This morning there was the launch of a major report into cyber security and the roles of responsibility of company boards. The report was coordinated by CityUK which brings together financial services companies from all over Britain. I was very honoured to be asked to give a keynote speech at the launch. I chair the All Party Parliamentary Group on Cyber Security and if you are interested in this subject, I have included a draft of my speech below.
Thank you for inviting me to speak today.
We are in the middle of the fourth industrial revolution—a time of huge technological, demographic and environmental change—and the decisions we make now are crucial to our future.
Earlier this year I visited the Large Hadron Collider at CERN. This is the place that invented the World Wide Web 29 years ago. Few could have foreseen the global opportunities that it would bring.
The ability to do business with someone on the other side of the world, instantly, at the touch of a button has brought huge benefits to our society.
But those early developers could not have anticipated the darker side of technology or the threats that it also poses.
The cyber sphere is where modern day crime is being committed and international conflicts played out.
One in ten of us have been the victims of cybercrime and these days we are 20 times more likely to be a victim of crime online than offline.
Nearly 7 in 10 large businesses have been affected, with an average cost of £20,000 per business. Some breaches leave companies on their knees.
As the Home Secretary said last week, “a major cyberattack in the UK is a matter of when, not if.”
Cybercrime can hit anyone at any time – governments, institutions, businesses and individuals.
And globally it costs billions.
Cybercrime comes in different guises:
It’s perpetrated by ruthless organised crime gangs who conduct hacking and phishing on an industrial scale and target intellectual property;
It’s sophisticated scams that can bring down businesses or wipe out life savings, with the proceeds laundered at the touch of a button.
It’s not just the Wannacrys we need to protect ourselves against, but the cyber scams that put money into the pockets of organised criminals.
The recent breach at TalkTalk is perfect illustration that Cyber breaches are serious, costly and disruptive.
The impact of cybercrime on individuals can be very significant too. Being hacked or the victim of a cyber scam or fraud can be frightening, expensive and humiliating.
This is why I am so pleased to be here for the launch of this important report today and to be chairing the All Party Parliamentary Group on Cyber Security.
Last week in Parliament I hosted a meeting to launch a study into the Dark Net.
Another subject I wanted to touch on just briefly was the Dark Net.
Data stolen in cyber breaches often ends up for sale on the Dark Net.
Conventional crime, is increasingly finding an online safe haven in the dark Net. Where the anonymity provided by Tor browsers and cryptocurrencies embolden people to break the law in the most horrifying of ways.
There are sites where you can buy guns, passports, drugs and bomb making kits at the click of a button.
There are sites where Islamic State and other terror groups, using the Dark Net to radicalise and corrupt on a global scale.
There are even site streaming images of child sexual abuse as it happens live.
The Government has just announced a further £9 million to enhance the UK’s specialist capabilities to combat the criminals who exploit the anonymity of the Dark Net and I welcome this.
ROGUE STATE ACTION
There is also a broader cyber threat, often sitting closer to warfare than to crime.
Over the last year there has been a significant increase in the scale and severity of malicious cyber activity globally.
There are several established, capable states seeking to exploit computer and communications networks to gather intelligence, personal information and intellectual property from the government, military, industrial and economic targets to advance their strategic goals.
Hostile states, groups and individuals are use cyber tools to commit crimes, to project power, and to intimidate their adversaries.
They use False News, lies and propaganda to manipulate legitimate democracies by shifting the psyche of entire societies – and all this in a manner which makes definitive attribution difficult.
Time and time again, I have been told by friends across Europe how they have seen Russia meddling in elections. Last June they launched the destructive NotPetya ransomware attack.
North Korean actors operating under the guise of the Lazarus Group launched the WannaCry ransomware campaign, one of the most significant to hit the UK in terms of scale and disruption.
It disrupted over a third of NHS trusts in England and thousands of operations were cancelled.
Lives were put at risk.
And the fact is that the threat is not diminishing. Over the past six months, the National Cyber Security Centre has responded to 49 incidents associated with Russian cyber groups, some of which have hundreds of potential victims. Russian actors have systematically targeted the UK amongst others, expanding the number of sectors targeted, in addition to the energy, telecoms and media sectors.
The Government has been taking action.
Back in 2016 the it launched the five-year National Cyber Security Strategy, supported by £1.9 billion of investment.
The Strategy brings together the best from government and industry to develop new ways to strengthen our defences, deter our adversaries and develop the broader capabilities we need to respond.
Earlier this month, the government launched a Cyber Innovation Centre in London to help secure the UK’s position as a global leader in the growing cybersecurity sector.
The UK is good at Cyber Security, but there is more that needs to be done.
Last week I was with the Internet Watch Foundation, an organisation based just outside Cambridge which I have championed for many years. They are the world leaders in tackling child sexual abuse online. Last year they removed 78,000 pieces of illegal content from the internet. As a result of their action, less than 1% of the world’s online content of child sexual abuse is now web hosted in the UK. The have literally driven the perpetrators out of our country.
But this is not something that Government can take action on alone. Cyber security is a whole economy challenge.
I was glad to see the subtitle of your report was “a guide for company boards”. Cyber Security, alongside Data Protection must now be at the top of the agenda of boardroom matters. The cost of getting this wrong is simply too high.
Simple measures and education, both on an individual and corporate level, can make a big impact. While preparing for today’s speech I was reading report by Barclays on five actions each individual can take to protect themselves online. It is truly frightening that in today’s technologically advanced society the most commonly used password is still 123456.
Individuals and companies need to be aware of the risks and put in the processes to manage those risks. Of course, it is never possible to eliminate every risk. But it is the role of a responsible board to identify and understand the principal risks it faces and then take the actions to mitigate them.
I would like to thank the CityUK and Marsh for this extremely helpful piece of work