Publication Digital Machinery of government 20 July, 2015

Cyber security: assurance, resilience, response brochure

Reform publishes “Cyber security: assurance, resilience, response” conference brochure with articles by Curtis Baron, Chris Gibson, Mandy Haeburn-Little, Janet Hughes, Mark Hughes, Dr Ian Levy OBE, Jonathan Lloyd White, Chi Onwurah MP, Dr Jamie Saunders, Ed Vaizey MP, Steve Wood.

The UK has positioned itself strongly in the global digital economy with world-leading communications services, including software development, wireless technology and data analysis. The cyber security industry alone is worth over £6 billion. Cyber resilience is the key to maintaining, or indeed extending, this lead and benefitting from the vast opportunities of the digital economy.

Every day, 350,000 new pieces of malicious code are written, and 30,000 legitimate websites are infected with malware. Yet 74 per cent of recently surveyed organisations had no response plan in place for cyber security breaches (NTT Com Security Global Intelligence Threat Report, 2015). Awareness of cyber security risks is in short supply. For the UK public sector, this is a particularly pertinent issue. According to the same survey, public bodies were the primary target of malware, attracting 40 per cent of such attacks, three times as many as the second-most targeted sector, insurance.

The first panel will explore the enabling effects security technology can have to help unleash innovative digital service delivery in the public sector. The Coalition Government undertook to digitise public services with 25 ‘exemplars’ while the Verify identity assurance scheme aims to ensure that citizens can engage securely with such transactional digital public services. Yet there is still a sense of ‘digital discomfort’ whereby citizens are reluctant to trust private and public providers with their personal data. Indeed, according to one survey, UK citizens are more concerned about privacy and security than any other nation. 91 per cent believe that privacy and security assurance is of critical importance to digital public service delivery (Digital at depth, Accenture, 2015). A key enabler for successful digital transformation of public services, therefore, will be effective principles for ownership of personal data and for data sharing.

The second panel will consider how we can promote a cyber resilient UK, and how Government and industry can work together to achieve this. The Coalition Government in 2011 launched the National Cyber Security Programme, which aimed to increase the country’s resilience to cyberattacks. While the programme has been lauded, the National Audit Office has flagged concerns about the Government’s understanding of cyberthreats to public services and suggested that it must do more to raise awareness among business and the wider public to mitigate risks. The right balance must be found, whereby regulatory interventions and legal obligations do not merely become a cost to business but foster cyber security savviness. The emergence of a cyber insurance industry, with all the actuarial challenges this entails, offers an opportunity to approach cyber resilience as a business risk, rather than a technical issue, by placing a cost on an organisation’s cyber risk, while also providing insight into cybercrime. Yet just two per cent of large businesses and virtually no small businesses have explicit cyber cover (UK cyber security. The role of insurance in managing and mitigating the risk, HM Government, March 2015).

Detecting increasingly complex cyberattacks, understanding their impact and co-ordinating a fast, effective response is critical. Yet very few public sector organisations have holistic, proactive cyber security management and intelligence-led co-ordination and control in place. The third panel will consider how comprehensive threat intelligence, allied to sophisticated analytics, can be harnessed both to protect organisations and to identify cybercrime patterns, pinpointing the risks to both public sector bodies themselves and to potential victims of crime. It can also be used to detect cybercriminals, who are becoming increasingly sophisticated and organised. However, according to HM Inspectorate of Constabulary, just three out of the 43 police forces have comprehensive cybercrime strategies in place, and less than two per cent of policing staff have undertaken relevant training. This raises the question of whether the UK has the right institutions, skills and mechanisms in place to detect and address the rapid escalation in cyberthreat and cybercrime and how any gaps should be addressed.

The cyber risk to the UK economy as a whole, as well as public and private sector bodies individually, is substantial. Yet so is the prize, if we get it right. As then Minister for the Cabinet Office Francis Maude wrote in March: “Working in partnership, the Government and industry have done much to improve understanding of cyber attacks and how to reduce their impact, yet more needs to be done.”