Last month, Jim Murphy, Shadow Defence Secretary, and I launched our defence review. The first stage of this review is to measure the threats facing the UK and assess our capability to respond.
The cyber threat
Our society’s reliance on networked systems means those who would seek to do us harm have unprecedented reach and ability to strike at the heart of our interests at home and abroad. The cyber threat has transformed over recent years from what RUSI has termed “spotty adolescent hackers making mischief” to the “game changing” feasibility of state-sponsored cyber attacks which could constitute an act of war.
The UK is ranked 6th in the world as a hotspot for malicious cyber activity, with thousands of malicious emails on government networks every month. There are many examples of the impact of cyber attacks from around the world, including cutting entire countries off from the internet and covertly re-routing military and civilian data. Perhaps the best-known example is the Stuxnet worm that targeted industrial control systems and was called a “paradigm shift” in threat by the European Network and Information Security Agency because it altered real-world equipment involved in Iran’s nuclear programme without operators knowing.
Who poses the threat?
The majority of those who seek to use cyberspace to attack the UK are based outside of our jurisdiction and can be grouped into three categories. There are foreign states, who regard cyberspace as providing a way to commit hostile acts against the UK ‘deniably’, and the Security Services estimate that at least twenty foreign intelligence services are operating against the UK’s interests. They can launch highly sophisticated attacks in an attempt to compromise our government, military, industrial or economic assets.
The term ‘Hacktivists’ is used to describe activist groups who use cyberspace to further their political campaigns by causing disruption to gain publicity.
Terrorist organisations can use cyberspace to cause massive disruption to the UK, and it provides a platform to magnify the potential impact of ‘lone wolves’ or small groups from anywhere in the world. As well as stealing vital information and shutting down critical systems, a cyber assault could weaken our ability to deal with a combined physical attack. The possible scenarios are endless and frightening – just imagine if a physical terrorist incident in a UK city was combined with a cyber attack on medical records to change all our blood types or on the communications network to severely hinder our response. This isn’t the land of science fiction, it is a real threat today.
Improving our cyber response
While the government’s Cyber Security Strategy should be welcomed as a step in the right direction, a number of significant concerns and questions remain that Labour’s defence review will seek to discuss and improve upon.
The vast majority, around 80%, of our critical national infrastructure is privately owned and nearly two-thirds of critical infrastructure companies report regularly detecting attempts to sabotage their systems. Currently, there is much concern within the security sector that businesses underestimate the scale of the cyber threat and are underprepared to deal with it.
Any cyber security strategy is meaningless unless it helps improve business preparedness and the government’s strategy does not go far enough. It is focused on the high-level security apparatus and, while that is important, our national strategy must work from the ground up. We need a much bigger effort to bring private and public sector together to easily share threat information. While corporations are understandably sensitive about sharing data, the only way to combat the threat is a united response and our review will engage with business to discuss how best to do that.
Individual users also play a big part in our security strategy and we must improve public knowledge of the risk. To date, our national response mechanism has been fractured and incoherent and there are too many sources of information. Government can help by providing a single authoritative source of comprehensive information that filters details down to all levels quickly.
Finally, the absence of tangible goals in the cyber security strategy makes it difficult to assess progress. Cyber security is such a fast-evolving area that clear metrics are required to measure how well the strategy is performing.
The need for a cyber security culture
The cyber threat is one that we are, arguably, already playing catch-up with. We cannot afford to be left further behind and the government must pick up the pace. A key test of our review, and final policy, will be making our strategy as inclusive as possible. Unlike some other aspects of the security landscape, cyber depends upon businesses, organisations and the public being active participants in the fight to keep us safe. We need to instil a cyber security culture – whether it’s in the multinational corporation, the small business on the high street, or an individual at home, we all have a part to play in keeping our infrastructure secure.
Over the next few weeks and months we want to hear as many views as possible and I would encourage you to take part in our review by visiting the website at https://labourfriendsoftheforces.org.uk/21st-century-defence/.