Cyber security may not be on the minds of most people in Westminster at the moment, but just as we find ourselves at a critical juncture for our nation, important decisions must now also be made to keep our country safe in the digital age for the decades to come. We often hear strong rhetoric from the Conservative Party. In 2016, the Tories announced their shiny £1.9bn National Cyber Security Strategy; they unveiled a cyber security wing of GCHQ, and at the time they even said that “we must set ourselves the highest standards of cyber security and ensure we adhere to them… [setting] an example for others to follow.”
So, at first glance, one might think that everything is under control. But once you scratch the surface, underneath lies a government failing to provide the leadership and vision needed. Just take a moment to assess how the Tories protect themselves before we look at how they protect us. Infamously, last year at the Conservative Party’s conference, the party’s app managed to leak cabinet ministers’ mobile phone numbers.
In terms of government, in 2017, our NHS was hit by the WannaCry ransomware attack that led to 19,500 cancelled appointments, left 600 GP surgeries without their IT systems and cost the NHS £92m. Yet the government has seemingly learnt nothing. Today, it still does not know how many computers in the public sector are running Windows XP, let alone if they are updated with the latest software to protect against another cyberattack.
More broadly, the government does not monitor how many attacks hit the public sector or the cost this incurs. Last month, it was reported that of the 3,220 domain names registered under the gov.uk domain, 524 have unpatched vulnerabilities leaving our public sector bodies wide open to attack.
And in a series of answers to questions I have asked of all departments, we see starkly varying practice. The Ministry for Justice and Department for Health do not require civil servants to undertake cyber security training. Compare that to the MoD and the Ministry of Housing, where cyber security is included as part of core and updated training.
Clearly, the government has failed to get its own ship in order before it even tries to foster the cyber culture that organisations and the public need. Protecting us means leading by example, which may explain why the government’s own figures show a society unprepared for the risks we are seeing emerge.
The Cyber Security Breach Survey 2019 found that one in three businesses identified cyber breaches last year and only 31 per cent of businesses have conducted a full cyber risk assessment. This total failure to ignite a cyber security revolution in company cultures can all be traced back to the flaws in the original 2016 strategy.
This strategy is premised on the delivery of cyber security for the many, but it is delivered by only a few mega firms. As we have seen with every outsourcing scandal, the government has consistently outsourced responsibility for delivering public services and securing public wellbeing and safety, and this same attitude underpins its neglect of cyber security.
This model was never going to return the high levels of security and assurance that we need across society. We can see how flawed this approach is just from the engagement levels with businesses.
Incredibly, only 7 per cent of businesses have sought information from the government or the NCSC. This is exactly why I believe we now need to boldly reclaim the cyber security landscape for the public good. We cannot afford to wait until another WannaCry before we take decisive action.
This begins right at the top. The government needs to lead by example and provide the leadership that has been lacking up until now. Currently, responsibility for cyber security is spread across six different government departments. From my conversations with key actors across the industry it is clear that this approach is not providing the coherent, unified message they need to up their game – a clear finding of the recent Joint Committee on National Security Strategy report.
Nobody in government is seen to be drawing this all together. When some point to the minister for the Cabinet Office, David Lidington, he is taken up by Brexit negotiations and his other wide-ranging ministerial responsibilities. For a task as critical and vast as the United Kingdom’s cyber resilience, we need a strategic centre to co-ordinate across multiple departments and ensure high standards and shared practices across government as a whole.
A single minister for cyber security, with the commitment and authority to ensure our public sector is safe and to engage constructively with the private sector to bolster resilience, is a move which warrants serious consideration. A single minister might work closely with the National Cyber Security Centre but provide the authority and weight of government behind their recommendations to ensure the UK is one of the most prepared and resilient nations in the world.
Whilst we in the Labour Party are looking closely at the best ways of meeting these challenges head on, one thing is for certain: where with the Conservatives we see chaos and disorder, the next Labour government will provide the laser-like focus needed to get on top of the threat, lead by example and begin the cultural cyber shift we desperately need across society.
These proposals will form part of a wider strategy that takes the public good approach that we need to provide the skills to match the threat, to engage comprehensively with business and the general public alike, and act with decisiveness to secure our critical national infrastructure.
As we enter a new era for our digital economy, with ever more people and devices connecting to the benefits of the internet each day, we urgently need a bold cyber strategy that harnesses the full weight of society to meet the challenge and that is exactly what the next Labour government will deliver.