
Chi Onwurah: “We are only as strong as our weakest link”

Shadow digital minister Chi Onwurah says the cyber security needs of Britain’s 5.4m small businesses are being dangerously overlooked

The link between a parliamentarian and their appointed subject can be tenuous – Andrea Leadsom, then climate change minister, famously asked in 2015 if climate change was real – and this disparity becomes more apparent the more technical the portfolio. The current digital minister, Matt Hancock, does have some tech experience – he worked briefly for his father’s computer company – but his opposite number, Chi Onwurah, is that rare thing: a politician who is also a highly qualified engineer.

“Engineers are definitely underrepresented in government,” agrees Onwurah. “And they’re underrepresented in the Civil Service, because the Civil Service has had an emphasis on generalism. That basically meant not being an engineer. It meant having a first in classics or medieval history, and there haven’t been career paths for engineers and technical specialists. The Civil Service says it’s addressing that, and I hope it is.”

She adds: “We are under-represented in political parties, too, because the routes by which most MPs become MPs do not include engineering. We’ve got lawyers, spads [special advisers], PR people, journalists, but we don’t have engineers.

“I joined the Labour Party when I was 16. I wanted to become an engineer or scientist from the age of about nine. I looked to politics and technology as the two ways of changing the world for the better, and first of all I thought I wanted to be an engineer, as that was also what interested me – making things work, building things, so I went into engineering. It was a fantastic career and I’d recommend it to anyone and everyone.

"Particularly during my time working in Africa as an engineer, and later at Ofcom, it really highlighted to me the importance of public and government policy in making technology accessible."

“I could design the best broadband network in the world – I still think I could,” she says, with the confidence of someone who has clearly not quite given up being a telecoms engineer, “but only if people had the right income, the right skills, the necessary rights to lay cables, to actually get to use that fantastic technology. And so when it was announced that the MP for the bit of Newcastle where I grew up was standing down, I thought, ‘Let’s see if we can.’ ”

It was in Onwurah’s pre-political career that she first encountered cyber security. “Quite early in my career, as an engineer for Northern Telecom, or Nortel, we were looking at how access to telecoms switches was password-protected or not. We didn’t call it cyber security then; it was just security. The first time I encountered it as a citizen issue was ten years ago at Ofcom, when I was asked to write a report on malware.

“I went back to Ofcom’s senior board with all these tales of black hats, honeypots and viruses, and they thought I’d been playing Dungeons & Dragons. A lot of the terms I used then have changed but the actual threats and challenges, whether they’re to mobile telephony or fixed lines or desktop PCs, are still there. I remember learning about honeypots and bot networks long before these terms had any common understanding.”

Onwurah also has plenty of experience of battling to make the case for cyber security. In 2005, she says, even the Ofcom board was slow to appreciate the risk. “They were sceptical, I think, about whether we needed to invest real resource then. Ten years on, those threats are very, very real – they’re part of the daily, lived experience of everyone who’s online.”

Reluctance to address this risk, she says, persists today: “I’m still very surprised at the level of complacency. Ed Vaizey [digital minister in the Cameron government] used to talk with great pride about putting over £600m into cyber security, but that had almost all gone into the security services – MI5 and MI6 – and critical national infrastructure. It hadn’t gone to the police force, to deal with the day-to-day rising tide. And they’re totally under-resourced, so I think there’s still huge complacency.

“We’ve just seen today, and I’ve asked for an urgent question on it, that GCHQ has raised security questions about Universal Credit, and that’s one of the reasons it’s been delayed. I’ve been raising security questions about Universal Credit since about 2012, because they didn’t design security into it from the start, and you’ve got millions of vulnerable people with low digital skills, which creates a huge potential for fraud.

“I don’t want to put people off technology. I’m a tech evangelist – I think it can do amazing things for us and make our world better – but obviously it can also be used for scams, IP theft and more, and it’s a real dilemma about how we raise the profile of the threat without scaring everybody silly. But I’m coming to the conclusion that we need to scare people, because it’s not being taken seriously.”

Onwurah even has the dubious honour – increasingly common among public figures – of having been hacked. She found the experience informative: “It was a very good demonstration of the risks small businesses face. Our office is about the size of a small business. From the investigation that was done, we know that one of my staff had gone on to a perfectly legitimate website in the course of their work, where there had been an ad that had downloaded malware on to their computer. That had spread over the course of about three days on to our servers, and then the ransomware locked up our files and demanded a ransom.”

