Article and podcast: 10 minute read, 36 minute listen
Cyber crime is society’s new ‘fear’: the topic of hit TV dramas, Cold-War-type narratives in the press, ‘robust’ legislation on the part of the government — and yet an area of business most CEOs still delegate to the tech team.
- Is susceptibility to cyber crime a cultural or a technical issue?
- What is business’s best means of defence in the UK?
- Are we on track to be the ‘world’s safest place to do business online’?
The below article is based on a panel discussion between business leaders, tech experts, crime experts, journalists and researchers, seeking answers on these and other questions related to an ever more prevalent war on our doorstep.
Crime — with tentacles
The most talked about TV drama this winter has been the BBC’s McMafia. The ‘Mc’ refers to the ubiquitous nature of modern crime. For the modern mob, crime is carried out largely via a keyboard, enabling both global coverage and absolute precision when it comes to their targets. McMafia’s creator, journalist Misha Glenny, has spent years researching cyber crime and security.
‘At the heart of traditional organised crime has long been the threat of violence,’ Glenny has said. ‘But with the internet came the ability to move money at the touch of a button, and cyber crime fundamentally altered the rules. The new criminals ruling the world are not traditional heavies. The internet alleviates the need to deploy the same level of violence. Anyone can wage war from behind a screen.’
Nominet and Jericho Chambers recently convened an expert panel discussing the UK’s capacity develop world-leading Cyber capabilities. The panel included Glenny, representatives from Cyber Security Challenge UK, BAE Systems, London City Hall, Kroll, Nominet and others. A full list of attendees is available at the bottom of this article.
Cyber crime is everywhere — operating equally well on micro and macro levels. From individuals at home who get conned on E-bay, right up to the WannaCry malware attack of May 2017. WannaCry infected 300,000 computers in 150 countries and compromised organisations as important and diverse as the NHS, Nissan Motors, Deutsche Bahn and Telefonica.
And it’s also part of the new Cold-War narrative. The Russians currently stand accused of interfering with both the Brexit referendum in the UK and the outcome of the US Presidential election in 2016. We live in an age of extraordinary digital advance — coupled with digital anxiety.
Are business and government prepared?
Cyber security is one of those issues — on an ever-lengthening list — that senior business people know they ought to worry about and get to understand better. But until it comes up and bites (or even bytes) them, it’s often left to the CTO and his — it mostly is ‘his’ — techies in T-shirts. They speak another, often impenetrable, language and understand the arcana. (96% of digital miscreants are, incidentally, male.)
If the panel agreed on one thing it was that IT security is a matter for any board’s careful consideration. With a sense of anxiety, even fear, must come realism. We need a measured, practical approach that does not undo the huge economic benefits of doing business online.
Although relatively small, the UK punches well above its weight in the cyber security industry. The conflict in Northern Ireland and the part played during The Troubles by the intelligence and security services have left considerable pools of expertise that have proved most useful in the current era. Queen’s University in Belfast has become a global centre for cyber security research and commercial spin offs.
Likewise GCHQ in Cheltenham, which, from its Second World War, code-breaking origins at Bletchley Park now houses more than 6,000 operatives. As Russell Haworth, the CEO of Nominet, says: ‘Cyber security is critical to Britain’s digital advance. Given our nation’s heritage and skills, combined with government ambition, we have the potential to be world leaders in this field.’
Certainly the UK government makes the correct noises. Matt Hancock, the Secretary of State for Digital, Culture, Media and Sport has voiced aims to make the UK ‘the safest place in the world to do business online.’ Under the new Network and Information Systems (NIS) Directive, enforced in May 2018, organisations involved in critical industry and essential services face £17m fines if their cyber security preparations are not up to standard.
But what is working well and what needs to improve? What does the future hold — with the advent of the Internet of Things and the exponential growth of digital devices from autonomous cars to smart fridges?
Keeping up with the hackers
The massive growth in cyber crime has been made possible by its relative ease to carry out. Globally, fewer than ten countries have nuclear arms. However, any country, in theory, can have cyber arms. Realising this, the Russians developed the Gerasimov Doctrine, based on a 2000-word essay from 2013, written by Russia’s Chief of General Staff, Valery Gerasimov.
“Long-distance, contactless actions against the enemy are becoming the main means of achieving combat and operational goals,” he wrote in the article. “All this is supplemented by military means of a concealed character, including carrying out actions of informational conflict and the actions of special-operations forces.” For a country struggling economically, with lack of economic growth, a Computer Science graduate with a laptop is far cheaper than a tank.
Though cheap and easy to carry out for the perpetrators, for a corporate cyber crime is a very expensive business. But one thing all are agreed on is that prevention is better/cheaper than cure. It’s rather like that emergency plumber who responds to your call to fix a burst pipe at 11pm. As you stand in your kitchen, desperate and knee-deep in water, his call-out fee of £385 plus VAT cannot be realistically argued with.
