack can inflict billions of dollars’ worth of damage to our economies, bring global companies to a standstill, paralyse our critical infrastructure, undermine our democracies and cripple our military capabilities. We have seen much of this happen already. And the reality is that cyberattacks are a threat we will need to contend with in the decades to come.

Cyberthreats to the security of our alliance are becoming more frequent, more complex and more destructive. They vary from low-level attempts to technologically sophisticated attacks. They come from state and non-state actors, from close to home and the other side of the world. Malicious actors can attack anything automated and networked, including the mobile phones in our pockets or the computers controlling our critical systems and infrastructure. Attacks can affect every one of us. In the United Kingdom, the 2017 WannaCry virus crippled computers in hospitals across the country, cancelling thousands of scheduled operations and costing the National Health Service millions of pounds. Even Nato is not immune to cyberattacks and we register suspicious activity against our systems every day.

To keep us all safe, as it has been doing for 70 years, Nato is adapting to this new reality. For Nato, a serious cyberattack could trigger Article 5 of our founding treaty. This is our collective defence commitment where an attack against one ally is treated as an attack against all. We have designated cyberspace a domain in which Nato will operate and defend itself as effectively as it does in the air, on land, and at sea. This means we will deter and defend against any aggression towards allies, whether it takes place in the physical world or the virtual one.

“A SERIOUS CYBERATTACK COULD TRIGGER ARTICLE 5, WHERE AN ATTACK AGAINST ONE ALLY IS TREATED AS AN ATTACK AGAINST ALL”

We are establishing a new Cyberspace Operations Centre in Mons, Belgium, to increase our military commanders’ cyber situational awareness. We can now also draw from allies’ national cyber capabilities for Nato missions and operations.

Alongside Nato’s multilateral efforts to tackle the cyberthreat, individual allies are boosting their own cyber systems. We saw, for example, how some nations, not least the UK, successfully used cyber within the Global Coalition to Defeat the Islamic State (IS). It was able to suppress IS , disrupt their recruitment of foreign fighters, and degrade their ability to co-ordinate attacks.

By strengthening their cyberdefence capabilities, improving their legal and institutional frameworks, and increasing resources—both people and money—devoted to confronting cyberthreats, allies have reduced the vulnerability of their networks and infrastructures.

As a result, we are tackling increasingly complex cyberthreats faster and more efficiently, and we are all more aware of—and resilient to—attacks. This was demonstrated last October, when authorities in the Netherlands, with the help of British experts, foiled an attack by Russia on the Organisation for the Prohibition of Chemical Weapons in The Hague. We must remain vigilant and prepared for whatever lies ahead of us in cyberspace.

For this, we must work ever more closely together and leverage our unique network of allies, partner countries and organisations. No single country alone can secure cyberspace. But by co-operating closely, sharing expertise, we will not only survive, but thrive in the new digital age.

The more information we have, the more prepared we are. By working with the European Union, strengthening the ways in which we share information, train, educate, and conduct exercises together, we will ensure that we have the most robust tools possible for responding to the growing cyberthreat. This autumn, EU staff will again take part in Nato’s own Cyber Coalition—one of the largest cyberdefence exercises in the world to test and train experts in their ability to defend Nato and national networks.

At the same time, we must strengthen our relationship with industry to take full advantage of innovation and keep pace with technological advances. This will improve our cyberdefence capabilities. Industry creates, operates and innovates in this space so this relationship will only become more important as we transition to the “internet of things,” with more smart devices embedded in our everyday lives, and to the greater use of artificial intelligence, machine learning and quantum computing.

As we look ahead, we must continue to build a strong and diverse workforce of future cyber defenders. The UK has already started doing this with “CyberFirst,” a programme aimed at supporting and preparing undergraduates for a career in cybersecurity. We must be smart about recruiting, training and retaining highly skilled cyber experts, and make sure their skills are kept sharp through regular exercises, as we do, for instance, through our Cyber Coalition exercises.

Cyberspace is the new battleground and making Nato cyber ready—well-resourced, well-trained, and well-equipped—is a top priority as we look towards the Nato summit in London in December and beyond.

Did you know? We can help protect your entire business

Threats to your organisation are growing more sophisticated every day. We have the technology and the intelligence to spot and tackle cyber dangers before they become the stuff of headlines.

For more information visit bt.com/security


IS CRITICAL INFRASTRUCTURE NOW VULNERABLE? An ex-GCHQ chief says power grids and telecoms have been “pretty well reconnoitred” by hostile states

ALEX DEAN COMMISSIONING EDITOR, PROSPECT

Britain faces a new kind of threat. The digital world has given hostile international actors an entirely new toolkit. Cyberattacks are now one of the foremost security risks. The consequences range from disruption to compromised information and even physical harm. Targets have included banks, the NHS, power systems and notoriously, democratic elections.

The furore over the involvement of Chinese technology giant Huawei in Britain’s telecoms infrastructure brought the cybersecurity issue to national attention. Yet foreign state interference is only one aspect of a multifaceted threat. What precisely does that threat look like? And how can Britain best secure its networks?

Few people are better placed to answer than David Omand. He was head of GCHQ, the government’s central intelligence, security and cyber agency, as well as the UK’s first intelligence and security co-ordinator and permanent secretary at the Home Office. He spent seven years on the Joint Intelligence Committee and is now a visiting professor in war studies at King’s College London.

We met at the Prospect offices in June and started by discussing the most serious threat: rogue governments. As the number of “cyberattacks by hostile states has gone up,” Omand said, leaning back in his chair, there is a “recognition that with modern attack methods, you can’t guarantee to keep the bad guys outside the perimeter.” He spoke slowly, pausing sometimes to choose his words carefully, as befits a former intelligence chief.

The classic high-level threats include sabotage, espionage, theft and also the distribution of misinformation intended to confuse. “The digital age we’re in makes it easier and cheaper. The risk is going up. And the cost to the nation doing this to us is going down.”

