Putting up cash rather than sound-bite platitudes, the UK Home Secretary Amber Rudd gave a speech and series of announcements at the NCSC CYBER UK Conference in Manchester today that really seemed to say that the Government has truly responded to WannaCry and taken Cyber Security on board as potentially the biggest threat facing the country.
She told delegates: “Chairing the first ever cyber-COBR after the incident [WannaCry] really brought home to me how damaging attacks like these can be and how important cybersecurity is.” She added, “Over the past six months, the NCSC has responded to 49 incidents associated with Russian cyber-groups, some of which have hundreds of potential victims. Russian actors have systematically targeted the UK amongst others, expanding the number of sectors targeted, in addition to the energy, telecoms and media sectors that the Prime Minister highlighted last November.”
Over £50 million investment was pledged for the UK's cyber-defensive capabilities within law enforcement at a national, regional and local level.
This will include £9 million to fund law enforcement efforts to tackle illegal activities on the dark web, including selling of firearms, drugs, malware and people. “The funding will help to build on the ongoing investigative work of the National Crime Agency's Dark Web Intelligence Unit and the security and intelligence agencies, to disrupt and bring to justice those who use the dark web as a marketplace to trade illegal goods and services, including drugs, firearms and malware,” commented the Home Secretary. A new national training programme will be developed for police and the wider criminal justice system, sponsored by the National Police Chiefs Council.
In an email to SC Media UK, Ross Rustici, senior director, intelligence services, Cybereason, commented: “Black markets on the dark web are less of a hydra problem than one might expect. Fundamentally, the market places have to operate on a basis of trust. If criminals don't believe that they are anonymous while conducting the illegal activity they are unlikely to conduct it in that forum. The take down of Alpha Bay shook this trust quite a lot. If Interpol/Europol can take down a few more of the major markets, the ones that replace them will be less robust and trafficked. This doesn't solve the problem, but it increases the cost of conducting the illegal activity which will hopefully serve as another deterrent.”
Matt Walmsley, EMEA director at Vectra, added in an email to SC Media UK: “Talking of cleaning up the dark web is more political rhetoric rather than practical reality. If the Government seeks to impose UK access controls to the dark web, then aside from technical workarounds for the more online savvy, we're going to be reopening the net-neutrality debate.”
Rudd also announced that there will be £5 million spent over the next year on local and regional policing which will in part help to set up dedicated cyber-crime units in every police force in England and Wales. (Currently only 30 percent of local police forces have a cyber capability that reaches the minimum standard.) However, Walmsley observed: “Giving police additional resources to investigate and bring cybercriminals to justice is a laudable goal, but £5 million alone, allocated for the regional local level support, isn't going to scratch the surface. Even if you get over the significant barriers of accurate attribution of the cyber-crime, it's more than likely the suspects will be outside of UK legal reach, and so challenging to bring to justice.”
There will also be money for the National Crime Agency to support their work going after sophisticated cyber-criminals and the prevention of cybercrime in the first place.
Some £3 million will go to CyberAware, a nationwide campaign to educate the public and businesses with the latest advice on how to take simple steps to protect against cybercrime. There will be more money to support victims of cyber-crime, improving the information they have on how their crime is progressing and being dealt with.
It was also announced that the UK will be running the first live national cyber-crime exercise to test the response of security and intelligence agencies, police and first responders, in the event of a large scale cyber incident.
Rudd mentioned that GCHQ is shortly to open a new facility in Manchester which will include partnerships with Manchester's tech and academic communities, and noted that these investments are in addition to yesterday's announcement of the launch of a new world-first £13.5 million Cyber Innovation Centre in London.
She also observed how nearly seven in 10 large businesses have been affected by cyber-crime, with an average cost of £20,000 per business, while one in ten of us have been the victims of cyber-crime personally, making us 20 times more likely to be a victim of crime online than offline.
The government strategy “...includes calling out those states and publicly attributing their actions where we believe it is in the best interests of the UK to do so,” said Rudd, highlighting the activities of hostile states including Russia for meddling in elections and unleashing the destructive NotPetya cyber-attack of June 2017, and the North Korean Lazarus Group for the WannaCry ransomware campaign.
Technical advice in the form of the Small Business Guide and Cyber Essentials and the 10 Steps to cybersecurity was commended, personal cybersecurity called for, and businesses making internet-connected products were told that cyber-security should be factored into the design.
Walmsley concluded, “Investments in further bolstering the UK's own cyber-defences are extremely welcome though. Protection of critical national infrastructure and having the NCSC's oversight and support to UK businesses and public sectors for significant cyber issues is good news. However, ultimately UK organisations can't rely on legislation, policing, or the government to minimise their cyber risk, instead they need to take direct ownership.
“Cybercriminals are increasingly well resourced, innovative and highly motivated, and online attacks are becoming easier to execute. It's tough for UK organisations as they have limited time, and finite human and technical resources and capabilities with which to protect themselves. Organisations therefore need to realise that breaches are a case of when not if. That's why we need to adopt a “we're already compromised” mind-set.”