Browse content similar to Cyber Security Committee. Check below for episodes and series from the same categories and more!
Line | From | To | |
---|---|---|---|
Thank you for coming on the committee is grateful for you for | :00:14. | :00:19. | |
coming and to give evidence to us. We are fortunate to have a lot of | :00:20. | :00:23. | |
written evidence as well, so we have quite a lot to chew on. If we can | :00:24. | :00:29. | |
begin, what I'd like to do right at the beginning, because this is our | :00:30. | :00:34. | |
enquiry, is to put on record at the enquiry, is to put on record at the | :00:35. | :00:41. | |
start of the evidence taking some simple contexts suggesting | :00:42. | :00:48. | |
questions. You will know that the national security risk assessment | :00:49. | :00:53. | |
characterises cyber as a top tier threat. If you think that is | :00:54. | :01:04. | |
justified, what would you say is the nature of the threat to the United | :01:05. | :01:09. | |
Kingdom and how might it be made manifest, and are there any threats | :01:10. | :01:12. | |
to which either government or the private sector are particularly | :01:13. | :01:15. | |
vulnerable, and if so, what are they? I can start. That is a fair | :01:16. | :01:25. | |
assessment as to what the threat is today. Where it manifests itself, | :01:26. | :01:31. | |
much is made of the nation state capability, and we do have | :01:32. | :01:34. | |
aggressors that are targeting the UK and the private sector. Similarly we | :01:35. | :01:40. | |
should not underestimate the force with which organised crime is | :01:41. | :01:46. | |
embracing cyber capability, and for various reasons. So to gain direct | :01:47. | :01:54. | |
economic benefits from activities, second wary to that, by proxy, | :01:55. | :02:01. | |
supporting certain nation states by creating some clear water, shall we | :02:02. | :02:07. | |
say. Anyone else? I am dubious to the idea that it is a tier one | :02:08. | :02:11. | |
thread. I think it has been overhyped. We do have intense worry | :02:12. | :02:18. | |
about cyber espionage and Internet warfare, but the probability | :02:19. | :02:20. | |
critical infrastructure attack would critical infrastructure attack would | :02:21. | :02:23. | |
only be very likely under the context of a global war, so that is | :02:24. | :02:28. | |
something that is a bit beyond the normal consideration. Most cyber | :02:29. | :02:33. | |
aggressors use it for information advantages, and that is the nature | :02:34. | :02:41. | |
of the cyber threat right now. I would suggest it would be | :02:42. | :02:43. | |
a tier one threat largely because it a tier one threat largely because it | :02:44. | :02:47. | |
has so much impact on the other category one threats to the UK. I | :02:48. | :02:53. | |
guess that cyber is something that can happen directly, but it can also | :02:54. | :02:58. | |
have an impact on public health, on terrorism and it can be an enabler | :02:59. | :03:02. | |
for military conflict, and because of that it would make sense that it | :03:03. | :03:06. | |
would be classed alongside as a tier one threat. The other way of looking | :03:07. | :03:11. | |
at this is that we often talk about what it means Drame nation to nation | :03:12. | :03:15. | |
perspective. We should not lose track of the fact there is a real | :03:16. | :03:20. | |
threat to members of the population through ransom, where we are now | :03:21. | :03:26. | |
seeing organised crime units trying to monetise attacks by targeting end | :03:27. | :03:33. | |
users, encrypting their laptops and having an impact that is probably | :03:34. | :03:38. | |
seen much more frequently on a day-to-day basis. I would come at it | :03:39. | :03:46. | |
from the consideration of exposer. We are a digital society, whether we | :03:47. | :03:50. | |
like it or not, and will no everything that is physical has | :03:51. | :03:54. | |
digital processes behind it, so we are vulnerable to those digital | :03:55. | :03:58. | |
processes and data flow being interfered with. Much of what we do | :03:59. | :04:03. | |
in society depends on whether it could be physical things in | :04:04. | :04:06. | |
hospitals, but there are scheduling, blood ordering, and all things go on | :04:07. | :04:12. | |
in the background that our digital processes, and without those digital | :04:13. | :04:15. | |
processes a lot of the physical world will deteriorate. So I think | :04:16. | :04:18. | |
it is absolutely a tier one threat less because of the threat to date | :04:19. | :04:23. | |
but because of the vulnerability and the possibility a could materialise | :04:24. | :04:26. | |
quickly. Having established that three of you think it is a tier one | :04:27. | :04:30. | |
threat, although you have some doubts about it, without wanting to | :04:31. | :04:37. | |
scaremonger, what is the worst-case scenario for cyber attack on this | :04:38. | :04:41. | |
country, and how likely is it? As you all know, the whole point about | :04:42. | :04:46. | |
the risk register is a mess -- mix of impact unlikelihood. -- and | :04:47. | :04:53. | |
likelihood. Getting into the specifics of what could happen, you | :04:54. | :04:59. | |
could see a very likely scenario where our ability for the financial | :05:00. | :05:05. | |
markets to operate and for much of the health systems, and the | :05:06. | :05:11. | |
infrastructure to function, that could be disabled. That could be | :05:12. | :05:17. | |
severely impacted. Many of the adversaries who might want to do | :05:18. | :05:23. | |
that until now, there are other geopolitical boundaries around that | :05:24. | :05:27. | |
might cause them not to do so. But as capability becomes more and more | :05:28. | :05:33. | |
accessible then I think we could see criminals and terrorists becoming | :05:34. | :05:41. | |
more capable and then you have less political and diplomatic bounce | :05:42. | :05:45. | |
around behaviour and constraint. I would agree with that. If we look at | :05:46. | :05:52. | |
the UK by virtue of our maturity, we adopted technology very early on, | :05:53. | :05:56. | |
and by virtue of that we have some legacy systems which will run some | :05:57. | :06:00. | |
quite key elements of our country, and that in itself provides some | :06:01. | :06:07. | |
unique challenges where we have some ageing systems coupled with an | :06:08. | :06:11. | |
increasing capability, which we might not intend to take them down, | :06:12. | :06:15. | |
but through their own exploration and success in compromise have an | :06:16. | :06:20. | |
inadvertent outcome on the systems. If the worst does happen it might | :06:21. | :06:24. | |
not always be intentional as well, so that is something to bear in | :06:25. | :06:30. | |
mind. My comment would be is to use your imagination in terms of what it | :06:31. | :06:34. | |
might entail. What do I mean by that? Anything that draws upon data, | :06:35. | :06:42. | |
information or anything that touches currency and trading. I read an | :06:43. | :06:46. | |
article last week on the BBC website about how even farmers are now using | :06:47. | :06:53. | |
data to make decisions about how much fertiliser to put onto their | :06:54. | :06:58. | |
crops. The suggestion was that if a hacker could get access to some of | :06:59. | :07:02. | |
the systems and manipulate the information you could have a | :07:03. | :07:09. | |
scenario where where the levels of crops being produced might result in | :07:10. | :07:13. | |
some form of famine. You might come up with another form of famine that | :07:14. | :07:21. | |
says many of the industrial consoled -- control systems now touch data | :07:22. | :07:24. | |
networks, so if somebody could straddle a data network and from | :07:25. | :07:32. | |
there get action -- access to control systems. There are all sorts | :07:33. | :07:35. | |
of different things the individual might be able to do. We have seen | :07:36. | :07:40. | |
some of that both out in the Ukraine and in some other countries over the | :07:41. | :07:45. | |
last two years. The problem is we cannot make policy based on | :07:46. | :07:49. | |
worst-case scenarios, and we need to do it on probabilities what is | :07:50. | :07:53. | |
likely to happen. Aggressors have had the technology for 30 years and | :07:54. | :07:56. | |
they have been generally restrained in using it for aggressive purposes. | :07:57. | :08:00. | |
Terrorists are not so restrained they don't necessarily have the | :08:01. | :08:05. | |
capabilities. So the real difference between who is the aggressor, what | :08:06. | :08:08. | |
is the target and what are the goals? We have to worry about a | :08:09. | :08:13. | |
general societal programme to promote resilience in the state to | :08:14. | :08:17. | |
recover from possible cyber attacks, but the probability of a dramatic | :08:18. | :08:20. | |
cyber attack is only highly likely in the context of a major war with | :08:21. | :08:25. | |
Russia or China and that's not necessarily on the table. Will it | :08:26. | :08:28. | |
happen any time soon? That is something out of the imagination and | :08:29. | :08:32. | |
that is not how we should govern. We need government based on what is | :08:33. | :08:37. | |
likely to happen. We have not seen cyber technology used for massive | :08:38. | :08:40. | |
effect so far and we are unlikely to. We have seen sabotage but that's | :08:41. | :08:44. | |
generally been done by nation states to attack launch capabilities to | :08:45. | :08:50. | |
prevent other countries from acquiring certain technologies but | :08:51. | :08:53. | |
we've not seen any great devastation so far and I don't think we are | :08:54. | :08:56. | |
likely to any time soon. If I may counter that slightly, one thing we | :08:57. | :09:04. | |
cannot say from a policy perspective is say we can deal with it when it | :09:05. | :09:08. | |
becomes an issue. We are building the digital society today. If in ten | :09:09. | :09:12. | |
years' time we find ourselves in a conflict situation we won't rewind | :09:13. | :09:16. | |
the clock ten years and say we can build a secure digital society. I | :09:17. | :09:21. | |
think there is a policy imperative to build a secure society, without | :09:22. | :09:28. | |
necessarily trying to anticipate what the threat may be or may become | :09:29. | :09:31. | |
in the next five or ten years because we have to build today for | :09:32. | :09:36. | |
the future. The word resilience was used there, and I think that is an | :09:37. | :09:41. | |
important word. The free market, if left to its own devices will make | :09:42. | :09:46. | |
money, which is a wonderful thing but security is, to a greater or | :09:47. | :09:52. | |
lesser extent not seen by buyers as a key point at the moment in terms | :09:53. | :09:57. | |
of their purchasing decision, so our resilience is probably not where it | :09:58. | :10:04. | |
should be, and that is where the national cyber strategy outlines the | :10:05. | :10:06. | |
levers and incentives, and this is where we need to take a very long, | :10:07. | :10:11. | |
hard look on how we increase that resilience. Would I be exaggerating | :10:12. | :10:18. | |
if I was to say, from what you have said, that if you had to say where | :10:19. | :10:22. | |
the balance of investment should go, you would put it into resilience | :10:23. | :10:27. | |
rather than the offence, stopping attacks? We recognise now that the | :10:28. | :10:33. | |
concept that you are either secure or not secure as a binary state has | :10:34. | :10:38. | |
long gone. You need to be able to deal with successful attacks of | :10:39. | :10:41. | |
varying degrees of impact and be able to recover accordingly with a | :10:42. | :10:45. | |
minimum level of disruption, which is why resilience is a key concept | :10:46. | :10:50. | |
now in cyber security. We throw this term around without really defining | :10:51. | :10:54. | |
it and without really saying what needs to be done. The key thing | :10:55. | :10:59. | |
would not be investing in their private and public partnership but | :11:00. | :11:02. | |
investing in education and from the ground up. The other thing we need | :11:03. | :11:06. | |
to start to invest in is the public and promoting how they might react | :11:07. | :11:11. | |
away cyber threat or rape cyber attack. -- a cyber attack. We did | :11:12. | :11:15. | |
that in the nuclear error but we are not developing these programmes to | :11:16. | :11:18. | |
manage the emotional reactions of what happened because of the | :11:19. | :11:21. | |
