GCHQ Director Jeremy Fleming gave the keynote speech at the NCSC’s flagship cyber security event, CYBERUK 2019.
Here is the speech:
Good morning. I would like to start by saying my thoughts are with all those affected by this weekend’s atrocious attacks on churches and hotels in Sri Lanka. It was a senseless attack and it reminds us that whilst Daesh might have lost its caliphate in Syria, there are still those who seek to destroy innocent lives with their hateful ideology. Only by working together, and with the broader international community, will we disrupt and defeat this terrible violence.
Now back to today. We are here in Glasgow for the National Cyber Security Centre’s flagship conference, CYBERUK 2019. This is the third time we’ve brought the community together in this way, and it’s a pleasure to see it growing into such an impressive and important event.
The NCSC is only a few years old but cyber security runs through GCHQ’s veins. For much of that time, it’s been the less celebrated part of our mission.
But that’s changed over the past few years. I now think of it as genuinely leading the way in how we work, how we partner and how we provide transparency.
So it’s great to have the chance to talk about the change it’s driving and in our centenary year, to bring this event to another part of the United Kingdom. We’re proud to serve the people of Scotland and it will come as no surprise to you to learn that they have played a fundamental role in our history too.
Three of GCHQ’s Directors have come from Scotland. Our first – and longest-serving – Director, Alistair Denniston, distinguished himself by playing hockey for Scotland, even winning a medal at the 1908 Olympic Games.
Scots were behind the founding of what we now call signals intelligence in the days when our principal targets were German or Soviet, and we were all using shortwave radio.
And we had a presence all over Scotland: from Kilmuir on Skye to Unst and Lerwick in the Shetland Islands, and along the East Coast, from Wick to Cupar.
So I’m very pleased to be celebrating all that history, but I’m even more focused on what the next century will bring. And whatever it holds – and none of us truly know – my bet is that technology will become even more central to our economic prosperity and to the development of our society.
As we enter the third decade of the Internet age, this technology revolution is providing extraordinary opportunity, innovation and progress – but it’s also exposing us to increasing complexity, uncertainty and risk.
So it is inevitable that this digital era also brings with it new and unprecedented challenges for policymakers as we seek to protect our citizens, judicial systems, businesses – and even societal norms.
Now some of this requires the evolution of policies and practices that have held us in good stead for generations. But other parts – particularly the way in which vulnerable people are suffering from online harms like cyber bullying and hate speech – require new policy and a new rule book.
This is rapidly becoming one of the great themes of our age. From online crime to terrorist propaganda, and to the impact that exposure to technology has on children, liberal democracies are all trying to find the right policies.
Now the Online Harms Whitepaper – published earlier this month by the Department for Digital, Culture, Media and Sport – is a good example of how the UK is responding. It contains new thinking about where the statutory duty of care for the safety of users should lie. It places specific requirements on firms to make sure their content complies with the law relating to counter-terrorism and child abuse. And, to give the regulations teeth, it raises the potential for enforcement action – ranging from warning notices to fines.
Bringing new ways of thinking is something we’ve tried to do in the field of cyber security too.
We’ve been at it for over a decade. The UK’s first cyber security strategy was launched in 2009 – and in that period we’ve learned a lot about what works and what doesn’t.
We knew that whatever the shape of our cyber security mission, it made no sense to silo it away from other aspects of national security. To be effective, it had to be able to take advantage of high-grade intelligence and other security capabilities.
We also knew that we needed to invest more in getting the public and private partnership really working. And we needed to set even clearer lines of accountability when cyber incidents happened. These and many other structural flaws in the UK’s cyber landscape had not been fixed because there were neither the means nor the incentives to sort them out.
So in 2015, the UK government took that learning and turned it into a five-year National Cyber Security Strategy. It brought new thinking to the management of cyber incidents, led to the creation of the Active Cyber Defence programme and set the conditions for a different partnership with the private sector. And of course, much of this was given a new home in the National Cyber Security Centre, which itself, was to be part of GCHQ.
Nearly three years later, I am confident this approach has improved the cyber health of the nation. Since its formation, the NCSC has coordinated responses to some of the biggest cyber threats the country has faced. Our incident management team has worked on more than 1,500 significant cyber security incidents. And using automation, it has reduced the harm from thousands of attacks a month. And it has played a major role in dealing with the strategic threats we face from hostile states.
In short it gave GCHQ, through the National Cyber Security Centre, responsibility for a major national risk for the first time in our hundred year history.
I’m proud of the progress we’ve made, but there’s certainly no room for complacency.
There’s much to do. And as we enter the second half of the strategy’s original mandate, now is a good time to shape the direction of the nation’s cyber security in the 2020s.
To do this, I’d like to spend a few minutes situating cyber security as part of the wider cyber ecosystem.
I recently spoke about this in Singapore.
I said that to prosper in this technology age, the UK needs to pioneer a new form of security. And for that to be successful, for the UK to be considered a Cyber Power, it would need to be able to demonstrate it in three main ways:
One – it must be world-class in safeguarding the cyber health of its citizens, businesses and institutions – it must protect the digital homeland.
