Cybersecurity has been a vital consideration since the dawn of the Web. However, we are now at a critical juncture of the digital age, when different aspects of Artificial Intelligence (AI), automation, data analytics, social platforms, and the cloud can combine to not just threaten the security of personal data, but also force us to question what is real.
So, who can blame governments for trying to act?
Deep-fake video, social engineering, spear-phishing, voice cloning, chatbots, generative video, fake accounts, bot farms, disinformation, and more can combine in unpredictable ways to undermine enterprises and reputations, push political agendas, commit fraud, and potentially destabilize nations or life-sustaining systems.
Things are certainly moving fast. I was first made aware of deep fakes back in 2018 at a military ‘futures’ presentation on AI and robotics. An officer told a room full of technologists and academics that his organization was studying the then unknown phenomenon for the tactical risks it posed in the future.
Fast forward to a US software conference two years ago, and I heard the first news story of fraudsters using AI-cloned voices to scam families out of money by persuading them a loved one – the cloned voice – needed urgent help. Thus, deep fakes have gone from being a dystopian future vision to a breakfast TV news report in less than five years.
Yet ‘traditional’ cyberattacks have not gone away. In the past week alone, breaches have been reported, claimed, or disclosed at M&S, Coca-Cola, US steel manufacturer Nucor, Dior, Adidas, LexisNexis, and NHS Trusts, among others, while reports have emerged of the leak of over 200 million passwords and other data for sites such as Apple, Google, Microsoft, Netflix, Discord, PayPal, and Roblox.
All of which brings us to the question: what can we do about cybersecurity in such a febrile and complex world, beyond remaining vigilant? And what are the policy priorities, beyond ‘assume and prepare for the worst’ – while never ignoring the fallible human element?
UK Government proposes new cybersecurity legislation
In the King’s Speech last July, the British Government announced its intention to draft a Cybersecurity and Resilience Bill. Then on 1 April this year, the Department for Science, Innovation and Technology (DSIT) published a policy statement on the reasoning behind this proposed legislation.
But is politicking and regulation a viable solution? Or merely a performative attempt to create the illusion of control?
James Morris is Chief Executive Officer of a think tank called the Cyber Security and Business Resilience Policy Centre (CSBR), which describes itself as a non-partisan non-profit – and distinct from the government-run National Cyber Security Centre (NCSC) and the regional Cyber Resilience Centres (CRCs) overseen by the police.
Speaking at a Westminster eForum policy conference on cybersecurity priorities this month, he says that action is needed, partly because of the “chaotic” geopolitical environment – problems partly caused by technology, of course. But is the Government taking the right approach?
Morris says:
There are things within the policy statement that are to be welcomed, such as the focus on strengthening the resilience of supply chains, the bringing of Managed Service Providers (MSPs) under the umbrella of regulation, and the recognition that data centers are now part of our critical national infrastructure.
But the challenge is to ensure that seeking better cybersecurity resilience regulation doesn’t have the unintended effect of stifling innovation and creating onerous or bureaucratic obstacles, especially for small and medium-sized enterprises.
But given today’s chaotic world, if some innovation has been stifled, would that really be a bad thing? Yet Morris continues:
There’s a need for the Government to recognize that it, itself, is sometimes the problem. And it also needs to recognize that legislation and regulation, in themselves, will not solve this problem. There needs to be an intensified effort to embed cybersecurity and resilience awareness, processes, and practices in the heart of our society with a shared understanding of the threat and a shared determination to resist it.
Questions over regulatory approach and implementation
Bold words. So why – except for the plus points he identifies – is a regulatory and legislative approach insufficient? He explains:
Will there be a standard remit between regulators, and how will this work? The policy statement says that the Secretary of State will be given powers, and I quote, ‘to issue a code of practice setting out guidance and how regulatory requirements should be satisfied’.
So, the question is, how will such a Code of Practice be developed, and to what extent will the code be shaped in a bottom-up way through consultation with industry and the wider cybersecurity community?
The policy statement also suggests that one solution being considered is for the Secretary of State to publish a statement of strategic priorities, which the Government hopes would bring consistency and coherence across sectors. But how will this statement of priorities be developed?
