David Lidington – 2019 Speech at CYBERUK Conference

Below is the text of the speech made by David Lidington, the Chancellor of the Duchy of Lancaster, at the CYBERUK Conference held in Glasgow on 25 April 2019.

Good morning.

It’s a pleasure to be with you in Glasgow, and it is appropriate that we’re meeting here. This is a city with a rich history of innovation, the home of the Scottish Enlightenment, the home of inventors like James Watt and the first Industrial Revolution. And today, Scotland is also home to a growing cyber community– there are three times as many cyber companies today than there were just a few years ago.

So it’s fitting to be here in Glasgow, and to look at what’s coming next in cyber security. But I’d like first, I’d like to look back 30 years to November 2, 1988, when one of the first recognised cyber attacks, the Morris worm, wreaked havoc and crippled the fledgling internet for several days.

Today, it seems a bit quaint to consider that a worm could take down a few thousand computers. It is two years ago since WannaCry, which affected over 100 countries and did an estimated billions of pounds in damage to the global economy. Although we’ve not seen anything quite on that scale since, there are a some concerning global trends that stand out.

We’ve seen critical national infrastructure threatened by attacks like the short-term disruption at Bristol airport in September. We’ve seen private information comprised in large-scale data breaches of businesses like Marriott and Equifax. And we’ve seen consistent levels of attacks via company supply chains, like the infection of tens of thousands of Asus computers. And supply chains seem very much in the eyes of both criminals and hostile states as the soft underbelly of the private sector and providers of critical infrastructure.

The threat continues to evolve rapidly. But thankfully, the UK is a global leader in the fight against cyber attacks. We have stood strong with our international partners to call out cyber attacks, to attribute where there is evidence so to do, and to set the standard for hardening national cyber defences.

The National Cyber Security Strategy has revolutionised the UK’s fight against cyber threats as an ambitious, deliberately interventionist programme of action. During the last three years, we have put in place many of the building blocks to strengthen our cyber security and resilience, backed by an investment of £1.9 billion pounds.

In 2016, we set up the world-leading National Cyber Security Centre to act as our single authority on cyber security. Countries around the world, including the US and Australia, have recognised NCSC as a global centre of excellence and many countries are now copying our model for cyber security.

That also includes setting the standard in protecting our critical national infrastructure.

I want to be very clear in the light of reports in the last 24 hours on one point in particular. The UK takes the security of our telecoms networks extremely seriously. We have rigorous and tested procedures in place today to manage risks to national security.

Next generation networks like 5G raise security risks as well as opportunities for prosperity. That’s why the government commissioned a comprehensive review of the telecommunications supply chain. This is a serious study, based on evidence and expertise, not supposition or speculation.

The government is committed to strengthen significantly this country’s security framework for telecoms. We will take whatever steps are necessary to ensure the secure roll-out of 5G and full fibre network. We will not countenance high risk vendors in those parts of the UK’s 5G network that perform critical security functions.

The government’s approach is not about one company or even one country. It’s about ensuring stronger cyber security across telecoms, greater resilience in telecoms networks, and more diversity in the supply chain. We shall want to work with international partners to develop a common, global approach to improving telecoms security standards.

As with any other review, certainly one of this complexity and this scale, the decisions will be announced in due course, and to Parliament first.

We have also invested in cyber capabilities within law enforcement. National Cyber Security Programme funding has helped to train and equip staff at the National Crime Agency’s National Cyber Crime Unit, and has established dedicated cyber capability in all nine Regional Organised Crime Units.

Meanwhile, our Active Cyber Defence programme is making good progress in automatically protecting UK internet users. Last year, it took down nearly 140,000 UK-hosted phishing sites.

And we’re protecting the public sector, checking more than 4 billion queries to the internet every week, and blocking more than 1 million that are malicious. These are the kind of crude, high-volume attacks that have impact on people’s everyday lives, that compromise their identities and undermine the individual security of their bank accounts.

So we’ve made considerable progress in government. More to do, yes, but considerable progress. But to build on this success, we need to demystify cyber security for the average citizen. We need to get away from the outdated image of WarGames and begin thinking more about botnets and malvertising.

There remains a deep lack of awareness about these threats. Too often, in the corporate world, cyber resilience is seen as the responsibility of an IT department, when cyber security needs to be everyone’s responsibility.

We saw, from WannaCry in particular, how a low-level lapse in cyber security can risk the compromise of a much wider network.

The vast majority of cyber attacks can be prevented by putting basic cyber security measures in place. But nationally, only about a third of businesses and charities have a board member or trustee with specific, designated responsibility for cyber security. And even fewer have a system in place for when a cyber attack occurs.

So all of us, including we in government, need to improve our efforts. That’s why, last month, I asked all government boards to appoint a representative for cyber security.

