The UK has done a good job over the years in the fight against cyber-crime even as there remains more to do, said the former director of MI5 in a speech today.
Lord Jonathan Evans was speaking to an audience of information assurance and cyber-security professionals at EuroCACS 2015 in Copenhagen today. His 33-year career as an intelligence officer spanned the end of the Cold War and the beginning of the cyber-age. In 2007, he warned business leaders that the Chinese were engaged in cyber-espionage.
After retiring as director of MI5 in 2013, Lord Evans became a director of HSBC where he takes a special interest in cyber-security.
He told the audience that in the cyber-age, it was still necessary to secure the bank against armed attack. “As a bank director I'm aware that there are still physical bank robberies, but that's a really stupid way to get money out of a bank and the main daily threat we find is the cyber-threat,” he said.
Meanwhile, espionage has followed suit and moved online because it's cheaper, less risky and the amount of information that can be lifted is significantly greater.
While he is carefully not to discount the threat of cyber-terrorism, he noted that for all the planning and worrying about it, “cyber-terrorism is a dog that hasn't barked yet”.
In an exclusive interview with SCMagazineUK.com prior to delivering his speech, Lord Evans said that the government has rightly recognised cyber-attacks as one of the greatest security threats facing the country today, on a par with terrorism. “The reason for that is that it is very widespread,” he said. “It's not a narrow and specific thing – it's a whole series of threats.”
On the whole, he thinks that commercial organisations and government are rising to the challenge, and he does not share the concerns expressed by the director of GCHQ about the state of the cyber-security industry.
GCHQ director Robert Hannigan said in a speech yesterday to the IA15 conference in London that standards in cyber-security are not high enough and that the global market for security is not developing as it needs to. “Demand is patchy and it is not yet generating supply. That much is clear,” he said.
Lord Evans said he isn't as worried as Hannigan about this issue. “I think that there is a push on the insurance side but I think that what's on Robert's mind is that it's patchy,” he said. “If you look at some of the regulated industries – the banking industry for example and finance industry in general – the regulators are taking an interest in this, so we have CBEST testing taking place under the auspices of the Bank of England and the PRA [Prudential Regulation Authority], so there is regulatory pressure there.”
He said it's likely that there will be a shift in the extent to which companies are held to account for security flaws in their software. “There are different views as to whether there should be higher levels of liability or whether we are better off not doing that,” he said. “The issues are complex because if you go for very high levels of liability then that incentivises companies not to be open about problems they've had. If you require people who produce software to be liable for any weaknesses in the coding you give them an incentive to get it better but on the other hand you may deter creative innovation and development.”