Over the New Year I changed ‘brief’ as it is called in the Westminster village. Shadow ministerial responsibility for Innovation and Science is now with the excellent Shabana Mahmood (Science) and Iain Wright (Innovation including Digital Infrastructure).
Ed Miliband asked me to move to the Shadow Cabinet Office, where my responsibilities include social entrepreneurship, cyber security, e-government, open government and civil contingency. It is a much broader brief, but it is clear that technology is an important part of it, particularly cyber security, civil contingency and digital government.
Digital government is seen as both a way of reducing Government spending and increasing engagement between Government and the people, as this recent ’digital by default’ announcement makes clear: http://www.cabinetoffice.gov.uk/news/digital-government-secure-britain-global-race
Civil contingency is about keeping transport links going during severe weather, but also making sure the telecoms networks do not fall over during a terrorist attack - as the capital’s mobile networks did following the July 7th bombings.
Cyber security embraces protecting the nation’s critical infrastructure from foreign cyber attacks, and protecting citizen consumers online.
The Cabinet Office believe that cybercrime costs the UK £27bn a year, though, given neither the Home Office nor the Justice Department collect statistics on cybercrime that is difficult to verify.
There has been widespread criticism of the lack of joined up action across Government. Last month’s parliamentary report on Defence and Cyber Security accused the Cabinet Office of addressing only the tip of the iceberg and there is concern that the Government “remains too fixated on high-level ‘macro’ security issues driven by GCHQ priorities rather than taking into account the bigger picture". The concerns were reflected in today’s National Audit Report which, while finding some progress, highlighted the lack of a joined-up approach and a dearth of cyber skills.
GCHQ say that network security can solve 80% of Government's cyber security vulnerabilities along with personnel security.
One of my priorities is to find out how they define ‘Government cyber security vulnerabilities’. It axiomic that security is only as strong as the weakest link. In cyberspace, everything is linked. The nation’s critical infrastructures includes much which is outside Government, in the private sector. That is particularly true of the financial services sector.
As some readers may know, prior to entering parliament I worked in ICT for twenty three years, as a Professional Engineer. I often worked with financial services companies, they were some of the biggest customers for the PBXs, operational support systems, fixed, mobile and virtual networks I designed in Europe, the US, Asia and Africa.
I would like therefore to say I had had a great deal of experience in financial services cyber security but it is more accurate to say I have a great deal of experience in cyber insecurity. It was not that the financial sector was wholly to blame. From voicemail boxes on corporate phone networks to virus laden floppy discs, ICT companies have often failed to ensure the networks they sell are truly secure.
But the financial services sector is a special case. Although it invests hugely in ICT infrastructure, at the front end at least, we know it failed to invest in the back office systems around risk management and security – whilst spending millions securing split second advantages in financial transactions.
Last week I spoke about this at the launch of Intellect’s Financial Infrastructure Programme. Intellect is the industry body for the technology industry representing most of the UK’s ICT companies. It is concerned that the financial industry’s ICT infrastructure is not ‘fit for purpose’ and last year published a paper, ‘Biting the bullet – why now is the time to rebuild the foundations of the financial system’ , which sets out the case for investment. Whilst I applaud the programme all the indications are that the sector is not yet seized of the urgency of the challenge.
We are still living with the economic impact of the 2008 financial crash. If the financial services critical infrastructure was disabled the economic impact would be huge. But because cyber attacks often go unreported we have only a limited idea of the scale of the threat. Last year a PWC report found complacency amongst banking companies whilst in December McAfee warned of spring blitzkrieg of cyber-attacks on U.S. banks. Even those free market evangelists at the Economist are saying further regulation is needed.
The Government has yet to decide how active it needs to be in pursuing cyber security in private infrastructure. The fact is that in our interlinked world there is no such thing as a secure public sector without a secure private sector.