At this point, a cynic might wonder whether Morris is essentially pitching for business – after all, the CSBR was formed as recently as last year, yet is already giving a Westminster keynote, in a world brimming with cybersecurity think tanks.
The explanation is that Morris is a former Conservative MP whose constituency was abolished, and – prior to his 2010 election – ran community ‘localism’ think tank, Localis. The CSBR was launched at the Palace of Westminster in November – just six months ago – and its team largely consists of Financial Services experts.
But that is not to say he is wrong, of course. He continues:
The Policy Statement envisages a new role for the Information Commissioner. It says, and I quote, ‘the primary intent of this measure is to enhance the ICO’s capability to identify and mitigate cyber risks before they materialize, thus preventing attacks and strengthening the digital services sector against future threats.’
Now, this represents a significant broadening of the ICO’s remit. How will the ICO be resourced to develop the capacity to perform this new regulatory function? And how do we ensure that there isn’t duplication and overlap with the role of the NCSC? Plus, how can we ensure that the ICO has regulatory teeth?
These are fair points. Since the premiership of Boris Johnson – whose long tail (so to speak) is still with us – regulators have been tasked with enabling growth and innovation for Brexit UK, a role that risks running counter to the aim of consumer protection. And now, piling Pelion on Ossa, the Government wants to add yet more functions to the ICO’s remit, at a time of funding cuts and belt tightening. On the face of it, an expanding but under-funded bureaucracy and nimble, proactive security would seem to be mutually exclusive ideas.
Morris continues:
With regard to the sectoral regulators, the Government is also considering giving the Secretary of State powers to update regulations and bring more sectors under the remit of the proposed Bill to ensure that the Government can respond quickly to emerging threats and new technology.
The Policy Statement says, ‘the Secretary of State will seek powers to update the regulatory framework without requiring an Act of Parliament, subject to certain safeguards’. So, the Bill will need to be clear on what those ‘certain safeguards’ are and how decisions taken by the Secretary of State will be scrutinized and accountability mechanisms developed.
All fair points. After all, the British Government and deep technology expertise are rarely bosom buddies. So, are centralized diktats likely to work? Morris doesn’t think so:
Again, the Policy Statement chooses to deal with the issue of emerging threats by accreting more power to the Secretary of State. Now, while I recognize the need for government to act swiftly to protect national security, we also need a broader approach that embeds good cyber practice in both private and public sectors.
The UK will not become more cyber secure and resilient just by ministerial direction!
Challenges of data sovereignty and transnational compliance
Indeed it will not, that much is certain. But what of the unique threats and challenges facing the UK, which the Bill seems designed to anticipate? The geopolitical picture is clear: a UK decoupled from Europe, yet adrift in mid-Atlantic while US President Trump tears up decades-long alliances. But is there a specific cybersecurity angle?
Morris appears to suggest that many of the challenges stem from over-regulation – he runs a tech think tank after all, and that is always the core message – but he makes a good point about the technology challenges that come in the wake of political decisions:
Much of the UK’s sovereign data is managed on servers outside the UK by transnational companies. The Policy Statement says the measures will expand the remit of current regulations by bringing entities who provide managed services into the scope of the regulations, placing duties on MSPs. But how do we prevent transnational companies from gaming the regulations?
Another good question, and one I have often touched on myself in relation to data adequacy: most UK data is held in the cloud. In the real world, that means in data centers built on land under national and regional laws – in the US and European Union (EU) – and even where a provider offers a UK region, the operator is typically a US company answerable to its home jurisdiction (the US CLOUD Act, for instance, lets US authorities compel US providers to produce data wherever it is stored). In other words, that data is only sovereign in name. Lose data adequacy with Europe and the legal basis for moving that data across the Channel is no longer automatic.
Morris continues:
So, how can we ensure that proposed fines and cost recovery mechanisms don’t provide a disincentive for organizations to comply? And how can we ensure that any proposed schedule of potential fines is proportionate and doesn’t have unintended consequences?
My take
Yet more good questions. But that’s think tank presentations at policy conferences for you: a keynote full of questions, but precious few answers. Perhaps someone should employ a think tank on a long-term consultancy basis.