As in the lucrative world of crisis PR where rates double and triple, stories of IT security consultants charging to up £10,000 a day are common. In 2004, the global cyber security market was worth $3.5 billion. By 2017 it was worth $120 billion.
Siloes = vulnerability
One of the problems with cyber security for corporates is that you get little praise or visible gain for not being successfully attacked. Its advocates are selling a negative. Trying to explain the RoI on a large IT security spend can be a tough business. There are never going to be any headlines saying ‘Acme PLC not victim of cyber security breach for tenth successive year due to excellent vigilance and proper levels of spending by the board and CTO.’ A screamer like ‘TalkTalk hit with record £400,000 fine after cyber attack by 15-year-old,’ is so much more readable.
The reputational damage done by appearing to treat customer data with fast and loose abandon is huge. And yet many boards still fail to grasp the importance of the issue. According to Misha Glenny, boards as a whole fail to grasp the gravity of cyber security issues. They fail to appoint someone within senior management to enable communication inter-silo. Each business needs someone at board level to communicate this and enable joined-up thinking.
‘If boards articulated cyber security risks in same way as they articulated financial risk then you’d get the right mechanisms. But this needs to come from an educated cyber leader on the board,’ says Glenny.
However, one point that should not be overlooked is that citizens and small businesses cannot afford the same cutting-edge protection used by governments and corporations. Security is supposed to be a public good administered by government, not a private good purchased in the marketplace. For all the attention given to protecting our infrastructure, GPS, banks, telecoms et al, there is a huge gap that the market will not solve by itself: citizens and small businesses.
Big, high-profile, sudden-onset attacks grab headlines. But what if it’s a relatively innocuous attack that isn’t immediately apparent. What if, for example, an attack went on quietly and unobserved for months — or years — compromising a nationally important system. According to Ipsos MORI’s 2017 Cyber Security Breaches Survey it takes businesses an average of 120 days to find out its data has been compromised.
We asked each member what would be their worst cyber nightmare occurrence and one, thoughtfully, said: ‘A state sponsored attack against government big data. An undramatic but incremental push. One that quietly and below-cover altered information telling us how many school places we need and will need. How many NHS beds. We assume these things are fine. They are not.’
Cyber security — an issue of people as well as technology
Another complication is establishing who and where the enemy is. What if, while you protect your corporate castle with high walls, a drawbridge and boiling oil ready on the ramparts to pour onto rushing enemy forces, the real enemy is within your walls and opens the gates when all the inhabitants are asleep. Literally or metaphorically.
The threat to business from insiders is very real. The same Ipsos MORI survey revealed 60% of cyber-attacks in 2016 were carried out by insiders. Several panel members suggested that HR departments need to accept an integral role in the fight against cyber crime. Cyber security is certainly an IT issue but it’s also fundamentally a people issue. We can fix all software vulnerabilities but it is easier to attack a person. People are the most common targets (72% of common breaches related to staff opening fraudulent emails), so awareness and training is all. People need to be tech aware, aware of their own footprint, and adaptable to problems. This is about skills, and education, not just awareness.
All of us want the liberty that comes with an active online life, but liberty without security is fragile, and security without liberty is oppressive. In the coming years, with a massive cyber-industrial complex set to replace the traditional military-industrial complex, there is going to be high anxiety stoked up by those who have a vested interest in the sector. The years to come will force us to balance these two as we learned to do during the Cold War.
Developing World-Leading Cyber Capabilities in the UK
The roundtable was held in London in January 2018, attended by:
- Russell Haworth, CEO, Nominet (Host)
- Misha Glenny, Journalist and Author (Speaker)
- Christine Armstrong, Co-founder, Jericho Chambers (Chair)
- Andrew Beckett, Managing Director, Cyber Security & Investigations, Kroll
- Theo Blackwell, Chief Digital Officer, Mayor of London/ London City Hall
- Mike Bray, Global Director, Information Security Governance, Risk & Compliance, Willis Towers Watson
- Andrew Gunn, Partner, Jericho Chambers
- Matthew Gwyther, outgoing Editor, Management Today
- St. John Harold, Co-founder and CTO, Cyberlytic
- Miriam Howe, Applied Intelligence, BAE Systems
- Colin Lobley, CEO, Cyber Security Challenge, UK
- Dr Stephen Page, NED, Nominet
- Dr Iain Phillips, Internet Systems and Networks Security Research Group (ISNS), Loughborough University
- Elaine Quinn, Director of Corporate Affairs, Nominet
- Theresa Regli, Digital Asset Management Expert