Following the recent resignation of Sir Michael Fallon from the Cabinet, the choice of Chief Whip Gavin Williamson as the new Defence Secretary surprised many insiders. While he's relatively new to Parliament, Williamson's reputation as an astute political operator is already well documented. Yet the somewhat unexpected appointment has led to questions around his policy priorities in the cybersphere.
Williamson joins the Cabinet at a critical time for cyber-security in the UK. Despite policy successes over the last few years, the threat facing British businesses and institutions has never been greater. Only by leading from the front, and setting an example for others to follow, will the Defence Secretary build the culture of resilience needed to make the UK the “safest place in the world to be online.”
Our social lives and our economy are underpinned by digital webs spanning the country. The world's most creative businesses house sensitive corporate information and our personal data on UK-based networks. Connected technology is bringing us unparalleled prosperity but is also making us vulnerable and open to cyber-attacks.
Despite record defence spending in the private sector last year, and £1.9 billion of government investment, we've seen countless breaches in the last 12 months. Dedicated nation-state attackers and unsophisticated bedroom criminals alike have successfully breached some of the UK's largest organisations, taking advantage of inadequate defences, a lack of basic skills, and a sometimes wilful ignorance of the threat. The cybersphere is an enormous contested theatre. Governments alone cannot protect us. Everyone must take some responsibility for data protection and network security.
Without adequate defences the dangers are clear, including damage to critical national infrastructure, theft of valuable intellectual property, and loss of faith in our democratic institutions.
These aren't hypothetical situations. Earlier this year, the WannaCry attack crippled parts of the NHS, cancelling thousands of operations and closing A&E departments. In the summer, a brute-force attack was waged against email accounts at the Houses of Parliament - including the Prime Minister's. Only last month, US Senator Angus King suggested foreign cyber-agents had “set up shop” in Scotland, aiming to destabilise the country ahead of any future independence referendum.
The spread of ministerial responsibility for cyber-security means Williamson alone cannot solve these problems. Yet, by replicating previous successes at the Ministry of Defence, we can all take simple steps to dramatically cut risk. That's why the most fundamental thing Williamson can do is to lead from the front and continue to foster a nationwide culture of resilience. Here are three ways he should do so:
- Acknowledging the threat: The reclassification of cyber as a Tier One threat in the 2015 Strategic Defence and Security Review is a good example of this leadership. Recognising the reality of the modern threat has caused many business leaders to pay attention and take action. During his tenure, the Secretary should not let cyber-security drop down the agenda. Businesses will look to him for guidance, so he must signal to them that the threat cannot be ignored.
- Training and accountability: The announcement that Ministry of Defence staff must now complete information-handling training every year, and take responsibility for the data they hold, is another positive story. Basic cyber-training for all staff is essential at every organisation, as security is no longer solely a problem for the IT department. Making an individual accountable for data security only drives up standards, regardless of their home department.
- Getting the basics right: The Defence Cyber Partnership Programme, which ensures companies with UK defence contracts are meeting basic security standards, is another good example of the leadership needed. Lucrative public sector contracts shouldn't be awarded to organisations that have not implemented fundamental security safeguards. Simple steps can make a huge difference. The National Audit Office warned last month the WannaCry attack on the NHS could have been prevented had “basic IT security basic practice” been followed.
Williamson will need to publicly champion these types of initiatives and share the lessons of best practice as widely as possible. Proliferating these across the public and private sectors will ensure the integrity of government bodies and cause a ‘trickle down’ of positive security practice throughout society.
The new Defence Secretary faces myriad challenges. He joins the Cabinet at a challenging moment for politics and cyber-security. If he builds on the successes of the past and champions methods of best practice, we will see standards improve across the country. By leading from the front on this issue, Williamson will have the chance to prove his doubters wrong and defend the country against this new Tier One threat.
Contributed by Matt Ellard, vice president EMEA, Tanium
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.