Defence

Sir Jeremy Fleming was speaking at CyberUK, the UK’s flagship cyber security conference this week.

The full presentation is here but I’ve picked out some key highlights.

“Of course, we can count ourselves lucky compared to those caught up in wars, but we are also seeing a heightened cyber risk. Cyber criminals are consistently evolving their tactics; the lines are blurring with hostile state activity and ransomware remains a real threat.”

“Cyber clearly matters to everyone.”

“At the global level, the UK has developed as a cyber power. Alongside the more traditional forms of diplomacy and statecraft, cyber now plays a vital role in our national security and prosperity.”

A key element for me was this statement:

“And I believe that our ability to protect the digital homeland is where we must start.”

I practise both offensive and defensive cyber security capabilities and I can say that it’s a smart move to make sure you have a good defence before you charge into offence.

“However, we cannot take our current defensive strength for granted. As threats shift, as technology advances, we must constantly re-evaluate and reinvent cyber security.”

A key element here is understanding exactly what our current state defensive strength is. I’d suggest that you need to look across at different countries to put that statement into context.

Key points raised as well include the great work by the UK NCSC but also that of the National Cyber Force (NCF):

“That’s why with our partners in intelligence and MOD, we formed the National Cyber Force.  It builds out from our world class cyber defence and resilience. And, it’s brought another level to the spectrum of national security work.

The NCF is already making a big impact. From countering disinformation, to supporting the activities of our military overseas, and to helping law enforcement to go after criminal gangs, it is improving the UK’s defences and it’s imposing a cost on our adversaries.

Of course, ultimately, what sets us apart from these adversaries is not what capabilities we have but how we use them in a legal, proportionate and ethical way. The UK has led the way on this thinking and later this month, the Attorney General will set out the Government’s latest legal views on the responsible use of cyber capabilities.”

I think it’s sensible here for people to be realistic with what a legal, proportionate, and ethical UK Cyber Capability looks like. It’s easy for people to jump into the fictional world of Jason Bourne or James Bond here.

We also need to recognise that current world affairs are giving people a view on electronic, information and cyber warfare in the real world as opposed to Hollywood.

“And at the moment, that means the war in Ukraine.  It’s at the front of all of our minds.  The suffering and broader humanitarian effects are terrible and we see the implications of indiscriminate warfare and Putin’s miscalculations play out on the battlefield.

But we’re also seeing this conflict in near real time in information, cyber and technology spaces.  

It is already a remarkable feature of this war just how much information about the behaviours and tactics of the Russian forces are out in the public domain. And how much intelligence has been released by Western Allies to challenge and get ahead of Putin’s actions.

This is modern warfare influenced and shaped by the democratisation of information.  And thankfully, the Ukrainians are excelling at it – we’re proud to be playing our part in supporting their efforts.

We’re seeing it in cyber too.  Perhaps, the concept of a ‘cyber war’ was over-hyped.  But, there’s plenty of cyber about, including a range of activity we and partners have attributed to Russia.  We’ve seen what looks like some spill over of activity affecting other countries. And we’ve seen indications that Russia’s cyber operatives continue to look for targets in countries that are opposing their actions.”

“Perhaps, the concept of a ‘cyber war’ was over-hyped” is a key element I noticed here. I think it’s important that again, people consider what can and can’t be achieved with packets and computer networks. That’s not to say you can’t sometimes do things that appear “magic” or aren’t significantly clever, it’s just that “cyber bullets” aren’t real.

“That’s why we have increased our efforts to ensure UK businesses and Government urgently improve levels of cyber resilience. And why, with our allies, we will continue to support Ukraine in shoring up their cyber defences.”

Again, I think it’s important here that defence is once again mentioned. The world is a far more fragile place systemically than people would probably like to admit. But also, infiltrating and taking over networks isn’t a computer game; there are lots of factors working both for and against both the attackers and defenders.

“Alongside our partners, we have mounted operations to undermine their networks, and prevent them from profiting from their crimes as well as denying them access to their cyber tools and malware.

In real life this means tens of millions of pounds in potential fraud against the UK economy avoided.  Hundreds of thousands of stolen credit cards made worthless to the criminals, and countless potential victims of crime around the world with their data and accounts safeguarded.  That’s cyber power on an immense scale.

Just as we need a whole of society approach, the whole of society must benefit from the opportunities cyber can bring. Across our regions, we can already see that happening.”

Looking at what the NCF and the UK will be focusing on again is important. With all things in life there are objectives and constraints. Cyber omnipotence doesn’t exist, no one can see everything in real time in the world nor on the internet.

Some final key points that I think are important are the collaboration between industry and government, but I’d also add in my own part here that I’d be wanting to include citizens and the community. If we truly are looking to achieve a “whole of society approach real” then recognising how digital and “cyber” work with government, industry, education and people, to me is really important.

Summary

It’s easy to overhype cyber capabilities, but conversely, it’s easy to understate them as well. If we look back to the mid-2000s and where we are now from a “cyber” perspective, things are better than they were; however, this is certainly a marathon, not a sprint. There are some great initiatives and successes made by the UK with regard to cyber security, safety and digital integration, but we shouldn’t sit back. There are opportunities for improvement in every sector; most organisations and people are still in a low maturity cyber state. That’s not being negative, that’s being realistic. We have a long way to go with changing the financial, legal, regulatory landscapes alongside ensuring industry and society’s leadership as well as the people truly get ahead from a cyber defence perspective. I look at some of the near misses and shudder; however, I’m positive for the future. There’s an amazing Cyber Community in the UK and an ocean of people who work tirelessly to help support their friends, families and fellow world citizens be safe in cyberspace.