A speech from the Chancellor of the Duchy of Lancaster Oliver Dowden at CyberUK in Belfast.
I’m delighted to be here in Belfast.
Last year’s CyberUK was held in Wales, and in the years before that, in Scotland and in England.
So it’s great to complete the full Union set with Northern Ireland – and it’s yet more proof that we have strong cyber talent in every corner of our country.
Now, Belfast is clearly a very popular destination right now. You had President Biden visiting last week, along with the Prime Minister.
The Clintons yesterday.
The Prime Minister liked it so much he’s back again this week.
And me today – lucky you.
But of course this city was a natural choice to hold a cyber conference: It has become a global hotspot for cyber and tech companies – including IBM Security, Microsoft and Nvidia…
…and we’re meeting at a very interesting time for cyber in the UK.
Interesting because we have a Prime Minister and a government that is deeply passionate about science and tech, and has put it front-and-centre of our agenda.
Interesting because we have a thriving tech sector to match, and because government and industry are building a strong partnership including through the new National Cyber Advisory Board, which I am co-chairing again this afternoon with Sharon Barber from Lloyds.
But it’s also an interesting time because of the world we live in today.
The last time CyberUK was held, last May, attendees were gathering in the shadow of Russia’s unprovoked invasion of Ukraine.
And the brutal reality is that a year on, we continue to live in a more dangerous, more volatile world – one that has far-reaching consequences for the British people.
Now that’s partly a consequence of Russia’s aggression.
It’s partly because of the growing economic coercion of other countries.
And it’s also because of the way that climate change and technology continue to transform and disrupt our world.
All of those things are putting our systems under more pressure than ever before.
And so in Government, we are devoting a lot of time and energy on how we can improve our overall resilience of the Government in the face of those and future challenges.
Now many of you will have seen that a few weeks ago the government published a refresh of our defence and national security strategy – the Integrated Review – setting out how we intend to fortify our national defences against the challenges both today and tomorrow.
And it’s something the Prime Minister has asked me to lead on at the Cabinet Office – particularly when it comes to economic security and bolstering our national resilience.
So I wanted to use this opportunity to take you through how that applies to cybersecurity;
where I think we are as a country;
and what the government intends to do to make sure we stay ahead of our adversaries every step of the way.
THE CYBER THREAT
It’s been a couple of months since the world was gripped by the progress of that Chinese balloon floating across the skies of the United States.
Now I’m sure you will recall, that spy balloon dominated the headlines because it was a very visible symbol of America’s borders being breached by an uninvited guest.
And yet every day, a combination of criminals, spooks, hacktivists and cyber soldiers silently and invisibly breach our digital defences – both in the UK and in the rest of the world.
And we saw it earlier this year with Royal Mail, when a ransomware attack disrupted overseas deliveries for weeks.
And last August when an attack on a third party supplier caused severe disruption to NHS 111.
So what does the overall cyber threat to the UK look like today?
Well, according to the latest assessments from the National Cyber Security Centre, the most acute state threats in cyberspace continue to come from those usual suspects – Russia, China, Iran and North Korea.
The NCSC are also devoting a lot of their energy today to defending democracy…
…including by tackling threats against both the Conservative Party leadership contest last year and the recent Scottish National Party leadership contest – both of which took place online.
And there is another new front opening, as we see more and more adversaries able to buy and sell sophisticated cyber tools and spyware like Pegasus.
These are the types of tools that we used to only see in a handful of powerful state actors, and which can cause serious damage.
So it’s something we are taking very seriously, and to which we are responding with our international partners.
Meanwhile, cyber crime is estimated to cost the UK billions of pounds each year.
According to new figures published today, 32% of UK businesses and charities suffered a cyber breach or attack in the past year.
That is a third of our businesses.
And ransomware continues to run rampant.
And as President Biden rightly recognised a few weeks ago, thanks to its scale and impact, ransomware is no longer just a crime.
It is a national security threat – and our response needs to reflect the severity of that threat.
These are attacks on our citizens, our businesses and our democracy. They are an attempt to undermine our society.
And we are determined to stop them, with your help.
In the UK we grasped the need for urgent action early, and we’ve been doing a lot over the past few years to strengthen our cyber defences.
We have published the National Cyber Strategy…
…and we have a new and effective cyber sanctions regime, which we recently used for the first time against a group of Russian cyber criminals as part of a joint campaign with the United States.
And we are working closely with international partners to tackle the proliferation of sophisticated commercial cyber tools.
At the same time, the government itself continues to face a range of attacks, including ransomware and espionage – and so we are constantly looking to strengthen our cyber defences.
As part of that, today, I can announce that we are launching GovAssure, a transformational new cyber regime for the whole of government.
GovAssure will be rolled out across Whitehall. It will be used to assess every department’s cyberhealth on an annual basis, against stringent new measures…
…so that government can better identify the risks we face, and make sure we are protecting systems that help us run public services.
So with each day, as the threat evolves, so does our response.
NCSC THREAT ALERT
But a new adversary has emerged.
Over the last 18 months, the National Cyber Security Centre has seen the rise of several Russian-aligned groups sympathetic to Putin’s invasion of Ukraine.
Now these are fringe state threats – the cyber equivalent of the Wagner group – and initially these groups focused their attacks on Ukraine and the surrounding region.
But recently, they have begun to turn their attention to the UK and its allies.
They are now seeking opportunities to compromise our Critical National Infrastructure.
We have experienced attempted attacks in the past – but these groups operate differently.
Instead of seeking to profit or spy on us, their primary motive is to disrupt or destroy our infrastructure.
These adversaries are ideologically motivated, rather than financially motivated.