dependency on digital. It's a very good point. I will speak to Mr | :11:22. | :11:31. | |
Cooper, then Lord West. We spoke about the cyber threat to the public | :11:32. | :11:34. | |
infrastructure and the private sector, but in the light of the | :11:35. | :11:38. | |
experience of the US elections, what is your assessment of whether or not | :11:39. | :11:45. | |
there is any sort of cyber threat to British democracy, either to | :11:46. | :11:47. | |
democratic institutions, electoral systems, political parties or | :11:48. | :11:55. | |
Parliament and so on? If we look at what happened in the United States | :11:56. | :11:59. | |
in the primary means taken in terms of manipulation of the message and | :12:00. | :12:02. | |
trying to influence public understanding of the situation by | :12:03. | :12:07. | |
virtue of having a free and open media, which in a highly connected | :12:08. | :12:12. | |
society we are obviously susceptible to. To say they would be able to | :12:13. | :12:15. | |
influence how somebody cast their ballot through pen and paper that we | :12:16. | :12:21. | |
still employ, that would be going too far, but in terms of leaking or | :12:22. | :12:27. | |
manipulation and propaganda, we have to accept that that is a practical | :12:28. | :12:36. | |
means that they can employ. There is a really important general principle | :12:37. | :12:41. | |
about how attackers think in that is illustrated by the question around | :12:42. | :12:45. | |
elections. We see whether it is online banking or all different | :12:46. | :12:48. | |
attack scenarios, the attackers will not target the core system you are | :12:49. | :12:54. | |
trying to defend itself, but attack the inputs and manipulate the input | :12:55. | :12:57. | |
is going into it and therefore get a different result. The discussion | :12:58. | :13:03. | |
around elections, and we know the head of the NCSC has reached out to | :13:04. | :13:06. | |
political parties to talk about their security, is so really | :13:07. | :13:10. | |
important principle. You might not be able to influence the casting of | :13:11. | :13:16. | |
votes itself, but if you can influence the dates that the | :13:17. | :13:19. | |
decisions are made, you might be up to influence it and that is an | :13:20. | :13:22. | |
important principle for how the attackers attack in this space. If | :13:23. | :13:27. | |
political party's e-mails are leaked and then selectively leaked to | :13:28. | :13:30. | |
present a coloured view of what the party stands for, or the individuals | :13:31. | :13:34. | |
stand for, that is the kind of concept that is often used in cyber | :13:35. | :13:39. | |
attacks. We have to be clear about the US attack. It was mainly done | :13:40. | :13:43. | |
through third-party applications, third-party e-mails, people changing | :13:44. | :13:48. | |
e-mail passwords. It was the least of the least in terms of cyber | :13:49. | :13:52. | |
attacks. The real problem with the American electoral system is the | :13:53. | :13:55. | |
lack of trust in the media and that's a question you have to ask | :13:56. | :13:58. | |
yourselves internally. Do we trust the BBC and the media? In America | :13:59. | :14:05. | |
they did it, and they trusted Russia today quite a bit to the tune of 9 | :14:06. | :14:09. | |
million views of Hillary Clinton making money from a foundation, | :14:10. | :14:12. | |
which wasn't true. It a question of trust and where people get | :14:13. | :14:16. | |
information from and how are they educated to take in end education. | :14:17. | :14:22. | |
We'd tell the story of the dramatic Russian hack, but it was simpler | :14:23. | :14:25. | |
than that. Lord West and Lady Faulkner. I'm interested in this | :14:26. | :14:32. | |
take. I put a huge amount of working with the Americans on Y2K. An | :14:33. | :14:36. | |
immense amount of work. And it never really quite came to what we | :14:37. | :14:40. | |
thought, although some things we did good. It was thousands and thousands | :14:41. | :14:42. | |
of man-hours on it. We had some information when | :14:43. | :14:54. | |
suddenly he lost cashpoints including by foot, which I think can | :14:55. | :14:58. | |
be used in the context of what happened in a cyber attack. My | :14:59. | :15:08. | |
question is, resilience and recovery, do you believe there is | :15:09. | :15:12. | |
sufficient money being spent by commercial companies in terms of | :15:13. | :15:18. | |
their recovery for when start to go wrong, and even think there is any | :15:19. | :15:24. | |
legislation that forces companies to have proper recovery mechanisms in | :15:25. | :15:29. | |
place? There is a will and that is what were concerned about in the | :15:30. | :15:34. | |
cyber Security industry that has popped up. That is regulated at the | :15:35. | :15:41. | |
moment. We need to ask if they are encouraging good practices. We do | :15:42. | :15:45. | |
not really talk about that, we do not talk about how companies use IT | :15:46. | :15:50. | |
departments to handle their security when they really need is cyber | :15:51. | :15:54. | |
Security group now. We need to understand the nature of the threat | :15:55. | :15:58. | |
and how to respond to it. I worry that we are focusing too much on the | :15:59. | :16:03. | |
fencing we are not thinking about the defence perspective first. Going | :16:04. | :16:10. | |
back to the earlier point, the impression one got from you about | :16:11. | :16:17. | |
the interference with democracy and electoral systems, the implication | :16:18. | :16:23. | |
was that it was a manipulation rather than a direct impact. Angela | :16:24. | :16:31. | |
Merkel has come out three times to warn off interference in the | :16:32. | :16:35. | |
forthcoming German elections. Why is she so concerned? Any of you? The | :16:36. | :16:43. | |
Russians have been engaging in this activity for a long time in Europe. | :16:44. | :16:50. | |
She is making sure the population do not respond to this information | :16:51. | :16:54. | |
attacks. In America that is a lack of trust in Government, hopefully | :16:55. | :16:59. | |
Germany has more trust and they will fight back against the attacks that | :17:00. | :17:05. | |
will come. The German intelligence agency said the date -- said that | :17:06. | :17:14. | |
they caught a Russian group tried to compromise on various systems, which | :17:15. | :17:18. | |
is where her concern will have come from. The three bustling companies | :17:19. | :17:25. | |
that deal with threats and respond to incidents when they happened. It | :17:26. | :17:32. | |
is real. You cannot deny the fact that there are people all over the | :17:33. | :17:38. | |
world whose day job it is, and they work 9-5, and they go on holiday, it | :17:39. | :17:45. | |
is their job to get into networks and compromise digital processes for | :17:46. | :17:51. | |
whatever means it is, if they are criminals for financial gain, as | :17:52. | :17:54. | |
they are nation states it is still a back door as they can exploit in the | :17:55. | :17:58. | |
future to get information out, but there are armies of people out there | :17:59. | :18:07. | |
for whom this is their job. We're focusing on the Government's | :18:08. | :18:10. | |
national cyber Security strategy. What would you see as being the key | :18:11. | :18:17. | |
lessons learnt from the 2011 shattered Gia and whether it was | :18:18. | :18:20. | |
effective and do you think those letters have been sufficiently | :18:21. | :18:27. | |
addressed in the 2016 strategy? There are two key things come out of | :18:28. | :18:31. | |
the recent strategy that our portent. One is the that there may | :18:32. | :18:39. | |
need to be regulation, incentives as you might freeze it, and the other | :18:40. | :18:43. | |
is capacity building in terms of skills. What we have already seen in | :18:44. | :18:47. | |
terms of that policy being enacted around getting to the younger | :18:48. | :18:56. | |
generation, we are talking 11-15, that will benefit us in six years | :18:57. | :19:03. | |
when they enter the workforce, that is absolutely key. I think it did | :19:04. | :19:09. | |
address a lot of the shortcomings. I was in the Cabinet Office in 2011. | :19:10. | :19:17. | |
The thought process back then in 2011 was very much that the | :19:18. | :19:23. | |
Government could encourage the private sector, upon which much of | :19:24. | :19:30. | |
the dependency for action sets on, to understand the risk and take | :19:31. | :19:34. | |
action appropriately. What has become clear is that maybe the | :19:35. | :19:38. | |
Government needs to be a bit more active and take a bit more | :19:39. | :19:44. | |
intervention. Things like the establishment of the national cyber | :19:45. | :19:47. | |
Security Centre, that is a very welcome initiative, it jive some | :19:48. | :19:54. | |
innovation and working together with infrastructure providers in the UK | :19:55. | :19:59. | |
to tackle a lot of the noise at source, remove a lot of the | :20:00. | :20:03. | |
low-level activity that is going on so people can focus on the more | :20:04. | :20:09. | |
sophisticated activity. I would agree with that. One of the | :20:10. | :20:14. | |
challenges were cyber is now left to market forces sometimes you do not | :20:15. | :20:18. | |
get the results that you might imagine. Often cyber security is | :20:19. | :20:24. | |
regarded as a lemon market, that is asymmetry of information between the | :20:25. | :20:28. | |
people who buy services and sell services. If you are a seller you | :20:29. | :20:32. | |
might understand the acronyms and did complex details, while if you | :20:33. | :20:39. | |
are a buyer a lot of those things are confusing and difficult to | :20:40. | :20:44. | |
understand. It is one of those ramps were market forces alone do not come | :20:45. | :20:48. | |
up with an appropriate level of response. We are seeing a greater | :20:49. | :20:56. | |
need for some kind of regulation to try and define bars for people to | :20:57. | :21:06. | |
strive towards. Where we talk about regulation, we do not see it as | :21:07. | :21:11. | |
being universal. It has to be proportional to the criticality of | :21:12. | :21:15. | |
the firm in the services it provides to the nation. As long as we take | :21:16. | :21:20. | |
that into account, and we're seen regulators take lead on this and | :21:21. | :21:23. | |
take a proportional approach, that is where we see a good response and | :21:24. | :21:32. | |
an improvement. You are all saying the market has not delivered in this | :21:33. | :21:37. | |
area, either because the vendors selling people products they do not | :21:38. | :21:42. | |
need or understand, or whatever else. Is that how we should | :21:43. | :21:46. | |
interpret the emphasis on extra cyber offence? Is it an admission | :21:47. | :21:51. | |
that the existing strategy is not working or is not going to work? It | :21:52. | :21:58. | |
addresses to problems. It helps those who cannot help themselves. It | :21:59. | :22:07. | |
is a complex subject. It is an assumption that they have the | :22:08. | :22:12. | |
skilled people. The majority of the France United Kingdom are SMEs and | :22:13. | :22:16. | |
they cannot retain the skill set. Cyber defence provides those firms, | :22:17. | :22:23. | |
some meaningful defence against these actors in the real world. Can | :22:24. | :22:31. | |
I have swore generally about whether or not the 2016 strategy is robust | :22:32. | :22:37. | |
enough for the protection of the UK critical national infrastructure? | :22:38. | :22:40. | |
We're seen recent attacks in Ukraine and in France. Has this latest | :22:41. | :22:48. | |
strategy led the right lessons from those major attacks. You will | :22:49. | :22:53. | |
probably have seen the recent US science board report essentially | :22:54. | :23:00. | |
said actors on behalf of the Russians and Chinese had effectively | :23:01. | :23:05. | |
penetrated the US's key critical infrastructures to the extent that | :23:06. | :23:14. | |
given the opportunity to switch off that infrastructure, which has | :23:15. | :23:19. | |
bigger locations for American society. I we facing the same level | :23:20. | :23:25. | |
of threat? Has our ambition should be penetrated to that extent and, if | :23:26. | :23:30. | |
so, what can we do to deal with that, given that the US defence | :23:31. | :23:35. | |
science board was saying that it would take at least ten years for | :23:36. | :23:41. | |
