Market dynamics:
stimulating cyber supply and demand
Richard Bach
Assistant Director Cyber Security
Why does HMG care about Cyber Security?
• A Tier One threat to the UK’s national security – and growth
The National Cyber Security Strategy and Programme
• Strategy launched in 2011
• “Programme” – NCSP – to support the strategy
– Duration: five years
– Originally £650m
• MoD, BIS, GCHQ, Home Office, FCO…
– Raised to £860m
– Now in its final year: what next?
The UK Cyber Security Strategy in words
Our vision
Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.
Our objectives
Objective 1: The UK to tackle cyber crime and be one of the most secure places in the world to do business in cyberspace
Objective 2: The UK to be more resilient to cyber attacks and better able to protect our interests in cyberspace
Objective 3: The UK to have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies
Objective 4: The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives
Cyber security as a partnership
• The Government role
– Leadership
• Defining what good security looks like
– Bringing clarity to a confusing and complex landscape (of guidance, standards, practices…)
• The industry role
– Insight
– Commercial understanding
– Scale
• Set the direction (mostly Government)
– Cyber Security Strategy
• Build the proposition (Government and industry)
– Standards
– Guidance
– Assured services (assurance = confidence)
• Drive adoption (Government and industry)
– Supply and demand
– Domestic market and exports
– The biggest challenge
Partnership in practice
BIS – partner examples (CS&R)
Academia and skills
Oxford Global Capacity Building Centre
Institution of Engineering and Technology
Imperial College London
Warwick University
Kings College London
Royal Holloway
Cyber Security Challenge
Industry individuals
CEOs
CISOs
Consultants and auditors
Professional Bodies
Law Society
IIA
ICAEW
ICAS
CIPS
CIPD
ICSA
Trade associations
FSB
CBI
The IRM
BBA
Regulators
Bank of England
Ofcom
ICT and Cyber Security Bodies
TechUK
ISF
CREST
IASME
Law firms
Insurers
Cyber Security Firms
Think Tanks
IISS
RUSI
International partners
Others, and arms-length bodies
BSI
UKAS
InnovateUK
MOPAC
BCC
Partners: the national cyber landscape
https://www.cesg.gov.uk/publications/Documents/uk_ia_community.pdf
Supply and demand
• No single answer; what, how
• Cyber Growth Partnership
– Ministerial lead
– Members: large and small businesses
– Focus: strong domestic market; exports
• Informal: TechUK; ADS
• Badging suppliers to Government
– HMG badge
• “Ask Dave”
• Government procurement
– Template for industry
• Insurance as a “lever”
• Promotion
• Incentives
– Innovation Vouchers
– Tax incentives?
• Removing barriers
– Cohesion
• Privacy (data protection) and cyber security
• Government partnership with the Information Commissioner’s Office (ICO – UK data protection registrar and regulator)
• Bring clarity to a confusing and complex landscape
– What does “good” look like?
– Cyber Essentials
Incentives – Innovation Vouchers
• Administered by Innovate UK
• £5,000 to help with cyber security solutions
• https://vouchers.innovateuk.org/cyber-security
Incident response
• Cyber Incident Response (CIR) companies
– A small number
– Licensed by CESG
– Respond to high-end incidents, e.g. advanced threats against Critical National Infrastructure (CNI)
– Assured service (assurance = confidence)
• Cyber Incident Response Scheme (CIRS)
– Operated by CREST
– CREST licensed by CESG
– CIRS companies (many)
• Badged by CREST
• Respond to cyber incidents
Skills and education
• Cyber security: a long-term and constant activity
• Skills
– Equipping industry and government for the future
– Definition
– Guidance
• Education
– Massive Open Online Course (MOOC)
• Developed with the Open University
• Free
– Training programme for professional services
Cyber Security Information Sharing Partnership (CISP)
• A CERT-UK platform
• Voluntary Sharing
• Regional Nodes / SMEs
• Build/gain trust; be active!
Caveat emptor: Snake Oil
Cyber Security standards
• What does good cyber security look like?
• Have I got the basics in place?
• How can I demonstrate my cyber credentials to customers and suppliers?
• Mandated in Government procurement (supply chain).
– Leading companies adopting, e.g. Barclays Bank, National Grid, HP (UK)
The threat
Nature
• complex, global and constantly changing
• perpetrated remotely
• difficult to trace
• significant impact in the longer term
Threat actors in Cyber Space
• hacktivists – to cause disruption
• criminals – financial impact
• states – conducting cyber espionage or disruptive attacks
• terrorists – physical attacks remain priority
Threat evolution
Notes: Illustrative only. Based on multiple sources, including Symantec and MIT. Barriers to entry have reduced but actor sophistication has increased.
(Chart: threat volume against time, 1970s to 2010s, with the labels phone hacking – “phreaking”; computer clubs hacking; state on state?; crime; hacktivism; serious crime; state (industrial). Second axis: required actor sophistication, and sophistication and availability of tools.)
Who should it be protected from – actor tiers, from least to most sophisticated:
• Anyone: opportunistic – computers left unlocked, passwords on post-its, easy passwords, etc.
• Amateur Hacker, Journalist: exploits known software bugs, weak passwords and published ‘features’; uses commodity hacking tools.