Alarmingly, “there is evidence that critical infrastructure, power grids, telecommunications and so on, have been pretty well reconnoitred by states like Russia and China. That is certainly true of the United States. And so the possibility of sabotage arises.” There could be very real-world consequences. At the most serious end, for example with attacks on a hospital, there could be loss of life.

Would we in the UK ever respond to a cyberattack with conventional weapons? That “depends what damage [has been done]. If people are dead as a result of some serious cyberattack, then the response has got to be proportionate,” said Omand, and “the attacker has got to recognise that.”

“The US has already made its deterrence stance clear: any serious attack on US critical infrastructure will be regarded not just as sabotage, but potentially as an act of war. The response might be a flight of cruise missiles.”

The nature of conflict is changing. “I can’t imagine any serious armed conflict that will not be accompanied by attempts to knock out the adversary’s air defences and sensors through some kind of cyberattack.”

The urgent question is how you defend yourself when hacktivists, aggressive firms, criminal gangs and foreign states are attempting to infiltrate your digital systems. Omand said: “international collaboration is obviously essential, because most of the problems that we’re discussing don’t originate inside the UK.” One aspect might be “tracking attacks, which may well be bounced off servers in innocent institutions in a number of different countries—universities are a favourite with attackers—before they reach the intended target.

“Leaving the European Union makes all this harder when dealing with certain very serious kinds of cybercrime. As far as I know, nobody’s come up with a legal mechanism to allow the UK to remain a full member of Europol (the European Agency for Law Enforcement Co-operation) after Brexit.” The agency explicitly focuses on terrorism and cybercrime. “European security authorities would love us to be fully engaged with them… but if we insist on fully removing ourselves that may be problematic.”

The problem of course is not always at the nation state level. Omand explained “there are also hundreds of thousands of attempts to attack British government departments and databases, mostly criminal, mostly in search of ways of committing fraud.”

“To counter the most serious criminal attacks, which are as sophisticated as anything that can come out of the state… you probably need to enter the intelligence space, you need to understand who it is that’s attacking, how they’re going about it, and track their movements.”

Everyday cybercrime meanwhile can be extremely disruptive for individuals and firms. “On protection of personal data, recent cases have demonstrated that companies are still not properly encrypting the personal data of their customers.” For individuals there is also basic cyber hygiene such as keeping secure passwords for bank accounts and internet purchases. “Over time, and starting in schools, teaching people to be safe online is going to have to be a major educational theme.”

The threat then is not confined to any one domain. The extent of the danger varies, but digital tools are ubiquitous and that makes it extremely difficult to guarantee safety. For Omand the principle of “active cyberdefence” can help shore up security at all levels.

“AS FAR AS I KNOW, NOBODY’S COME UP WITH A LEGAL MECHANISM TO ALLOW THE UK TO REMAIN A FULL MEMBER OF EUROPOL”

“I’m not talking here about offensive cyber,” he said, “going out deliberately to attack somebody else’s network. It’s about recognising that you have to be proactive in the face of these attacks. Companies and departments can monitor streams of data coming into and out of a network, you can identify the profile of malware that is intended to harm and block it, dangerous websites can be identified and taken down… you can make sure that anyone trying to connect to your network is a trusted party. And what’s more that their machine has updated software before they are allowed to connect. Such 24/7 security is expensive, it might indeed involve replacing old networks entirely. But if you don’t do it, then you are vulnerable.”

“At the moment, the UK is engaged in a very interesting trial of the concept of active defence. It’s being led by the National Cyber Security Centre,” which falls under GCHQ’s remit. “Anyone with the email address ‘gov.uk’ is part of this. And what has been shown over the last year or so is a dramatic reduction in the number of attack attempts.”

“If you can do that with government departments, can you do it with companies? Could you even do it with the United Kingdom itself, so the ‘.uk’ domain is protected in that active way?”

That is an interesting thought. More innovation is needed and at the highest levels. For the truth is that cyber is the new frontier. From individuals to companies all the way up to national governments, preparation is essential.

We are in a race to keep up. Yet Britain remains a leading intelligence power. We have access to first rate equipment. Our security services are among the best in the world and have risen to the occasion before. The expectation is that they will do so again. But the stakes could not be higher.

Below: GCHQ turns 100 this year. Opposite: cameras were allowed inside for the first time in 2015 © SHUTTERSTOCK

ADVERTORIAL

CYBER SECURITY AT SELLAFIELD Playing a crucial role in keeping the nuclear site safe and secure

Keeping Sellafield site safe and secure is a nationally important priority and governs the decisions that Sellafield Ltd makes every day.

The West Cumbrian site is one of the biggest environmental remediation challenges in Europe. Covering two-square miles and home to more than 200 nuclear facilities and over 1,000 buildings, the company’s focus is moving towards environmental remediation and accelerated clean-up of the site.

Playing an absolutely critical role in keeping the largest nuclear site in Britain secure is cyber security.

Mark Neate, Sellafield Ltd’s Director of Environment, Safety and Security, describes how the company and its partners across the nuclear sector are protecting the country’s assets, including Sellafield, with the crucial input of cyber security.

Neate joined the company in 2012 following a diverse military career—from Parachute School to a Master’s Degree in Military Strategy—while spending a considerable time abroad as a specialist adviser.

He said: “Our business is nuclear and we obviously place security, including cyber security at the forefront of everything we do.

“At Sellafield we operate a world-class team of cyber analysts and responders constantly monitoring our systems night and day. Operating a sophisticated array of sensors and tools, they monitor vulnerabilities in systems, hunt for potential adversary activity based on global intelligence feeds.

“The training received by the team is intense, and covers areas such as network intrusion and detection, hacking techniques and exploits and incident handling. Also, each member of our team has their own area of specialism to ensure we have the widest range of skills available.

“A unique aspect to Sellafield is the range of technologies in use. Given that many of our plants were the first of their kind, built before digital technology, we have an unusual balance of analogue, early digital technologies and modern sophisticated systems with varying degrees of isolation and connectivity.

“EACH MEMBER OF OUR TEAM HAS THEIR OWN AREA OF SPECIALISM TO ENSURE WE HAVE THE WIDEST RANGE OF SKILLS AVAILABLE”

“Our cyber security team work alongside our engineers and experts, drawing on a variety of sources of technical and threat information to ensure that our systems are not exploited.