the US to rectify that position? The honest answer to your question is | :23:42. | :23:46. | |
that no one knows. You can take some confidence and things that happen, | :23:47. | :23:53. | |
but with the US, they did not know what had happened until it became | :23:54. | :23:58. | |
clear. Part of the challenge for the national shattered G is that this is | :23:59. | :24:05. | |
an area that is very fast and one thing that needs to be thought about | :24:06. | :24:09. | |
in the context of the national strategy is the five-year cycle may | :24:10. | :24:15. | |
not be rapid and off to deal with the world as it develops. Our | :24:16. | :24:20. | |
dependencies in the digital world as they develop is much faster than | :24:21. | :24:24. | |
that five-year rhythm. We might need to think about a new more agile | :24:25. | :24:30. | |
approach to revisiting the strategy. I have a different perspective which | :24:31. | :24:35. | |
is that a lot of the things we are calling for, new regulation or extra | :24:36. | :24:40. | |
cyber defence, take a while to build. There will always be in | :24:41. | :24:50. | |
anxiety. If you shorten the life cycle, you will not have data on | :24:51. | :24:55. | |
whether they will work and deliver. That would be shrinking it to | :24:56. | :25:01. | |
something like three years. It's critical national infrastructure | :25:02. | :25:04. | |
compromise to the same extent? I don't think the companies would be | :25:05. | :25:09. | |
willing to comment on client relationships, but it is courtesy | :25:10. | :25:16. | |
that most organisations, when facing threat, will face some incursion. | :25:17. | :25:23. | |
These actors have many cyber operatives and they will target | :25:24. | :25:25. | |
everything, so we need to be prepared for that. I don't know if | :25:26. | :25:31. | |
we are doing the stress tests we need to do to make sure we are | :25:32. | :25:37. | |
prepared. We cannot survive major rainstorm sometimes, so can we | :25:38. | :25:41. | |
really survive is possible attacks? I do not think they are likely, but | :25:42. | :25:47. | |
they are possible. We always have to come to a mindset where we accept | :25:48. | :25:53. | |
that at some point we will be compromise, still a mindset nuisance | :25:54. | :25:57. | |
are looking at how you respond to those kind of attacks. The aggressor | :25:58. | :26:03. | |
only missed event when we enter an organisation, the defendant is to | :26:04. | :26:08. | |
defend against every single attack, so there is asymmetry there. When | :26:09. | :26:15. | |
the debt landscape as much as cover technology but also people and | :26:16. | :26:18. | |
process, that is a really large landscaped to try and protect. We | :26:19. | :26:24. | |
are targeted as employees of the organisations that we work for, but | :26:25. | :26:30. | |
also people in the community, our wives and children, are also | :26:31. | :26:35. | |
targeted. If you take that as a starting point, assuming someone was | :26:36. | :26:43. | |
surely a day would get in, the focus would be on that ability to detect | :26:44. | :26:50. | |
and respond. Those of you who are working closely with the private | :26:51. | :26:54. | |
sector, some of whom are infrastructure providers that many | :26:55. | :26:58. | |
of whom are supplies to the infrastructure, water should | :26:59. | :27:02. | |
experience of the extent to which, without breaching confidentiality, | :27:03. | :27:10. | |
what is the extent to which you find they are already harbouring things | :27:11. | :27:15. | |
under systems that they may not know about and can do much about. Supply | :27:16. | :27:24. | |
chains since it gets very murky. The firm has to report to regulate, but | :27:25. | :27:28. | |
you can report what you know is true. What we are increasing see is | :27:29. | :27:34. | |
that they're looking at their supply chain as an area of risks to them. | :27:35. | :27:43. | |
How do they have the confidence that the smaller firm they have engaged | :27:44. | :27:46. | |
with connectivity into their environment will not launch an | :27:47. | :27:52. | |
attack? Today, that is where it is found wanting in many suppliers, the | :27:53. | :27:58. | |
reason is that they supply and magic widget, something very niche, but | :27:59. | :28:02. | |
they'd not have a fully fledged system because they are a | :28:03. | :28:12. | |
multidisciplinary firm. There is a supply chain that is a worry and a | :28:13. | :28:18. | |
lot of what we do is stand for a cost benefit analysis, and sometimes | :28:19. | :28:21. | |
you need to spend a lot more to ensure security. We feel are back | :28:22. | :28:30. | |
where often. To what extent are larger companies putting in criteria | :28:31. | :28:33. | |
for small suppliers to meet their obligations. Is being used by some. | :28:34. | :28:42. | |
There are contractual obligations but it is a written world card with | :28:43. | :28:51. | |
-- it is the written word, but then you can have any obligation to | :28:52. | :28:54. | |
inform if you wish but if you do not know you cannot tell them. The | :28:55. | :29:01. | |
reality is, you will not. You are outsourcing to them because they're | :29:02. | :29:06. | |
cheaper, or the very specialise, you're not contribute your own | :29:07. | :29:08. | |
requirements on them that will erode the saving you may make. Some | :29:09. | :29:17. | |
organisations are rethinking their organisational decisions. Cyber | :29:18. | :29:22. | |
security may not be a technical issue is much as how you structure | :29:23. | :29:27. | |
your processes. The number of dependencies you have on others is a | :29:28. | :29:33. | |
key part of your risk. Some of the outsourcing and supply chain | :29:34. | :29:35. | |
decisions that have been made in the past, which have been driven by | :29:36. | :29:40. | |
cost, some of those will need to be rethought and organisations will | :29:41. | :29:43. | |
need to reconfigure themselves so they have more control over those | :29:44. | :29:47. | |
processes end to end. They will never be able to eliminate supply | :29:48. | :29:53. | |
risk, and the comment feature of all cyber attacks is that they go for | :29:54. | :29:58. | |
the suppliers and suppliers to suppliers, that can be a part of | :29:59. | :30:00. | |
that thinking. What we've seen over the last three | :30:01. | :30:09. | |
years is more intelligence led assurance frameworks, so rather than | :30:10. | :30:12. | |
looking at organisations straight on, we try to look at the other | :30:13. | :30:16. | |
interconnecting elements around the organisation. Maybe not as | :30:17. | :30:19. | |
far-reaching as supply chain, but certainly looking outside | :30:20. | :30:23. | |
conventional tech within the UK. We will also see a growing number of | :30:24. | :30:29. | |
attacks that have relevance to the UK that target subsidiaries and | :30:30. | :30:32. | |
other operating functions of the national organisations that are | :30:33. | :30:38. | |
outside of the UK. Doctor Morrison and Lord West. With General data | :30:39. | :30:44. | |
protection regulations changing next year and the big fines that some | :30:45. | :30:48. | |
will potentially introduce, will that affect the supply chain that | :30:49. | :30:53. | |
has been discussed, and will it alter behaviour significantly or | :30:54. | :31:02. | |
not? Yes, I think there are certain firms today that are very anxious | :31:03. | :31:07. | |
about GDP are becoming active, and that will drive more of an invasive | :31:08. | :31:17. | |
look at certain suppliers that process personally identifiable | :31:18. | :31:24. | |
information, definitely. One of the things to watch, in general data | :31:25. | :31:29. | |
protection, it provides a strong regulation of personal information, | :31:30. | :31:35. | |
though many of the cyber attacks that my concern this committee from | :31:36. | :31:38. | |
a national security perspective might be less about consumer | :31:39. | :31:42. | |
information and more about attacking infrastructure and military | :31:43. | :31:45. | |
processes and disrupting processes. So there is a strong regulatory | :31:46. | :31:50. | |
regime around consumer information and we need to watch it does not | :31:51. | :31:56. | |
skew co defences do over focus on that and not thinking about | :31:57. | :32:01. | |
disruption to processes. Would there be public health problems in | :32:02. | :32:04. | |
accessing data? Absolutely there would be. I should declare an | :32:05. | :32:11. | |
interest that I am chairman of a company that works in the cyber | :32:12. | :32:16. | |
area. And I also speak a lot on cyber as well, for which I get a bit | :32:17. | :32:21. | |
of loot, which is quite nice. The question Lord Harris was asking, and | :32:22. | :32:27. | |
the report, and I read it as well, is actually saying there are lines | :32:28. | :32:32. | |
of code already in masses of the software within whole areas of the | :32:33. | :32:42. | |
US that can be sparked but we don't know how. What I want to run on from | :32:43. | :32:46. | |
there is, how dangerous do you think it is that switching pieces of gear | :32:47. | :32:53. | |
are incorporated in masses of systems and we don't know how the | :32:54. | :32:57. | |
upgrades go unless we put people onto it to look at it closely, but | :32:58. | :33:04. | |
now Chinese firms are taking the largest data centre in the UK may | :33:05. | :33:08. | |
have taken over the largest CCTV company in Europe, and with the | :33:09. | :33:13. | |
Internet of things, we know what you can do with CCTV remotely. How much | :33:14. | :33:20. | |
of a threat or danger does the panel see that as, particularly when one | :33:21. | :33:23. | |
takes into account these lines of code which we find at times, we go | :33:24. | :33:28. | |
in and say we did not know it was there, so how much of a threat do we | :33:29. | :33:36. | |
think this is? Pure software quality will outstrip by an ordinary | :33:37. | :33:42. | |
magnitude, so any back door being introduced into the line of code, | :33:43. | :33:45. | |
the number of unintentional weaknesses present in software and | :33:46. | :33:48. | |
hardware systems today far outweigh them, and that again is it as | :33:49. | :33:56. | |
economics driving it, quality assurance, good architectural | :33:57. | :33:58. | |
principles, all of these things in a lot of cases don't make sound | :33:59. | :34:03. | |
commercial sense, so we can attribute that to malice, but | :34:04. | :34:07. | |
sometimes we can attribute it to pure neglect. You did not quite | :34:08. | :34:11. | |
answer my question about whether these companies not doing this is an | :34:12. | :34:15. | |
issue? I think it is an issue but for those capable of bringing that | :34:16. | :34:22. | |
force, those same systems will be vulnerable to many, many other | :34:23. | :34:24. | |
things which were not introduced by those actors and I would be more | :34:25. | :34:29. | |
worried about that, especially when we talk about the Internet of | :34:30. | :34:33. | |
things, because those products we expect to have a half life of | :34:34. | :34:36. | |
between three or ten years on the outside, a very cheap price point. | :34:37. | :34:42. | |
Where do we think firms can produce to that point? They don't have sound | :34:43. | :34:46. | |
security and engineering, which is why we are seeing almost the | :34:47. | :34:49. | |
regression of what we have learned over the last 30 years in terms of | :34:50. | :34:55. | |
security design being undone with the advent of IOT because we are | :34:56. | :34:59. | |
moving away from three or four massive multinationals that can | :35:00. | :35:02. | |
invest in cyber security implementation too many smaller | :35:03. | :35:07. | |
manufacturers churning products out as quickly as they can. So there is | :35:08. | :35:11. | |
not one company held to account and you are not going to cut off an | :35:12. | :35:14. | |
entire country from supplying you today. I think you can assume there | :35:15. | :35:21. | |
is definitely a threat from the lines of code as you describe it. | :35:22. | :35:26. | |
But there is equally a thread from people and process. If you look at | :35:27. | :35:30. | |
the worm that targeted a load of IOT equipment at the end of last year, a | :35:31. | :35:34. | |
lot of what it did to propagate initially was just use weak | :35:35. | :35:40. | |
credentials. So when we are faced with problems of people choosing bad | :35:41. | :35:45. | |
