Cyber & Information Security has gained prominence in recent years, with increased media coverage and growing airtime in the boardroom as well as the corridors of power. It is a rich and developed field, and we were interested in learning more about its development in the UK. In anticipation of this year’s Cyber Security Summit and Expo, we sat down to interview summit chair, and all-round cyber expert, Mike StJohn-Green to hear his thoughts on the evolution of information security.
Cyber Insider: As someone who has been at the forefront of the UK’s information security community for many years, could you tell us what have been the key driving factors in how we understand cyber security?
Mike: I first became involved in information security in government in the 1980s, when words like Comsec (communications security) and Compusec (computer security) were in vogue. I saw at close hand the development of what today we call cyber security. I think the big changes started with the arrival of personal computers and IP networks to join them together, during the 1980s and 90s. A honeymoon period followed in which the world has enjoyed the benefits and built the virtual world of cyberspace, but the world didn’t anticipate the true extent of the risks.
By 2008, the Cabinet Office and GCHQ had become concerned and we produced the UK’s first national cybersecurity strategy in 2009, which focused on building sufficient capacity across government to just understand this issue! That strategy was replaced in 2011 and again in 2016. The UK government remains a world leader – yet the malicious actors have been setting too much of the cybersecurity agenda. In my view, the risks continue to accelerate faster than our ability to manage them and I welcome the creation of the NCSC as a robust response by the UK government.
Cyber Insider: Mike, you have an impressive list of roles within many of the UK’s most prestigious institutions in Cyber Security, including GCHQ, CESG and the Cabinet Office. Could you tell us how government priorities have shifted and where they will focus in the future?
Mike: The world continues to roll out this networked digital technology to every conceivable corner of our lives and at an unparalleled pace – machine-learning, IoT, autonomous devices are arriving. We are utterly reliant on a complex cyberspace that was not built to be resilient to malicious activity.
Cybersecurity has moved from a focus on preventing bad things from happening to accepting that breaches are inevitable and dealing with the response and recovery of those systems, to minimise harm. The next step is for cybersecurity to have those systems we rely upon designed better in the first place, so that they are more intrinsically resilient to malicious activity and are not brittle.
Looking to the future, in my view, this means that cyber security must become a mainstream activity for all engineers, alongside safety, reliability, maintainability and other good engineering practices. I see the key to this change lies with a combination of market forces (e.g. company reputation), legal liability and government regulation through standards (e.g. for professional staff and throughout the supply chain).
Cyber Insider: As well as having worked for government, you have also led cyber security strategy with major economic players in the City of London and Europe. Could you tell us a bit about how the threats facing organisations have evolved, and how the mindset of business leaders has evolved in kind?
Mike: This topic has moved inexorably up the management chain as the use of networked digital technologies has become more embedded in corporate life. However, recognition in many organisations still lags dangerously behind the reality of its utter reliance on cyberspace and consequent exposure to new risks. The level, tempo and aggressiveness of malicious activity has further accelerated away from the ability of some organisations to cope.
This year, GDPR and the NIS Directive are focussing minds on the regulatory consequences of poor performance, but it is too easy for organisations to overlook the need to manage non-regulatory consequences. How does an organisation mount a proportionate response to vulnerabilities and malicious actors who are by their very nature hidden from view?
Here is the issue: do we all need to be experts in cybersecurity as well as in our day-to-day business in order to fully understand the complex risks? Or do we need to simply follow a set of rules provided by governments or international standards bodies? Neither extreme appeals to me and I think there is a middle ground, with some companies being experts and others (e.g. SMEs) following rules. However, I don’t see this narrative being explained very well so far.
Cyber Insider: Media focus on cyber security often centres around the loss of customer data, highlighted by the recent Equifax hack. Do you believe that the reputational damage is high enough for companies who betray customers’ trust and are organisations well equipped enough to mitigate this risk?
Mike: I think the consequences are severe enough already. Because many businesses do not have an accurate assessment of the risk they are facing – nor the means to generate that assessment – they focus on their core activities and neglect cybersecurity. Many SMEs just don’t have the headspace. Other issues include false confidence arising from partial solutions sold by vendors as complete solutions and some advice – in my view – being plain wrong.
Cyber Insider: Beyond the economic and reputational damage incurred by attacks, there is also the very real and terrifying physical and often life-threatening damage caused by attacks on power grids, global transport (on which food security depends) and now, with IoT, personal transport and even such vital medical technology as pacemakers. As technology is often a global march of progress, what activity is being undertaken on the international stage to ensure net-cyber security?
Mike: You are quite right. Data loss is one thing. Cyber-physical systems going mad is quite another.
This question about international cooperation can be answered at two levels. First, engineers in various sectors are collaborating to create protocols and standards by which IoT devices will interact. It remains a concern whether security has sufficient prominence, because the market rewards those who deliver the first product with the new functionality that customers crave. Security features can be costly and time-consuming. This comes back to market, liability and regulation, but the magic balance that maintains technological progress is notoriously hard to get right.
Second, at a global level, agreement on how networked digital technology – cyberspace, the internet – operates will depend on agreement by key governments on what constitutes acceptable behaviour. This in turn depends on agreeing what is acceptable according to the different cultures around the world, what constitutes illegal activity, what constitutes evidence of criminal activity, etc. So far, norms of behaviour with any substance, that are agreeable to all, have been elusive.
You can see Mike StJohn-Green on the main summit stage at the upcoming Cyber Security Summit and Expo on November 16th at the Business Design Centre. Check out the summit agenda here.