“By working together, we ensure that layers of protection are in place so that we have the right systems, train our teams across the site regularly and everyone understands their role in keeping Sellafield safe.

“Our cyber security is also integrated into our wider emergency response and physical security resources and business continuity planning; other industries are learning a lot from this integrated approach.”


Sellafield Ltd also works alongside the Nuclear Decommissioning Authority (NDA), its parent company, in developing its cyber posture and is also very heavily engaged with the National Centre of Cyber Security (NCSC).

“Joint working, advancing technology and learning from other attacks all help us become more secure, and we work with our partners across the nuclear industry, including our owners the NDA and with central government and the security agencies. This means we are supported by other security experts.”

Building on the work undertaken by Sellafield Ltd, as part of the training for future cyber security professionals, the NDA co-funded the first Cyber Lab classroom in Workington through its Cyber Security and Resilience Project.

This forms part of an NDA cyber programme that is designed to grow capability and capacity for the NDA estate and its businesses, with apprentices learning the latest in cyber safety and IT.

Neate said: “The new programme demonstrated a long-term commitment from the NDA on cyber security and it is looking to invest £80 million over the next five years in cyber safety.

“The knowledge and expertise of these home-grown apprentices will go a long way in helping to keep the NDA and its subsidiaries such as Sellafield Ltd, safe from the growing cyber threat, and supports the resource requirements for the nuclear industry in this market place.”

The NCSC is supporting Sellafield Ltd with its cyber journey and the mutual learning across the organisations, alongside the company’s supply chain, is helping to set industry standards.

Neate, who is a member of the Civil Nuclear Police Authority board said: “I’d like to highlight the benefit of extending the cyber threat, vulnerability and mitigation aperture to reflect a holistic approach which mirrors and complements the layers of safety defence in depth.

“Without such an approach, cyber solutions are potentially inefficient—effectiveness is achieved through realising the benefits of ‘safe and secure’ by design. One aspect of this consolidation is how at Sellafield we have embedded our Cyber Security Operations Centre, not as a stand-alone capability, but within our wider emergency planning and response construct.

“In conclusion, I can’t stress enough the importance of cyber security to any business, and I’m delighted at the work we are carrying out at Sellafield, alongside the NDA and many other partners, in helping to keep our industry safe and secure.”

Below: Cyber security is protecting the country’s national assets, including Sellafield. Above, Mark Neate, Sellafield Ltd’s Director of Environment, Safety and Security


WHEN, NOT IF A category-one attack is coming and the government is not prepared

MARGARET BECKETT FORMER FOREIGN SECRETARY AND CHAIR OF THE JOINT COMMITTEE ON THE NATIONAL SECURITY STRATEGY

A category-one cyberattack on the UK is a matter of “when, not if”—that is the view of Ciaran Martin, head of the UK’s National Cyber Security Centre. He said this several months after the 2017 WannaCry ransomware attack, which disrupted NHS services across the country. This year he confirmed that the risk of such an attack has not receded. In other words, we should expect worse to come.

Cyber resilience is a key strand of our country’s security. In the 2018 “National Security Capability Review,” the government pledged to “continue to implement the National Cyber Security Strategy and ensure it keeps pace with the threat.” Ensuring our critical national infrastructure (CNI) is resilient to future attacks through a regulatory framework is part of the UK’s preparation for national resilience.

That is why the parliamentary committee of which I am chair, the Joint Committee on the National Security Strategy, conducted an inquiry into the cybersecurity of the UK’s CNI. And in July, we returned to our work on the “National Security Capability Review” and the Modernising Defence Programme, with a follow-up report. We repeated our concerns that the cornerstones of the UK’s national security are being undermined as the government fails to keep pace.

Critical infrastructure is, by definition, a priority for the UK. CNI comprises 13 sectors including energy, health services, transport, communications and water—much of this is privately-owned. It is, therefore, not within the government’s direct gift to deliver change. But we were struck by its lack of urgency in addressing the cyberthreats to those services that are essential to the functioning of daily life.

Despite some important steps—including establishing the National Cyber Security Centre in 2016 and introducing more robust regulation for some (but not all) CNI sectors—we found that the government must do much more. Only then will we achieve the leap forward that will thwart the cyber-enabled espionage, disruption and destruction that both states and organised crime groups can now use against us.

At the heart of the problem, we identified a lack of political leadership. We did not see a central force within the government driving change across Whitehall, with sufficient momentum to deliver a sustained impact on the public or private sector. Whether this will improve under the new administration remains to be seen.

We exposed a significant cybersecurity skills shortage that is already preventing CNI operators, regulators and the government from recruiting the expertise they need to keep the UK secure. The shortage in specialist skills and deep technical expertise is one of the greatest challenges in cybersecurity, but we argued that the government had no real sense of the problem, let alone of how to address it.

“THE GOVERNMENT APPEARS ALMOST WILFULLY MYOPIC ABOUT THE CHALLENGE”

The House of Commons Public Accounts Committee (PAC) published its own report on “Cyber security in the UK.” This strongly echoed our own findings but suggested the situation is even worse than we had feared. The PAC concluded that the government is only just beginning to make progress in delivering its key objectives on cybersecurity, set in 2016, “after a poor start.” It “has not yet been clear what the strategy will actually deliver by 2021.” And it “lacks the robust evidence base it needs to make informed decisions about cybersecurity.” Having failed to produce a business case for its five-year strategy in 2016, the government now cannot “judge the value for money” of its delivery.

Perhaps the most disturbing aspect of the whole story is that the government appears almost wilfully myopic about the scale of the challenge it faces. How many times do we need to repeat our message?

One small step forward came in May, when the government issued a progress report. Since the last annual report on cybersecurity appeared in 2016, this is to be welcomed. However, this new report paints a rosy picture which is utterly at odds with the fundamental concerns outlined by my own committee and the PAC. It states that the 2016 strategy has “driven transformational changes across government and society” in its first three years, and has “helped to establish the UK as a world leader in cybersecurity.”

