In recent months public attention has been on state-led cyber attacks, from the drama of Russian aggression to crude North Korean online bank heists. Of course these matter and we have recently written to UK political parties to warn them about current threats, but this should not become a distraction from the much broader cyber challenge for western countries.
The British government has radically changed its approach to cyber security in the past few years, but we now need an accompanying shift in culture and skills across the private sector if we are to address the rising tide of cyber incidents. The challenge for business is to engage, understand more, and update corporate governance for the digital era.
There is a generational gap at the heart of this. In boardrooms cyber security is now acknowledged as important, but is still seen as a baffling problem for IT experts to fix, or an unavoidable cost of doing business. For the innovators and disrupters, who understand it better, this is someone else’s problem and far less exciting and profitable than the technology they are creating.
The key for both groups is to see this as primarily a problem about data, not IT. Everyone understands the importance of data to their business, but not enough senior people are truly engaged in understanding which data are most precious to them and how it is handled, stored and protected.
Nervousness in the face of technology prevents business leaders from applying the forensic interest they would have in financial or legal areas. Corporate governance structures are not up to the task: how are investors to know whether a potential investment, acquisition or shareholding is managing its cyber risk properly?
This will become even more critical as the internet of things moves from largely pointless gadgets to being hard wired into every area of the economy, with billions of new devices producing ever richer data. From healthcare to travel, education to food, every sector that depends heavily on data will begin to face problems already familiar to financial services.
Nor is theft or destruction of information the greatest worry. Integrity is. If businesses cannot be confident that their data has not been changed maliciously or accidentally, they will simply become paralysed.
In the UK the government’s response has been twofold. First it has rationalised the smorgasbord of organisations involved in cyber security by creating the new National Cyber Security Centre. More importantly, by making it an operational arm of GCHQ, Britain’s electronic intelligence agency, it has put world-leading technologists at the heart of both advice and operations. We have learnt from the tech sector that expertise needs to be at the heart of strategy. Relying solely on the well-meaning generalist, which has not served government policy well in computer science since the 1950s, is not enough.
More significant than any new structure is the determination to take more of the strain at a national level. This means developing with industry innovative defences at scale, using technology to defeat technology threats. Criminal and state cyber attacks are inevitably part of an arms race moving at dazzling speed, but western governments and industry together can stay ahead.
At its most basic, this can simply mean preventing criminals posing as organisations such as the tax officials at HM Revenue & Customs, or filtering out those countless “spear phishing” emails that clog our inboxes. In a few years I suspect the public will wonder why service providers did not do this at a national level a long time ago. The answer, of course, is that the internet was not designed with security or crime in mind. It evolved in a wonderful collaboration of academia and industry.
But these and other more sophisticated measures will not absolve the private sector from building sensible security into their new products, their business models and their corporate governance at every level. Others have begun to regulate to achieve this, notably New York state, which just introduced tough cyber accountability for Wall Street chief executives. Critically, they will also be held responsible for good security in their supply chain.
Finally, at the heart of our generational problem on cyber is a shortage of skills. We cannot wait for this to fix itself. Alongside all the new initiatives to promote cyber skills, those in senior positions and responsible for corporate governance should educate themselves and overcome their fear of cyber.
If we get this right, there are enormous opportunities for the UK, not only to become the safest place to live and do business online — but to export some of the solutions.
The writer is head of GCHQ
Letter in response to this article:
Get alerts on Cyber Security when a new story is published