“The virus knows no borders” said the UK Prime Minister when asked about the threat of EU export restrictions on COVID vaccines. There was an immediate echo of an often repeated mantra in cyber security, that “Cyber is borderless”.
Even cyber criminals use the existence of borders to their advantage, to hide their activities or to launch them from states which aren’t going to investigate or prosecute. A co-ordinated response to the cyber threat needs to understand that borders really do exist. With the support of their trade association, UK Finance, the financial industry has formed the Financial Sector Cyber Collaboration Centre. They use the UK NCSC’s CiSP (Cyber Security Information Sharing Partnership) to collaborate, but understand that there are borders and boundaries. Boundaries in what private companies are prepared to share about threats to their own operations; boundaries to the circle of trusted individuals they are prepared to share that information with; and for government, limits to whom they can share information derived from signals intelligence with.
The WannaCry ransomware attack was the moment when the UK NCSC said that CiSP came into its own. Private sector contributions dwarfed even those made by the NCSC. WannaCry particularly affected the UK’s NHS with appointments, surgery and clinics all seriously impacted. The scale of the impact on the NHS was perhaps unlike anything we have seen until the pandemic. Our ongoing response to the pandemic has reinforced how important it is that there is a whole of society response, with each sector having an essential role to play.
The private sector contribution
It is the private sector which has delivered extremely effective vaccines in record time. It has partly been able to do that by a willingness to share information in an unprecedented way. The UK has offered expertise in genome sequencing to those countries which don’t have the capability and was the largest contributor to the COVAX scheme, until the US involvement, which ensures global access to vaccines.
The UK was the first to approve and administer the vaccines. They were the result of years of fundamental research and the ability of the pharmaceutical industry to rapidly design, trial and deliver vaccines at scale.
Can you imagine how much harder things would have been if the pandemic had hit as recently as the 1980s before we had internet connections or computers at home? The way the private sector has enabled people working, learning, shopping and being entertained at home is extraordinary.
But the pandemic has uncovered other “boundaries”, divisions which affect our security and which both the public and private sectors have a role to play in bridging.
It is shameful that, almost a year on, there are still young people who are unable to learn from home. There is a marked divide with private education having, in many cases, delivered a full curriculum every day during lockdown and some state schools not providing any online learning at all.
In order to be resilient to future threats our young people need get the education required, so that our best Universities can continue doing the fundamental research which resulted in the vaccines being available in record time. Our young people need that education so that they can contribute as informed citizens and separate fact from fiction, so that they are equipped to deal with dangerous hoaxes, likes those about the virus or the vaccine.
Secure by design
We have seen how rapidly criminals have been able to pivot throughout the course of the pandemic. But with so many more internet connected devices being shipped out to homes, we are opening up new security concerns. For example, we have already seen a horrifying growth in child abuse and sexual exploitation material online.
This is where the private sector needs to step up. In the same way that we are reliant on the private sector to deliver the reliable internet connectivity and devices, we need the private sector to ensure that devices are secure by design. We can’t take for granted that those homes receiving laptops for the first time will understand the need to patch, use safe passwords, or implement other cyber hygiene practices. The likes of Barclay’s Digital Eagles are exemplary in how the private sector can support here. But it will be down to building and delivering personal devices, routers etc. which are secure in the first place.
We have ensured that schools remain open as a safe space for vulnerable children and the children of key workers, but we need to ensure that online is also a ‘safe space’ for them.
Co-operating across borders
We can’t afford to act like these divides don’t exist. For our own collective security, we need to continue to cooperate, working across those borders.
I will leave the last word to the Archbishop of Canterbury. In a message that echoes for cyber as much as it does for our safety in the face of the pandemic: “This virus will not be defeated anywhere, until it is defeated everywhere.”
Adapted from “Intelligence and Early Warning – Integrated Working for Better Effect”. Chaired by Chris Inglis, former Deputy Director NSA in conversation with Sir David Omand, former Director GCHQ. This talk was delivered by Stuart Murdoch on the 28th January 2021 as part of the Twelfth Cityforum Cyber Security Summit, sponsored by Surevine.