passwords and bad user are not putting any kind of security | :35:46. | :35:48. | |
configuration onto devices, that is where we should be focusing. That is | :35:49. | :35:53. | |
the low hanging fruit. We need to think about the coward that powers | :35:54. | :35:56. | |
the systems but it's more than technology alone. Why did the | :35:57. | :36:02. | |
Americans say they would not use it? Why do Australia say that? If it is, | :36:03. | :36:06. | |
as you say, they are both buffoons and they are not doing it correctly? | :36:07. | :36:14. | |
The UK did a compensating control by creating the Secure site. Week at a | :36:15. | :36:19. | |
commercial agreement with Huawei to have UK people to do the diligence | :36:20. | :36:26. | |
on the code -- week at a commercial agreement. So instead of cutting off | :36:27. | :36:30. | |
entirely, we realised the benefits but there was a compensation in risk | :36:31. | :36:35. | |
controls by having those individuals being British National is reviewing | :36:36. | :36:37. | |
the products that they are producing. Just a very quick point. | :36:38. | :36:48. | |
Do you think it is possible that American concerns about some Chinese | :36:49. | :36:53. | |
companies like Huawei are caused by competition factors, and they don't | :36:54. | :36:57. | |
really want Huawei in the market? I take silence as consent. There is a | :36:58. | :37:04. | |
certain amount of prudence in avoiding the mistakes of the past | :37:05. | :37:07. | |
that we have done in terms of the intelligence of the past and making | :37:08. | :37:11. | |
sure we do not diversify that much. That has been the path forward, to | :37:12. | :37:15. | |
be careful about what we let in, and I'm not so much worried about lines | :37:16. | :37:19. | |
of code, I'm worried about the hardware, something we are reluctant | :37:20. | :37:26. | |
to change through time. I think we need to recognise from a national | :37:27. | :37:29. | |
security strategy perspective, in the UK this is an area where we are | :37:30. | :37:33. | |
in a position of weakness because we don't have our own technology supply | :37:34. | :37:37. | |
base in the UK manufacturing the core infrastructure we need, and | :37:38. | :37:40. | |
other countries have the luxury of having that supply base. The | :37:41. | :37:50. | |
strategy contains a list of categories of cyber threats, so | :37:51. | :37:54. | |
cyber criminals, states and state-sponsored threats, terrorists, | :37:55. | :38:00. | |
hacker activists and what I gather are known as script kiddies. I would | :38:01. | :38:05. | |
be interested to hear the views of all of you as to whether it is | :38:06. | :38:09. | |
usable to categorise the threats in that way. Yes, in so much in that it | :38:10. | :38:16. | |
makes it real for both businesses and users, I guess, and maybe to | :38:17. | :38:20. | |
understand who they are trying to defend against and their motives. We | :38:21. | :38:24. | |
need some form of categorisation. That relatively core set is a good | :38:25. | :38:31. | |
measured balance from the archetypal teenager in their bedroom who is a | :38:32. | :38:36. | |
bit bored but massively inquisitive, through to what we see in the | :38:37. | :38:38. | |
Hollywood movies in terms of a nation state threat. It's really | :38:39. | :38:43. | |
critical in terms of method and target. Each threat will have | :38:44. | :38:50. | |
different methods and targets, so you could focus on critical | :38:51. | :38:54. | |
infrastructure attack, and that will be their target, information and | :38:55. | :38:57. | |
architecture. That division tends to be useful from passing out what we | :38:58. | :39:02. | |
need to protect and what is more critical and more important. Of | :39:03. | :39:06. | |
course the nation state is our more capable actor than the terrorist, | :39:07. | :39:11. | |
then the criminal, then the script kiddie, and the basic chaos person. | :39:12. | :39:16. | |
The only caveat their eyes I would mention the nation state. When we | :39:17. | :39:21. | |
communicate with clients we differ between established nation states | :39:22. | :39:25. | |
that understand the international norms of using this capability and | :39:26. | :39:29. | |
emerging nation states, those rapidly developing cyber capability, | :39:30. | :39:33. | |
who maybe not use the sanctions or anything else being placed on them | :39:34. | :39:36. | |
when they go too far or have other sticks wielded at them will stop | :39:37. | :39:41. | |
that is an important one, because the disincentives for those, as we | :39:42. | :39:47. | |
have seen in certain instances like Sony pictures, they will be quite | :39:48. | :39:52. | |
happy to use that capability with an aggressive affect. The only thing I | :39:53. | :39:56. | |
would caution is seeing them as two distinct. This is an area where | :39:57. | :40:02. | |
essentially it is a marketplace of anniversaries, and if you were a | :40:03. | :40:05. | |
nation state with a hugely sophisticated armoury and you wanted | :40:06. | :40:09. | |
to get access to a company, the first thing you might do is go via | :40:10. | :40:18. | |
access of a criminal forum. We see quite a lot of that potential | :40:19. | :40:26. | |
activity happening. We need to recognise that this is a marketplace | :40:27. | :40:30. | |
and the nation state can deploy a tool, and within days that tool can | :40:31. | :40:34. | |
be available for criminals to buy and use. We saw that with poison ivy | :40:35. | :40:36. | |
many years ago. That anticipates my many years ago. That anticipates my | :40:37. | :40:42. | |
next question and I'd be interested to hear from the rest of the panel | :40:43. | :40:45. | |
as the way you think the key overlaps are between the categories. | :40:46. | :40:50. | |
One of the things to pick up on an earlier point is the overlap is | :40:51. | :40:56. | |
definitely significant. It's becoming more and more significant. | :40:57. | :40:59. | |
The modus operandi might remain distinct, but the level of | :41:00. | :41:01. | |
sophistication and capabilities continually grow. So in the security | :41:02. | :41:10. | |
strategy will make reference to different levels of capability, and | :41:11. | :41:14. | |
you might say that organised crime units have a different level of | :41:15. | :41:16. | |
capability compared to nation states. But the gulf between those | :41:17. | :41:25. | |
is beginning to blur. What you might assume is that that will continue to | :41:26. | :41:29. | |
blur down, and when we look at people like script kiddies, who | :41:30. | :41:34. | |
today might be regarded as having on sophisticated tooling, they can | :41:35. | :41:37. | |
still have a significant impact on infrastructure. If we look at one of | :41:38. | :41:44. | |
the large breaches that took place against a telecoms provider a couple | :41:45. | :41:47. | |
of years ago, that was disproportionately devastating for | :41:48. | :41:52. | |
them from somebody who would have been regarded as a script kiddie but | :41:53. | :41:57. | |
had a large financial impact on that telecommunications provider. So I | :41:58. | :42:01. | |
don't think we can just assume that nation states are the only types of | :42:02. | :42:05. | |
entities that can inflict significant damage. The reality is, | :42:06. | :42:10. | |
all of them can. I would agree. On a technical level, organised crime and | :42:11. | :42:16. | |
the others are getting very close, if not the same in terms of what | :42:17. | :42:21. | |
they can unleash. The differences, generally, planning, coordination | :42:22. | :42:25. | |
and capacity to launch that is the difference when we talk about nation | :42:26. | :42:29. | |
states above organised crime. But on a purely technical level, going on | :42:30. | :42:34. | |
one engagement, they can be approximately level. They are not | :42:35. | :42:38. | |
getting that close. The real issue with Russia and China is they will | :42:39. | :42:41. | |
identify and utilise those people who have those capabilities and they | :42:42. | :42:45. | |
will identify them early and pull them out and tell them, if you don't | :42:46. | :42:48. | |
work for us, in addition to what you do in your day job, you will have | :42:49. | :42:53. | |
trouble. That is the real thing. There is no mythical cyber criminal | :42:54. | :42:56. | |
that just has these dramatic capabilities. Quite often what they | :42:57. | :43:01. | |
do, generally falls in line with what we call shrinkage, losses by | :43:02. | :43:06. | |
revenue or volume, so these dramatic attacks on looking at the American | :43:07. | :43:09. | |
cases that happen in the last ten years, the only one that went beyond | :43:10. | :43:13. | |
the shrinkage calculation was the Target attack. Can I stop you there? | :43:14. | :43:20. | |
I'm afraid we have a division in the Commons. I do apologise. Order, | :43:21. | :43:24. | |
order, I am adjourning the committee for 15 minutes. Mr de Villiers you | :43:25. | :43:31. | |
are cut off, but had you almost finished your questions? -- Mrs de | :43:32. | :43:38. | |
Villiers. Could I ask those briefly? A lot of the material I've seen so | :43:39. | :43:44. | |
far indicates that terrorists, while they have malevolent intent have | :43:45. | :43:49. | |
limited capacity in relation to cyber attacks. And yet we have these | :43:50. | :43:57. | |
relatively low-tech script kiddie type categories. How come those kind | :43:58. | :44:03. | |
of individuals, teenagers in their bedrooms can inflict harm that seems | :44:04. | :44:08. | |
to elude terrorist groups? Is there more scope for them? Should we be | :44:09. | :44:15. | |
worried about that overlap between the two categories in cyber security | :44:16. | :44:20. | |
responses? Are blue one reason historically attributed is | :44:21. | :44:27. | |
stability. Terrorists have instabilities in the lives of | :44:28. | :44:30. | |
physical environment which don't allow them to get access to the | :44:31. | :44:33. | |
education required all the facilities to do these things. But | :44:34. | :44:37. | |
you are right to say or highlight the risk. As we assume with | :44:38. | :44:44. | |
organised crime, young, capable individuals that are persuaded, | :44:45. | :44:47. | |
cajoled and otherwise influenced to undertake the activities at somebody | :44:48. | :44:51. | |
else's behest is a risk, and that is where we have to look at the | :44:52. | :44:54. | |
National Crime Agency and what they have been doing there in terms of | :44:55. | :44:57. | |
intervention, where they capture or identify young people that may be on | :44:58. | :45:02. | |
the wrong path, and they sit down with the parents or send a letter to | :45:03. | :45:06. | |
the parents to say, do you know what your son and daughter are up to, and | :45:07. | :45:09. | |
maybe you need to be a better parent? | :45:10. | :45:14. | |
If these individuals are successful that says more about our defects | :45:15. | :45:21. | |
than their success usually. These enterprises by young people, it is | :45:22. | :45:28. | |
like that is competition, but they're injuring nature of attack is | :45:29. | :45:35. | |
not their convicted terrorists. Terrorists have a problem with | :45:36. | :45:40. | |
infrastructure and education. That is a difference in terms of modus | :45:41. | :45:49. | |
operandi to this different groups. Often children want to attack | :45:50. | :45:51. | |
systems, but they do not care what the system is, they just want to try | :45:52. | :46:00. | |
it out to gain peer notoriety. That is slightly different to a terrorist | :46:01. | :46:04. | |
group that may have a specific focus on a specific set of end goals. It | :46:05. | :46:09. | |
is reasonable to assume that as technology develops and the people | :46:10. | :46:18. | |
who are practising these attacks develop their techniques, we will | :46:19. | :46:23. | |
see more terrorist attacks. One last question that takes you back to the | :46:24. | :46:28. | |
first questions you were acid the start of the session, which of the | :46:29. | :46:33. | |
categories in the 2016 review poses the biggest threat? Is that the | :46:34. | :46:39. | |
criminals, the state actors, or the other categories? In terms of | :46:40. | :46:48. | |
availability, long-term financial health, the United Kingdom, you have | :46:49. | :46:51. | |
to take each of those on their merits. Patient states and long-term | :46:52. | :46:59. | |
viability of the nation, but it will be someone left field that will | :47:00. | :47:02. | |
