Cyberspace has been a key frontier of Britain’s national security challenge for some years now. Costly and debilitating attacks from hostile state and non-state actors are at their highest-ever levels, and continue to grow in scope and sophistication.
In March 2021, four in ten businesses, plus a quarter of charities, reported having cyber security breaches or attacks in the previous 12 months, with many causing lasting damage. This malign activity brings a financial cost to the UK of some £27bn every year. And by jeopardising the increasingly digital means by which people go about their lives, it carries a heavy social price too.
As our personal and social dependence on online systems and smart technology deepens within our homes, cities, businesses and lifestyles, the imperative for a robust cyber policy becomes ever more urgent.
But despite the efforts of UK law enforcement, our intelligence and security services, plus those working in cyber resilience, ministers have left us exposed. Their failures have seen Britain fall behind the curve compared to our international partners – and, crucially, those who wish us harm.
Not enough is being done to target the organised criminals and cyber terrorists who often work transnationally to maximise their devastation. In many cases, they function like large corporations, backed by sophisticated teams of developers, coders and hackers with the latest tech. In their pursuit of maximum gain and disruption, these criminals rarely discriminate between public and private sectors – all of society stands at risk.
Nowhere is this felt more acutely than in the rising threat posed by ransomware, of which there were some 305 million incidences globally in 2020. Lindy Cameron – head of the UK’s National Cyber Security Centre (and interviewed on page 10 of this issue) – has said that this digital blackmail poses the “most immediate danger” to our country, with GCHQ disclosing that the number of these attacks on British institutions has doubled in the past year.
The government is yet to get serious about this. There was no specific strategy on tackling ransomware in the Beating Crime Plan, nor anything of substance on shutting down those who cynically employ these tactics at home and abroad.
These threats don’t just emanate from organised crime. Hostile states increasingly see cyber as a front line, a grey zone, in conflict. More than half of all cyber attacks are reported to now come from Russia. Iran and North Korea are emboldening their capabilities. Chinese state-sponsored agents attacked Microsoft earlier this year, affecting 30,000 organisations globally. And the Russian-backed SolarWinds compromise in 2020 was estimated to be the worst-ever cyber espionage attack on the US government with several departments hit.
For our foes, cyber has become a means by which to target critical infrastructure, peddle falsehoods in our democracy, and wreak havoc in our communities. This activity is becoming more overt and reckless. Yet, instead of instigating tougher responses, ministers are reticent to bolster our systems.
It beggars belief, for example, that over a year since the damning report on Russia by the Intelligence and Security Committee (ISC), ministers are yet to implement any of its recommendations. It contradicts the Integrated Review’s aim to make the UK a world-leading cyber power.
The long-delayed Online Safety Bill (explored on page 19) is also ineffective. It could see cybercriminals let off the hook. The government must swiftly address its flaws to better protect the public – for example, by introducing criminal sanctions for bosses of the “big tech” companies that do nothing to stop scammers and fraudsters freely operating on their platforms.
Together, these failings reveal this administration’s inability to take strategising, planning and the meeting of targets seriously. A 2019 report from the National Audit Office on the latest cyber security strategy – now five years old – confirmed this. It concluded that the strategy had “inadequate baselines for allocating resources, deciding on priorities or measuring progress effectively”.
The government also shows scant regard for cyber security in practice. Whether ministers are conducting official business via WhatsApp, or using personal email accounts, leaving sensitive data exposed, their failure to attend to the most basic rules of online security is telling.
Reports that ministers are set to outsource the storage and protection of classified data held by the security and intelligence agencies to Amazon raises further serious questions. For a deal with this scale of impact on national security and cost to the taxpayer, it is vital that there be proper scrutiny. We cannot trust ministers’ private assurances given their record on wasteful projects.
Keeping the country and the public safe is Labour’s top priority. This means working to strengthen our resilience in cyberspace, together with those across society who use and rely upon it.
With local authorities, the NHS, engineering firms, tech companies and schools all in the line of fire, the need for a more joined-up, whole-of-systems cyber resilience strategy is clear.
This requires input from the private sector, institutions, researchers and academia. It means improving the recruitment and retention of the UK’s best cyber specialists – a task the government is failing on.
It also means improving cultural awareness of cybercrime and the processes by which hostile cyber activity is reported, monitored and understood. This crime is prevalent, but it is seriously under-reported, with a lack of clarity on who to turn to for UK organisations. The Conservatives have let cybercrime become a cost of doing business – Labour will not.
Finally, we need to ensure our laws are fit for the challenges of today and the future. The Computer Misuse Act, which remains in use, is 30 years old. It was created before most of us could even get online. Reviewing our legislative tools against cybercriminals must be given greater priority.
As we await the next national cyber security strategy, Labour is clear that we need to get ahead of the dangers of cyber threats. If ministers cannot, they will be putting the public, and the country, further at risk.
This article originally appeared in our Spotlight policy report on cyber security. To read the full report click here.