Secondly, though these perpetrators are aligned to national actors, crucially, they are often not controlled by those foreign states.
That makes them more opportunistic, and less likely to show restraint.
Together, those factors make the current situation particularly concerning.
And so today I can confirm that the National Cyber Security Centre is issuing an official alert to operators of our critical national infrastructure, to highlight the risk they currently face.
That alert is now live on the NCSC’s website – along with a number of recommended actions that operators should follow right now, to increase their resilience and help defend our infrastructure against these attacks.
Disclosing this threat is not something that we do lightly.
This is an unprecedented warning for businesses.
We have never publicly highlighted the threat from these kinds of groups attempting such attacks before.
And I should stress that we do not think that they currently have the capability to cause widespread damage to our infrastructure in the UK.
But we do believe it is necessary at this point in time, if we want companies to understand the current threat they currently face…
… and to take action to defend themselves and the country against such attacks.
This approach fits with that wider national security strategy.
And last year, when we saw that Russian forces were gathering at the Ukrainian border, we declassified the information to let the world see what they were doing.
Today with cyber threats you will increasingly see us say what we are seeing.
We won’t allow these groups to stay in the shadows.
We are shining a light on these threats because we need to work together to strengthen our defences. That means that businesses need to see the threats clearly, too.
And over the last few years we have done lots of things to make it easier for businesses to secure themselves…
…including issuing world-leading guidance…
…offering threat assessments underpinned by intelligence…
…and providing key services like the Early Warning system.
But given the constantly evolving cyber threat, I believe this is the right moment to look at our cyber defences more widely – particularly when it comes to those of our businesses.
The reality is that we in government can only do so much.
Businesses large and small sit on the front line of our cyber defences.
They face attacks on a daily basis – and any gap in that front line leaves us all vulnerable.
And when we published the National Cyber Strategy just over a year ago, we said we would review the government’s ability to hold operators of critical national infrastructure to account.
I’ve concluded now that we do need to go further.
So today I can confirm that I will be setting specific and ambitious cyber resilience targets for all critical national infrastructure sectors to meet by 2025…
…And that I am actively examining plans to bring all private sector businesses working in critical national infrastructure within the scope of cyber resilience regulations.
These are the companies in charge of keeping our country running. Of keeping the lights on.
Our shared prosperity depends on them taking their own security seriously – and that extends to their cybersecurity.
A bricks-and-mortar business wouldn’t survive if it left the back door open to criminals every night.
Equally in today’s digital world, businesses can’t afford to recklessly ignore cyber risks, either – to leave their digital back door open to cyber crooks and hackers.
And while we’re doing this to combat certain risks, there is also a real opportunity for our businesses.
We have a huge amount to gain by making the UK the safest country in the world to do business.
Because the fact is that in today’s modern world, prosperity and economic security go hand in hand.
You can’t have the former without the latter.
Investors want to put their money in a safe country, in businesses that take security seriously.
So the safer we make our defences, the safer we make our country – and the more attractive we become as a destination for entrepreneurs and investors all over the world.
And the fact that the UK has in the last few years taken cybersecurity so seriously already makes us one of the best places in the world to invest.
So this is my call to arms for businesses: look again at your security.
Strengthen it wherever you can.
The stronger your business, the stronger our economy, and the more prosperous we become together.
And in turn, we in government will continue to do as much as we can to support the cyber industry and businesses more widely…
…and so finally, I just want to outline how we are fulfilling our part of this partnership.
Cyber is an industry that continues to grow in every sense.
New figures show that it is worth more, it has more companies, and it employs more people than this time last year.
In 2022, revenues hit over £10.5bn, the sector attracted £300 million of investment, and it added an additional 5,300 jobs in that time.
At a time of global market uncertainty, the industry really is looking strong.
And through our Cyber Runway programme, we’ve helped over 160 cyber security companies and startups grow and develop their businesses.
And there is even more room for growth, given that we currently face a shortfall of around 14,000 cyber security professionals each year in the UK.
The jobs are there. We just need to give people the skills to fill them – which is what we’re trying to do in government through things like Cyber First and Cyber Explorers.
And indeed, I saw this with my own eyes a few weeks ago when I spent time with students at the University of South Wales’s Cyber Academy.
I watched them at their computers, going through the cyber equivalent of football drills – practising attack and defence.
And through academies like that, we are building the UK’s cyber talent pool for the future.
And on Monday the Prime Minister launched a major drive to improve maths skills across the country.
As he said in that speech, numeracy is the foundation of the modern economy…
Today, it’s just as essential as being able to read – and it is particularly vital if we want people to be able to take up jobs in cyber, tech, and beyond.
We also recognise that as a major employer of cyber security professionals across the UK, the government needs to do more to attract the very best talent.
Now, like many of you, I noted the recent debate around the salary offered for a cyber role in government. Of course, people who work for Government will always be motivated by public service.
But a cyber specialist knows they can earn five to seven times, if not more, for the same role in the private sector.
And the government needs to break through its own glass ceiling…
So I am also examining what more we can do to improve salaries and other parts of our offer, so that we can continue to attract the very best cyber experts into the civil service.
These are people protecting the systems and public services that millions of people across the country rely on every day, so we should want the very best people in charge of them.
We must be competitive to stay ahead.
So, we are keen to do our bit, and for the private sector in turn to do its bit.
To defend as one, so that we can prosper as one.
And as I have set out, the Government is clear-eyed about the challenges that we face. We need business to be clear in their determination to meet those challenges with us.
It’s not going to be easy, and these threats won’t disappear overnight. But by working together, I believe that when we meet next year at CyberUK 2024, the UK will be more resilient and more secure.