There have been some promising first steps but nothing which amounts to this “transformation.” The government would do well to remember that it is not enough to be a world leader in cybersecurity if that is an extremely low bar over which to leap.

Instead, it must do much more to embed cyber resilience into the workings of the UK economy, and particularly, its CNI. Only this will keep the UK’s increasingly digital society secure in the long term. We have recently recommended an increase in the defence budget. The MoD must be supported by the Treasury in its efforts to harness new technology and innovation. My committee will be firmly on repeat until the government gets the message.

ADVERTORIAL

BT IS IN A UNIQUE POSITION TO TACKLE CYBER THREATS Securing information, data and communications has been part of our DNA for over 70 years

With the advent of big data and the Internet of Things, there are now more devices connected to the network than ever before, with billions more due to come online in the coming year. In parallel, more data and applications are hosted by third party providers, and cyber criminals are constantly creating new forms of cyber-attacks targeted at businesses, governments, infrastructure and individuals.

The security threat landscape is confusing and changing rapidly – with so much out there, how do you understand where the true risks are? For some companies, this is a ‘new’ consideration – however, for BT securing information, data and communications has been part of our DNA for over 70 years.

Because of BT’s global scale and customer base, our security activities must be truly 24/7 – and across all time zones. Every day, we protect our network against more than 4,000 cyber-attacks coming from nation states, cyber criminals, hacktivist groups or rogue individuals. They’re all after the most valuable commodity of our age: data – the currency of the internet. And they’re targeting all of us - individuals, organizations, and governments are all contending with the same issue.

Tackling the well-resourced nature of cybercrime will need a collaborative approach between industry and governments, one that addresses the global shortage of cybersecurity professionals and builds collective resilience as an industry.

Communications Service Providers (CSPs), such as BT, are in a unique position to work closely with governments to address the issue. We work closely with the UK National Cyber Security Centre on the Active Cyber Defence programme, which aims to prevent the vast majority of ‘unsophisticated’ cyber-attacks against the UK. Through this programme and our wider monitoring capabilities, we’re blocking around 135 million connections to malware sites on our network every month.

“THE SCALE AND PACE OF THE CYBER THREAT DISSOLVES TRADITIONAL BARRIERS BETWEEN COMPETITORS”

BT also has active relationships with leading law enforcement authorities such as Interpol and Europol, with whom we share knowledge & technical expertise that allows us to collectively identify and respond to cyber criminality.

As the importance of security and the scale of the threat grows, we’ll be increasing the size of our security team by 25% over the next five years and raising awareness about the great career opportunities in cybersecurity. We know that we’re not alone in expanding our security business, and that the demand for cyber employees is outstripping the supply.

Both industry & government share a responsibility to tackle the cyber skills gap. There are numerous initiatives which look to raise awareness among young people of careers in security and encourage them to pursue the technical skills and qualifications which open opportunities in the sector. We need to help people understand what roles in cyber security look like, and how to prepare for and attain one at all stages of their career journey. One of the key ways to tackle the issue is to focus on mid-career transfer and attracting people with similar skill sets and the right aptitude into the sector.

Meeting the demand will also need a National Security Strategy that reflects and reacts to the needs of the economy as well as supporting the Government’s own infrastructure aims. Incentivising and rewarding companies that invest in skills for the UK workforce is also key.

But it’s not just about partnerships between companies and governments. The scale and pace of the cyber threat also dissolves traditional barriers between competitors, which means businesses need to change some of their normal ways of working. After all, it’s not often that you choose to share information that will directly help your closest competitors to improve their services.

However, enhancing our competitors’ defences is not just a civic duty – it helps to build our collective resilience as an industry and as a country. Making it more difficult for attackers to be successful will help create a safer ecosystem for UK companies & citizens. But this responsibility is not ours alone. All businesses, no matter their size, have a duty to make sure that they are properly protecting their customer data and providing products and services that are safe and secure to use online. It is only when we all accept this responsibility and work together that we have a fighting chance against cyber attackers.


INTRODUCING CYBERNOMICS Insurance markets are lagging behind. The best bet is to build proper defences

PAUL WALLACE FORMER EUROPEAN ECONOMICS EDITOR, THE ECONOMIST

For more than a decade the World Economic Forum at Davos in January has got the year off to a bracing start with its “Global Risks Report,” based on a survey of business leaders, top academics and other experts. In recent years cyber vulnerabilities have consistently ranked among the main worries. The 2019 survey showed data fraud or theft, and cyberattacks, as the two most likely risks other than environmental dangers.

Where there are risks, there are insurers. Providing cover against cyber breaches is the new frontier. Cyber insurance now commonly covers costs arising from business interruption as well as compensation for users whose data has been compromised. The global market will reach between $8bn and $9bn (of gross written premiums) in 2020—more than double its size in 2017—according to Munich Re, an insurance group.

The market is growing fast—but it is still diminutive given the potential risks. Cyber insurance is dwarfed, for example, by the insurance markets for motor vehicles, and fire and other property damage, worth $420bn and $250bn respectively in 2017 among the G7. As James Dalton at the Association of British Insurers pointed out in May, “the cyber protection gap remains vast,” since estimates of the total global cost of cybercrime range “from the hundreds of billions to the trillions of dollars.”

That gap arises because the standard insurance model, developed for risks that can be quantified and diversified across policyholders, is ill-suited for the cyber age. Potential losses from cybercrime are hard to gauge but can be massive, including harm to intangible assets such as a company’s reputation. Attacks may hurt more than one business, creating the danger of “accumulation risk” where losses pile up from a single incident affecting many policyholders. Cyber underwriters lack the wealth of historical data available for property insurance when risks. Even if they did have more information, the rapidly changing forms of threat could soon render much of it redundant.

Despite these drawbacks, insurers are providing greater cover against losses, especially among larger firms. But in many respects they can help businesses more by getting them to manage cyber risks more effectively, and offering emergency help if attacks do occur. Cyber insurance can act as “a catalyst for good security practice” according to the Digital Policy Alliance, a forum that has parliamentary as well as corporate members.

