Speeches recovered from the Conservative party's online archive

Pauline Neville-Jones: We need a new Cyber Security Strategy

The impression one gets from the existing Cyber Security Strategy is that the Government lacks conceptual understanding of cyberspace. 

But if a strategy is to set direction and guide others, it should be grounded in the fullest possible understanding of the environment and the risks that that environment poses.

There are some fundamental questions that do not seem to have been looked at - or, if they have been looked at, they have not been answered fully.  For example:

  • Where does cyberspace begin and end?  In other words, what is it?
  • What is a cyber attack?
  • How should the UK use cyberspace?
  • What is meant by cyber security?

The Government's Strategy defines cyberspace as 'the new domain of computer facilitated communication that is essential for the economic, social and political health of advanced nations'.  It also goes on to outline the importance of cyberspace to the UK, quoting various figures for the volume of consumer purchases and transactions through e-commerce, the use of cyberspace by businesses to co-ordinate supply chains, the reliance on cyberspace for the delivery of essential services and so on.

The importance of this domain to the UK is not disputed, and the threats to it are numerous.  Analysts have tried to classify the different threats in cyber space.  As an example, consider the following categories:

  • State sponsored cyber aggression, for example the denial of service attacks against Estonia and Chinese and Russian attacks.
  • Ideological and political extremism: it has been postulated that future conflict will be in or over ungoverned spaces, of which the internet is one.
  • Serious and organised criminality.
  • Low-level individual criminality, such as lone hackers.

A broad range of challenges.  But what is evident when looking at these categories, is that the Government's Strategy does not cover all national instruments.  I am thinking in particular of law enforcement, diplomacy and the military.

Just take the military as an example.  In a recent talk to RUSI, Major General Paul Newton, the Assistant Chief of the Defence Staff for Development, Concepts and Doctrine, said that the lack of constraints on cyber space and its ready availability meant that cyber was likely to become a very powerful threat.  He went on to say that cyber attacks are likely to be carried out on mass scale. 

Given the dependence of the armed forces on technological enablers like Intelligence, Surveillance, Target Acquisition and Reconnaissance assets, what would the effect of attacks on these systems be?  Are contingency plans in place to allow our servicemen and women to operate effectively in the absence of these assets?  Furthermore, if platforms like ships, aircraft and ground vehicles are dependent on electronic and computer systems to operate, what would the effect be if these systems were disrupted?  Does that change the calculus for defending, for example, an aircraft carrier - should there be a battle group, or should investment also be put towards other forms of defence?

What I am driving at is that a Cyber Security Strategy needs to cover all the constituent parts of national security and needs to think through the implications of cyber dependence in each of these areas.

Furthermore, the example of the military begs another question: how does the UK use cyber space and how does this relate to the cyber security agenda?

The Government defines 'cyber security' as 'both the protection of UK interests in cyber space and also the pursuit of wider UK security policy through exploitation of the many opportunities that cyber space offers'.  It is vital that the opportunities cyber space presents, as an enabler of capabilities for both national security and society, are not neglected or closed off by excessive focus on protection.  And here I take issue with the Government's definition of cyber security in that it does not include the human factor.  Protection is not sufficient: cultural change is important and a key part of ensuring effective security that does not limit opportunities.

<h2>Labour's Cyber Security Strategy</h2>

Quite apart from this porous understanding of cyber space, what does the Government's Strategy actually do?

The Strategy places most emphasis on the need for improved organisation and co-operation to build up a picture of the challenges faced and to direct the response to these challenges.  This is certainly necessary, but having new organisations and structures is not, by itself, sufficient. 

The first point I want to make about the Government's Strategy, and as I have already indicated, is that it does not link up with the comprehensive concept of a 'national security approach' that has developed over the past few years.  For example, law enforcement was given just one brief mention and it was left to the Association of Chief Police Officers to develop an e-crime strategy.  ACPO has now published their strategy, but how does it link with the overarching Cyber Security Strategy?  Likewise, I have illustrated how the military is ignored.

Let me reiterate: a Cyber Security Strategy needs to cover all constituent parts of national security.

The second point I want to make is related to this.  As I have mentioned, analysts - and the Government - have tried to classify the different threats in cyber space.  But it is increasingly difficult to distinguish between state and non-state actors in cyber space.  Just as in the conventional military domains of land, air and sea, in cyber space non-state actors are rapidly reaching the level of capability once the preserve only of states.  Similarly, states can use non-state actors as proxies.

What this means - and again I come back to the comprehensive concept of 'national security' - is that no one department or agency can be tasked with tackling one of these types of threat in isolation from others.

Thirdly, it is obvious that cyber insecurity is not just limited to government.  The existing Strategy recognises this and calls for partnerships with the private sector and international collaboration.  My question would be: how can these partnerships and forms of collaboration be constructed, and what should they aim to achieve?

The final point I would make relates to the place of the 'human in the system'.  Much work is ongoing on the Information Assurance agenda, even if it is somewhat dispersed; how does this link in to the Office for Cyber Security and its Strategy? 