For Onwurah’s well-supported team, this wasn’t a huge problem. “We have a big department supporting us. We also had all our casework on a separate server, which meant there was no compromise of constituents’ data. Our digital services identified the virus, cleaned up our systems and restored us to the day before the virus was downloaded – we lost a couple of days’ work. But if we had been a small business, we wouldn’t have had access to that kind of support, and it could have put us out of action for a lot longer.”

What many small businesses may not realise is that their cyber security constitutes a responsibility not only to themselves, but to others. The law takes a dim view of businesses that do not protect their customers’ data.

“We have a duty of care, which is why it was so important that our constituent data wasn’t compromised, but a small business could find themselves liable in that respect. Also, small businesses are in the supply chains of large businesses. I’m really keen to emphasise to large businesses and government that protecting the big boys is all very well, but actually small businesses are part of everyone’s supply chain, as well as having access to important data. We’re only as secure as the weakest link.”

Is an institution such as the new National Cyber Security Centre (NCSC) solely for the big boys, then? “To be honest, small businesses generally don’t have the resources themselves to seek out the right sort of support,” Onwurah says.

“The NCSC is focused on the financial sector, and the financial sector is hugely important, but it clearly doesn’t see it as its role to raise the overall standard of cyber security.” So who is there to help the little people? “That’s the key question. The government put in place the Cyber Essentials programme of accreditation for small businesses but it’s had very low take-up – just over 2,100 when I last asked.” From the UK’s more than 5.4 million SMEs, that represents a take-up rate of 0.0004 per cent.

“One of the things I want to look at,” she adds, “and one I know the Institute of Chartered Accountants in England and Wales, for example, are looking at, is linking insurance to cyber skills. So you get a discount on your insurance if you’ve trained in cyber skills.”

Should small businesses have to display their cyber credentials, as restaurants display their hygiene certificates? “There is a level of cyber hygiene that we need to be promoting and enforcing,” Onwurah says, “but part of the challenge is having the skills for enforcement. That is one of the things Cyber Essentials was supposed to address, but I don’t think it has.”

She believes that cyber security is too important to be left unenforced: “Government should recognise that it has a real role to play here, that it’s not enough to say, as they have, that the market will deal with it, and that people have recourse to the small claims court if they feel that their data have been mishandled. Government should be much more proactive. It should be working with insurance companies, to look at driving the incentives by linking premiums to cyber security knowledge, and looking at kitemarks and standards.

“There isn’t cyber-security support in a box. We need to look at stimulating the small-business cyber-security market, so that there are more products and better services out there. And yes, there should be ways of making that more visible to consumers. Look at the role that the fire brigade plays in helping small businesses with their fire alarms – there are many examples where the state intervenes to ensure a level of security, because it’s in the interests of everyone, but this government hasn’t recognised that cyber security is just like that.”

Like many others, Onwurah is dissatisfied with the low level of reporting of cyber-security incidents. “One of the issues with reporting is that people often feel stupid – they don’t want to report it; it’s not good for business – so the level of reporting may not yet match the level of the issue. But now that cyber statistics have been added to the police crime statistics, we’ve seen a huge rise in reporting, and I think we’re going to see that in small businesses as well.” We should, she says, see this as a chance for Britain to become a leader in cyber security: “There’s a huge opportunity here.”

Will Dunn is the New Statesman's Special Projects Editor. 


China’s strategy to become the world’s strongest cyber power

Nigel Inkster, former operations and intelligence director of MI6, analyses China’s efforts to impose order on its vast online community.

When just over two years ago I began researching a book on China’s cyber power, mainstream western media were full of stories about China’s alleged programme of state-sponsored cyber industrial espionage directed against US and other western corporations. Following an agreement between Presidents Xi Jinping and Barack Obama in December 2015 that “neither the US nor the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage”, that story dropped out of the headlines. But the importance of China as a cyber power has not diminished and understanding China’s capabilities and objectives in the cyber domain has become a key element in understanding its global strategic objectives. It is also an important prism through which to understand China’s long struggle to achieve modernisation whilst retaining its cultural and political self-esteem.

China came out of the Cultural Revolution in a state of economic and technological backwardness that demanded urgent attention. Its new leadership was seized of the important role modern ICT would play. Although the internet did not become accessible to ordinary Chinese citizens until 1996, the subsequent take-up has been dramatic. China has over 700 million “netizens”, the majority of whom access online services through smartphones. In 2015, the total value of online sales was $581bn, making China the world’s largest digital marketplace. The Chinese government has ambitious plans to switch from an export-dominated economic model to one based on domestic consumption; and to move up the value chain to break free of a middle-income trap. A key enabler will be an Internet Plus strategy that aims to integrate the real-world and digital economies.