• Skilled Professional Hacker: develops bespoke exploits, finds new software bugs, exploits obscure features.
• Organised Crime: physical element, massive scale, blackmail, bribery, forgery, etc.
• Nation State: everything else, plus the resources to introduce features or vulnerabilities they can later exploit.
Cyber Essentials Scheme
• What it is:
– A set of technical controls to achieve basic protection from Internet-borne commodity threats
– Aimed at enterprise IT
– The start of a journey; organisations should also consider other activities – see Government’s 10 Steps to Cyber Security for examples
– Based on government analysis of adversary cyber attacks
• What it isn’t:
– A cyber security “silver bullet”
– Aimed at operational systems, e.g. control systems, payment systems
Cyber Essentials Scheme
• What:
– Requirements document. Comprises five control themes:
• Firewalls; Secure configuration; User access control; Malware protection; Patch management
• Risks: implicit assumptions of threats and vulnerabilities
– Assurance Framework, defining two assurance tiers:
• Cyber Essentials: verified self-assessment
• Cyber Essentials PLUS: independently tested
– Tests whether the controls implemented are sufficient to defeat common Internet-based attacks
• Who:
– Developed in collaboration with industry: IA for Small and Medium Enterprise (IASME); Information Security Forum (ISF); British Standards Institution (BSI)
– Endorsed by Government
– Principles applicable to all; design aim: accessible for SMEs
CES – Government and industry in partnership
(Timeline chart, with Industry and Government lanes)
• National Cyber Security Strategy (2011)
• Policy and Analysis (2012 - 2013)
• Industry-led Review (2013)
• Call for Evidence (2013)
• Present findings (late 2013)
• Drafting Group (2013 - 2014)
• Devise Scheme (2014)
• Launch/promote (2014 - )
• Adopt
Cyber Essentials in Government procurement
• Why?
– Reduce cyber risk in Government supply chains
– Leadership by Government
• Guidance
– Published as a Procurement Policy Note
• https://www.gov.uk/government/publications/procurement-policy-note-0914-cyber-essentials-scheme-certification
– Includes use cases
– Transparency: same guidance used by Government procurement staff
• Scope
– Which contracts:
• where sensitive information is handled;
• provision of certain ICT products/services
– Proportionate; reasonable expectation
• When
– In tenders advertised from 1 October 2014
CYBER ESSENTIALS
Facilitating a step change in cyber security behaviours in the UK
What needs protecting (privacy and security)
Names; Addresses; Dates of birth; Shopping patterns; Intellectual property; Documents; Credit card details; Music; Videos; Telephone calls; Presentations; TV; Customer records; Bank account details; Spreadsheets; Databases; Games; Medical record; Facebook profile; Social network activity
Privacy - data protection in the UK
• UK Data Protection Act (1998)
– http://www.legislation.gov.uk/ukpga/1998/29/contents
– Implementation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
• Regulated by the Information Commissioner’s Office (ICO)
– www.ico.org.uk
– Guidance
• Guide to Data Protection https://ico.org.uk/for-organisations/guide-to-data-protection/
• Supported by Practical Guide to IT Security https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf
ICO Guide to Data Protection | 10 Steps/Cyber Essentials
ICO Guide to Data Protection (Data Protection Act principles):
• Principle 1 – fair and lawful
• Principle 2 – purposes
• Principle 3 – adequacy
• Principle 4 – accuracy
• Principle 5 – retention
• Principle 6 – rights
• Principle 7 – security
• Principle 8 – international
10 Steps to Cyber Security:
• Information Risk Management Regime
• Secure configuration
• Network security
• Managing user privileges
• User education and awareness
• Incident management
• Malware prevention
• Monitoring
• Removable media controls
• Home and mobile working
Principle 7 - IT Security Guide | 10 Steps/Cyber Essentials
ICO Practical Guide to IT Security (Principle 7):
• The first step: assess the risk to your business
• Use a layered approach to security
• Physical security
• Anti-virus and anti-malware
• Intrusion defence
• Access controls
• Employee awareness and training
• Segmentation
• Policies
• Device hardening
• Keep you and your systems up to date
10 Steps to Cyber Security:
• Information Risk Management Regime
• Secure configuration
• Network security
• Managing user privileges
• Incident management
• Malware prevention
• Monitoring
• Removable media controls
• Home and mobile working
• User education and awareness
What next? The Industrial Strategy
• Long term
– Stability → confidence → investment → growth
• Partnership with business
• Cross-party support
• The strategy
– Sectors
– Access to finance
– Skills
– Procurement
– Technologies
• Sectors
– Life Sciences
– Aerospace Growth Partnership
– Nuclear Industry Council
– Oil and Gas Industry Council
– Offshore wind
– Information Economy Council
– International Education Council
– Agritech
– Construction – Leadership Council (CIC)
– Professional and Business Services Council
– Automotive Council
– Creative Industries Council
– Industrial Strategy Council
– The Electronic Systems Council
– Chemistry Growth Partnership
– Rail Supply Group
– Defence
FTSE350 Health Check
• Partnership with audit companies (PwC, Deloitte, KPMG, EY)
• Questionnaire-based survey
– biggest 350 companies registered on the FTSE
– chairs and audit chairs
Contacts
General queries: [email protected]
AB/CB-related queries: [email protected]
PPN-related queries: [email protected]