cause the unforeseeable to happen and stop nation states of the most | :47:03. | :47:10. | |
capable but the probability of those people targeting us is very low. The | :47:11. | :47:18. | |
main threat is cybercrime. What people are not talking about is what | :47:19. | :47:25. | |
we will do after Brexit. That is a question we need to dive into and I | :47:26. | :47:29. | |
have not seen a lot of positions on the impact of regulation, use of | :47:30. | :47:43. | |
Interpol and things like that. Given that there are so many signatories | :47:44. | :47:46. | |
to Interpol who are not member of the European Union, who else would | :47:47. | :47:57. | |
be affected? Idle what the impact of Brexit will be on Britain's cyber | :47:58. | :48:08. | |
security. To what extent do you think it is possible to distinguish | :48:09. | :48:12. | |
the source of cyber attacks? You have touched upon it already in some | :48:13. | :48:16. | |
of the remark she made. It is important obviously these sorts of | :48:17. | :48:24. | |
interventions and has a bearing upon what remains do collectively and | :48:25. | :48:33. | |
otherwise it is very dangerous to rely a natural Grecians and cyber | :48:34. | :48:38. | |
for doing that. It is a very hard problem to solve. Today we have | :48:39. | :48:47. | |
levels of confidence, we cannot say categorically that we now they | :48:48. | :48:55. | |
attributed these traits and modus operandi, but these are easy to | :48:56. | :49:04. | |
copy. Just because these things are coming from a country, it doesn't | :49:05. | :49:09. | |
mean it isn't coming from a person. I would always caution at your | :49:10. | :49:16. | |
patient. -- attribution. Adapters are no overstatement. Responsibility | :49:17. | :49:25. | |
is difficult. Finding the leader will very rarely be there. It is not | :49:26. | :49:35. | |
clear what that was. We have got good at getting better at and should | :49:36. | :49:40. | |
you should through the years. We are seeing more cyber attacks being used | :49:41. | :49:44. | |
to signal that states want is to know what they are doing so they can | :49:45. | :49:48. | |
push of the now certain way. I do not worry too much about | :49:49. | :49:56. | |
attribution. Tenet on individuals is very difficult, especially in Russia | :49:57. | :50:02. | |
and China. It is very difficult to attributed attacks. It is easy to | :50:03. | :50:12. | |
subvert a responder and point them in the wrong direction. If we look | :50:13. | :50:17. | |
at the attacks that occurred this year, and initially there was | :50:18. | :50:22. | |
narrative that looks like it was Russian and the rationales was that | :50:23. | :50:26. | |
there were some Russian words in some of the cold. The reality is | :50:27. | :50:32. | |
that it is not difficult to insert Russian code to make it look like | :50:33. | :50:39. | |
someone from another nation state. Things like are used -- things like | :50:40. | :50:49. | |
Tor are used to hide the people are coming from and proxies are common. | :50:50. | :50:55. | |
Sometimes it is only possible to attributed an attack back because | :50:56. | :50:59. | |
the hacker made a mistake. If the work effectively that is very | :51:00. | :51:04. | |
difficult. I would reflect those comments and see that it is an | :51:05. | :51:09. | |
intelligence activity that comes with varying degrees of confidence. | :51:10. | :51:16. | |
None of you will be recommending that we extend article five to the | :51:17. | :51:24. | |
sphere? There are numerous issues that would need to be worked through | :51:25. | :51:28. | |
and that is a hard area to work through. One possibility might be | :51:29. | :51:35. | |
that you'd respond like for like. It could be made more explicit that | :51:36. | :51:41. | |
anything one finds as a result of the intelligence that we have that | :51:42. | :51:46. | |
we believe is reliable, that a state actor in particular vision is | :51:47. | :51:50. | |
possible for something we have picked up. That is one possibility | :51:51. | :51:54. | |
because then you avoid the danger of the spiral effect. The Americans | :51:55. | :52:05. | |
respond with sanctions, they do not necessarily respond back with cyber | :52:06. | :52:08. | |
attacks because that might open Pandora's box. We do not want to do | :52:09. | :52:21. | |
that ourselves. Red-mac I do not want to be too pessimistic about | :52:22. | :52:33. | |
Article five if a country was to continue its assault, then it is | :52:34. | :52:38. | |
right for countries to get together. We can put on sanctions or other | :52:39. | :52:47. | |
things. Including cyber in article five is very sensible, sidled why | :52:48. | :52:53. | |
there is such an objection to it. Another view to consider, from the | :52:54. | :52:58. | |
British perspective, if a criminal organisation in the UK launches an | :52:59. | :53:04. | |
attack against a foreign entity and the UK was held responsible for it | :53:05. | :53:08. | |
rather than it being seen as criminal activity, then we might | :53:09. | :53:13. | |
feel differently. I hope that we would feel very guilty and get to | :53:14. | :53:19. | |
the bottom of who was doing it. In article five the should be physical | :53:20. | :53:25. | |
violence attack ATTACHED to it. If that was to happen then it would be | :53:26. | :53:33. | |
worth doing, at moment it is conjectured. One of the problems is | :53:34. | :53:43. | |
that the whole of the need to resume in general UN Security Council | :53:44. | :53:48. | |
resumed is built around more conventional warfare, though it has | :53:49. | :54:00. | |
adapted. What I would like to hear from you is to what extent, | :54:01. | :54:08. | |
alongside attribution, do you believe that the environment has | :54:09. | :54:19. | |
become safer through the inclusion of collective defence under an | :54:20. | :54:22. | |
enlarging Nato since the inclusion of cyber Cayman? Is seen to me out | :54:23. | :54:28. | |
of the last year at the Warsaw Summit. Factor defence leads to | :54:29. | :54:40. | |
collective goal fence, which leads to escalation. They should be at | :54:41. | :54:45. | |
individual country. That is a threshold I hope we do not get far | :54:46. | :54:50. | |
enough to talk about. There is a case to be made because power is | :54:51. | :55:00. | |
generated in other places off the island. I climb to strategy make | :55:01. | :55:04. | |
sure that the country functions for certain things. -- a collective | :55:05. | :55:12. | |
strategy. Food and so forth can be impacted by cyber defence, so we | :55:13. | :55:17. | |
should look to take a collective approach. I wonder if it would be | :55:18. | :55:22. | |
possible to break down the different cyber threats into certain | :55:23. | :55:28. | |
categories. I have come up with three, but this may be inadequate | :55:29. | :55:33. | |
and I wonder if you think I'm missing anything here. The first | :55:34. | :55:39. | |
category is using cyber for the gathering of intelligence, whether | :55:40. | :55:48. | |
commercial or political or military. That is clearly something that | :55:49. | :55:52. | |
requires defending against, making sure your systems are as well | :55:53. | :55:58. | |
protected as they can be. The second is what was being talked about in | :55:59. | :56:01. | |
terms of the US election which is the use of cyber importers issue | :56:02. | :56:08. | |
additional methods with regard to any medication system for the | :56:09. | :56:09. | |
dissemination of propaganda and this dissemination of propaganda and this | :56:10. | :56:19. | |
information and misinformation. Your best weapon there is to get your own | :56:20. | :56:24. | |
messages out and expose the fact that your opponents have been doing | :56:25. | :56:30. | |
dirty tricks. The third one, which is the one that most concerns us in | :56:31. | :56:35. | |
relation to Nato, because the other two are bound to go on as long as | :56:36. | :56:39. | |
there is a cyber sphere, our tax that could paralyse societies and | :56:40. | :56:45. | |
for those, although you may try to prevent them, that is where the | :56:46. | :56:51. | |
concept of deterrence and the threat of retaliation would come in and | :56:52. | :56:54. | |
then I'm inclined to think that the doctor is right that they got to the | :56:55. | :56:59. | |
stage they would probably be conventional military action going | :57:00. | :57:04. | |
on at the same time anyway. Have I missed anything in terms of the | :57:05. | :57:08. | |
spectrum of threats that would not fall into one or other of these | :57:09. | :57:13. | |
categories? I've been writing a book on this topic. We divided cyber into | :57:14. | :57:24. | |
the activities, you included cyber information which is not | :57:25. | :57:27. | |
traditionally a part of it. In terms of cyber tactics, we divided by | :57:28. | :57:35. | |
espionage and manipulation of information. People can be looking | :57:36. | :57:44. | |
to destroy or sabotage the targets. That seems to be pretty | :57:45. | :57:47. | |
comprehensive in getting most nation state based cyber attacks. When you | :57:48. | :57:54. | |
get into the criminal sphere you're going to have different impacts, | :57:55. | :58:01. | |
equally large... I want to concentrate on defence because then | :58:02. | :58:04. | |
the issue arises of how you do something like this and the only way | :58:05. | :58:10. | |
to deter something is to have a threat of retaliation, which is both | :58:11. | :58:19. | |
unacceptable and unavoidable. Here it is not now and in the past, for | :58:20. | :58:25. | |
example, when the two new wars it was thought that the great threat | :58:26. | :58:30. | |
was gas warfare and saw a lot of resilience was Putin and every | :58:31. | :58:36. | |
household had a gas mask. It is accepted that why it did not happen | :58:37. | :58:40. | |
in the end is that the threat of massive retaliation by this country | :58:41. | :58:46. | |
was an effective deterrent. Can you envisage a threat of massive cyber | :58:47. | :58:56. | |
attack that would be effective in determining that third category that | :58:57. | :59:00. | |
I talked about, attacks that are intended to paralyse societies. In a | :59:01. | :59:10. | |
short word no. Academics disagree that it has never worked. The | :59:11. | :59:15. | |
problem is that you need to have credibility, you need to have some | :59:16. | :59:19. | |
sort of assurance that if someone does this there will be a response. | :59:20. | :59:23. | |
The main problem with cyber is that there is a lack of utility because | :59:24. | :59:27. | |
those weapons can be used against you. There is no issue of | :59:28. | :59:36. | |
retaliation. We can have cyber resiliency, we can have assurance | :59:37. | :59:41. | |
that there would be a response to any attack, but to ever be able to | :59:42. | :59:46. | |
prevent a cyber attack is almost impossible given those conditions | :59:47. | :59:51. | |
and what deterrence as an academic term arrears. | :59:52. | :59:57. | |
Just to last point is, when you say there is a belief deterrence has | :59:58. | :00:03. | |
never worked, I hope you're not suggesting in any field whatsoever, | :00:04. | :00:06. | |
because there is a strong belief that deterrence in form -- the | :00:07. | :00:13. | |
former Nato was effective for half a century, so if you're throwing out | :00:14. | :00:16. | |
is that you don't believe in deterrence in any sphere at all, you | :00:17. | :00:19. | |
are wasting your time with this audience. I hope that wasn't what | :00:20. | :00:28. | |
you were doing. But in terms of dealing with this particular | :00:29. | :00:41. | |
construct, surely the notion that a massive attack was taking place that | :00:42. | :00:45. | |
was trying to bring down a country, if that was going hand-in-hand with | :00:46. | :00:53. | |
conventional warfare, as you seem to think it would, then surely that | :00:54. | :00:57. | |
solves, for this category, the problem of identifying where the | :00:58. | :01:01. | |
massive attack is coming from, because of its part and parcel of a | :01:02. | :01:06. | |
conventional attack then the secrecy around where the cyber attack is | :01:07. | :01:09. | |
coming from will presumably have disappeared because we will know | :01:10. | :01:15. | |
whose tanks it is well simultaneously attacking. The real | :01:16. | :01:21. | |
problem with the military is a lack of one to use cyber tools because of | :01:22. | :01:25. | |
the risk involved. There's a low probability of using cyber tools in | :01:26. | :01:28. | |
