Whistle-blower or traitor? This is hardly a standard question at most post-conference drinks events but then few of the delegates are as equipped to answer as the attendees of the Global Cybersecurity Innovation Summit organised by Sinet (Security Innovation Network).
Sinet’s inaugural international conference held in the British Museum in London, UK, covered many of the ways in which people, companies and governments can protect themselves from the downsides of exponential IT changes. It also looked at how these same issues can create opportunities by offering this cyber-security through collaboration by all three groups and the startups that bring innovative ideas.
As Gerald Brady, head of UK relationship banking at financial services provider Silicon Valley Bank, said, cyber-security was increasing revenues by 8% a year, compared with 4% for the IT sector generally, and would be an $80bn market next year.
Vince Cable, the UK’s secretary of state for business innovation and skills, said the UK had committed £860m ($1.2bn) to cyber-security over five years but wanted the country to earn £2bn from exports of cyber-security technology and services by 2016 after recording 22% growth last year. Robert Rodriguez, chairman and founder of Sinet, said there had been 60 acquisitions of cyber-security startups in the first half of the year and returns for venture capitalists from their investments in the space had been good.
This growth is driven by threats increasing even faster. Suleyman Anil, head of cyber-defence in the emerging security challenges division of Nato, said it had seen a seven-fold increase in cyber-attacks over the past two to three years due to three broad reasons.
There had been an increase in the number of attackers: non-state actors finding cyber-crime both lucrative and low-risk, and state actors conducting offensive operations. Off-stage, technology company Norse produced an arresting graphic showing the location and target of these cyber-attacks based on its five million sensors recording internet protocol addresses.
Anil said the second reason for attacks increasing came from the growing number of access opportunities. He said: “There will be 25 billion devices connected to the internet by 2015 – 500 per house.”
The third reason was the opportunity for cyber-attacks to develop asymmetric forms of political or economic warfare. He said it was asymmetric as attackers could be relatively few and attacks low-cost to conduct, but could inflict damage equivalent to a physical attack.
Heli Tiirmaa-Klaar, cyber-security policy adviser at the European External Action Service, the foreign office of the European Commission, said such cyber-attacks were now part of “hybrid” warfare, alongside kinetic, or physical, combat.
She said as a minister in Estonia she had to put in place cyber-security measures following Russia’s denial of service operations against the country in 2007. These had been followed by operations against Georgia and then Ukraine. The cyber-campaign to shape public opinion was part of the warfare, she added.
That the attacks and information campaigns can affect any or all parts of society is bringing together these constituencies (see below). Bob Dudley, CEO of oil major BP, said it worked with government as a result. He said: “Cyber unites. Government does not control the key assets [to respond] as it would in a physical or terrorist attack.”
He said the energy sector had been a prominent target, as it made up 10% of global GDP and underpinned the other 90%. He added that while uncertainty was a fact of life, the response could be certain, and he held out the hope that cyber-security processes could be simplified under a framework of the right governance, developing capabilities to respond, changing behaviour to reduce vulnerabilities among BP’s 80,000 staff and preparedness under different scenarios.
He said BP carried out “ethical phishing” to identify people likely to be fooled by malicious emails or calls, and had improved the way people could report such attempts to cause damage. In addition, BP now compartmentalised information so joint venture partners, such as China’s state oil company, or contractors could gain only limited access.
In turn, the UK and other countries have been pushing national cyber-security initiatives. Ian Caplan, the UK Home Office’s acting deputy director responsible for delivering the pursue strand of the government’s Serious and Organised Crime Strategy – the other strands are prevent, protect and prepare – said the authorities were embedding technology into the way they tackled any crime – pursuing criminals by gathering evidence, preventing others joining them in their activities, protecting people and institutions, and helping them prepare to mitigate the effects of cyber-attacks.
However, tackling cyber-security fully – what Caplan called the Home Office’s most important issue – required combining the cyber-world with legislative changes, such as making transparent the beneficial owners of companies, as well as partnering other countries in dealing with what is a global issue.
Sir Iain Lobban, director of the UK’s Government Communications Headquarters (GCHQ), said partnership with the US Federal Bureau of Investigation (FBI) had helped in securing prosecutions against organised hacker groups.
The speed of technology change makes security a challenge. Michael Trevett, senior information risk owner at the UK government’s Cabinet Office, in a networking lunch on risk management, posed a series of questions about how organisations could cope with the speed of change. If technology improves so rapidly, identifying what is important and protecting it, rather than trying to protect everything, might be helpful, he said.
Additionally, understanding the nature of threats was important.
Other government officials were more critical of the lack of regulatory attention being paid to the risks of so much innovation so rapidly. One said on the sidelines of the event: “Technology is moving too fast and policymaking is at the lowest common denominator. AI is not thought of as an issue.”
But the penalty for misjudging the regulators could be steep. Sir Iain Lobban, outgoing director of GCHQ, said the UK would have been harder on Edward Snowden, the cyber-security contractor who revealed US surveillance measures last year, had he been a Briton revealing the UK’s cyber-security measures.
The Severn valley’s cyber-security cluster
There are a few global regions where cyber-security experts cluster. These include Washington DC, the west coast around San Francisco, Israel, Beijing in China and the Severn valley in the western UK between Malvern and Newport.
This last region is perhaps the most nascent and was cited as an example at the Sinet Global Cybersecurity Innovation Summit’s panel on cluster models. Emma Philpott, managing director of services company KeyIQ and founder of the Malvern Cyber-Security Cluster, said she had moved to Malvern three years earlier from Singapore and had been struck that everyone she seemed to meet worked in cyber-security but did not know one another. As a result, she set up an informal networking meeting once a month and more than 50 companies in the area now attend.
Andy Williams, head of Cyber-Connect UK, said the role of government had been indirectly important as the UK’s Qinetiq defence research laboratory and GCHQ were in the area, and after the privatisation of Qinetiq a number of people left to set up their own business.
- Tell the truth – that the products do what vendors claim.
- No more sell and forget.
- It is a front rather than back-office system – individuals are at risk.
- It is not a government or individual that leads – it is about collaboration.
- Hands-off – no poaching, but work together on developing the skills for the next five to 10 years.