On Monday 5th November 2018, the Industry and Parliament Trust hosted a dinner discussion entitled ‘UK Cyber Security: Digital Trust in a Connected World’. Held in the House of Commons, the event was chaired by Rt Hon Dominic Grieve QC MP, Chair of the Intelligence and Security Committee. Participants included Members from both the House of Commons and House of Lords, as well as key stakeholders from business and industry.
In what follows, Dr. Christopher R. Moran FRHistS and Professor Richard J. Aldrich, FRHistS (both from the Department of Politics and International Studies, at the University of Warwick) offer a few thoughts on some of the issues pertinent to the discussion.
Compared to other developed nations, the United Kingdom is experiencing something of a shortfall in cyber security expertise. To address this, it is clear that education is fundamental. In this context, it is alarming to note that rumours abound on university campuses that Her Majesty’s Government, in its current review of Higher Education, is considering an increase in tuition fees for STEM subjects. From a cyber security perspective, this could be a problematic move, for STEM subjects are the foundation degrees for creating and sustaining a pipeline of cyber security talent.
Instead, the government could think creatively about how it can better create the conditions for cyber expertise. In Asia, for example, there has been a proliferation of Cyber Security degrees paid for by governments, on the condition that the recipients of that funding work in these countries or for an Asian company for a minimum of 3 years after graduation. In the United States, security and intelligence agencies have long benefitted from ‘scholar-in-residence’ programmes, where academics are invited to spend short periods in government to tackle pressing real world problems and share their expertise.
In the UK, recent efforts by the government to designate more universities as ‘Academic Centres of Excellence in Cyber Security Research’ constitute a step in the right direction, but these tend to produce specialists. It is also important to ensure that leaders understand cyber. Here, we suggest that executive education could play an important role, since there is a need for this expertise in the boardroom as well as the backroom. Universities might collaborate to provide a week-long cyber summer school. In Malaysia, attendance at this sort of short course has been introduced as a condition of advancement and promotion in government.
The ‘B’ word is relevant to this issue, and it should go without saying that whatever ‘Brexit’ deal is agreed, it needs to be flexible enough to allow agencies like GCHQ to attract specialist cyber talent from the EU and beyond, for domestically our cyber skills set is peaking. European research funding programmes have given cyber unprecedented importance, extending to the protection of elections, and it is critically important that Britain continues to collaborate with the best cyber centres across Europe.
Among UK security and intelligence agencies, the obvious short-term solution to cover the shortfall in cyber expertise is to build alliances with the IT industry, and employ more independent contractors and third-party experts. Here, we would sound a note of caution. Recent academic research has shown that many IT specialists and software developers regard themselves as Internet utopians and identify with figures like web guru and political activist John Perry Barlow, who famously penned a ‘Declaration of Independence for the Internet’. Ideologically, Internet utopians are vigorously opposed to state secrecy, because they see the secret state as a direct threat to their own space, undermining everything that makes the Internet creative and free.
In his book Playing to the Edge (2016), former Director of the US National Security Agency (NSA) Michael Hayden explained that his decision to embrace Silicon Valley and recruit contractors from the private sector was simultaneously his greatest success and failure at NSA, because while these technically gifted individuals played a critical role in the fight against terrorism after 9/11, they rejected the Agency’s traditional culture of secrecy. Put another way: his decision helped to prevent further terrorist attacks, but it also planted organisational landmines in the shape of Edward Snowden. This US public-private partnership led to an unprecedented loss of UK state secrets. Secret agencies like GCHQ, therefore, face a dilemma: how to protect secrets when the best cyber talent typically has libertarian and anti-secret inclinations? Before rushing to fill the current cyber expertise void with external collaborators and partners, it is imperative that they think this through. In the future, assured secrecy may be as valuable as improved capability.
So-called ‘smart’ devices are revolutionising the way we lead our lives, often in the service of convenience; but it is only now becoming clear that many of these devices have not been designed with security in mind and thus are vulnerable to cyber attack with the potential for devastating ‘real-world’ impact. In recent years, governments have rightly sought to secure the ‘Industrial Internet of Things’, to stop hackers from attacking or gaining control of everything from critical infrastructure and heavy machinery to cars, trains, and airplanes. It is now essential that more be done to secure the ‘Consumer Internet of Things’.
Currently, very few of our beloved gadgets – from smart phones, watches and tablets that control our household to networked baby monitors, webcams, and toasters – have any capacity to host anti-virus software, firewalls, or even updates and are hideously exposed to malware. To correct this, the government might consider introducing an accreditation standard for smart devices. They might also consider regulating to ensure that a certain percentage of the cost of producing a device is spent on securing it, for example by installing a firewall that allows for automatic anti-virus software updates. Alongside this, it will be important for the government to educate the public on why this is being done, to stop consumers from believing that extra security for their devices is in fact a cash grab from industry vendors determined to boost their profits.
For decades, what used to be known as information security or communications security was the poor relation amongst the security agencies. The Internet has transformed this situation, manifest in the creation of the National Cyber Security Centre (NCSC) out of GCHQ in 2016. To safeguard critical environments, we are encouraged that the NCSC is currently weighing up the pros and cons of a national firewall to block malicious websites, emails, and domain names, in effect stopping cyber attacks at source. The Prime Minister has already spoken of a ‘national firewall’. Should a national firewall be implemented, with GCHQ managing what can and cannot interact with the UK network, we suggest a comprehensive programme of public education by ministers and key officials to explain why this is being done. In the absence of a clearly defined rationale for a national firewall, the public may well wrongly interpret the move as the government arbitrarily clamping down on what people can access online, violating civil liberties. It will be incumbent upon the government to set out clearly and precisely what sites are being blocked; who decides what to block and using what criteria; and what oversight mechanisms there will be to prevent abuse. A transparent and trusted system to oversee this will be important.
 Richard J. Aldrich & Christopher R. Moran, ‘“Delayed Disclosure”: National Security, Whistle-blowers, and the Nature of Secrecy’, Political Studies (First published 28 March 2018): https://doi.org/10.1177%2F0032321718764990.
 Michael V. Hayden, Playing to the Edge: Intelligence in the Age of Terror (New York: Penguin, 2016).