SpeechesTechnology

Tom Tugendhat – 2023 Speech to CYBERUK

The speech made by Tom Tugendhat, the Security Minister, in Belfast on 20 April 2023.

Thank you. It’s an enormous pleasure to be here with you today in Belfast.

It is also an incredible honour to be here in Belfast on this auspicious occasion. Not just to be here at this conference, but 25 years ago there was the extraordinary moment of the signing of the Good Friday agreement. That wonderful moment that gave hope to a new generation and demonstrated this country, the whole of the UK and the whole of these islands can move on from a difficult past to a much better future.

It’s a reminder that peace can never be taken for granted, and that service, debate and compromise define what is at the heart of our peaceful and democratic system, and together they must never be neglected.

It also makes me particularly mindful of my role today. I stand before you as Security Minister of the UK.

In one respect, that is quite a simple job: keep Britain safe. Of course, that clarity marks a complexity of the challenges we face from terrorism and state threats to organised crime and distributed attacks.

Those attacks are more your field and its there in the cyber world that the UK faces some of its sternest tests.

A quick look at the basic figures is enough to bring home the scale and severity of the issue we face.

New findings released just yesterday from the Cyber Security Breaches Survey show that 32% of businesses experienced at least one cyber breach in the last 12 months.

This year, for the first time, the survey also tells us how many of these breaches resulted in a cybercrime being committed.

We can now estimate that 11% of businesses were victim to at least one cybercrime. That cost each of them around £15,000 in the past year.

We must never lose sight of the fact that behind each of these online statistics is a real-world victim.

Each is a grandparent defrauded, and stripped of their savings.

Each is a small business held to ransom, and jobs lost.

Each is public money stolen, and the taxpayer short-changed.

The cyber-threat doesn’t just come from criminals. The ongoing war in Ukraine is a constant reminder of the threat we face from hostile actors. Russia has been trying to invade Ukraine’s cyberspace as much as its physical space, threatening critical information, critical services, and critical infrastructure.

The threat of further cyber fallout from conflict is very real to the United Kingdom and to all our allies.

At home we are seeing the overlap of state threats, terrorism and organised crime brought together online and off.

Against this troubling background our mission is clear. We must crack down on cybercrime, we must protect the United Kingdom from the most capable cyber adversaries – states, criminals and terrorists – all are trying to hurt us and all have made the online world work for them, delivering offline political gain and criminal profit.

That is no small brief, and it is not one any department, certainly not one Minister, can achieve alone.

That’s why this event is so important to me. This is why I’m so grateful to Lindy for inviting me and so grateful for the opportunity to speak to you. Because what we can achieve together is an all round ecosystem of cyber security built on the UK’s world class foundations of education, expertise, technology and capability.

The task of cyber security falls to government of course, but also to individuals, law enforcement, and to you, business.

Now today, I’d like to reflect on how far we’ve come, and where we need to go. Above all, I want to stress the core message, exemplified by those extraordinary events of 25 years ago – that only by working together can we collectively be safe.

I’d like to briefly outline my priorities in cyber policy, before affirming areas in which government and industry partnerships must go further if we are all going to succeed.

The government has already made phenomenal progress in building resilience and countering the threat from our adversaries.

The latest iteration of the National Cyber Strategy set out the UK’s role as a responsible and democratic cyber power, and laid down the framework on which the UK’s security and prosperity can depend.

It’s the bedrock of everything we do to keep the UK cyber safe.

It also important that our laws, the software of our society, are updated.

That’s why we recently published a consultation on improving the Computer Misuse Act, which is an important part of deterring those who would commit crime, and equipping law enforcement to carry out their duties.

That consultation is for you to contribute to and I look forward to hearing your thoughts.

We are proposing to include powers to take control of domains and IP addresses used by criminals and enable action against individuals in possession of or using data obtained through the criminal actions of others.

But I say again, your thoughts matter and I’m looking forward to your input.

We’re building the National Cyber Crime Unit to take on serious cyber criminals.

Its operational resources must deliver arrests and disruption, and build on the NCA’s enhanced intelligence picture to target criminals where they are most vulnerable.

We recently helped to dismantle Genesis Market – one of the biggest online marketplaces selling stolen logins and passwords to criminals across the world.

We’ve built a network of Regional Cyber Crime Units, ensuring that police units have access to specialists and capabilities.

I must also mention Ransomware attacks, where the National Cyber Security Centre assesses to be in the top tier of online threats to the UK.

Ransomware criminals cause harm and hurt. They cost more than cash. Hospitals and their patients in a pandemic were targeted, putting people and lives at risk.

Now this is a global problem, we are working with global partners.

With the US and others, the UK is a leading member of the international Counter Ransomware Initiative, and together we are going after these criminals.

Recently we sanctioned seven Russian cyber criminals who were behind some of the most damaging ransomware attacks in the UK in recent years.

With those priorities in mind, let me now turn to your role in the cyber community. Against this array of challenges, collaboration between government, law enforcement and industry is key.

I’d like to propose three areas where we must go further and faster, together.

First, prevention is always better than a cure.

Sometimes cyberattacks are sophisticated – but the vast majority are in fact simple, and can be easily prevented by a few simple steps.