any war game because of the risk of using them. There is no assurance | :01:29. | :01:32. | |
that the cyber tools will work so there has been yes -- less utility | :01:33. | :01:36. | |
to want to use that as a response to cyber attacks. Conventional | :01:37. | :01:43. | |
responses are something that should be made very clear, that if you do | :01:44. | :01:47. | |
this, there will be this sort of response, but no government I'm | :01:48. | :01:50. | |
aware of as clearly said that this is what will happen if there is a | :01:51. | :01:53. | |
massive cyber attack, and that's what needs to be done. If you want | :01:54. | :01:57. | |
to establish a series of workable deterrence, that is. We have seen | :01:58. | :02:03. | |
evidence of certain nation states launching attacks against particular | :02:04. | :02:12. | |
sectors. There was a country that launched a financial attack against | :02:13. | :02:15. | |
various countries, or they tried to. Surry? Are you referring to Israel | :02:16. | :02:23. | |
or Saudi Arabia? No, Iran. The concern we have when we think of the | :02:24. | :02:29. | |
responses, we have heard the word asymmetry a lot. Our susceptibility | :02:30. | :02:33. | |
versus the susceptibility of the source to a corresponding cyber | :02:34. | :02:37. | |
attack might be far less because of their own dependence on technology | :02:38. | :02:41. | |
might just be far less. That has to be a key consideration and that is | :02:42. | :02:46. | |
why would have to consider other responses be they sanctions, etc | :02:47. | :02:49. | |
because it simply won't work against the target. One final point on the | :02:50. | :02:57. | |
attribution of deterrence, if you place yourself as someone who wanted | :02:58. | :03:01. | |
to do harm to the UK you might imagine a scenario where you chip | :03:02. | :03:07. | |
away and gradually increase the level of attacks without | :03:08. | :03:10. | |
conventional attacks being part of it and you confuse the attribution, | :03:11. | :03:15. | |
so you undermined and weakened before you use other attack | :03:16. | :03:20. | |
mechanisms as well. Can I just say to everybody that we are getting | :03:21. | :03:26. | |
short of time and there is likely to be another division in the Lords, | :03:27. | :03:29. | |
and who knows if there will be another in the Commons, so good I | :03:30. | :03:33. | |
urge colleagues to make their questions and witness replies as | :03:34. | :03:39. | |
brief as possible? It is to continue with a point from Doctor Lewis. One | :03:40. | :03:44. | |
of the problem seems to me that countries don't even know what their | :03:45. | :03:48. | |
own vulnerability is. They are scared to get into the tit-for-tat | :03:49. | :03:51. | |
with other countries because they haven't really calculated what it | :03:52. | :03:55. | |
sees and the other factor seems to me is there an intelligence balance. | :03:56. | :04:01. | |
There are lots of countries in the world where we march at will through | :04:02. | :04:06. | |
their Computerworld, allegedly, and we march at will through the whole | :04:07. | :04:09. | |
thing and there is a massive intelligence balance so there is a | :04:10. | :04:12. | |
constant argument that if you don't know that bit you don't know what | :04:13. | :04:18. | |
the president is saying to his Pope, so I do agree that those | :04:19. | :04:22. | |
calculations that are tricky. -- to his Po. The first point is | :04:23. | :04:27. | |
understanding the true vulnerability today is one of the biggest | :04:28. | :04:28. | |
concerns. We've had a very interesting | :04:29. | :04:42. | |
presentation from Doctor Mc Cormack about how cyber has become a | :04:43. | :04:48. | |
military weapon, potentially. Leaving aside the various points | :04:49. | :04:57. | |
made about the unlikelihood of cyber being a principal weapon, | :04:58. | :05:02. | |
nevertheless by virtue of the fact that in 2013 the then Secretary of | :05:03. | :05:07. | |
State for Defence, Philip Hammond, announced we would gauge -- engage | :05:08. | :05:14. | |
in offensive cyber, to what extent do you think this is something, as | :05:15. | :05:21. | |
Doctor Mc Cormack suggests, should be matter of public debate bearing | :05:22. | :05:25. | |
in mind that when the Secretary of State made his remarks to the | :05:26. | :05:31. | |
Commons he said much of the action will not be in the public domain. | :05:32. | :05:36. | |
And, indeed, it's been suggested that the necessary secrecy | :05:37. | :05:40. | |
surrounding cyber weapons undermines its credibility. If it is to be a | :05:41. | :05:47. | |
deterrent, if people out there, potential enemies out there | :05:48. | :05:54. | |
understand we will retaliate with a cyber attack, it needs to be | :05:55. | :05:58. | |
credible. To be credible, it has to be known about. How do policymakers | :05:59. | :06:05. | |
managed to juggle -- juggle this? It's quite interesting, does it have | :06:06. | :06:12. | |
to be known about? Can you measure a country's or infer their cyber | :06:13. | :06:16. | |
capability by the health of its industry? If you look at Israel in | :06:17. | :06:20. | |
terms of what they are amassing in terms of the private sector | :06:21. | :06:23. | |
capability and you make the logical leap in terms of what makes the | :06:24. | :06:27. | |
skate -- state capability, can you do something similar with the UK? So | :06:28. | :06:33. | |
without having to disclose your hand entirely, by having a buoyant injury | :06:34. | :06:37. | |
-- industry that can reduce these things in the private sector you can | :06:38. | :06:42. | |
probably jump to what the adversarial is. Credibility is about | :06:43. | :06:46. | |
willingness to use a weapon and that is a major problem we have had, | :06:47. | :06:50. | |
because in the American experience they are considering using lawyers | :06:51. | :06:54. | |
with every unit because of the immense implication for civilian | :06:55. | :06:59. | |
space, so if we start to use cyber tools in the military, how much do | :07:00. | :07:03. | |
we need to train these people in terms of the legal ramifications, | :07:04. | :07:07. | |
but also the difficulties in training if the entire operation is | :07:08. | :07:10. | |
secret. They don't know how to train because there's no qualified | :07:11. | :07:13. | |
teachers to train the units at that level, so it becomes a huge problem. | :07:14. | :07:18. | |
Credibility is more about willingness to use a weapon, and we | :07:19. | :07:22. | |
really willing to use it at this level and I'm not sure the West is. | :07:23. | :07:27. | |
We also have to worry about proliferation. In terms of what we | :07:28. | :07:30. | |
are talking about in terms of a weapon, it could be hundreds of | :07:31. | :07:36. | |
thousands or millions of Americans things on a USB stick, and we have | :07:37. | :07:41. | |
seen some devastating links in the North American programmes. That will | :07:42. | :07:44. | |
always be a consideration. As you lower the bar of entry in terms of | :07:45. | :07:50. | |
who can use it in a defence force in a country, what safeguards are there | :07:51. | :07:54. | |
around it, that won't leave them open? I would just add that this is | :07:55. | :08:02. | |
an area where as soon as you publish details of your technique, you have | :08:03. | :08:08. | |
rescinded the value of that technique, so there has to be a | :08:09. | :08:12. | |
degree of secrecy around the defence of psycho -- cyber capability. And | :08:13. | :08:16. | |
some of the leaks we have talked about earlier, whilst potentially | :08:17. | :08:22. | |
very damaging to our security agencies, they have reinforced the | :08:23. | :08:24. | |
credibility of what their capability has been and buying is -- and by | :08:25. | :08:31. | |
extension continues to be. I don't think the credibility capability an | :08:32. | :08:36. | |
issue. I would add, if you have a genetic weapon, it can be there, or | :08:37. | :08:40. | |
there, but not in both places at the same time. With a cyber weapon, in | :08:41. | :08:44. | |
theory, it can exist in multiple places. We saw at the beginning of | :08:45. | :08:49. | |
March the disclosure by WikiLeaks which talked about a whole load of | :08:50. | :08:54. | |
cyber tools that had been collected allegedly by the US. And as much as | :08:55. | :09:02. | |
they might have been able to use the arsenal against their adversaries, | :09:03. | :09:04. | |
now that has been disclosed, theoretically they could be used | :09:05. | :09:08. | |
against them, and that is one of the challenges of cyber warfare. So your | :09:09. | :09:12. | |
verdict is we should be having a debate about the management the | :09:13. | :09:23. | |
weapon system? If it is to be made more widely available, then yes. | :09:24. | :09:27. | |
There is no division between military and civilian space. The use | :09:28. | :09:31. | |
of this weapon is entirely difficult and problematic because of the | :09:32. | :09:34. | |
involvement of civilians and the possibility of war crimes. That is | :09:35. | :09:43. | |
the real issue here. We hear about -- a lot about the Internet of | :09:44. | :09:50. | |
things and we did have a briefing by Melissa Hathaway who has worked with | :09:51. | :09:55. | |
President Obama and president Trump, I believe, but one of the things she | :09:56. | :10:01. | |
said which was quite amazing to me was that by 2020 is it expected | :10:02. | :10:05. | |
there will be 50 billion devices, globally, attached to the Internet. | :10:06. | :10:10. | |
People I've spoken to think this is a massive understatement. I just | :10:11. | :10:15. | |
wanted to get your reaction. Is this all hype? The prospect of our | :10:16. | :10:21. | |
televisions being a Trojan horse to spy on us, or do you take it | :10:22. | :10:26. | |
seriously? It's going to be a thing. We are seeing smart meters and other | :10:27. | :10:30. | |
benefits in this country, so now that your boiler can report that it | :10:31. | :10:35. | |
is starting to degrading performance, so when the engineer | :10:36. | :10:39. | |
comes out they just replace a part proactively, these are the upsides | :10:40. | :10:42. | |
companies will see from the Internet of things. The connected vehicles, | :10:43. | :10:47. | |
before autonomous vehicles, we are seeing a proliferation of these. | :10:48. | :10:52. | |
There are all these functionalities, so we have to accept that our lives, | :10:53. | :10:57. | |
infrastructures, CDs and buildings will be connected to the Internet -- | :10:58. | :11:04. | |
cities. I would add to that and say one thing that needs to be | :11:05. | :11:07. | |
considered as part of the security strategy going forward is a consumer | :11:08. | :11:10. | |
protection angle for these Internet of things. Much of what we bring | :11:11. | :11:18. | |
into our homes, various consumer protection legislation around it, | :11:19. | :11:21. | |
and how could it be extended to protect both of us as individuals | :11:22. | :11:25. | |
from the connected things that are going to be within our houses, but | :11:26. | :11:28. | |
they also connect society and protect them from the Mass effect. | :11:29. | :11:37. | |
One thing I can say is while there will be a proliferation of connected | :11:38. | :11:40. | |
devices, there is something to be said about complexity breeding a | :11:41. | :11:45. | |
problem and being able to attack it. Complexity can make is more safe in | :11:46. | :11:48. | |
some ways. The more things that are connected are less worried that | :11:49. | :11:53. | |
people are about things being disconnected, so that's something to | :11:54. | :11:57. | |
consider. It is inevitable, but it does not mean it is doomed. I would | :11:58. | :12:02. | |
say the risk is very different. If you look at conventional PCs and | :12:03. | :12:06. | |
laptops and smartphones, if one of those devices gets compromised there | :12:07. | :12:10. | |
is a fair chance because people interact on a daily basis they might | :12:11. | :12:14. | |
notice it is doing things that are a bit strange. If you think about the | :12:15. | :12:17. | |
connected device, video recorder, a web camera, broadly speaking people | :12:18. | :12:23. | |
only interact with them to do a specific function and if they are | :12:24. | :12:26. | |
running a bit slow it doesn't make them think it has been compromised. | :12:27. | :12:31. | |
What we see is consumers go out and buy these types of devices and buy | :12:32. | :12:34. | |
