Some thoughts about UK Cyber Security, Critical National Infrastructure and the citizen

Citizens and businesses alike are finding bank accounts compromised, sensitive details leaked and devices hacked. According to Symantec, an estimated 12.5 million Britons fell victim to cybercrime in 2012, losing over £1.8 billion in direct financial losses.

The loss is even greater for the business sector. The latest data from the National Audit Office’s landscape review estimates that the UK suffered 44 million cyber attacks in 2011 alone, the equivalent of 120,000 a day, costing approximately £27 billion a year, with over three-quarters of the economic impact felt by business enterprises.

The threat is persistent and constantly evolving; data breaches, identity theft and fraud are now commonplace, given that the UK is one of the largest internet-based economies in the G20 group of industrialised nations.

Just over eight per cent of the UK’s GDP is generated through the internet, which comes as no surprise when you consider how Britons are classed as the most avid internet shoppers in the world. An average Briton will spend over £1,000 shopping online every year, almost twice as much as the average resident in France or Germany. A secure internet is therefore essential to the UK’s economic prosperity.

In recognition of this, the UK Cyber Security Strategy published in November 2011 committed an additional £650 million towards a cross-government cyber security programme through to 2015. In the face of economic austerity and spending cuts, the public sector in particular faces key challenges; most notably, raising public awareness, influencing industry to invest in better cyber defence mechanisms and addressing the UK’s current and future cyber security skills gaps, which the NAO warns could take as much as 20 years to bridge.

The successful delivery of the government’s strategy, however, is instrumental for citizens, business and public sector alike if they are to gain a competitive edge in the global marketplace and to be better protected against data theft and fraud.

As our dependence on cyber space grows, so the security of the digital sphere becomes ever more critical to the health of our nation. There are numerous concerns associated with cyber attacks that cannot easily be quantified. As an example, it may be easy to calculate the replacement cost of fraudulent activity, but the real economic losses associated with the disruption of critical national infrastructure, in particular the networks that control our power grids, water supplies, telecommunications and even the military, are not easily quantifiable.

In the wake of several global, large-scale incidents, the UK government has committed itself to working closely with industry, given that around 80 per cent of our critical national infrastructure is privately owned. The latest EU directive, titled “An Open, Safe and Secure Cyberspace” and introduced in February 2013, will go some way towards addressing the vulnerabilities that riddle the IT systems of key assets and services within the UK national infrastructure.

For the first time, companies in specific sectors like banking, energy and health will be required to ensure they have suitable IT security mechanisms in place and that they report major incidents. All this is significant when you consider how, according to Eurostat statistics, in January 2012, only 26 per cent of enterprises in the EU had a formally defined IT security policy.

While one of the strengths of the EU policy is that it is comprehensive, its stipulation that the private sector report all major breaches may be difficult in practice given business confidentiality, the extra costs associated with implementing a robust IT infrastructural framework and the possible damage to reputation for big enterprises.

One of the primary cornerstones of the directive, however, lies in its advocacy for the application of existing international laws in cyber space. More specifically, as Dr Marco Roscini from the University of Westminster notes, it "affirms that the laws that apply in the 'real' world also extend to cyberspace: there is no need to negotiate special cyberspace rules".

This affirmation, though holistic, invites a series of questions about the application of existing human rights laws and rules governing warfare: when can a cyber threat be considered use of force under the UN charter? Who determines proportionality, and how are legally enshrined concepts like sovereignty and neutrality determined online?

From DDoS attacks to the defacement of government websites, from espionage to the destruction of critical infrastructure, cyber attacks offer activists, criminals, terrorists and hostile states the ability to strike the soft underbelly of internet-dependent states like Britain with precision and anonymity. With national concern about cyber security greater than ever, how can public and private sector organisations stay ahead of the escalating threats?

This will be the focus of iMMGroup’s second annual cyber security conference. The all-day conference, chaired by Colonel (Retired) John Doody and composed of keynote speeches, panel discussions and seminars, will open with an address from Lord Erroll from the Parliamentary IT Committee, who will provide an overview of existing government policy and the challenges ahead.

Following on from this, delegates will hear from Nigel Harrison, Director of Cyber Security Challenge UK, on the importance of bridging the skills gap and how his organisation sets about sourcing the best cyber experts through competitive challenges. Testing entry points, scanning for weaknesses and developing strategies to best leverage resources are all instrumental in the delivery of more effective information security practices. Attendees can expect the themes from this address to be elucidated later in the day by Martin Jordan, Head of the Cyber Response Team at KPMG, in his session on modern hacking techniques and how organisations can best combat these.

Failure to achieve a robust security culture is often identified as the Achilles heel of the business sector. On account of this, the morning sessions will benefit from a presentation by Tony Neate, CEO for the government’s GetSafeOnline scheme, aimed at providing small enterprises and the general public with advice on how to secure themselves against phishing, malware and internet fraud.

The insights from this session will be embellished later in the day with a discussion on social networking led by Graham McKay from DC Thomson & CO. Social cybercrime has risen to prominence with the widespread use of social networking sites like Facebook and Twitter, but what does this mean for organisations, and how easily can social media be utilised to infiltrate organisations to extract sensitive information?

Elsewhere, the day’s proceedings will include key addresses from Chi Onwurah MP, Labour’s Shadow Cabinet Office Minister with responsibility for cyber security; Natalie Black, Deputy Director for Cyber Defence and Public Networks at the Cabinet Office; Professor Bill Buchanan and Dr Jamie Graves from Edinburgh Napier University, and Kevin Doherty from the PSN Authority at the Cabinet Office. The conference will round off with a panel presentation from Jennifer Cole and David Smart from RUSI on vulnerabilities in IT delivery, physical threats to IT infrastructure, as well as response and recovery mechanisms to protect the UK’s critical national infrastructure.

‘Cyber Security, CNI and the Citizen’ takes place on Thursday 21 March, 2013 at the Britannia Hotel in Canary Wharf, London. The event will bring together senior decision-makers from the public and private sector to deliver a wealth of insight through a full day’s programme of keynotes and technological demonstrations from a breadth of exhibitors. You can find out more at http://www.cyber13.immgroup.co.uk/