In pursuing this, China’s government had to confront two vulnerabilities. The first is the potential of the internet to serve as a vector for subversive influences that challenge the Communist Party’s legitimacy. The second is a high level of dependence on western – largely US – technologies and software, seen as a security threat. From the outset China’s authorities sought to control online content through a combination of firewalls to filter externally generated content, regulation of service providers and censorship; the latter becoming ever more technologically enabled but still reliant on large numbers of censors and pro-government activists who promote and defend official views on social media sites such as Weibo.  

The result has been a cat-and-mouse game in which China’s netizens have sought to bypass censorship by relying on the infinite capacity of the Chinese language to generate homonyms for terms which are banned, giving rise to a rich lexicography of online dissidence. But it is a game the authorities are winning thanks to technology dominance and the huge manpower resources devoted to an issue seen by the leadership as existential. This is not to say that the Chinese internet is characterised by an atmosphere of sterile ideological conformity; in many respects it is more vibrant and anarchic than its western equivalent and has been used to good effect by its citizenry to hold officialdom to account. But first under Hu Jintao and ever more under Xi Jinping a climate of greater political and cultural conformity has led to popular bloggers – so-called Big Vs – being shut down. And China is unapologetic about asserting an approach to the internet based on the concept of cyber sovereignty, in effect its right to determine what its citizenry can access.

Meanwhile, China is pursuing a policy of indigenous innovation to reduce dependence on western technologies. Dependence on western ICT is such that when in 2014 Microsoft announced that it would cease supporting Windows XP it subsequently had to make an exception for China, such was its reliance on that system. That dependence will take time to erode. But there is a growing number of indigenous Chinese software companies; Chinese smartphones and other devices are increasingly competitive with western equivalents; and Chinese entrepreneurs have shown considerable ingenuity in developing and marketing a range of online services. As the Chinese state seeks to impose greater order on what to date has been an anarchic and insecure Chinese cyber environment, new laws have imposed greater demands on western companies such as the provision of source code. China is seeking to leapfrog the west in key areas of ICT including artificial intelligence (AI), quantum encryption and quantum computing. And the Chinese government is facilitating the purchase by Chinese companies of western technology start-ups. In 2014, $22bn had been spent on such deals, which have significant medium-term implications for the competitiveness of advanced industrial economies including the UK, France and Germany.

The global outlook of China’s leadership is dominated by the so-called Century of Humiliation covering the period from the mid-19th century up to the founding of the People’s Republic in 1949 during which China was virtually colonised by the west. The determination not to repeat this experience has translated into a transformation of China’s defence posture from a land-based, low-tech, mass-mobilisation force to one that is increasingly based on a capacity for naval force projection with a view to securing China’s supply lines and protecting its growing range of overseas interests. Digitisation is seen as critical for China’s efforts to develop armed forces on a par with its only real comparator, the United States. This is exemplified by an ambitious reorganisation at the end of 2015 which led to the creation of a new Strategic Support Force that combines signals intelligence, electronic warfare and information warfare capabilities within a single organisation that also has responsibilities for space-based activities. After a long period of coyness PLA officers now talk openly of China developing offensive cyber capabilities albeit at a “moderate rate” and in response to the activities of states such as the US.

This posture also translates into a more assertive foreign policy, no longer merely concerned as until recently with ensuring peace and stability to permit economic development. China probably does not aspire to replace the US as, in their words, “global hegemony”. But it does wish to move from a global governance system dominated by the US and its allies to a world that is multi-polar and which respects different political and cultural systems. And to transition to a “new security concept” which while broadly respectful of international institutions like the United Nations, also subordinates customary international law to the interests of major powers. Here too the cyber domain plays a major role with China championing its vision of a global cyber governance and security order where the USA is no longer predominant. This vision enjoys some support in the developing world, not least due to the activities of national champions such as Huawei and ZTE who are building and operating core backbone IT infrastructure systems in countries that would otherwise remain on the wrong side of the digital divide.

To revert to cyber espionage, it is now clear that US threats of financial sanctions against Chinese companies deemed to have benefited from the theft of US intellectual property (IP) persuaded China’s leaders that this particular game was no longer worth the candle. The “noisy” reduplicative exploits that characterised so many cyber-attacks emanating from China are now much less in evidence. But cyber capabilities have become a major enabler of Chinese statecraft and are inter alia reducing the space within which overseas-based opponents of the regime can operate. For better or worse China is transitioning from being a large cyber power to being a strong cyber power and can be expected to play an increasingly prominent role in this space.

The west will have to get used to living in a world in which it no longer enjoys the unquestioned technology dominance to which it has long been accustomed.