With or without such a catalyst, businesses need to invest in adequate defences to ward off attacks and ensure recovery when they occur. Such investment differs from a customary capital project in that it is precautionary, protecting against potential losses rather than yielding higher profits—in effect improving risk-adjusted returns. This is one of the costs involved in participating in the digital economy, which brings its own rewards. Whether or not it relies upon outside security consultants or is done in-house, it will not come cheap, since IT personnel are expensive.

Of course, ensuring greater cybersecurity is not a matter for businesses alone. The state must take the lead for both strategic and economic reasons. Attacks can cripple vital national infrastructures.

The state is already using its regulatory leverage to beef up cybersecurity in finance—a particularly enticing target for malicious hackers. The Bank of England and the Financial Conduct Authority (FCA) are on the case, rightly so given the quickening tempo of cyberattacks. The number reported to the FCA jumped from 24 in 2015 to 69 in 2018; on a different reporting basis, it rose again to 93 in 2018.

Since some breaches will occur no matter how robust defences appear, it is vital to be able to respond effectively. The Bank of England is conducting a pilot stress test on banks this year based on “severe but plausible scenarios” of what it coyly calls a “cyber incident.” The aim is to assess if they can recover swiftly and avoid customer payments being delayed to the next day.

Finance is particularly vulnerable but cyber risks now pervade much of the economy. Britain is exposed because it is among the most digitally evolved countries, ranking eighth among 60 economies according to an index compiled by researchers at Tufts University in Massachusetts. This reinforces the case for the state to lead a national effort.

In principle this is exactly what the government is seeking to do, through a five-year strategy until 2021. Helping to drive the project is the National Cyber Security Centre. However, a scathing report in March from the National Audit Office found inadequate progress towards the strategy’s 12 goals, only three of which were on track to be accomplished.

Cyberspace has become a new theatre of operations, where economic and strategic warfare are fought and digital variations on old crimes are staged. Insurance can help, but the priority is to invest in adequate defences. The government has a crucial role to play but good intentions are not enough—ministers must achieve concrete results.

Mark Carney’s stress test: the Bank of England governor has emphasised the need for strong cyberdefences © FACUNDO ARRIZABALAGA/SHUTTERSTOCK


KEEP HUAWEI OUT The company should not be allowed further into our critical infrastructure

ISABEL HILTON CHINA COMMENTATOR AND VISITING PROFESSOR AT THE LAU INSTITUTE, KING’S COLLEGE LONDON

Does Huawei, the Chinese technology giant, pose a security threat? As a new UK government wrestles with the 5G telecoms question, and the challenge of staying friends with both the US and China, it is worth looking at a Chinese defence white paper released in July. In it, the party state lays out its view on the evolving shape of warfare in the 21st century. Technology plays a key role.

“Cutting-edge technologies such as artificial intelligence, quantum information, big data, cloud computing and the ‘internet of things’ [are] gathering pace in the military field,” it says. “War is evolving in form towards informationised warfare.” The paper pledges to “develop cybersecurity and defense means” consistent with the status of “a major cyber country.”

Like the security services of any important power, the Chinese military has invested heavily in both offensive and defensive cyberwarfare capabilities, and Chinese hackers have been among the most active on the planet. The list of major breaches listed by the Center for Strategic and International Studies reveals a wide range of targets, from technology companies in the US, the UK, Norway and Canada to the EU’s information system, in search of access to sensitive diplomatic cables, and military targets including the US Navy and Japanese security services. The list is long, and should not come as a surprise.

The UK originally acquired Huawei technology through inattention, when Tony Blair ordered the modernisation of BT’s network. The post-installation monitoring that UK security services have conducted ever since, as the company points out, has not discovered any backdoors. But the most recent report pointed to weaknesses in the integrity of Huawei’s code that created potential vulnerabilities. Just by setting up the monitoring, the UK government acknowledged that Huawei equipment, manufactured by a company ultimately answerable to the Chinese Communist Party, was an obvious security risk.

If that was true with 3 and 4G, it is infinitely more so with 5G. 5G telecoms networks will support a huge number of connected devices and enable a massive increase of bandwidth. These characteristics make the network transformative, but also create a hugely expanded threat landscape. In technology there is no longer a clear boundary between civilian and military use. After all, why launch a missile if you can shut down a nation’s energy network?

Huawei argues that it has no connection with China’s security services. It would be astonishing if true, but intelligence analysts do not judge the company’s account either of its structure or its military ties credible. Besides, Chinese law obliges every citizen and entity to cooperate when required. 5G technology will be essential to Chinese control of information flows and the functioning of critical national infrastructure, including defence.

That leaves the question, if China wished, under some future threat scenario, to exploit access to the UK’s critical infrastructure with ill intent, would the presence of Huawei equipment in the network help? One answer comes from an earlier age: the UK succeeded in turning off some of Saddam Hussein’s key command and control systems because a British company had installed them. To date New Zealand, Australia, Japan and the US have banned Huawei from 5G. Other countries are undecided or have upgraded their security.

Huawei argues that it would be bad for business to co-operate with Chinese security against the interests of its clients. But the job of a security analyst is not so much to look at what is, but to ask, “what if?” In this case there are three “what ifs?” that the company’s assurances fail to address. What if malign intrusions went undetected, highly possible given the scale of 5G? What if a country that had installed a Huawei 5G network later discovered there were vulnerabilities? It is unlikely to be in a position to rip it out and start again. And what if Huawei’s survival depended on collaboration with the Chinese state? Given what we know about China’s long track record of hacking, IP theft and espionage, crossing our fingers is not a smart security policy.

Huawei founder Ren Zhengfei at the company’s Shenzhen campus © NG HAN GUAN/SHUTTERSTOCK


THE AGE OF CYBER WARFARE Nation states have a new kind of weapon. How well is Britain preparing?

ALEX DEAN COMMISSIONING EDITOR, PROSPECT

Warfare has always evolved. As weapons change so does the reality of conflict: spears gave way to swords, then to rifles and machine guns. Horses gave way to tanks and then fighter jets and now drones. Each had destructive new implications. The speed at which you can develop new technology puts you on the winning or losing side.

