Market dynamics: stimulating cyber supply and demand Richard Bach Assistant Director Cyber Security


Page 1

Market dynamics:

stimulating cyber supply and demand

Richard Bach

Assistant Director Cyber Security

Page 2

Why does HMG care about Cyber Security?

• A Tier One threat to the UK’s national security – and growth

Page 3

The National Cyber Security Strategy and Programme

• Strategy launched in 2011

• “Programme” – NCSP – to support the strategy

– Duration: five years

– Originally £650m

• MoD, BIS, GCHQ, Home Office, FCO…

– Raised to £860m

– Now in its final year: what next?

Page 4

UK Cyber Security Strategy

Our vision

Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.

Our objectives

Objective 1: The UK to tackle cyber crime and be one of the most secure places in the world to do business in cyberspace

Objective 2: The UK to be more resilient to cyber attacks and better able to protect our interests in cyberspace

Objective 3: The UK to have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies

Objective 4: The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives

Page 5

The UK Cyber Security Strategy in words

Page 6

Cyber security as a partnership

• The Government role

– Leadership

• Defining what good security looks like

– Bringing clarity to a confusing and complex landscape (of guidance,

standards, practices…)

• The industry role

– Insight

– Commercial understanding

– Scale

Page 7

Partnership in practice

• Set the direction (mostly Government)

– Cyber Security Strategy

• Build the proposition (Government and industry)

– Standards

– Guidance

– Assured services (assurance = confidence)

• Drive adoption (Government and industry)

– Supply and demand

– Domestic market and exports

– The biggest challenge

Page 8

BIS – partner examples (CS&R)

• Academia and skills

– Oxford Global Capacity Building Centre

– Institution of Engineering and Technology

– Imperial College London

– Warwick University

– Kings College London

– Royal Holloway

– Cyber Security Challenge

• Industry individuals

– CEOs

– CISOs

– Consultants and auditors

• Professional Bodies

– Law Society

– IIA

– ICAEW

– ICAS

– CIPS

– CIPD

– ICSA

• Trade associations

– FSB

– CBI

– The IRM

– BBA

• Regulators

– Bank of England

– Ofcom

• ICT and Cyber Security Bodies

– TechUK

– ISF

– CREST

– IASME

• Law firms

• Insurers

• Cyber Security Firms

• Think Tanks

– IISS

– RUSI

• International partners

• Others, and arms-length bodies

– BSI

– UKAS

– InnovateUK

– MOPAC

– BCC

Page 9

Partners: the national cyber landscape

https://www.cesg.gov.uk/publications/Documents/uk_ia_community.pdf

Page 10

Supply and demand

• No single answer; what, how

• Cyber Growth Partnership

– Ministerial lead

– Members: large and small businesses

– Focus: strong domestic market; exports

• Informal: TechUK; ADS

• Badging suppliers to Government

– HMG badge

• “Ask Dave”

• Government procurement

– Template for industry

• Insurance as a “lever”

• Promotion

• Incentives

– Innovation Vouchers

– Tax incentives?

• Removing barriers

– Cohesion

• Privacy (data protection) and cyber security

• Government partnership with Information Commissioner’s Office (ICO – UK data protection registrar and regulator)

• Bring clarity to confusing and complex landscape

– What does “good” look like?

– Cyber Essentials

Page 11

Incentives – Innovation Vouchers

• Administered by Innovate UK

• £5,000 to help with cyber security solutions

• https://vouchers.innovateuk.org/cyber-security

Page 12

Incident response

• Cyber Incident Response (CIR) companies

– A small number

– Licensed by CESG

– Respond to high-end incidents, e.g. advanced threats against Critical National Infrastructure (CNI)

– Assured service (assurance = confidence)

• Cyber Incident Response Scheme (CIRS)

– Operated by CREST

– CREST licensed by CESG

– CIRS companies (many)

• badged by CREST

• Respond to cyber incidents

Page 13

Skills and education

• Cyber security: a long-term and constant activity

• Skills

– Equipping industry and government for the future

– Definition

– Guidance

• Education

– Massive Open Online Course (MOOC)

• Developed with the Open University

• Free

– Training programme for professional services

Page 14

Cyber Security Information Sharing Partnership (CISP)

• A CERT-UK platform

• Voluntary Sharing

• Regional Nodes / SMEs

• Build/gain trust; be active!

Page 15

Caveat emptor: Snake Oil

Page 16

Cyber Security standards

• What does good cyber security look like?

• Have I got the basics in place?

• How can I demonstrate my cyber credentials to customers and suppliers?

• Mandated in Government procurement (supply chain).

– Leading companies adopting, e.g. Barclays Bank, National Grid, HP (UK)

Page 17

The threat

Nature

• complex, global and constantly changing

• perpetrated remotely

• difficult to trace

• significant impact in the longer term

Threat actors in Cyber Space

• hacktivists – to cause disruption

• criminals – financial impact

• states – conducting cyber espionage or disruptive attacks

• terrorists – physical attacks remain priority

Page 18

Threat evolution

(Chart. Notes: illustrative only; based on multiple sources, including Symantec and MIT.)

Barriers to entry have reduced but actor sophistication has increased

Vertical axis: Threat volume. Horizontal axis: 1970s, 1980s, 1990s, 2000s, 2010s.

Plotted developments: Phone hacking – “phreaking”; Computer clubs hacking; State on state?; Crime; Hacktivism; Serious crime; State (industrial)

Trend lines: Required actor sophistication; Sophistication and availability of tools

Page 19

Who should it be protected from?

• Nation State – Everything else plus have the resources to introduce features or vulnerabilities they can later exploit.