Meanwhile, there are thousands of organisations outside government that can benefit directly from government expertise. So a few weeks ago I launched a new Board Toolkit designed by the NCSC to help FTSE 350 companies encourage discussions on cyber security between organisations’ board members and their technical experts.

I also asked all boards to commit to achieving minimum standards in cyber security – and I’d encourage everyone here to do the same.

We are partnering with nearly 600 private-sector organisations through our national Cyber Aware campaign to encourage citizens and small businesses to take simple protective steps that can prevent the majority of high volume, low sophistication attacks.

And we’re already hearing great results from these programmes. We were recently contacted by the managing director of a small construction company who, thanks to advice from a cyber crime officer, was able to thwart an attempted invoice fraud. Doing that saved the company £125k and a contract that they had been negotiating for months.

But there’s more we can do. That’s why, today, I am announcing that the NCSC will launch a new exercising initiative, called ‘Exercise in a Box’, designed to help organisations test their cyber resilience. This will be aimed at SMEs, at local government and the emergency services. It will be a free online tool, using scenarios based on common cyber security threats to enable organisations both to practice, and to test their responses to attacks in a safe environment.

It will also provide bespoke guidance from the NCSC to help organisations to understand better the cyber risks they face, so that working together, we can build the UK’s cyber resilience to attacks, and target-harden ourselves against adversaries.

But improving cyber security is not, and never will be, an exact science – it relies on partnerships to achieve lasting change. The geopolitical, technological and threat environment is constantly evolving. And we are seeking to meet these challenges, by building resilience regionally, nationally and internationally.

Regionally, the UK government is working closely with the devolved administrations in areas like cyber skills and local government cyber resilience. That’s why, in the spirit of highlighting collaboration across the devolved administrations, I’m pleased to announce today that CYBERUK 2020 will take place in Wales. By sharing our expertise and helping to build vital skills together, we are working together to protect the whole of the UK from the threats of both today and tomorrow.

We are working alongside FTSE 350 companies right across the UK to invest in pipelines of talent through our schools and universities. So far, more than 55,000 young people have participated in our Cyber Discovery and CyberFirst learning programmes, with a special focus on including more girls and more mid-career professionals.

And internationally, we are promoting our cyber expertise. We have worked with allies to counter malicious cyber activity. And we’ve called out unacceptable behaviour, joining 19 countries, NATO and the EU, to attribute a range of cyber attacks to the Russian and the Chinese governments during the course of 2018.

We are sharing best practices with allies. And across government departments, we are funding projects in more than 40 countries to help them defend themselves from emerging cyber threats.

Now it’s time to look to the future. Our current National Cyber Security Strategy takes us to 2021. But, in the spirit of preparedness, we need now to consider our vision beyond then, and how we sustain long-term change.

First, we want to reduce the risk from high-volume, low-sophistication cyber attacks. We need to build security right into internet-connected devices, systems and networks. And we must create a culture of cyber resilience among consumers themselves.

Meanwhile, we must continue our work to tackle the most sophisticated and serious threats from hostile states and organised criminals alike. This means ensuring our agencies and law enforcement partners have the capabilities to counter malign activity, and modernising our deterrence posture so the UK is seen as a hard target. And we will continue to take a leading role in promoting a free, open, peaceful and secure cyberspace.

Underpinning this, we want to build a sustainable ecosystem, with the companies, talent and research we need to remain world leaders in cyber security.

It’s going to take time for our long-term investments to reap benefits. But with eight years of experience in national cyber security strategies, we can now focus government’s efforts where they’re going to be most effective, and move towards a more mature partnership in the public, private and third sectors.

During the past four months, we’ve had three important reviews of the strategy from Parliament’s Joint Committee on the National Security Strategy, from the National Audit Office, and from the Infrastructure and Projects Authority. I want to say plainly that we do not shy away from constructive criticism. Criticism of that kind can only help us to strengthen the UK’s defences.

These reviews rightly said that our approach can benefit from independent external expertise, particularly from industry and the academic world. This means inviting more critical challenge at working level. It means investing more into academic research. And it means looking at the ways industry innovates against emerging threats.

One of the other points made by these independent bodies is the need for more transparency and reporting. So, in an effort to boost transparency while balancing that against the inherent restrictions that the national security considerations involve, we will be publishing an update at the end of May this year on the effectiveness and impact of our interventions under the strategy.

As Alan Turing said, “We can only see a short distance ahead, but we can see plenty there that needs to be done.”

The task in front of us is great. The threats are evolving every day. But this is the same country whose citizens invented programming, the first computer and the World Wide Web.

We are up to the challenge. But we cannot do this alone. Partnerships at the key to UK’s cyber security. This government considers industry and academia to be the catalysts in delivering long-term, effective, cultural change.

We need partners like the ones here today, to be engaged, open and willing to work with us for the safety and security of all. So thank you for all you have done, and for all you will be doing in the future, to ensure that we remain stronger, together.