The front line in cyber security is as much in business as it is in government. So said the Director General of the Security Service, Jonathan Evans, at the Lord Mayor’s Annual Defence and Security Lecture, at Mansion House in the City of London on June 25.
He said: “At the forefront of our minds are the Olympic and Paralympic Games. The security preparations for the Games have been long and thorough. Members of my Service have been involved in advising on the physical design and security of the sites, but also in the accreditation of those working at the venues and in ensuring that intelligence collection and analysis for the security operation can meet the increased demand. This is not a solo activity. We are working as part of a mature and well developed counter-terrorist community in the UK and with the close support and co-operation of friendly Services overseas, who have been extremely generous in their assistance. We are also anticipating an Olympic security legacy after the Games – better intelligence coverage of potential threats, better integration at the local and national level of security and intelligence effort, and new, closer and better developed intelligence co-operation at the international level. I hope and expect that this legacy will live on well after the Games themselves have closed.
On terrorism he said problems have a long tail. “They very rarely just stop. At best they can be exhausted by long and persistent pressure, together with political measures. It is essential that we maintain pressure on Al Qaida and its associates and squeeze the vigour out of the terrorist groups so that the risk of terrorism does not revive here. That will take perseverance. Developments in Northern Ireland, where the dissident Republican groups remain active many years after the Good Friday Agreement, demonstrate how important it is that the security forces remain engaged and alert to any resurgent threat. Recent successes against dissident Republican groups have demonstrated that continued intelligence led operations there are both necessary and effective.
“But we do see a changing shape of the threat internationally. Whereas a few years ago 75pc of the priority casework addressed by my Service had some sort of Pakistan and/or Afghanistan dimension, thanks to our efforts and those of our international partners that figure has reduced and now stands at less than 50pc. We appear to be moving from a period of a deep and focused threat to one where the threat is less monolithic but wider.
More prominent in the last few years has been malicious activity in cyber space, he went on. “The boards of all companies should consider the vulnerability of their own company to these risks as part of their normal corporate governance – and they should require their key advisors and suppliers to do the same. One major London listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of hostile state cyber attack – not just through intellectual property loss but also from commercial disadvantage in contractual negotiations. It is particularly appropriate for me to be addressing this issue here in the Mansion House. The front line in cyber security is as much in business as it is in government. Britain’s National Security Strategy makes it clear that cyber security ranks alongside terrorism as one of the four key security challenges facing the UK. Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states. And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both State sponsored cyber espionage and organised cyber crime.
“This is a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions. What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations. And the threat to businesses relates not only to major industrial companies but also to their foreign subsidiaries, and to suppliers of professional services who may not be so well protected.
“Much of the Security Service’s work in this area is undertaken through the Centre for the Protection of National Infrastructure, in which we have made a significant investment in recent years. Working in close collaboration with GCHQ, the Department of Business Innovation and Skills, the Department for Energy and Climate Change, and also with law enforcement, we are currently investigating cyber compromises in over a dozen companies and are working with many others that are of high economic value and that are potential future targets of hostile state cyber activity. But this is only a tiny proportion of those affected.
“And the internet has developed from a communication network to what is called the “internet of things” – connecting via the internet the buildings we work in, the cars we drive, our traffic management systems, Bank ATMs, our industrial control systems and much more. This increases the potential for mischief and leads to risks of real world damage as well as information loss. We are contributing to the international process of ensuring that the appropriate IT security management standards are in place to manage some of these new risks. So far, established terrorist groups have not posed a significant threat in this medium, but they are aware of the potential to use cyber vulnerabilities to attack critical infrastructure.
He summed up: “Describing the threats from the perspective of a security service can appear either to be crying wolf or revealing our own blind spots. At least some of the areas of concern that I have highlighted tonight may turn out to be dogs that don’t bark. I hope that is the case! On the other hand, the dog you haven’t seen may turn out to be the one that bites you.”
