George Osborne will use a speech at GCHQ in Cheltenham today to affirm the government’s “duty to protect the country from cyber attack, and to ensure that the UK can defend itself in cyberspace.”
As a key part of his Spending Review, the chancellor is due to announce a new national cyber plan under which the national cyber security budget will double to £1.9 billion by 2020 and, adding together “the spending on core cyber security capabilities, protecting our own networks and ensuring safe and secure online services, the government’s total cyber spending will be more than £3.2 billion.”
He will say:
For our country, defending our citizens from hostile powers, criminals or terrorists, the internet represents a critical axis of potential vulnerability. […]
The stakes could hardly be higher – if our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost.
In the wake of Friday’s attacks in Paris, Mr Osborne will also highlight the cyber threat posed by ISIL:
They [ISIL] have not been able to use it to kill people yet by attacking our infrastructure through cyber attack. They do not yet have that capability. But we know they want it, and are doing their best to build it.
So when we talk about tackling ISIL, that means tackling their cyber threat as well as the threat of their guns, bombs and knives.
“Companies need to protect their own networks”
Acknowledging that at “the heart of cyber security is a painful asymmetry between attack and defence”, the chancellor will emphasise the need for every individual and organisation to make efforts to protect themselves.
Citizens need to follow basic rules of keeping themselves safe – installing security software, downloading software updates, using strong passwords.
Companies need to protect their own networks, and harden themselves against cyber attack.
The starting point must be that every British company is a target, that every British network will be attacked, and that cyber crime is not something that happens to other people.
He will conclude:
If the lights go out, the banks stop working, the hospitals stop functioning or government itself can no longer operate, the impact on society could be catastrophic. […]
Our vulnerability as a nation in cyberspace goes well beyond the critical national infrastructure. […]
We have a collective interest in the cyber defences of individual companies across the British economy.
Companies that want to demonstrate their commitment to cyber security should start with the Cyber Essentials scheme.
Launched in 2014, Cyber Essentials is a government-backed cyber security certification scheme that provides a set of five controls that organisations can implement to establish a baseline of cyber security, and against which they can achieve certification to prove their credentials. According to the government, implementing these controls will prevent around 80% of cyber attacks.
There are two levels of certification to the Cyber Essentials scheme: Cyber Essentials and Cyber Essentials Plus.
- Cyber Essentials requires a company to complete a self-assessment questionnaire, which must be signed off by a senior company representative and then verified by an external certification body. An external vulnerability scan is also required if the company chooses to be certified by a CREST-accredited certification body such as IT Governance.
- Cyber Essentials Plus requires a more advanced level of assurance. In addition to meeting the requirements of Cyber Essentials, organisations must undergo an internal assessment and internal scan conducted on-site by the certification body.
More than 1,200 organisations have already achieved certification to the scheme. Certification demonstrates to customers and business partners that fundamental cyber security measures are in place, and provides evidence to validate your organisation’s security posture.