2024: Putting Cyber Resilience into Social, Political, Business and Budget context.

On-line Safety, Safeguarding, Security, Counter-fraud and Resilience matter to voters and to business budget-holders. Cyber does not … until they become victims.

I knew London would need a different approach to the other Cyber Resilience Centres when I agreed in September 2022 to Convene an Advisory Group to help plan and support the launch of the Cyber Resilience Centre for London.

The City of London (with back offices and home-based workers spread across the UK) is the world’s largest Financial Services and Global Trading Hub, alias honeypot, outside North America. It is also home to more Fintech, Cybertech and Security businesses than anywhere else outside North America.

The metropolis covered by the Greater London Authority contains the most culturally, economically, linguistically and socially diverse set of communities on the planet.

That combination gives unique opportunities and problems. London has a wealth of potential partners, including at least a dozen with information security (including cyber) resources which dwarf those available to UK law enforcement. It also has an equal wealth of potential misunderstandings, from the practical to the political, between those partners as well as between them and local government and law enforcement.

The LCRC Board agreed to the Advisory Group focussing on the role of the CRC as the umbrella for a web of partnerships with the potential to draw in the resources necessary to address the needs of London, both scale and variety. It soon became clear, however, that “cyber” had little more priority for most of the time to most target audiences, that have the electricity supply or the plumbing, except during a power cut or after a pipe burst. More-over, to change metaphors, many are not “reading the same book”, let alone “on the same page”.

Online crime is, however, now the world’s third biggest economy (after the United States and China).

“Cybercrime as a service” has joined sanctions busting on oil and gold as a prime source of funding for the military budget of Russia.

North Korea is no longer the only nation state dependant on-line crime, including the direct and indirect earnings from cyberfraud and ransomware, to help balance its books.

The threats faced by businesses of all sizes have been evolving, including as low-cost automated AI and Big Data Analytics tools, applied to phishing attacks, bypass reactive products and services that two years ago might have provided reasonable protection to consumers and small firms.

Current feedback from Banks and Building Societies is that the most effective messaging, in terms of changing the behaviour of their customers (whether consumer or business), is that from the Consumer Association: the Which scam alerts.

Messaging to customers to change behaviour before they are victimised therefore needs to be based on easy to adopt, low- cost action plans to reduce vulnerability to fraud and abuse.

Those action plans should indeed include the use of current state of the art security and authentication hygiene, but cyber-speak is a turn off, whether to proprietors and directors or to pupils and public.

Bank budgets for cyber are commonly a fraction of those for counter-fraud, anti-money laundering and compliance. This has implications for making a business case for corporate support at a time when headcounts, let alone external spend, including for digital, are being squeezed and more business (and abuse) is conducted over smart phones than over laptops, PCs or terminals.

Threat reporting and safeguarding intelligence are moving in the same direction, with apps, like imabi, which leverages the technology behind Railway Guardian to collate and present targeted and timely guidance to users to avoid risk.

Meanwhile we have entered the longest election campaign in recent years, beginning with a GLA election in which the need to be seen to be taking action on Cyber Violence Against Women and Girls may well become an election issue. We can expect pressures to be seen to be looking at how to use the On-line Safety Bill to break the vicious cycle (often surprisingly local) between internet misogyny and cyber-bullying and physical abuse and violence in home, playground, park and street. Schools safeguarding and security are already in in the front line as they come under attack, including from their own pupils and as teenagers prey on each other, whether in the same schools or not.

The combination of pressures means that by the end of March, (and the next budget), Home Office and FCO (the twin guardians of NCSC) are likely to announce agreement with HM Treasury to bring together the UK National Strategies for Cybersecurity and Counter-Fraud with closer co-operation between NCSC and NPSA. This is likely to lead to significantly greater priority and funding for the police reporting, investigation and asset recovery partnerships currently under negotiation, as well as more active international co-operation with our Five Eyes allies and G7 Partners to trace activities along the Internet addressing chains.

Hopefully, the announcements will also include serious funding for research into how to better protect the small businesses who are a major source of supply chain vulnerability. As pointed out last July ( Why we need to research the cybersecurity needs of Micro-Businesses ) this needs to begin with how to contact and communicate with them via channels they trust.

My term as Convenor came to end at the beginning of December when a Board replaced the LCRC Advisory Group. Over the couple of months, during the run up to the budget, I intend to help the planned partnerships join up our fragmented and siloed policy implementation drainpipes and use industry support to achieve critical mass at both political and practical level.

I plan to blog separately on why you should support the partnerships covering:

  1. Emerging Issues, Threats and Opportunities and Responses
  2. Small Business Resilience in the face of converged threats
  3. Schools Security, Safeguarding and Digital Careers Guidance and Support.
  4. Digital (including Cyber, Fintech and Online Safety/Security) Skills
  5. Good practice in Online Safety and Security Volunteering and Outreach

My own contributions will then be:

  • high level – in the context of helping the new global research centre, based on City University, secure support for joined up research to find solutions to problems which cross the cultural, disciplinary and political silos of technology, sociology, media, law and business
  • low level – joining up physical and on-line community safety at the bottom of the leaky drainpipes down which policy flows, with implementation fragmented and segmented by professional guidelines, data protection and ring-fenced funding, leaving volunteers to cross boundaries and turn jargon into language understandable by patients and victims.

I intend to continue to trying to help secure political and corporate support for realistic funding and terms of reference for the Resilience Centres as a whole, not just for London, but to do so by engaging with those standing for election, whether in London or elsewhere, plus those seeking to transform Education, Recruitment, Training from cradle to dotage. 

I look forward to hearing from anyone interested in helping.