them based on their functionality, not on security, that should in | :12:35. | :12:38. | |
theory be built into them. So really what we have is a bit of a | :12:39. | :12:43. | |
disconnect. You have manufacturers trying to produce something as | :12:44. | :12:47. | |
quickly and cost effectively as they can, and users that really care | :12:48. | :12:50. | |
about functionality and security as an afterthought, so what you see is | :12:51. | :12:55. | |
that the risk is passed on from the manufacturer onto the consumer. One | :12:56. | :13:01. | |
of the things we see as an industry, and potentially government needs to | :13:02. | :13:04. | |
look at, is worker how we can manage the risk more effectively. Whether | :13:05. | :13:09. | |
it should be kite marks or standards that manufacturers of IOT devices | :13:10. | :13:16. | |
need to strive towards. Before regulation catches up, what we | :13:17. | :13:19. | |
managed to build in the intervening period gives us a chance. Things are | :13:20. | :13:23. | |
connecting everyday and there will be a legacy to contend with. Just | :13:24. | :13:33. | |
come back to something we discussed a bit earlier, the relation between | :13:34. | :13:38. | |
government and the private sector. There is a tendency to think that | :13:39. | :13:41. | |
government should be responsible for virtually everything and I'm sure | :13:42. | :13:46. | |
you gentlemen don't believe in that since you make a living advising the | :13:47. | :13:49. | |
private sector, so you don't necessarily believe government | :13:50. | :13:52. | |
should be trampling about in it too much. There are areas where | :13:53. | :13:58. | |
government is essential, National infrastructure, intelligence is | :13:59. | :14:02. | |
another. But surely across the private sector generally, government | :14:03. | :14:05. | |
should encourage companies to take steps to protect themselves and make | :14:06. | :14:08. | |
information available, but is there really a need for much more | :14:09. | :14:13. | |
intervention than that? Do we need legislation and regulation? I would | :14:14. | :14:17. | |
suggest it is probably not necessary. I remember President | :14:18. | :14:20. | |
Reagan saying the nine most dangerous words in English is, I'm | :14:21. | :14:23. | |
from the government and I'm here to help you. I wonder whether we are | :14:24. | :14:30. | |
getting to and upon government intervention? I would agree from the | :14:31. | :14:35. | |
perspective of almost the worst outcome, that would be the | :14:36. | :14:40. | |
government setting a whole load of requirements and becomes a | :14:41. | :14:42. | |
compliance exercise because that would drive the wrong behaviour in | :14:43. | :14:47. | |
the private sector. It would drive lawyers and compliance activity | :14:48. | :14:50. | |
rather than risk management. I think the government can be demanding in | :14:51. | :14:53. | |
terms of what it expects private sector in terms of principles. There | :14:54. | :14:59. | |
are principles you can expect them to adopt and across the public | :15:00. | :15:04. | |
sector as well. And you expect a degree of responsibility in stepping | :15:05. | :15:05. | |
up to those principles. In some areas that might be embedded | :15:06. | :15:16. | |
in legislation or code of conduct. There are many policy tools | :15:17. | :15:22. | |
available. It will be unlikely to require legislation as there are | :15:23. | :15:25. | |
already many policy tools the Government can use. If you look at | :15:26. | :15:33. | |
what the Bank of England has managed to achieve with the critical | :15:34. | :15:38. | |
economic functions of our country, you do not tell them what to do, | :15:39. | :15:43. | |
they just say they want independent evidence that they are able to be | :15:44. | :15:51. | |
resilient against an attack. That is simulated every 3-4 years, but it | :15:52. | :15:55. | |
gives them the assurance that the institutions are maintaining the | :15:56. | :16:01. | |
appropriate capability. They want independent assurance that they are | :16:02. | :16:07. | |
doing the right thing. If you pick Government into private transactions | :16:08. | :16:10. | |
it becomes responsible physician 's actions and that is the problem. We | :16:11. | :16:15. | |
need clear lines of oversight and control. If this happens, this is | :16:16. | :16:23. | |
who you should consult an go to. If we look at three different | :16:24. | :16:28. | |
frameworks, some of which are regulations, we see a lot of | :16:29. | :16:32. | |
organisations looking at EPR, because it will come into effect. It | :16:33. | :16:38. | |
is driving his ear in our organisations. If it did not exist | :16:39. | :16:42. | |
some of that focus on disclosure probably would not be happening | :16:43. | :16:47. | |
today. If we look at cyber essentials, we have a great idea and | :16:48. | :16:56. | |
it is aimed at a large part of the population that has significantly is | :16:57. | :17:00. | |
a vulnerability. But the adoption levels are not where anyone would | :17:01. | :17:06. | |
want them to be. How do you bridge that gap? A lot of the organisations | :17:07. | :17:11. | |
that have gone through cyber essentials, look at it like a click | :17:12. | :17:16. | |
box exercise, I need to do this I can report I have done it. The ones | :17:17. | :17:21. | |
that have not done it, they do not understand the threat. They never | :17:22. | :17:28. | |
think they will be targeted. We need to have more of a debate about | :17:29. | :17:33. | |
is there a way of building things is there a way of building things | :17:34. | :17:37. | |
into supply chains or through procurement frameworks. We cannot | :17:38. | :17:47. | |
just have a framework that people look at and do not bother. It isn't | :17:48. | :17:53. | |
the self-interest of the company to do this. In the US, the companies | :17:54. | :18:01. | |
I'm involved with take cyber security very seriously. They are | :18:02. | :18:09. | |
not told today by the Government, they are accountable to the | :18:10. | :18:14. | |
Government. Is that the right way? It is the environment they work in. | :18:15. | :18:21. | |
We do not have a cultural mirror. If we did I think organisations we take | :18:22. | :18:23. | |
a long and hard look at themselves. Many boards around the country do | :18:24. | :18:42. | |
not understand the risk. They think it is technology centric and it is a | :18:43. | :18:47. | |
function of IT departments, when in reality it is wider than that. If | :18:48. | :18:53. | |
you understand what the rescuers, is not a surprise that they do not work | :18:54. | :19:06. | |
as well as we planned. I think one of the challenges is that as our | :19:07. | :19:10. | |
digital world involves investing money in building controls will no | :19:11. | :19:19. | |
longer be adequate and that will involve some hard decisions. That is | :19:20. | :19:29. | |
where existing mindsets where we can tell them to build a set of controls | :19:30. | :19:33. | |
and report back to us, that will not be sufficient. Just another | :19:34. | :19:40. | |
question, is the Government right to be bullying big IT companies? I | :19:41. | :19:50. | |
think the question of rule of law in the digital world jives the criteria | :19:51. | :19:58. | |
that existing balance. We need now is to protect us and in force the | :19:59. | :20:04. | |
rule of law, they need to have some terrifying capability available to | :20:05. | :20:16. | |
them but the rule of losses that is constraint and it demands its | :20:17. | :20:22. | |
misuses constraints. In the digital world you cannot Nessus violate | :20:23. | :20:26. | |
constraint the misuse of some of the capabilities that might be required | :20:27. | :20:30. | |
by law enforcement. A policeman have guns and we are grateful for that | :20:31. | :20:36. | |
and the potential for Ms Lewis -- the potential for misuse is small. | :20:37. | :20:46. | |
The potential I misuse by criminals of the vulnerabilities discovered is | :20:47. | :20:53. | |
much greater. I do not think you can look at one of those criteria in | :20:54. | :21:00. | |
isolation. I would say that goes beyond cyber. It is an ethical and | :21:01. | :21:06. | |
moral question. I have been at conferences where questions have | :21:07. | :21:08. | |
been opposed to the audience about what is more important, privacy or | :21:09. | :21:15. | |
protection. I do not think that is a clear answer. People want both. | :21:16. | :21:22. | |
Sometimes you want one more than another, but they both have their | :21:23. | :21:27. | |
place. It is called having your cake and eating it. English real they are | :21:28. | :21:35. | |
willing to sacrifice more privacy for security, but are we willing to | :21:36. | :21:43. | |
do that? If you make sure that messaging applications cannot using | :21:44. | :21:46. | |
correction, consumers are going to move to another platform, just as | :21:47. | :21:53. | |
they did when the digital music platforms, they moved to other forms | :21:54. | :21:59. | |
of communication. End-to-end encryption was weekend and cyber | :22:00. | :22:06. | |
security, the options available to cyber criminals and so on would be | :22:07. | :22:16. | |
increased. That is correct. We have one example of where a regulator has | :22:17. | :22:23. | |
taken a very assertive approach to the systems at the centre of this, | :22:24. | :22:31. | |
financial services. There are reasons why given the failure is in | :22:32. | :22:38. | |
that sphere, by the regulator has taken this approach. There is a | :22:39. | :22:41. | |
broad spectrum across other regulators as to the extent to which | :22:42. | :22:45. | |
they feel this is an issue they need to get involved with. Are there any | :22:46. | :22:50. | |
particular gaps or the regulator you can think of that should be looking | :22:51. | :22:54. | |
at this more seriously than they are at the moment? We see today that all | :22:55. | :23:04. | |
major regulators understand the challenge, but they are forming | :23:05. | :23:11. | |
their own views. They are not doing it in isolation. Everyone recognises | :23:12. | :23:16. | |
the threat, the challenge we have a certain sectors, if we take energy | :23:17. | :23:23. | |
for example, we have the National Grid comes through tyres, so there | :23:24. | :23:30. | |
will be hard decisions. Do you want more cyber security? You will have | :23:31. | :23:37. | |
two pass the cost on somewhere. Those will be some of the frictions | :23:38. | :23:43. | |
we ran into as opposed to legislators being asleep at the | :23:44. | :23:49. | |
wheel. Regulators focus on the companies that they regulate. Those | :23:50. | :23:54. | |
companies have dependencies on other companies and providers and | :23:55. | :23:57. | |
infrastructure. The attackers do not just attack the regulator company, | :23:58. | :24:05. | |
the attack everything around it. Just focusing on the regulated | :24:06. | :24:09. | |
companies is not going to drive results, it needs to be all business | :24:10. | :24:16. | |
understanding their role in society. I wonder if I could move on to the | :24:17. | :24:21. | |
question about the cyber Security Centre, because we have covered the | :24:22. | :24:28. | |
earlier question. The national cyber Security Centre has been announced | :24:29. | :24:37. | |
as the linchpin in the Government's engagement with the private sector. | :24:38. | :24:40. | |
Is the Government being realistic about what can be achieved by what | :24:41. | :24:47. | |
is at the present moment a small organisation, or does it need to be | :24:48. | :24:51. | |
expanded to taken into account all the dialogue that you think should | :24:52. | :24:58. | |
be taking place? I think they would say the same things themselves, the | :24:59. | :25:02. | |
Government has taken an innovative step into looking to allow | :25:03. | :25:06. | |
innovation to drive policy and to work in partnership with the private | :25:07. | :25:12. | |
sector and industry and the public sector organisations. This is | :25:13. | :25:24. | |
absolutely the right step. Too much too early has always been a distinct | :25:25. | :25:27. | |
risk where they were given too much Ruben Loftus-Cheek number turn on | :25:28. | :25:32. | |
investment. With the initiatives that they have the building the | :25:33. | :25:35. | |
foundations and have the foundations of what will be a critical function | :25:36. | :25:45. | |
