UK Announces New Policy on Cyber Attacks: ‘We Will Strike Back in Kind’

The interactions of the Active Cyber Defence programIn recognition of the risk cyber attacks pose, the government’s 2015 Strategic Defence and Security Review classified cyber as a Tier One threat to the UK – that’s the same level as terrorism, or international military conflict.

[W]e must keep up with the scale and pace of the threat we face. So today I am launching the government’s National Cyber Security Strategy for the next 5 years. The new strategy is built on three core pillars: defend, deter and develop, underpinned by £1.9 billion of transformational investment.

First of all Defend. We will strengthen the defences of government, our critical national infrastructure sectors like energy and transport, and our wider economy. We will work in partnership with industry to apply technologies that reduce the impact of cyber-attacks, while driving up security standards across both public and private sectors. We will ensure that our most sensitive information and networks, on which our government and security depend, are protected.

In practice, that means government taking a more active cyber defence approach – supporting industry’s use of automated defence techniques to block, disrupt and neutralise malicious activity before it reaches the user. The public have much to gain from active cyber defence and, with the proper safeguards in place to protect privacy, these measures have the potential to be transformational in ensuring that UK internet users are secure by default.

We are already deploying active cyber defence in government and we know it works: we’ve already successfully reduced the ability of attackers to spoof government e-mails as a key example. Until 6 weeks ago we were seeing faking of some @gov.uk addresses, such as ‘taxrefund@gov.uk’. Criminals have been using these fake addresses to defraud people, by impersonating government departments. 50,000 spoof emails using the taxrefund@gov.uk address were being sent a everyday – now, thanks to our interventions, there are none.

The second pillar is deterrence. We will deter those who seek to steal from us, threaten us or otherwise harm our interests in cyberspace. We’re strengthening our law enforcement capabilities to raise the cost and reduce the reward of cyber criminality – ensuring we can track, apprehend and prosecute those who commit cyber crimes. And we will continue to invest in our offensive cyber capabilities, because the ability to detect, trace and retaliate in kind is likely to be the best deterrent. A small number of hostile foreign actors have developed and deployed offensive cyber capabilities, including destructive ones. These capabilities threaten the security of the UK’s critical national infrastructure and our industrial control systems.

If we do not have the ability to respond in cyberspace to an attack which takes down our power networks leaving us in darkness, or hits our air traffic control system, grounding our planes, we would be left with the impossible choice of turning the other cheek and ignoring the devastating consequences, or resorting to a military response. That is a choice that we do not want to face – and a choice we do not want to leave as a legacy to our successors. That is why we need to develop a fully functioning and operational cyber counter-attack capability. There is no doubt in my mind that the precursor to any future state-on-state conflict would be a campaign of escalating cyber-attacks, to break down our defences and test our resolve before the first shot is fired. Kinetic attacks carry huge risk of retaliation and may breach international law.

But in cyber space those who want to harm us appear to think they can act both scalably and deniably. It is our duty to demonstrate that they cannot act with impunity. So we will not only defend ourselves in cyberspace; we will strike back in kind when we are attacked.

And thirdly development. We will develop the capabilities we need in our economy and society to keep pace with the threat in the future. To make sure we’ve got a pipeline talented of people with the cyber skills we need, we will increase investment in the next generation of students, experts and companies.

I can announce we’re creating our latest cyber security research institute – a virtual network of UK universities dedicated to technological research and supported by government funding. The new virtual institute will focus on hardware and will look to improve the security of smart phone, tablets and laptops through innovative use of novel technology. We’re building cyber security into our education systems and are committed to providing opportunities for young people to pursue a career in this dynamic and exciting sector. And we’re also making sure that every young person learns the cyber life-skills they need to use the internet safely, confidently and successfully.

These three pillars that I’ve outlined – deter, defend and develop – are all supported by our new National Cyber Security Centre, based in Victoria in central London.

For the first time the government will have a dedicated, outward-facing authority on cyber – making it much simpler for business to get advice on cyber security and to interact with government on cyber security issues. Allowing us to deploy the high level skills that government has, principally in GCHQ, to support the development of commercial applications to enhance cyber security.

The Centre subsumes CERT UK and will provide the next generation of cyber security incident management. This means that when businesses or government bodies, or academic organisations report a significant incident, the Centre will bring together the full range of technical skills from across government and beyond to respond immediately. They will link up with law enforcement, help mitigate the impact of the incident, seek to repair the damage and assist in the tracing and prosecution of those responsible.

Across all its strands, the National Cyber Security Strategy we’re publishing today represents a major step forward in the fight against cyber attack.

Excerpts from “Speech Launching the National Cyber Security Strategy,” by Chancellor of the Exchequer Philip Hammond, Nov. 1, 2016.

Image: The interactions of the Active Cyber Defence program (graphic: UK National Cyber Security Center)