We are now into the next phase: cyber warfare. Nation states have a new weapon in their armoury. The internet provides for entirely new modes of conflict, and it is ubiquitous. So what will this new chapter look like, and what can Britain do to prepare? Having spoken to leading military and cyber experts, my view is that cyber resilience must be a first-order strategic priority.

Certainly, the challenge is unlike what came before. For Malcolm Rifkind, former foreign and defence secretary, “wars of the future will not just involve the armed forces of the combatants fighting each other. They will include economic warfare, propaganda, armed militias, terrorists and, most especially, cyber warfare.”

According to Admiral Alan West, former first sea lord and chief of the naval staff, “the development of the internet, and advances in digital control of growing areas of civil and military life, has changed things.” He added “the damage that can be caused to civilian networks and infrastructure [may] be immense if not properly guarded against.”

That potential for damage is becoming all too clear. Examples abound of malicious hackers inflicting harm, often on behalf of a hostile state. In 2015 the group “spearworm,” widely thought to be acting under instructions from the Kremlin, hacked the Ukrainian power system and disrupted the country’s electricity supply. They successfully infiltrated three different energy systems to do their damage. It was the world’s first successful cyberattack on a power grid.

This was not the first time Russia has used the cyber domain to strike against other countries. “The Russians [carried out] a massive cyberattack on Estonia some years ago,” said Rifkind, referring to the 2007 attack on the Estonian parliament, banking system and other critical infrastructure. And it would not be the last. The 2016 Russian interference in the US presidential election, and possibly in the Brexit referendum, indicated what is at stake. A full-scale cyberwar would be orders of magnitude more serious than this.

Russia now has “an entire government entity devoted to conducting information warfare through cyber means,” explained Cortney Weinbaum, an expert at the Rand think tank. It is not just the Kremlin to watch however. China has a powerful cyber toolkit at its disposal, while in June the US launched a cyberattack on Iranian weapons systems, compromising computers that control rocket and missile launchers.

If two nations go to war, their citizens are exposed as never before. “Everything is a potential target. It’s becoming increasingly impossible for anything or anyone to exist disconnected from the grid,” said Weinbaum. “There is nothing that I would not add to the list” as being potentially vulnerable.

GEORGE ROBERTSON, FORMER NATO CHIEF: “IF WE DON’T KEEP UP WITH NEW FORMS OF ATTACK THEN ALL CONVENTIONAL SPENDING WILL JUST BE WASTED”

Sneha Dawda, a cyber expert at the Royal United Services Institute, agreed that “” will play an increased role, with actors—including states—pumping out propaganda to confuse the civilian population. In the past it was leaflets dropped from the sky; now it will take place online. To an extent this is already happening.

Yet cyber warfare’s effects are not limited to the digital domain. It has very real-world consequences. If you hack the systems in a hospital, water sanitation or nuclear facility, you cause injury and loss of life. This is true even with regard to rogue hackers in their bedrooms, let alone foreign states. How can we defend ourselves?

In the view of David Craig, former chief of the air staff and later, the defence staff, the central point is strategy. To navigate this new threat landscape, we must aim for control of the cyber world just as allied forces seek superiority in traditional domains, with air supremacy or command of the sea. This dominance allows you to control the action in several different spheres.

“Like the well-established doctrine of air superiority and its importance in other conflict operations on land or sea, a similar… approach to establishing and sustaining cyber and digital superiority will be vital to all engaged forces in a conflict,” he said.

But that is easier said than done. To achieve supremacy, and to deter potential attacks, you must invest in the right equipment and expertise.

Britain has been doing this—to an extent. In 2016 it launched a new dedicated National Cyber Security Centre (NCSC), to guard against malicious actors and educate Britons about the scale of the risk. Modernisation initiatives have been pushed, most recently by Nick Carter, the current Chief of the Defence Staff. It all represents progress. But more must be done.

“THE HOPE MUST ALWAYS BE THAT PEACEFUL DIPLOMACY PREVAILS, YET THERE IS NO GUARANTEE THAT IT WILL”

George Robertson, former secretary-general of Nato, stressed the urgency: “continued investment in conventional defence is still essential for deterrence but it is insufficient. If we don’t keep up with the new forms of attack then all that conventional spending will just be wasted.”

I also spoke to Tom Tugendhat, Chair of the Foreign Affairs Select Committee, who said “the basic problem is that too much of the government’s [cyber] plan appears to come to fruition late in the 2020s. We need to move much faster than that. The creation of the NCSC is a welcome step: the government should ringfence its budget to protect it from wider pressures.”

Yet Britain will not want to be a passive actor in this new reality, simply batting away attacks. We will want to retaliate when we are under siege from a hostile state, and have the potential there to deter aggression in the first place. At least that is the argument.

For Craig, “a mix of both offensive and defensive cyber and digital capabilities, and the relative strength and importance of each of these towards achieving successful outcomes in conflict, will need to be considered.” He added: “preventative cyber capabilities will be key enablers, but unlikely to secure victory on their own.”

The truth is that we need a combination of long-term strategic thinking and basic political will. There are some steps politicians can take now. Tugendhat explained: “the government needs to [designate] a single cabinet office minister responsible for this critical issue.” What’s more, it needs to encourage change elsewhere in the system, in the “culture of critical national infrastructure operators and their supply chains.” This is “because their commercial interests do not always align with our collective security, and in some sectors market forces do not provide enough stimulus to companies to raise their game” on security.

As the era of cyber warfare dawns, the stakes could not be higher. The 21st-century world is fractious, with great power rivalries threatening to destabilise matters further. The hope must always be that peaceful diplomacy prevails. Yet there is no guarantee that it will.

“If we don’t get it right, then not only will our military components be extremely vulnerable, but the entire civilian population will be extremely vulnerable,” said Dawda.

“A severe cyberattack on the UK—one that causes a sustained loss of essential services, severe economic or social consequences or loss of life—is no longer a case of ‘if,’ but ‘when,’” said Tugendhat. When that does happen, it is essential that Britain is prepared. Whether it will be is an open question.