within our country. It is a big aspiration but a very welcome one. | :25:46. | :25:53. | |
We have relationships with the Cabinet Office and have an | :25:54. | :25:58. | |
opportunity to engage with a part of Government that consolidates a lot | :25:59. | :26:01. | |
of ideas. That makes for much more joined up thinking. That is well | :26:02. | :26:05. | |
received. That is encouraging. Perhaps you could pick up the last | :26:06. | :26:27. | |
question? Vote where have we got to? -- where have we got to? I am keen | :26:28. | :26:36. | |
to ask number 14. When I introduced the first cyber security strategy, | :26:37. | :26:42. | |
one area I hopes to make better was using the insurance industry and | :26:43. | :26:49. | |
time that in so there was a cost aspect to it. That does not seem to | :26:50. | :26:53. | |
have happened as much as I hoped it would. Do you think it is a useful | :26:54. | :26:59. | |
and important thing to do? When I was working on the banks on the | :27:00. | :27:04. | |
stock exchanges, after the big hit on the New York Stock Exchange is, | :27:05. | :27:12. | |
we went for a double by an electric for logon. Do you think that this | :27:13. | :27:25. | |
login is a useful thing? On the cyber insurance, I would say the | :27:26. | :27:31. | |
market needs to mature. We have done quite a lot of work with insurance | :27:32. | :27:35. | |
companies and I have worked a lot with actuaries and the market is | :27:36. | :27:43. | |
quite premature. The insurance companies are still working out how | :27:44. | :27:50. | |
to set premiums. In the US, you can buy and a certain area of risk that | :27:51. | :27:57. | |
you can ensure where there are more regimented responses to cyber | :27:58. | :28:08. | |
breaches. The challenges insurance means it is insurable. Double | :28:09. | :28:16. | |
biometric, the average citizen can login... There is a huge reliance on | :28:17. | :28:24. | |
passwords and services today and we see so many attacks exploiting weak | :28:25. | :28:31. | |
people and process around passwords. The world needs to move on beyond | :28:32. | :28:36. | |
the use of passwords. Whether that is biometrics or one use passwords, | :28:37. | :28:42. | |
however it works out, stronger methods of authentication required. | :28:43. | :28:49. | |
I think there is synergy with the cyber insurance sector, however it | :28:50. | :28:53. | |
is disappointing that we have not seen much of the take up we've have | :28:54. | :28:58. | |
imagined. You would imagine an insular with care about cyber risk | :28:59. | :29:02. | |
want to mitigate against it. They would want to understand how to have | :29:03. | :29:08. | |
a robust process to measure this before issuing a policy. That is not | :29:09. | :29:14. | |
ready focus appears to be. The insurers are more interested in what | :29:15. | :29:17. | |
happens after the breach and making sure that if an organisation has | :29:18. | :29:22. | |
been compromised from a cyber security perspective may have the | :29:23. | :29:26. | |
friends of the ability to go when and discover what has happened. If | :29:27. | :29:32. | |
there was one thing to take away, if the insurance sector could work more | :29:33. | :29:36. | |
closely with the cyber industry and encourage more organisations to look | :29:37. | :29:42. | |
at vulnerabilities as part of their policy renewal creation process, | :29:43. | :29:46. | |
there would be at the chance of that happening. | :29:47. | :29:51. | |
On cyber assurance we are also seeing things like blast furnace in | :29:52. | :29:58. | |
Germany, whether or not these could be sourced from cyber defence in the | :29:59. | :30:02. | |
future, and for those large policies, they are taking a serious | :30:03. | :30:07. | |
look, and I agree the market is not massive at this time. In terms of | :30:08. | :30:12. | |
your point about double biometrics, do remember that biometrics are not | :30:13. | :30:15. | |
secret and they can be copied. We have done work around copying | :30:16. | :30:21. | |
voices, fingerprints and faces and there will always be solutions we | :30:22. | :30:29. | |
employ. But it is difficult and that is why the stock exchanges and banks | :30:30. | :30:32. | |
did that and then they sent them passwords. To give you a flavour of | :30:33. | :30:37. | |
what is possible today, taking three high-resolution photos of somebody's | :30:38. | :30:42. | |
face, we got a 3-D facemask that would satisfy the current capability | :30:43. | :30:46. | |
in terms of facial biometrics. It only takes three photos, and for a | :30:47. | :30:52. | |
pop star that has social media activity, we have to consider this. | :30:53. | :30:58. | |
It's all is the responsibility problem quite well because you know | :30:59. | :31:03. | |
what the vulnerability is, but in many ways it causes more problems | :31:04. | :31:09. | |
than it is worth because the government biometric system in the | :31:10. | :31:12. | |
US is the worst thing that could happen is if you lose your card, and | :31:13. | :31:18. | |
how long it takes to replace it. I was hoping for an unequivocal bid | :31:19. | :31:27. | |
for an identity card. I am reminded forcefully of the term yesterday | :31:28. | :31:33. | |
whatever human ingenuity can devise, human ingenuity can find a way | :31:34. | :31:39. | |
around. Lady Faulkner? It was question 17 and I will comment after | :31:40. | :31:44. | |
Mrs de Villiers. We are not doing this the way we normally do, but if | :31:45. | :31:48. | |
there is something you want a passionate pick-up on the way down | :31:49. | :31:52. | |
to question 17, I will ask Mr de Villiers do ask that, and that will | :31:53. | :31:57. | |
be the final questions. -- Miss de Villiers. Is it a realistic goal to | :31:58. | :32:01. | |
try and get international agreement on a kind of Geneva convention for | :32:02. | :32:08. | |
cyberspace, to set norms for activities by states in cyberspace | :32:09. | :32:11. | |
and what do you think should be in it? It's a realistic goal. But does | :32:12. | :32:19. | |
it matter is the other question? Countries agree to things and they | :32:20. | :32:22. | |
don't mean to follow along with them. Having some sort of shared | :32:23. | :32:28. | |
standard of behaviour and a normative baseline is something we | :32:29. | :32:33. | |
need to try for but that is tough given the differences and | :32:34. | :32:35. | |
difficulties we have with Russia and China and how they operate in | :32:36. | :32:40. | |
cyberspace, which is diametrically opposed to how we do it, so it will | :32:41. | :32:44. | |
be a tough prospect and we see that from the UN GGE which has been | :32:45. | :32:50. | |
fraught with complications and a lack of involvement with critical | :32:51. | :32:54. | |
countries. Thereafter countries today that have a private sector | :32:55. | :32:58. | |
which, in the name of defence, have some quite aggressive tactics and | :32:59. | :33:04. | |
they earn a lot of money for those countries. It's not intellectual | :33:05. | :33:08. | |
property theft, its intelligence collection happening in the private | :33:09. | :33:10. | |
sector not at the behest of the government. Again, what is the | :33:11. | :33:15. | |
commercial incentive for them to sign up to these norms in what is an | :33:16. | :33:20. | |
immature market? What have we learned about warfare over the last | :33:21. | :33:25. | |
500 or 600 years? We now have a sector that is barely 30 years old. | :33:26. | :33:30. | |
You are sounding like a global politician and I would say there is | :33:31. | :33:33. | |
no harm in striving for something because often at a bilateral | :33:34. | :33:36. | |
agreement you would form along the way can be valuable in itself and | :33:37. | :33:41. | |
you might not achieve the end goal but you will certainly make progress | :33:42. | :33:45. | |
through dialogue, and we've seen examples with the UK, the US and | :33:46. | :33:48. | |
China where dialogue has made a difference. One caution I would have | :33:49. | :33:52. | |
is where we sign up with these things. We have to think of the | :33:53. | :33:57. | |
implications it has on the economic growth prospects of the UK. As a | :33:58. | :34:01. | |
private sector firm trying to do what we are trying to do, which is | :34:02. | :34:05. | |
not offensive by any stretch, we have been caught up somehow and had | :34:06. | :34:11. | |
to seek export licences for its technology because of its potential | :34:12. | :34:17. | |
jewel use application, for example. Lady Faulkner? You have touched on | :34:18. | :34:24. | |
China once or twice. Why do you think China is keen to sign up to | :34:25. | :34:28. | |
some sort of international norms? Is it because it will help it control | :34:29. | :34:34. | |
its own domestic agenda? Is it because it is concerned that its | :34:35. | :34:40. | |
capabilities won't be able to keep up with the developments once the US | :34:41. | :34:45. | |
and other star putting real money into it? What is China's motivation | :34:46. | :34:51. | |
in that case? -- and others start. It is decidedly different to the | :34:52. | :34:55. | |
Russian approach. If I was a betting person I would say that they are | :34:56. | :34:58. | |
sensing a change in the international attitudes and that | :34:59. | :35:02. | |
people are growing tired of their behaviour and they think there may | :35:03. | :35:06. | |
be a ratcheting, so getting that taken out of the source by agreeing | :35:07. | :35:09. | |
to something is probably a prudent step before it comes back to their | :35:10. | :35:14. | |
parliament. China is as vulnerable as we are in cyberspace, as is | :35:15. | :35:18. | |
Russia, so there is an intense idea of an agreement as to how we should | :35:19. | :35:23. | |
behave. I don't really believe cyber conflict is the most important | :35:24. | :35:27. | |
thing, despite it being the basis of my academic work. I think cyber | :35:28. | :35:31. | |
aggression is more important. I'm worried about what states will do to | :35:32. | :35:36. | |
individuals. China will be willing to sacrifice an international | :35:37. | :35:39. | |
conflict for the ability to repress their population and that is what we | :35:40. | :35:42. | |
should really be worried about when that happens. And you think that is | :35:43. | :35:46. | |
a motivation in China? I think it would be a trade-off where they can | :35:47. | :35:52. | |
behave how they want to behave internally and restrict external | :35:53. | :35:54. | |
behaviour, which they have been happy to do until now. I think there | :35:55. | :36:00. | |
is the ability to verify adherence to international agreement is very | :36:01. | :36:04. | |
difficult in this space. In the nuclear world you can see nuclear | :36:05. | :36:08. | |
tests, but you can't see cyber tests. We don't have a buy in from | :36:09. | :36:14. | |
the east on the Tallin manual, and we need that if we don't want to | :36:15. | :36:20. | |
have new expectations. War and constraining behaviour as shown in | :36:21. | :36:24. | |
that way, but that would only work if the other countries agree. Just | :36:25. | :36:29. | |
in closing, we have to also think about spaces like space and the | :36:30. | :36:34. | |
International see, these have connected devices in today, and what | :36:35. | :36:41. | |
applies there? Thoughts of verification had crossed my mind. | :36:42. | :36:44. | |
Thank you very much indeed and thank you for your patience. At least we | :36:45. | :36:48. | |
were not disrupted by a second division in the Lords. But it is | :36:49. | :36:52. | |
always a problem where we have hearings. As I say, thank you very | :36:53. | :36:56. | |
much and I hope you have all found it very helpful and illuminating. I | :36:57. | :37:03. | |
just wish to declare my interest. I might not been the only one I'm | :37:04. | :37:07. | |
nonexecutive director of the cyber security challenge and I chair | :37:08. | :37:11. | |
National trading standards which supports the national trading | :37:12. | :37:14. | |
standards in crime unit and I'm UK coordinator for the electric | :37:15. | :37:19. | |
infrastructure Council. I have connections with three companies | :37:20. | :37:25. | |
which work in the cyber fielding one way or another and to institutions | :37:26. | :37:28. | |
which engaged in research on it, as I declared in my declaration of | :37:29. | :37:34. | |
interests. Thank you very much. I edited a cyber newspaper as well. On | :37:35. | :37:41. | |
that happy note, order, order. | :37:42. | :37:43. |