A speech from the Chancellor of the Duchy of Lancaster Oliver Dowden at CyberUK in Belfast on Apr. 19, 2023
‘Last year’s CyberUK was held in Wales, & in the years before that, in Scotland & in England.
So it’s great to complete the full Union set with Northern Ireland – & it’s yet more proof that we have strong cyber talent in every corner of our country.
But of course this city was a natural choice to hold a cyber conference: It has become a global hotspot for cyber & tech companies – including IBM Security, Microsoft & Nvidia…
…& we’re meeting at a very interesting time for cyber in the UK.
Interesting because we have a PM & a Govt. that is deeply passionate about science & tech, & has put it front-&-centre of our agenda.
Interesting because we have a thriving tech sector to match, & because government & industry are building a strong partnership including through the new National Cyber Advisory Board, which I am co-chairing again this afternoon with Sharon Barber from Lloyds.
But it’s also an interesting time because of the world we live in today.
The last time CyberUK was held, last May, attendees were gathering in the shadow of Russia’s unprovoked invasion of Ukraine.
And the brutal reality is that a year on, we continue to live in a more dangerous, more volatile world – one that has far-reaching consequences for the British people.
Now that’s partly a consequence of Russia’s aggression.
It’s partly because of the growing economic coercion of other countries.
And it’s also because of the way that climate change & technology continue to transform & disrupt our world.
All of those things are putting our systems under more pressure than ever before.
And so in Govt., we are devoting a lot of time & energy on how we can improve our overall resilience of the Govt. in the face of those & future challenges.
Now many of you will have seen that a few weeks ago the Govt. published a refresh of our defence & national security strategy – the Integrated Review – setting out how we intend to fortify our national defences against the challenges both today & tomorrow.
And it’s something the PM has asked me to lead on at the Cabinet Office – particularly when it comes to economic security & bolstering our national resilience.
So I wanted to use this opportunity to take you through how that applies to cyber-security;
where I think we are as a country;
& what the government intends to do to make sure we stay ahead of our adversaries every step of the way.
THE CYBER THREAT
It’s been a couple of months since the world was gripped by the progress of that Chinese balloon floating across the skies of the United States.
Now I’m sure you will recall that spy balloon dominated the headlines because it was a very visible symbol of America’s borders being breached by an uninvited guest.
And yet every day, a combination of criminals, spooks, hacktivists & cyber soldiers silently & invisibly breach our digital defences – both in the UK & in the rest of the world.
And we saw it earlier this year with Royal Mail, when a ransomware attack disrupted overseas deliveries for weeks.
And last Aug. when an attack on a third-party supplier caused severe disruption to NHS 111.
So what does the overall cyber threat to the UK look like today?
Well, according to the latest assessments from the National Cyber Security Centre, the most acute state threats in cyberspace continue to come from those usual suspects – Russia, China, Iran & N. Korea.
The NCSC are also devoting a lot of their energy today to defending democracy…
…including by tackling threats against both the Conservative Party leadership contest last year and the recent Scottish National Party leadership contest – both of which took place online.
And there is another new front opening, as we see more & more adversaries able to buy & sell sophisticated cyber tools & spyware like Pegasus.
These are the types of tools that we used to only see in a handful of powerful state actors, & which can cause serious damage.
So it’s something we are taking very seriously, & to which we are responding with our international partners.
Meanwhile, cyber-crime is estimated to cost the UK billions of pounds each year.
According to new figures published today, 32% of UK businesses & charities suffered a cyber breach or attack in the past year.
That is a third of our businesses.
And ransomware continues to run rampant.
And as President Biden rightly recognised a few weeks ago, thanks to its scale & impact, ransomware is no longer just a crime.
It is a national security threat – & our response needs to reflect the severity of that threat.
These are attacks on our citizens, our businesses & our democracy. They are an attempt to undermine our society.
And we are determined to stop them, with your help.
GOVERNMENT RESPONSE
In the UK we grasped the need for urgent action early, & we’ve been doing a lot over the past few years to strengthen our cyber defences.
We have published the National Cyber Strategy…
…& we have a new and effective cyber sanctions regime, which we recently used for the first time against a group of Russian cyber criminals as part of a joint campaign with the US.
And we are working closely with international partners to tackle the proliferation of sophisticated commercial cyber tools.
At the same time, the Govt. itself continues to face a range of attacks, including ransomware & espionage – & so we are constantly looking to strengthen our cyber defences.
As part of that, today, I can announce that we are launching GovAssure, a transformational new cyber regime for the whole of Govt.
GovAssure will be rolled out across Whitehall. It will be used to assess every department’s cyberhealth on an annual basis, against stringent new measures…
…so that Govt. can better identify the risks we face, & make sure we are protecting systems that help us run public services.
So with each day, as the threat evolves, so does our response.
NCSC THREAT ALERT
But a new adversary has emerged.
Over the last 18 months, the National Cyber Security Centre has seen the rise of several Russian-aligned groups sympathetic to Putin’s invasion of Ukraine.
Now these are fringe state threats – the cyber equivalent of the Wagner Group – & initially these groups focused their attacks on Ukraine & the surrounding region.
But recently, they have begun to turn their attention to the UK & its allies.
They are now seeking opportunities to compromise our Critical National Infrastructure.
We have experienced attempted attacks in the past – but these groups operate differently.
Instead of seeking to profit or spy on us, their primary motive is to disrupt or destroy our infrastructure.
These adversaries are ideologically motivated, rather than financially motivated.
Secondly, though these perpetrators are aligned to national actors, crucially, they are often not controlled by those foreign states.
