Lockdown measures against the coronavirus pandemic have catalysed digitalisation on a global scale. As more and more companies move their products and services online, people, in general, have begun living an increasing amount of their lives in cyberspace. But, alongside a culture where convenience is king, it is important to be mindful that with all this technology come new risks. Cyber security, once viewed as the preserve of IT departments, has been elevated not only to a boardroom issue – companies can live or die by their capacity to protect sensitive information – but it has also become a daily skill set that the average consumer, and citizen, needs to stay abreast of – particularly so if the trend of working from home continues as expected.
At a recent round-table event hosted online by the New Statesman and sponsored by BAE Systems, Royal Holloway, University of London, DXC, QA Consulting, Sophos and Fortinet, a group of policymakers, industry experts and business leaders gathered to discuss the evolution of the internet. How cyber security became central to defence strategy, digital skills and electoral integrity all featured on the agenda.
Matt Warman, the Minister for Digital Infrastructure, confirmed that cyber security represented one of the key considerations in the government’s ongoing “integrated review of defence and technology”. Warman said that any UK cyber security strategy hinged on a “whole-of-society approach”, pointing out that digital threat landscapes were extensive and included many civilian environments. Civilians, therefore, need to be “involved” in the process to create a “cyber-resilient digital economy that enhances public security”.
While Warman was keen for “all UK citizens to have some knowledge” of cyber security, he still noted the need for dedicated and specialist professionals. In this regard, he said, there is a “skills gap” that needs addressing. Warman said that the government was keen to work with industry and academic partners to make sure the UK could rely on a cyber security workforce “that is diverse in its constitution and sustainably supplied into the future”.
He added: “There are 10,000 more professionals needed annually to meet the existing needs we have. We know that the workforce is not sufficiently diverse. It will need to be more innovative, more inclusive and more inspiring [in order to attract new talent].” Diversifying the cyber workforce, Warman insisted, was not a “box-ticking exercise”, but rather a “virtuous circle” that could create many long-term employment opportunities and also help to keep society safer online.
According to DXC’s security president Mark Hughes, the Covid-19 crisis has “exposed” many businesses whose digital capabilities were not up to scratch. Reliance on “very legacy IT, which is sometimes many decades old” has made these companies more susceptible to cyber attacks and, he explained, easier targets for hackers looking to exploit the pandemic for their own gain.
Sadie Creese, a professor of cyber security and computer science at the University of Oxford, said that attacks on supply chains and public services had highlighted the modern world’s “dependency” on technology. She predicted that organised crime is increasingly likely to target cyberspace because that’s where the “main revenue streams are”, and said that halting systems or processes that affect large numbers of people was an effective way of holding attention. “We’ve seen a little glimmer of the systemic cyber risks we’re going to face,” she said. “But I don’t believe that all of the technical solutions are ready. It’s going to get worse and we need to prepare.”
Non-traditional “technical” sectors, Creese said, “still relied on technology, like everything does these days.” As such, she called on business leaders to show strong leadership, to recognise that this was the case, and to invest in cyber defences appropriately. “There needs to be a focus on how we can make more organisations become cyber-aware, so that they can invest, scrutinise, prepare and lead in the face of this threat, because I think it’s just going to get worse… If we can set the tone right from the top, then we have a chance of following through with the right levels of investment.”
Saj Huq, the cyber innovation lead at Plexal, agreed that too many firms had failed to modernise at the pace required to cope with the new normal. As many are reticent about the expense of investing in cyber security, Huq suggested that “more needs to be done to incentivise organisations to move away from outdated tech… Perhaps this is something the government can consider in terms of [business] rates or schemes. You have to show them that it is going to be worthwhile.”
And Victoria Knight, strategic campaigns director at BAE Systems, built on that point, arguing that there needed to be a “balance” in the “narrative” around cyber security. There is too much fearmongering around the cyber conversation, she said. “When you’re talking to boards, you’ve got to think about the language you’re using around how to address this issue. They’re more likely to respond if you tell them how an effective cyber strategy can help make them more profitable.” Similarly, Knight noted, talking about the cyber industry’s potential to achieve positive things would make it “more attractive and inspiring” to prospective employees.
Poor cyber hygiene, Hughes said, was at the root of most cyber attacks. “You know, every attack that I see seems to involve some form of [compromised] credential, some form of ingress… There’s always some sort of vulnerable point in the services that organisations have. It probably wasn’t even known about, but once it’s been exploited, we see credential harvesting.” Hughes said that in addition to regular audits of an organisation’s cyber capabilities and systems, there was a responsibility to “bake in” cyber awareness across the whole company, “that’s everyone who uses a computer, not just the ones in IT.”
Paul Anderson, regional director for the UK and Ireland at Fortinet, went even further. He suggested that such was cyber security’s growing pertinence in society that it should be introduced as a school subject, with as much importance as English or Maths. “For me, I don’t understand why it isn’t part of the core curriculum,” he said. “Our children live almost entirely online. There might be [at the moment] one talk [relating to cyber skills] every year. That’s not good enough. If we are telling our kids how to identify people who might look suspicious when they’re out, why aren’t we doing the same thing from a digital perspective?”
Ultimately, the participants of the round table agreed, cyber security could no longer afford to be viewed as a problem for tomorrow. The Covid-19 crisis accelerated technological prevalence at an unprecedented scale. Any business or government organisation worth its salt must modernise or risk irrecoverable damage to its revenue streams or reputation. As Knight noted, there is a “real threat to our values, in terms of what we stand for as a democracy, [and] in terms of interference in things like elections.” Cyber security is “fundamental”, she said, “in defending our values and our economy.”