From manifesto to material: What No. 10 needs to make reality
With Labour returning to 10 Downing Street after 14 years, the Computer Weekly Security Think Tank panellists share advice and wish lists for the new government
The last time we had a Labour government was 14 years ago, and things were very different when it came to cyber security. Back in the day (he says, in his rocking chair by the fire) you knew where the threat actors were, and you had a firewall. If you had a firewall and an antivirus, you were laughing!
I remember when I started my career in cyber security there was always a belief that the internet shouldn’t be used for business-critical information. But the biggest difference now is our fundamental reliance on technology for communications – everything is mediated by computers and the internet. There’s no going back to paper now, the genie is well out of the bottle.
The threats that organisations and companies are now under are so great because the money a criminal could gain, or the disruptions they can cause, are significantly greater than 14 or even five years ago. Ten years ago, ransomware was merely a prediction – can you imagine! Well, here are my predictions for what the new administration should be keeping an eye on in cyber security.
Working together to take down criminals
We need to focus on international and transnational working and cooperation. Keir Starmer has already been resetting relationships with NATO and the EU, and I expect more to follow suit.
This is important because cyber criminals act locally but hide globally. They can effect significant change from a small town on the other side of the world while stealing from someone’s house in southeast London. We need agreements so that we can extradite people to cooperate with law enforcement. There are a lot of good indications from the new administration that this will improve.
The new government announced a new Cyber Security and Resilience Bill in the King's Speech, which aims to address existing vulnerabilities and strengthen the UK's defences against cyber-attacks. This includes extending the scope of the existing NIS regime to protect more digital services and supply chains, and imposing additional incident reporting obligations. There are also plans for significant investment in cyber security infrastructure and capabilities, which will enhance the UK’s ability to collaborate with international partners.
Working with big tech
We are now in a world where surveillance capitalism exists, where big tech can own, map and sell your identity and personal data, rather than governments – who can be voted out.
I started working in government when Tony Blair was leaving, and I recall a deeply passionate set of debates around surveillance, civil liberties, and technologies at the time. Back then, politically it wasn’t the right time or environment for ID cards. But if we as a country had stepped into that environment, I think things would be very different. Identity is a fundamental tenet of cyber security, and we now have a fragmented system where we don't have an ‘identity ground truth’. Some may say this is for the best, while others will vocally disagree with my opinion.
One thing that will be crucial for the new administration’s success is holding government, companies and big tech to account.
Tackling cross-border cyber warfare
An interesting challenge is what to do about proxy groups. These cyber criminal groups work on behalf of governments, but this arrangement allows these countries plausible deniability. I feel that we’ve been quite remiss in challenging these governments beyond just sanctions. There hasn’t been anything of real consequence.
We are bound by Western democratic values in the UK – but are these threat actors bound by the same rules? What is the equivalent of ‘don’t attack hospitals or civilians’ in cyberspace? We only need to look at WannaCry to understand the same standards don’t apply. This needs to be addressed. But it needs time, money and innovation to understand how to regulate and manage it. There have been tentative steps in this direction, for example the International Committee of the Red Cross (ICRC) published rules of engagement in 2023 for civilian hackers involved in conflicts.
Matching ardour with ability
Finally, I personally hope the government meets these challenges head on with the right skills in the right roles. The new government is bringing in people that are competent and have done the job before. Science ministers that have a strong academic and scientific background, people working in the Treasury who have economics degrees. I have a feeling that the people in the new administration are passionate about what they need to do and to do it in the long run.
Setting realistic expectations is important, too. Any new measures should be proportionate to what our nation and its organisations can reasonably put in place. But if we start on these building blocks and fundamentals, we can hopefully reap the benefits in five to 10 years’ time.
The Computer Weekly Security Think Tank on cyber policy
- Dhairya Mehta and Cate Pye of PA Consulting: How might the UK's cyber landscape change under Labour?
- Adam Button of Elastic: Labour's first cyber priority must be the NHS.
- Ameet Jugnauth and Mark Pearce of ISACA: Cyber lessons and policies for the UK's new government.
- Elliott Wilkes of ACDS: Labour should focus on talent to improve UK's cyber posture.
- Jon Carpenter of Advent IM: Is it time to refresh the UK's cyber strategy?