That makes them more opportunistic, & less likely to show restraint.
Together, those factors make the current situation particularly concerning.
And so today I can confirm that the National Cyber Security Centre is issuing an official alert to operators of our critical national infrastructure, to highlight the risk they currently face.
That alert is now live on the NCSC’s website – along with a number of recommended actions that operators should follow right now, to increase their resilience & help defend our infrastructure against these attacks.
Disclosing this threat is not something that we do lightly.
This is an unprecedented warning for businesses.
We have never publicly highlighted the threat from these kinds of groups attempting such attacks before.
And I should stress that we do not think that they currently have the capability to cause widespread damage to our infrastructure in the UK.
But we do believe it is necessary at this point in time, if we want companies to understand the current threat they currently face…
… and to take action to defend themselves & the country against such attacks.
This approach fits with that wider national security strategy.
And last year, when we saw that Russian forces were gathering at the Ukrainian border, we declassified the information to let the world see what they were doing.
Today with cyber threats you will increasingly see us say what we are seeing.
We won’t allow these groups to stay in the shadows.
We are shining a light on these threats because we need to work together to strengthen our defences. That means that businesses need to see the threats clearly, too.
And over the last few years we have done lots of things to make it easier for businesses to secure themselves…
…including issuing world-leading guidance…
…offering threat assessments underpinned by intelligence…
…and providing key services like the Early Warning system.
But given the constantly evolving cyber threat, I believe this is the right moment to look at our cyber defences more widely – particularly when it comes to those of our businesses.
The reality is that we in Govt. can only do so much.
Businesses large & small sit on the front line of our cyber defences.
They face attacks on a daily basis – & any gap in that front line leaves us all vulnerable.
And when we published the National Cyber Strategy just over a year ago, we said we would review the government’s ability to hold operators of critical national infrastructure to account.
I’ve concluded now that we do need to go further.
So today I can confirm that I will be setting specific & ambitious cyber resilience targets for all critical national infrastructure sectors to meet by 2025…
…And that I am actively examining plans to bring all private sector businesses working in critical national infrastructure within the scope of cyber resilience regulations.
These are the companies in charge of keeping our country running. Of keeping the lights on.
Our shared prosperity depends on them taking their own security seriously – & that extends to their cyber-security.
A bricks-&-mortar business wouldn’t survive if it left the back door open to criminals every night.
Equally in today’s digital world, businesses can’t afford to recklessly ignore cyber risks, either – to leave their digital back door open to cyber crooks & hackers.
And while we’re doing this to combat certain risks, there is also a real opportunity for our businesses.
We have a huge amount to gain by making the UK the safest country in the world to do business.
Because the fact is that in today’s modern world, prosperity & economic security go hand in hand.
You can’t have the former without the latter.
Investors want to put their money in a safe country, in businesses that take security seriously.
So the safer we make our defences, the safer we make our country – & the more attractive we become as a destination for entrepreneurs & investors all over the world.
And the fact that the UK has in the last few years taken cyber-security so seriously already makes us one of the best places in the world to invest.
So this is my call to arms for businesses: look again at your security.
Strengthen it wherever you can.
The stronger your business, the stronger our economy, & the more prosperous we become together.
And in turn, we in Govt. will continue to do as much as we can to support the cyber industry & businesses more widely…
…& so finally, I just want to outline how we are fulfilling our part of this partnership.
OPPORTUNITIES
Cyber is an industry that continues to grow in every sense.
New figures show that it is worth more, it has more companies, & it employs more people than this time last year.
In 2022, revenues hit over £10.5bn, the sector attracted £300m of investment, & it added an additional 5,300 jobs in that time.
At a time of global market uncertainty, the industry really is looking strong.
And through our Cyber Runway programme, we’ve helped over 160 cyber security companies & startups grow & develop their businesses.
And there is even more room for growth, given that we currently face a shortfall of around 14,000 cyber security professionals each year in the UK.
The jobs are there. We just need to give people the skills to fill them – which is what we’re trying to do in government through things like CyberFirst and Cyber Explorers.
And indeed, I saw this with my own eyes a few weeks ago when I spent time with students at the University of South Wales’s Cyber Academy.
I watched them at their computers, going through the cyber equivalent of football drills – practising attack and defence.
And through academies like that, we are building the UK’s cyber talent pool for the future.
And on Monday the Prime Minister launched a major drive to improve maths skills across the country.
As he said in that speech, numeracy is the foundation of the modern economy…
Today, it’s just as essential as being able to read – & it is particularly vital if we want people to be able to take up jobs in cyber, tech, & beyond.
We also recognise that as a major employer of cyber security professionals across the UK, the Govt. needs to do more to attract the very best talent.
Now, like many of you, I noted the recent debate around the salary offered for a cyber role in Govt. Of course, people who work for Govt. will always be motivated by public service.
But a cyber specialist knows they can earn 5 to 7 times, if not more, for the same role in the private sector.
And the Govt. needs to break through its own glass ceiling…
So I am also examining what more we can do to improve salaries & other parts of our offer, so that we can continue to attract the very best cyber experts into the civil service.
These are people protecting the systems and public services that millions of people across the country rely on every day, so we should want the very best people in charge of them.
We must be competitive to stay ahead.
CONCLUSION
So, we are keen to do our bit, and for the private sector in turn to do its bit.
To defend as one, so that we can prosper as one.
And as I have set out, the Govt. is clear-eyed about the challenges that we face. We need business to be clear in their determination to meet those challenges with us.
It’s not going to be easy, & these threats won’t disappear overnight. But by working together, I believe that when we meet next year at CyberUK