“Whistle-blower or traitor?” is hardly a standard question at most post-conference drinks events but then few of the delegates are as equipped to answer as the attendees of Sinet’s Global Cybersecurity Innovation Summit.
Sinet’s inaugural international conference, held in the British Museum in London, UK, rather than in the US, covered many of the implications of how people, companies and governments can protect themselves from the downsides of exponential changes in information technology. It also looked at how these same issues can create opportunities to offer cyber-security through collaborations between all three groups and the startups that bring innovative ideas.
As Gerald Brady, head of UK relationship banking at financial services provider Silicon Valley Bank, said, cyber-security was increasing revenues by 8% per year, versus 4% per year for the IT sector generally, and would be an $80bn market next year.
Vince Cable, secretary of state for the UK’s Ministry for Business Innovation and Skills, said the UK had committed £860m ($1.2bn) to cyber-security over five years but wanted the country to earn £2bn from exports of cyber-security technology and services by 2016 after recording 22% growth last year. Robert Rodriguez, chairman and founder of Sinet, said there had been 60 acquisitions of cyber-security startups in the first half of the year and said the returns for venture capitalists from their investments in the space had been good.
The driver of this growth is that the threats are increasing even faster.
Suleyman Anil, head of cyber defence in the emerging security challenges division of the North Atlantic Treaty Organisation (Nato), said it had seen a seven-fold increase in cyber-attacks over the past two to three years due to three broad reasons.
There had been an increase in the number of attackers: non-state actors finding cyber-crime both lucrative and low-risk, and state actors conducting offensive operations. (Off-stage, technology company Norse showed off an arresting graphic showing the location and target of these cyber-attacks, based on its five million sensors recording internet protocol addresses.)
Anil said the second reason for attacks increasing was that the chances to carry them out had become more prevalent. He said: “There will be 25 billion devices connected to the internet by 2015; 500 per house.”
The third reason was the opportunity for cyber-attacks to develop asymmetric forms of political or economic warfare.
He said it was asymmetric because the attackers could be relatively few and the attacks low-cost to conduct, yet they could cause the same impact as a physical attack.
Heli Tiirmaa-Klaar, cyber-security policy adviser of the European External Action Service, which is the foreign office of the European Commission, said such cyber-attacks were now part of “hybrid” warfare alongside kinetic, or physical, fighting.
She noted that her experience as a minister in Estonia, having to put in place cyber-security measures following Russia’s denial of service operations against the country in 2007, had been followed by operations against Georgia and then Ukraine. The cyber campaign to shape public opinion was part of the warfare, she added.
But the fact that the attacks and information campaigns can affect any and all parts of society is bringing these constituencies together – see box below. Bob Dudley, CEO of oil major BP, said it worked with government as a result. He said: “Cyber unites. Government does not control the key assets [to respond] as it would in a physical or terrorist attack.”
The energy sector had been a prominent target, Dudley said, as it made up 10% of the global gross domestic product and also underpinned the other 90%. He added that while uncertainty was a fact of life, the response could be certain, and he held out hope that cyber-security processes could be simplified under a framework of the right governance, developing capabilities to respond, changing behavior to reduce vulnerabilities among BP’s 80,000 staff, and preparedness under different scenarios.
He said BP carried out “ethical phishing” to identify people likely to be fooled by malicious emails or calls and had improved the way people could report such attempts to cause damage. In addition, BP now compartmentalised information so joint venture partners, such as China’s state oil company, or contractors could gain only limited access.
In turn, the UK and other countries have been pushing national cyber-security initiatives. Ian Caplan, acting deputy director of serious and organised crime’s pursue team at the UK Home Office’s strategic centre for organised crime, said police were embedding technology into the way they tackled any crime. Caplan said it “pursued” criminals by gathering evidence, wanted to “prevent” others joining them in their activities, “protect” people and institutions and help them “prepare” to mitigate the effects of cyber-attacks.
However, to fully tackle cyber-security – what Caplan called the Home Office’s most important issue – required combining the cyber world with legislative changes, such as making clear the beneficial owners of companies and limited liability partnerships, as well as partnering with other countries on what is a global issue.
Sir Iain Lobban, director of the UK’s Government Communications Headquarters (GCHQ), noted the partnership with the US Federal Bureau of Investigation (FBI) that had helped gain prosecutions from the Lulzsec network.
The speed of technology change makes the challenge of security an issue. Michael Trevett, senior information risk owner at the UK government’s Cabinet Office, in a networking lunch on risk management in a world of fast-paced technological change, posed a series of questions about how organisations could cope with the speed of change. If technology improves so rapidly, identifying what is important and protecting that rather than everything might be helpful, he said. Additionally, understanding what the threats were was important, Trevett added. However, Trevett said the potential “cliff” coming to society of improvements to artificial intelligence (AI) through machine learning and quantum computing could lead to a “ghost in the machine”. This scenario – sometimes called the singularity – was a challenge those in research were also tackling, he noted.
Other government officials were more critical of the lack of regulatory attention being paid to the risks of so much innovation, so rapidly. One said on the sidelines of the event: “Technology is moving too fast and policymaking is at the lowest common denominator. AI is not thought of as an issue.”
Given that the standard innovator’s guiding principle has historically been “ask for forgiveness rather than permission”, it could be that people will regret governments feeling they are unable to get ahead of the technology curve to regulate more.
But the penalty for misjudging the regulators could be steep.
Sir Iain Lobban, out-going director of GCHQ, said the UK would have been harder on Edward Snowden, who revealed some US surveillance measures last year, as effectively a traitor if he had been a Briton revealing state cyber-security measures.
Box: Severn valley’s cyber-security cluster
There are a few global regions where cyber-security experts cluster, including around Washington DC in Virginia and Maryland, as well as on the west coast around San Francisco, Israel, around Beijing in China and in the west of the UK between Malvern and Newport.
This latter region, named after the river Severn flowing along the way, is perhaps the most nascent and formed a main example at the Sinet Global Cybersecurity Innovation Summit’s panel on cluster models.
Emma Philpott, managing director of services company Key IQ and founder of the Malvern Cyber Security Cluster, said she had moved to Malvern three years earlier from Singapore and had been struck that everyone she met seemed to work in cyber-security but did not know each other. As a result, she set up an informal networking meeting once per month and more than 50 companies in the area now attend as well as the technology showcase (on 2 October).
Andy Williams, head of Cyber Connect UK, said the role of government had been indirectly important, as the UK’s Qinetiq defence research laboratory and Government Communications Headquarters (GCHQ) were in the area, and the privatization of Qinetiq had seen a number of people leave to set up their own small businesses.
Into this mix, Philpott arrived and brought her experience of how the Singaporean government had tried to develop its clusters.
With Williams, she has been developing a national network, often around universities, such as Lancaster and Liverpool John Moores, with specialist departments. Stephen Robinson, founder of Xyone Cyber Security and leading the north-west cluster around Lancaster, said academia had been very important to its cluster through winning research grants. Robinson said bringing together a cluster helped firms collaborate to win contracts and develop people’s skills to work on them. And while these contracts could come from the private sector, the role of government procurement was important, people said, and still needed work. One bemoaned the lengthy paperwork involved in government taking on a contractor.
But given the sensitivity of the work most said some requirements were necessary. And Sir Iain Lobban, out-going director of GCHQ, said over the past three decades he had developed five propositions to help build the relationships between private and public sector.
Tell the truth – that the products do what vendors claim;
No more sell and forget;
It is a front rather than back office system – individuals are at risk;
It is not a government or individual that leads – it is about collaboration;
And hands-off – no poaching but work together on developing the skills for the next five to 10 years.