• Organised Crime – Physical element, massive scale, blackmail, bribery, forgery, etc.

• Skilled Professional Hacker – Develops bespoke exploits, finds new software bugs, exploits obscure features.

• Amateur Hacker, Journalist – Exploits known software bugs, weak passwords and published ‘features’. Uses commodity hacking tools.

• Anyone – Opportunistic: computers left unlocked, passwords on post-its, easy passwords, etc.

Page 20

Cyber Essentials Scheme

• What it is:

– A set of technical controls to achieve basic protection from Internet-borne commodity threats

– Aimed at enterprise IT

– The start of a journey; organisations should also consider other activities

– see Government’s 10 Steps to Cyber Security for examples

– Based on government analysis of adversary cyber attacks

• What it isn’t:

– A cyber security “silver bullet”

– Aimed at operational systems, e.g. control systems, payment systems

Page 21

Cyber Essentials Scheme

• What:

– Requirements document. Comprises five control themes:

• Firewalls; Secure configuration; User access control; Malware protection; Patch management

• Risks: implicit assumptions of threats and vulnerabilities

– Assurance Framework, defining two assurance tiers:

• Cyber Essentials: verified self-assessment

• Cyber Essentials PLUS: independently tested

– Tests whether the controls implemented are sufficient to defeat common Internet-based attacks

• Who:

– Developed in collaboration with industry: IA for Small and Medium Enterprise (IASME); Information Security Forum (ISF); British Standards Institution (BSI)

– Endorsed by Government

– Principles applicable to all; design aim: accessible for SMEs

Page 22

CES – Government and industry in partnership

Timeline (Industry and Government strands):

– National Cyber Security Strategy (2011)

– Policy and Analysis (2012 - 2013)

– Industry-led Review (2013)

– Call for Evidence (2013)

– Present findings (late 2013)

– Drafting Group (2013 - 2014)

– Devise Scheme (2014)

– Launch/promote (2014 - )

– Adopt

Page 23

Cyber Essentials in Government procurement

• Why?

– Reduce cyber risk in Government supply chains

– Leadership by Government

• Guidance

– Published as a Procurement Policy Note

• https://www.gov.uk/government/publications/procurement-policy-note-0914-cyber-essentials-scheme-certification

– Includes use cases

– Transparency: same guidance used by Government procurement staff

• Scope

– Which contracts:

• where sensitive information is handled;

• provision of certain ICT products/services

– Proportionate; reasonable expectation

• When

– In tenders advertised from 1 October 2014

Page 24

CYBER ESSENTIALS

Facilitating a step change in cyber security behaviours in the UK

Page 25

(Graphic: privacy / security)

Page 26

What needs protecting

Names; Addresses; Dates of birth; Shopping patterns; Intellectual property; Documents; Credit card details; Music; Videos; Telephone calls; Presentations; TV; Customer records; Bank account details; Spreadsheets; Databases; Games; Medical record; Facebook profile; Social network activity

Page 27

Privacy - data protection in the UK

• UK Data Protection Act (1998)

– http://www.legislation.gov.uk/ukpga/1998/29/contents

– Implementation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

• Regulated by the Information Commissioner’s Office (ICO)

– www.ico.org.uk

– Guidance

• Guide to Data Protection https://ico.org.uk/for-organisations/guide-to-data-protection/

• Supported by Practical Guide to IT Security https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf

Page 28

ICO Guide to Data Protection | 10 Steps/Cyber Essentials

ICO Guide to Data Protection:

– Principle 1 – fair and lawful

– Principle 2 – purposes

– Principle 3 – adequacy

– Principle 4 – accuracy

– Principle 5 – retention

– Principle 6 – rights

– Principle 7 – security

– Principle 8 – international

10 Steps/Cyber Essentials:

– Information Risk Management Regime

– Secure configuration

– Network security

– Managing user privileges

– User education and awareness

– Incident management

– Malware prevention

– Monitoring

– Removable media controls

– Home and mobile working

Page 29

Principle 7 - IT Security Guide | 10 Steps/Cyber Essentials

IT Security Guide (Principle 7):

– The first step: assess the risk to your business

– Use a layered approach to security

– Physical security

– Anti-virus and anti-malware

– Intrusion defence

– Access controls

– Employee awareness and training

– Segmentation

– Policies

– Device hardening

– Keep you and your systems up to date

10 Steps/Cyber Essentials:

– Information Risk Management Regime

– Secure configuration

– Network security

– Managing user privileges

– Incident management

– Malware prevention

– Monitoring

– Removable media controls

– Home and mobile working

– User education and awareness

Page 30

What next? The Industrial Strategy

• Long term

– Stability → confidence → investment → growth

• Partnership with business

• Cross-party support

• The strategy

– Sectors

– Access to finance

– Skills

– Procurement

– Technologies

• Sectors

– Life Sciences

– Aerospace Growth Partnership

– Nuclear Industry Council

– Oil and Gas Industry Council

– Offshore wind

– Information Economy Council

– International Education Council

– Agritech

– Construction – Leadership Council (CIC)

– Professional and Business Services Council

– Automotive Council

– Creative Industries Council

– Industrial Strategy Council

– The Electronic Systems Council

– Chemistry Growth Partnership

– Rail Supply Group

– Defence

Page 31

Cyber Essentials Common Cyber At… European initiativ… UK Data Protectio…

Page 32

FTSE350 Health Check

• Partnership with audit companies (PwC, Deloitte, KPMG, EY)

• Questionnaire-based survey

– biggest 350 companies registered on the FTSE

– chairs and audit chairs