Furthermore, even though it is specified as an objective, how will the Government ensure the growth of skills and expertise needed in the cyber field?  And how far does the need to improve skills extend - for example, given the likely increase in the number of e-crime and other cyber security cases, does the UK need a better national digital forensics capability and more specialised parts of the Prosecution Service and judiciary?

<h2>The Conservative Party's approach</h2>

What these questions point to is a lack of clarity in the Government's Strategy.  It is not that the Conservative Party disagrees with the aims and objectives, but rather that what has been produced is not a strategy in the true sense of the term as it does not link means and ends.

So what should be done? 

First, and as I have kept saying, a Conservative Government would want a Cyber Security Strategy to cover all national security tools.  And to foster a national culture for cyber security that covers government, the private sector and the public.

How can this aim be achieved?

The cyber security agenda needs to be centrally facilitated, co-ordinated and informed by central government.  But implementation should be undertaken by departments and organisations themselves.  In other words, what is needed is a top-down framework which co-ordinates and disciplines bottom-up work.  It is not yet clear if the Office for Cyber Security will fulfil - or rise to - this task.

I would suggest that if the Office is to fulfil this function, it should be the focal point for information, standards, technical advice and assistance.  It should therefore:

  • set cyber security policy and standards for all Government Departments, suppliers to government and critical infrastructure operators, and develop a programme for verification and validation to ensure these standards are met;
  • provide advice to government, suppliers, critical infrastructure operators and also businesses on computer security, network security, information security and information assurance;
  • develop a cross-government framework for testing system vulnerabilities and for training that all departments can utilise;
  • develop a cyber security exercise programme, similar to the national counter terrorism exercise programme that exists;
  • develop a capability that can be deployed to support the response to cyber disasters.  Related to this, I would add that Labour's Strategy fails to look at the question: what does the UK do if attacked, and who (organisationally) should do it?  Granted this is a difficult area, but the Conservative Party recognises the need for an active defence and will make it a national priority for government and the private sector to jointly develop an operational capability to defend the country;
  • finally, the Office should not just champion training within government and its partners, but also champion the development of skills nationally.  For example, the Office could support a Cyber Challenge in the UK, modelled on the Challenge that is already up and running in the US which aims to generate enthusiasm, develop talent and encourage young people to develop skills and take up employment in cyber-related roles.  I know discussions on a UK version of the Challenge are ongoing with the private sector at the moment; I would encourage this initiative and think government should also support it.

If the Office is going to be able to do all this, three things are needed.

First, the range of strategic and policy level work in the cyber security area that is currently dispersed across government - for example, in the Centre for the Protection of National Infrastructure, CESG and the Information Security & Assurance Unit in the Cabinet Office - should be consolidated.  The Office would certainly have to capitalise on existing skills across government and in agencies, through things like secondments. 

Secondly, to enable its work, it might also be necessary to consider designating cyber itself as part of the critical national infrastructure.

Thirdly, a common operating picture for all departments, agencies and essential sectors needs to be established that feeds into the Office. 

In many ways cyber space mirrors the situation in relation to the terrorist threat before the creation of the Joint Terrorism Analysis Centre, when no agencies or departments shared a common operating picture or threat assessment.  A Conservative Government would want to see a 'Cyber Threat and Assessment Centre' established, modelled on JTAC, certainly to provide a common operating picture, threat assessment and situational awareness.  To do so it should act as the single reporting point for all cyber-related incidents.  The Cyber Security Operations Centre might, when it is up and running, be akin to this.

The two final areas I want to touch on are international engagement and partnerships with the private sector.

Nobody has yet thought in detail about the level and scale of international collaboration that can take place or what this collaboration should or can realistically achieve.  For example, should collaboration aim at situational awareness or easing the investigation of electronic forensic trails?  How do international law and agreements like NATO's Article 5 interact with efforts to defend against cyber threats?  If the Office for Cyber Security is the locus for strategic activity across government on cyber space, it should co-ordinate such international engagement and collaboration.

Finally, let me look briefly at partnerships with the private sector.  Public-private partnering is, of course, the theme that has run throughout this conference.  By private sector I mean companies, academia and NGOs, and I would suggest that each of these actors is likely to have much more experience and expertise than government in every area I have talked about this afternoon.  Take businesses as an example.   The profit making imperative requires that they be at the top of their game when it comes to the resilience and security of their systems and data, and monitoring cyber threats to them.  Government must draw on this existing knowledge and expertise: public-private partnership will underpin the delivery of a Cyber Security Strategy.

<h2>Conclusion</h2>

It is difficult to have a full grasp of the cyber domain, not only given its trans-national nature and its sheer scope and scale at this very moment, but also because it is a dynamic environment that is constantly evolving and expanding.  But I hope I have given you some sense of how a Conservative Government might approach this challenge: at what changes government needs to make, and how government needs to work with and capitalise on the experience of others.