The NCSC site on Victoria Street in London © RAY TANG/SHUTTERSTOCK


CYBERCRIME: THE NUMBERS

“Transformative technology... is changing all our lives and societies for the better,” said Paul Chichester, Director of Operations at the new National Cyber Security Centre, in remarks to the editors of this report. The problem is it “has also brought new vulnerabilities.” The data opposite makes clear just how extensive those are. The threat can no longer be ignored.

So where do the vulnerabilities lie? One thing that’s clear is that businesses of all shapes and sizes are at risk. Sixty-one per cent of large firms experienced a breach over the past year and with serious financial consequences. Smaller firms and charities were also frequently targeted, many of them less well-equipped to cope. This is why cyber insurance is increasingly important and the statistics in our chart on the opposite page reflect that.

Of course it is not just businesses that are exposed; the 2017 WannaCry attack on the NHS is thought to have disrupted some 19,000 appointments. It caused widespread confusion and panic, along with millions of pounds’ worth of damage.

The precise intent then was ambiguous; sometimes the mission is straightforward financial gain. The cybercrime economy is now worth an astronomical $1.5 trillion—and as the internet dominates more and more areas of our lives, that figure will only rise. Unless, that is, governments, businesses and cyber experts work together to get a grip on the problem—fast.

[Infographic. Panels: “Companies experiencing a breach or attack” (% of businesses identifying a breach in the last 12 months, shown for micro/small, medium-sized and large businesses and for charities by income band); “Annual global cybercrime revenues” ($1.5 trillion total generated by the cybercrime economy: $860bn illicit/illegal online markets, for drugs and counterfeits; $500bn economic espionage, IP theft; $160bn data trading, for example of stolen financial information; $3bn activities involving malicious software); “Cyber insurance” (% of medium and large businesses with cyber insurance, 2018 vs 2019); “Average annual cost for those companies which lost data or assets after breaches” (micro/small, medium-sized and large businesses, and charities); “WannaCry and the NHS” (NHS trusts affected by the WannaCry ransomware attack: 34% of NHS trusts in England were affected by WannaCry; 6,912 appointments were cancelled in the space of six days; 19,000 appointments were cancelled in total).]

SOURCES: NATIONAL AUDIT OFFICE (NAO) “INVESTIGATION: WANNACRY CYBERATTACK AND THE NHS”; DEPARTMENT FOR DIGITAL, CULTURE, MEDIA AND SPORT CYBER SECURITY BREACHES SURVEY 2019; BROMIUM “INTO THE WEB OF PROFIT”



DON’T FORGET DIVERSITY The cyber sector can deliver jobs for underrepresented groups

JO PLATT LABOUR (CO-OP) MP FOR LEIGH AND SHADOW MINISTER, CABINET OFFICE

The issue of Huawei’s involvement in our 5G telecoms network has prompted growing public curiosity about cybersecurity; the Chinese technology firm was even raised on the doorstep in my constituency a few weeks ago. We are all becoming more alert to the ways in which our lives are dependent on—and affected by—technology. From household appliances connected to public 5G networks to states developing offensive cyber-capabilities, the world around us is changing—and so is the nature of the challenge faced by the government. Questions of privacy, integrity and safety become paramount. How can we secure our networks and take the country with us on that process?

There is much work to do. According to a cybersecurity study by insurance firm Hiscox, seven out of 10 organisations fail the readiness test. Meanwhile Cyber Essentials, the government-backed scheme to help organisations protect themselves, is yet to deliver the results we need.

As digital technology becomes increasingly intertwined with our critical national infrastructure, building a strong domestic cyber sector is an issue of genuine national significance.

Despite the scale of the challenge, and its implications for national security, the cyber question should be approached in a progressive and optimistic way. There is a great opportunity here to create jobs, rebuild industry and establish international leadership in a sector that will only continue to grow in size and importance over the coming years.

In this sense, Labour’s approach to cybersecurity should mirror its approach to the climate emergency. While the Tories are dragging their heels, insisting that proper action on climate change will be burdensome and costly, Labour has set out proposals for a Green Industrial Revolution to create thousands of new green jobs.

When it comes to cyber, however, we are already seeing the cost of inaction. One part of the Huawei scandal is that we are without a home-grown tech sector capable of manufacturing the infrastructure needed for 5G, in contrast with China, the US and Scandinavia.

The government estimates that 54 per cent of all businesses and charities have a basic technical cybersecurity skills gap. Reducing this will require the expansion of cyber education and training.

This must deliver much-needed secure, skilled and well-paid employment. But we also have a duty to ensure the cyber sector is as diverse as possible. While the government points to its school competitions and Cyber First programme, a House of Commons committee found these efforts far from successful—and was struck by an apparent lack of urgency.

Women currently make up just 11 per cent of the global cyber workforce. We must commit to break down the many barriers to entry women face.

The growth of the cyber sector presents enormous opportunities to those underrepresented in the labour market. For example, BT recently told the Joint Committee on the National Security Strategy that some of their best cyber specialists were those with neurodiverse conditions such as autism and ADHD. Cyber specialists have extreme logical skills and different methods of thinking to resolve problems—the role becomes a natural fit for many within the neurodiverse community. But with only 16 per cent of those with neurodiverse conditions in stable, full-time work, we must do more to open up employment opportunities.

Another vital consideration is where across the UK we help cyber industry to thrive. We must seriously consider our post-industrial towns as the natural home for the economies of the future. Areas of the country still reeling from the collapse of the last industrial revolution must be assisted to play their part in the birth of the next. Cyber will be at the heart of that.

Labour’s plan for regional development banks is a step in this direction, and runs counter to the Tory strategy of de-investment. Indeed, since 2009/10 total public spending in the north, where my constituency is, has fallen by £6.3bn in real terms—more than for any other region.

More broadly, the public sector must play an active role if our cyber sector is to thrive. When it comes to central government, I have previously advocated for a minister specifically for cybersecurity, to provide cross-departmental co-operation with industry that the National Audit Office and Joint Committee on the National Security Strategy have identified as lacking.