Two – it must have the legal, ethical and regulatory regimes to foster public trust – without which we just don’t have a licence to operate in cyber space.
And three – when the security of the nation is threatened, it has to have the ability – in accordance with international law – to project cyber power to disrupt, deny or degrade our adversaries.
I’ll come back to 2 and 3 at a later date, but the point I want to make today is that cyber security is an essential part of a wider Cyber Power framework. Indeed, I’d argue that it’s the most important part. Without it, the other two parts just don’t work.
So if that’s true, getting cyber security right is critical for the UK’s future.
And whilst I think we’ve made a good start, the next stage of our strategy is even more critical. And it’ll need a national effort if it’s to succeed.
The first priority is to make the strategy more citizen facing and more citizen relevant.
Earlier this year, the NCSC, Department for Digital, Culture, Media and Sport, Cabinet Office and the Home Office commissioned independent research to better understand how the UK public think about and act on cyber security.
The findings of the ‘UK Cyber Survey’ have been published this week – they highlight the scale of the challenge we face.
The Internet is an important part of all of our lives, and we need to help British people make the most of it. The research showed that 89% of Brits use the Internet to make online purchases – and 24% do so on a daily basis.
Yet only 15% said they knew how to protect themselves online. And this lack of awareness was particularly marked amongst older people. The most regular concern is still that money would be stolen – with 42% feeling they will be a victim by 2021.
Additional analysis we’ve published this week found that 23.2 million victims of hacks used the password 123456 to protect their accounts.
These findings underline the scale of the challenge we face. And they show that now is the right time to ask ourselves, as cyber experts, what more can be done to prepare the citizens for the challenges this new landscape brings.
Of course, this isn’t a greenfield site – we’ve already come a long way working with partners across government and academia.
We’ve developed guidance that reduces the onus on individuals to spot fake emails in the hundreds they receive every day.
I think we’ve led the way in helping people make sensible, informed, evidence-based decisions about what protections are appropriate for them, how to manage their cyber security risk and how to make their behaviour online secure.
We have reached out to schools to get cyber security into our education system and encourage the development of critical cyber and STEM skills.
And it is now easier than ever to access all of this advice including on the NCSC’s relaunched website.
All of this important work needs to be developed and broadened.
So, looking ahead, we intend to do more to take the burden of cyber security away from the individual. In particular, we will work closely with device manufacturers and online platform providers to build security into their products and services at the design stage.
We will work with ISPs to enhance the security of internet-connected devices in the home. And we will share intelligence with banks to enable them to alert customers close to real time.
Ciaran Martin and the NCSC team will expand on these ideas later in the Conference.
We’re optimistic they will make a major difference to the user and by de-mystifying cyber security we will encourage many more people to adopt good cyber security measures.
But threats to the citizen do not always come directly at them. That is why another major priority is to ensure our national infrastructure has the best defences in the world.
Cyberattacks have the potential to critically disrupt the lives of our citizens by undermining the national infrastructure on which we all depend. We suffer attacks every day – and while we have not faced a Category 1 attack, we must continue to plan for when it happens.
We think the 2020s bring an opportunity to fix our critical national infrastructure. In part this comes from the potential to bake in cyber security as new systems are brought in to replace aging legacy systems. Once again, security by design must be our aim.
But changes to regulation offer real opportunities too. The NIS Directive that came into effect last year will force the UK’s most critical industries to ensure their cybersecurity is adequate or risk hefty fines.
We know that regulation can be a powerful driver of change and welcome the investment our industries are making to meet the new requirements.
And as NIS beds down, we’ll want to ensure we’re learning lessons and optimising its scope and application. But I think we also need to be open to a debate about what further legislation or regulation might be required to ensure cyber standards right across the CNI.
If we get this right, we will build resilience into our most critical systems for decades to come.
So that’s why the NCSC is prioritising its support to both regulators and regulated organisations, and providing tailored advice, technical guidance and targeted intelligence to them.
In some sectors we can already see things moving. The telecoms industry and the current debate on the UK’s approach to 5G is a good example.
Now I don’t need to rehearse the importance of 5G to this audience. We know it’s going to be one of the most important and impactful technologies of this or any era.
And like many countries, the UK is looking at the right policy approach to 5G security. That policy process is being led by the Department for Digital, Media, Culture and Sport. And the review provides advice on a full range of options and is being considered by the Government. Once concluded, and quite properly, it will be announced by Secretary of State Jeremy Wright in Parliament.
Now GCHQ and the NCSC’s role has been to offer expert, objective, technologically literate input into the security considerations around 5G. When we analyse a company for their suitability to supply equipment to the UK’s telecoms networks, we are looking at the risks that arise from their security and engineering processes, as well as the way these technologies are deployed in our national telecom networks. The flag of origin of 5G equipment is important, but it is a secondary factor.
It’s a hugely complex strategic challenge which is going to span the next few decades. How we deal with it will be crucial for prosperity and our security. And it’s yet another demonstration of how significant cyber security is becoming to a nation’s cyber power.
