The recent news that Norwegian aluminium producer, Norsk Hydro, spent £45m trying to restore normal business operations after a targeted ransomware attack in March demonstrates the costly threat from cyber-crime to industry. Closer to home, the National Police Chiefs’ Council have had to create a national emergency team to manage an escalating backlog in national forensics casework, following a ransomware attack against the UK private forensics firm Eurofins that led to the suspension of all police work with the company. The cost, therefore, of cyber-crime is not just financial, but detrimental to the UK’s local and national security.
While the threat from cyber-crime and cyber-attacks is growing, the UK has not been standing still. Recent speeches by the Director of GCHQ, Jeremy Fleming, and the Chief Executive of the NCSC, Ciaran Martin gave valuable insights on the UK’s approach to cyber-security, our current strengths and vulnerabilities, and the role of industry in protecting the UK’s cyber-space. Both emphasised that while the UK Government and its agencies has a unique role to play in protecting the UK’s cyber-space, society, academia and industry must also play their part in a so-called ‘Team Cyber’, to deliver a whole-of-nation approach.
The UK’s current national cyber security strategy runs until 2021, but the work on its replacement has already started. Put simply, the strategy of 2009 took the approach that the Government should focus on raising awareness of the cyber threat and improving information sharing from the private sector. The current strategy (2016-2021) took an altogether more interventionist approach, recognising the unique role that Government can play in the national security space, within a legal framework. The next strategy will most likely consider how to ‘mainstream’ current cyber-security initiatives through developing long-term, sustainable capabilities that are independent of Government.
There remains a plethora of interesting questions about the UK’s future approach to cyber-security. For instance, Ciaran Martin has repeatedly posed challenging questions about market failure in delivering cyber-security, which industry must engage with responsibly. While the UK’s privately owned Critical National Infrastructure (CNI) currently shares ownership of its cyber risk with the Government, he believes there may be a case for statutory regulation. Elsewhere, the Government recognises that, where appropriate, it must improve its rapid disclosure of sensitive information about tactical cyber-threats to industry, as well as strategic information on malign actors. Finally, the debate regarding the Chinese telecommunications firm Huawei has sometimes generated more heat than light, but it does pose important questions about the right balance between economic, security and strategic considerations.
ADS and its member companies, in part through its Digital Information and Systems Integrity Group, stand ready to be part of Team Cyber: improving the UK’s average digital literacy, national cyber security hygiene and protection of critical assets.