These are just a few of the ways that we can begin to embrace the cyber challenge, one that is too often framed in narrow terms and disconnected from questions of education, investment and economic regeneration. We must support emerging industries, putting the UK ahead of the curve, enhancing security for all and creating opportunity for communities too often overlooked.

[Photo: GCHQ partnered with industry to create “cyber games,” introducing young people to cybersecurity. © LONDON NEWS PICTURES/SHUTTERSTOCK]

29 YEARS OF PIONEERING RESEARCH AND EDUCATION EXCELLENCE IN INFORMATION AND CYBER SECURITY

Cyber world pioneers

The world-leading Information Security Group (ISG) at Royal Holloway is dedicated to advanced research and education in information and cyber security, and collaboration on an international scale.

• UK Academic Centre of Excellence in Cyber Security Research
• EPSRC Centre for Doctoral Training in Cyber Security
• MSc Information Security (FT/PT, Distance Learning and year in industry pathways)
• Fully certified by the National Cyber Security Centre
• Founding Charter Member of the International Cyber Security Centre of Excellence (INCS-CoE)

Find out more: royalholloway.ac.uk/ISG


WHEN MISINFORMATION REIGNS Fake news is having a corrosive effect on democracy—and the problem is getting worse

KARIN VON HIPPEL AND JONATHAN EYAL ROYAL UNITED SERVICES INSTITUTE

So much has been said about the phenomenon of falsehoods peddled online that it’s tempting to conclude that we all understand the problem. And so many intelligence agencies and parliamentary inquiries worldwide have examined the dangers of foreign interference in domestic electoral processes that it’s logical to assume that we either have in place all the defences required, or at least understand what needs to be done. Yet almost every week brings new revelations about just how big the challenge is, and how ill-equipped democracies are to tackle it.

In the first quarter of this year alone, Facebook claims to have removed a staggering 2.19bn fake accounts. So much for its initial argument that the peddling of deliberate falsehoods remains a “marginal” problem.

Far from receding into the known-and-dealt with, the plague of misinformation online is getting worse—along with the plague of extreme right-wing content. A recent investigation by Germany’s Der Spiegel, for instance, concluded that no less than 85 per cent of all content shared on Facebook originating from a German political party is connected to the far-right, anti-immigrant AfD. The accuracy of much of this material cannot be guaranteed, to put it mildly.

The onset of artificial intelligence has already demonstrated that bots and other proxy online actors can mimic actual human behaviour in more realistic ways. Furthermore, the technological ease with which videos can be faked adds another layer of supposed reality to such activities. The more the impact of these operations is studied, the more it becomes clear that, even if they are sometimes amateurish, they do have a serious impact on electoral processes.

The purpose of peddling deliberate political fabrication is not necessarily to persuade people to vote for a specific candidate or party, but rather to destabilise an electoral process or even a country by discrediting political movements, candidates, ideas and structures. Indeed this was likely the ultimate motivation behind Russian interference in the 2016 US presidential contest. Much fake material is also designed to encourage a sense of alienation not only from elected politicians, but from civil servants as well, by suggesting that they can’t act as impartial deliverers of government services.

In that respect, it does not matter if the conspiracy theories peddled online are credible. Quantity here matters far more than quality, and the more such fake stories appear, the more people may be tempted to conclude that those who rule them are not merely unfit to do so, but are irretrievably biased.

The wave of falsehoods heaped on candidates during electoral campaigns has a more direct impact on the conduct of elections. Candidates are often thrown off course by sudden allegations which, however scurrilous, require dispelling and therefore waste precious electoral time. That in itself makes campaigns more cumbersome and unpredictable: French President Emmanuel Macron’s 2017 campaign devoted considerable resources to creating a permanent rebuttal team against fake online material. At least in France, they were successful in warding off the virtual enemy, unlike in the United States and other European countries.

And there is no question that targeting a candidate with a torrent of online falsehoods can cause damage. First, there is a natural reaction among voters to assume that there is “no smoke without fire,” that if an allegation is repeated frequently enough, there must be some truth to it. If, for instance, so many websites discuss Hillary Clinton’s connections to a child sex ring in a pizza parlour—an actual allegation during the 2016 election—there must be something to it. However ludicrous the claim was, it was believed by one person who took action and appeared at the pizza parlour with a gun.

Online misinformation can also accentuate the perceived vulnerabilities of politicians. Just ask US House of Representatives Speaker Nancy Pelosi, who was recently hit by a three-minute doctored video clip, purporting to show her struggling to finish a sentence, no longer in control of her faculties.

Technically speaking, the Pelosi video wasn’t a “deep-fake,” as such doctored products are now called. It used selective editing to interfere with footage that already existed, rather than projecting Pelosi into an entirely new alleged environment. It was instead what the trade now calls a “shallow-fake.” Still, the video clip was downloaded by almost two million people and shared no less than 40,000 times just 24 hours after its appearance on Facebook. It even attracted the attention of @realDonaldTrump who, of course, instantly retweeted it to his 60m plus followers.

It was quickly unmasked as a . But it achieved its purpose, drawing attention to Pelosi’s relatively advanced age: “you know, she’s 79 years-old, and we all age a little differently” intoned a commentator on Fox News. He was merely amplifying what the authors of the fake video intended, turning the limelight on a politician’s supposed physical vulnerabilities.

Yet probably the most baleful impact of this phenomenon is the long-term damage it could inflict on the overall politics of a country. For why would a talented young woman or man wish to enter political life if all she or he can expect is constant hatred and insults based on fabrication? Fake news could amplify a vicious circle from which democracies already suffer: an increasingly shallow pool of recruits, deterring those with unique or different talents from entering political life.

Either way, the idea that in a perfectly open media market, truth will prevail may have been disproven: fake viral stories outperform real news almost every single time. The cost to our democracies is already being felt.

70% of people in the UK agreed with the statement “I am concerned about what is real and what is fake on the internet”. SOURCE: REUTERS DIGITAL NEWS REPORT 2019