The third area for priority action is to expand the cyber security ecosystem – and by that I mean taking a bold, interventionalist approach to involve a wider set of stakeholders in protecting the nation’s cyber security.
A strategic way for us to do this is to grow the reach and impact of NCSC’s Active Cyber Defence programme. It uses automation to block attacks on an enormous scale. Its goal is to make the internet automatically safer for people to use.
One of our first programmes has continued to have a huge impact. In March, the UK-hosted share of global phishing fell below 2% for the first time. When we started in 2016 it was 5.4%.
This is a really exciting innovation. It’s one we will look to expand both domestically and with international partners so that it is implemented at a scale to make a truly, nationally, and potentially internationally, transformative difference.
Our ACD programme also works in partnership with Government Departments. HMRC is an excellent case study of an organisation leading the way in protecting its customers. In 2016, it was the 16th most phished brand globally, accounting for 1.25% of all phishing emails sent. Today it is ranked at 146th and accounts for less than 0.1% of all phishing emails.
Our protective DNS system for the public sector blocked access 57.4 million times with malware such as Conficker – first seen in 2008 – still being spotted in public sector networks.
We are also working hard to put in place programmes to help small businesses. This year, we identified over 1,200 sites which were serving malicious code to illicitly copy credit card transactions. We were able to help these small businesses fix the problem and protect their customers and their reputation.
But until now, most of these services have been tried out on our own government, on our own terms. For our next chapter, we want to ask what happens when the big communications service providers start to introduce our blocking techniques at scale?
What happens when retailers take up some of the security indicators we’ve been developing with DCMS and use them to promote safety and security? Or when large corporates really get on board with anti-spoofing?
So today, I would like to encourage businesses in all sectors to work with us to find new ways of incorporating these automated services. And if enough do, the results could be truly transformational – a whole-of-nation, automated cyber defence system.
Taken together, these three priority areas – the citizen, CNI and the broader cyber ecosystem – provide a clear vision for the next stage of the nation’s cyber security approach.
It’s a vision where GCHQ uses our unique insights into the structural vulnerabilities of the internet and, in partnership with business, detects, disrupts and fixes malicious online behaviour.
And it’s a vision with enormous potential to further deliver on the Government’s promise to make the UK the safest place to live and do business online.
But it’s only achievable if we are able to build a genuinely national effort – with more connections and deeper cooperation with the private sector and even closer working with our partners and with our allies.
With government, it means bringing our cyber security and technology expertise closer to the heart of policy making alongside DCMS. We’ve started to do this on AI, Quantum and the Internet of Things and I can already see that it’s both welcomed and needed.
And we also have an important role to help the Government secure its own networks.
With industry, it means sharing more strategic knowledge about malign actors and more tactical cyber threat information.
But knowledge sharing must go two ways. A fundamental principle of the NCSC has always been to be more open, more transparent with the information we obtain. We’re already doing that and are committed to share even more in real time, to help business and Government defend themselves and the UK.
So specifically, in the last year we have made it simple for our analysts to share time-critical, secret information in a matter of seconds. With just one click, this information is being shared and action is being taken.
In the coming year, we will continue to scale this capability so – whether it’s indicators of a nation state cyber actor, details of malware used by cyber criminals or credit cards being sold on the Dark Web – we will declassify this information and get it back to those who can act on it.
And that’s why Industry100 – the initiative which promotes close collaboration between industry and the NCSC – is being made a permanent feature. It brings challenge and collaboration to the heart of our business and we need it more than ever.
Our work with partners covers a wide range of other initiatives too.
The Small Business Guide provides quick and easy ways to improve their resilience. Our 10 Steps to Cyber Security guidance is now used by around two thirds of the FTSE350. The new Board Toolkit helps executives ask informed questions of their cyber security experts.
And our Cyber Essentials programme awards companies with a certificate when they demonstrate five key controls. When implemented correctly, we know it makes these companies much harder targets for commodity cyber-attacks.
With academia, it means solving hard problems, not admiring them. This is the aim of our four Research Institutes. They work within world-leading academic institutions to back up cyber security with real science and make people’s lives easier and more secure through the innovative use of security hardware. Their work is giving us new tools in the fight against malign cyber actors.
And with education, it means working with other government departments to give our groundbreaking CyberFirst Girls competition a truly national reach. Just last month, 40 finalists – from 40,000 participants – competed in Edinburgh to be crowned national champions.
Internationally, it is about working with our allies to amplify our strengths and mutually defend our weak spots. The core of this is work with our Five Eyes partners – you’ll hear more of them soon, but we’re also forging new partnerships with many European countries and others around the world too.
We know that whether it’s future telecommunications infrastructure, the critical national infrastructure, or digital security more generally, these national and international partnerships are critical to our cyber security and hence, the UK’s cyber power.
So to make this a success, our strongest defence and most powerful weapon is our ingenuity – our ability to imagine what has yet to be imagined. To see further into the future than anyone else. Our vision for the next stage of the UK’s cyber security strategy aims to do just that.
The prize is great – a world leading cyber security approach and as a consequence, a safer, more successful UK. I’m confident we will succeed. Because with the right mix of minds – inside and outside government – we know that anything is possible.