Our aim is to make the UK the safest place to be online, and that starts with all of us working to ensure that everyone understands how to protect themselves.

The NCSC’s Cyber Aware campaign and the work of City of London Police leading this work, is I hope, of use to you all in providing advice that is simple, consistent and based on our collective latest understanding of the threat picture.

This room is filled with experts so please be active in shaping the guidance so that your staff and customers can avoid becoming victims in the first place.

Second, our most capable adversaries will only get better.

Malign states and crime gangs will look for chances in an open internet. We’ve got to do the same to protect ourselves.

Five years ago, WannaCry wreaked havoc in the NHS, leading to cancelled appointments and postponed operations on a huge scale.

North Korea’s cyber weapon was heralded in a new business model for criminals around the world.

Today, Ransomware is a chronic threat and is sold as a service to groups without cyber skills. The barriers to entry have come down. This is a democratisation of crime, just as much as any other.

The question that we should all be asking is: what next?

Breaking the future cyber-criminal business model – and understanding tomorrow’s state action in cyber space is key to pushing for more responsible, democratic behaviour.

The enemy will evolve and so must we.

Third, new technology will change the world we think we know.

Dawn has broken on the age of Artificial Intelligence. We’ve only just begun to wake up to the opportunities that will be unlocked in the coming years, and can only guess at the ways in which they’ll transform our world.

This speech wasn’t written by ChatGPT as you can probably tell. You’re not supposed to laugh at that. Very soon we are going to see Large Language Models such as Open AI’s ChatGPT which are already able to ace the bar exam and indeed write better speeches than this, and suggest new avenues for drug discovery. They’re not thinking yet, it is more pattern recognition and repetition than real thought, but the game is changing already.

The goal that many are working towards – an Artificial General Intelligence, or AGI – is looking more open and more possible.

It’s difficult to overstate what this would mean to all of us. Super intelligent computers that learn and develop autonomously would transform our society and our world, and more than almost any other advancement in human history.

Even in these early stages, AI can enhance our security but it can also threaten it. Our AI capabilities will be at the heart of our mission to protect the UK.

In Ukraine, AI is already being used to identify malicious Russian behaviour by analysing patterns of activity at huge scale, they are not just finding needles in the haystack but finding out what the haystack itself is saying.

At home and across our homes in the UK, AI could protect children from predators, unlocking advanced tools and techniques to identify potential grooming behaviour at scale and uncover rings of offenders right across the net.

However, in our line of work opportunity often comes hand in hand with risk, and AI is no different.

We already know because we’ve seen it, the cost of the advancement of technology and the challenge it has brought in biological space and we know because we’ve seen it the risks that a pathogen can cause to our world. We need to make sure that we do not see the same risk from AI.

It’s not hard to see future AGI coding weapons, even now there are threats we must guard against.

Cyberattacks work when they find vulnerabilities. AI will cut the cost and complication of cyber attacks by automating the hunt for the chinks in our armour.

Already AI can confuse and copy, spreading lies and committing fraud. Natural language models can mimic credible news sources, pushing disingenuous narratives at huge scale. And AI image and video generation will get better – so called ‘deepfakes’ – which make the danger to our democracy even greater.

Given the stakes, we can all understand the calls to stop AI development altogether. But the genie won’t go back in the bottle anymore than we can write laws against maths.

As Robert Oppenheimer once said, ‘technology happens because it is possible’.

Putin has a longstanding strategic interest in AI, and has commented that ‘whoever becomes leader in this sphere will rule the world’. And China, with its vast data sets and fierce determination is a strong rival.

But AI also threatens authoritarian control.

Other than the United States, the UK is one of the only a handful liberal democratic countries that can credibly help lead the world in AI development.

We can stay ahead but it will demand investment and cooperation and not just by government. Only by working together can we keep Britain in the front rank of AI powers and protect ourselves and our businesses.

As for the safety of the technology itself, it’s essential that by the time we reach the development of AGI we are confident that it can be safely controlled, and aligned to our values and interests.

Solving this issue of alignment is where our efforts must lie – not in some King Canute like attempt to stop the inevitable, but in a national mission to ensure that when super intelligent computers do arrive, they make the world safer and more secure.

Before I finish let me say again what a huge pleasure it is to join you for this outstanding event.

Last night at dinner I wasn’t with you in the Titanic Hall but instead at Hillsborough castle hearing those that had negotiated the complexity of the Good Friday agreement. I heard about the uncertainty and recriminations and the fear but I also heard about hope and the individual efforts by millions across Northern Ireland, and indeed across the islands of Ireland and Great Britain that changed our lives for the better.

This morning I’ve heard from others who are taking on a different challenge with its own complexity and uncertainty and indeed its own risk. But I’ve also heard the hope for a better future for us all. As we can cooperate to contain and confront the challenges, I am grateful to you all for everything you have done and continue to do in the name of keeping people safe online.

This is a ferociously difficult task. But I am constantly inspired and reassured by your talent, expertise and dedication.

I am very grateful for everything you do and I look forward to us working together to make sure that this revolution, the next revolution, serves us all and keeps us all safe.