National Cyber Security Centre: ‘Our adversaries innovate – so we must too’
Senior leaders stress importance of risk-taking in combatting the threats faced by the UK
Leaders at the National Cyber Security Centre have stressed the importance of matching the capacity for innovation shown by the hostile states and other malicious actors that pose a threat to UK businesses and public sector entities.
In a keynote presentation at the Cyber Innovation Den event hosted yesterday in central London by techUK, a senior NCSC spokesperson told attendees that the intelligence agency addressed the global cyberthreat landscape much as a business would approach its competitive marketplace.
“We do not exactly have competitors, but we do have adversaries, and they innovate – so we had better innovate too,” they said.
The senior manager said that the organisation conceives of maintaining the UK’s status as an innovative “cyber power” in three ways.
The first of these is being able to “defend ourselves using innovative technologies”. The second is – in extreme circumstances – possessing “the ability to attack people in cyberspace”, while “the third is to do that within established norms and be ethical and lawful”, the spokesperson said.
They added: “We are in an arms race with cybercriminals and other hostile organisations – and they do innovate.”
The presentation echoed comments made by NCSC chief executive Ciaran Martin at an event last week launching the organisation’s annual report.
“We will take more risks – we will innovate, that is essential,” he said. “Not all of them will work, and my plea to our partners is to stand with us through our failures as well as our successes.”
Developing cyber skills
Published in 2016, the government’s National Cyber Security Strategy set out a five-year plan, the ongoing implementation of which is split into three tracks: Defend; Deter; and Develop.
Also presenting at the techUK event was Andrew Elliot, deputy director of cyber and digital identity at the Department for Digital, Culture, Media and Sport. He said that his department is focused on the ‘develop’ strand of the strategy rollout.
Within this, DCMS has three core objectives, he said.
“Number one is we want to have the skills and capability to meet a growing demand,” Elliot said. “We are also trying to move the responsibility for being secure from the user to the manufacturer – we want to make the internet of things secure by default. Thirdly, we want all organisations to have access to the best security products and services that they need.”
Elliot pointed to two accelerator programmes for cybersecurity start-ups as examples of the role government can play in instigating innovation.
The London Office for Rapid Cybersecurity Advancement (Lorca), which is funded by DCMS, is now recruiting for its fourth cohort of SME companies. Firms that took part in the first three have raised a cumulative total of £58m in investment, Elliot said.
Meanwhile, the Cyber Accelerator programme, run by the NCSC from the Cheltenham headquarters of its parent agency GCHQ, is already working with its fourth cohort of start-ups. The 23 companies to take part in the first three cohorts have attracted backing totalling £35m.
While these figures appear impressive, Elliot stressed that government was still working to ascertain whether “we made sustainable interventions – or have we just created a flash in the pan?”.
“We do not have all the answers yet,” he said. “What is the core role of governments in this space?”
Government’s ability to help organisations work together to the benefit of the UK’s security is evidenced by the growing number of cybersecurity “clusters” across the UK, Elliot said. There are now 24 such clusters around the country, each of which contains a group of cybersecurity SMEs that wish to collaborate with one another.
Another example cited by the DCMS cyber chief of how government can serve as an assembler is the creation of the UK Cyber Security Council. Whitehall funding of up to £2.5m is available to establish the council, which will be dedicated to furthering the cybersecurity profession across the UK and growing the skills. Government is currently working to choose a lead organisation to deliver the council.
“Government has great convening power – we help people make connections,” Elliot said. “We have various levers – and those levers do not always require funding large programmes.”