Sophisticated cyber attacks against the government and businesses are “constant and relentless”, according to Cabinet Office minister Matthew Hancock.
“Massive security breaches are happening more and more often. Sony, TalkTalk, the US Office of Personnel Management,” he said.
“These are some of the more high-profile cases but what you don’t hear about in the headlines is the constant, relentless bombardment.
“As digital progress has grown so the risks too have grown and this is no longer an issue for the IT department, it is a boardroom issue and it is a Cabinet table issue.”
Hancock was speaking at IA15, the UK government’s flagship security conference that brings together key figures from government, industry and academia.
During his keynote speech, he said the scale of cyber attacks against each of these sectors has never been higher.
“Last year, 90 percent of large businesses reported an information security breach. But it’s not just business. On average, 33,000 malicious emails are blocked at the gateway to the government’s secure internet every single month,” he revealed.
According to Hancock, the economic damage attacks cause is also mushrooming, with the average hack against big companies now costing £1.5m to deal with, up from £600,000 last year.
“In fact, the real figure may be higher than that, because we are also told that 70 percent of UK businesses didn’t disclose their biggest security breach last year,” he said.
Hancock warned that failure to effectively combat cyber crime would derail the UK’s growing digital economy.
“[The UK] has one of the most digitally advanced economies in the world and the digital economy depends on trust. If people don’t trust their data will be safe then they won’t do business online. Secure networks and secure data are both critical for securing public trust,” he said.
The minister said that government is now treating cyber security as a “core responsibility” and is putting more effort into ensuring its systems are kept up to date.
“Many successful attacks exploit out-of-date systems and government technology used to date very quickly indeed,” he said, adding that these legacy systems are now being phased out by the government.
“Some of our legacy systems were designed even before the invention of the web. Security therefore had to be bolted on top rather than built in as an intrinsic part of the system.
“We are phasing out long and inflexible IT contracts that locked us into aging technology and instead building agile and adaptive systems that allow us to respond rapidly to threats.”
The digital economy rises
However, it’s not all doom and gloom. Baroness Shields, the UK government minister who, prior to her current role, sat in the boardrooms of both Facebook and Google, said that over the past five years the UK has “transformed” in terms of the digital economy.
“I think the UK is leading the world in many respects,” she told IA15 conference attendees.
“We often hear of comparisons with Silicon Valley but when you look at the percentage of gross domestic product (GDP) now compared with other countries we are punching way above our weight. Over 10 percent [of UK GDP] is attributed to the digital economy.”
Shields, who recently made headlines just before the publication of the Investigatory Powers Bill proposals by claiming that government has “no intention” of banning encryption, used the IA15 stage to urge businesses and government to work together.
“If you look at the size and scale of these businesses and platforms that we all use every day, they are connecting billions of people and in many cases they resemble a state, so we need them to cooperate and ensure safe spaces for people in our country,” she said.
Shields did concede that a “globally connected internet economy” faces a number of challenges that can only be overcome with help from industry and security specialists.
“The two areas that I’m working on are really tough problems that no government alone can solve. They include combating online child exploitation and also understanding online extremism, and in both cases it requires not just a robust response from one government but also [collaboration] from the technology industry,” she said.
During IA15, the UK government launched an initiative called CyberInvest that aims to support and fund cyber security research. To date, 18 companies have signed up to the programme including BT, HP and IBM.
Meanwhile, in a separate move designed to help curb the rising tide of cyber attacks, prime minister David Cameron recently agreed a so-called cyber peace treaty with the Chinese government aimed at putting a stop to cyber espionage activities and theft of intellectual property.
GCHQ charm offensive
The Information Assurance conference is usually shut off from the media, but this year most of it was opened to the press as part of a move by GCHQ to increase transparency into its operations.
“This is a more open event than we have had in previous years and this is quite deliberate,” said Ciaran Martin, director general for cyber security at GCHQ.
“We are no longer able in cyber security just to talk within the community of government and the bits of industry that have historically operated in this space.”
On the second day of the conference, which the press was not invited to attend, GCHQ director Robert Hannigan criticised the wider cyber security industry for a lack of coherence in its approach to tackling cyber threats.
“Standards are not yet as high as they need to be. Take-up of the schemes is not as high as it should be so something is not quite right here,” he said.
“The global cyber security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear.
“The normal drivers of change, from regulation and incentivisation through to insurance cover and legal liability, are still immature, and what’s also clear is that we cannot as a country allow this situation to continue.”
In his keynote, Hannigan claimed GCHQ is a fan of encryption and has no desire to circumvent it – in most cases.
“We advocate encryption. People and business in the UK should use encryption to protect themselves,” he said.
“All the government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, judicially warranted reach of the state when the need arises. That isn’t a new requirement.”
Hannigan also denounced the “myth” that GCHQ wants backdoor access to popular software platforms.
“Products should be secure. We work with companies to help make them secure. So on this I agree with Tim Cook. And I can reassure him and others that the new [Investigatory Powers] Bill does not seek to build in back doors,” he said.
Recently, Apple CEO Tim Cook warned of “dire consequences” should UK cyber spies be given access to the encrypted communications of the public.