Event Summary 'After the Hack: How safe is Britain's data?'

19th October 2017

‘After the Parliament Hack: How safe is Britain’s data?’

Event Summary

Key Findings of our Panel:

- Nick Coleman (IBM) stresses that the current 200-day average time to detect a cyber breach demonstrates the challenge organisations face

- Baroness Neville-Jones identifies the absence of a product regulatory framework for IoT products as a gap in the system

- Introduction of GDPR will force corporations to rethink how they store and process personal data

- Daniel Thornton (Institute for Government) argues that the threat is increasing, as are the penalties for data breaches, so more people, including MPs, need to get to grips with the issues

- Cyber security challenges need to be viewed in an international context, particularly the increasingly sophisticated state-sponsored attacks

The APGDA event ‘After the Parliament Hack: How safe is Britain’s data?’ set out to address a number of important issues and questions regarding cyber security, foremost among them of course the question featured in the event title. The event focused on addressing the following inter-related issues:

- Liability for data theft: current vs. desirable rules

- How to improve security of public service digital infrastructure

- Product regulatory approaches

- Economic incentives for software developers to take cyber security seriously

- Encryption: Solution or government dilemma?

Our panel was:

- Daniel Zeichner MP: Member of Parliament for Cambridge and Chair of the All Party Group on Data Analytics

- Baroness Neville-Jones: Former Minister of State for Security and Chair of the Joint Intelligence Committee

- Nick Coleman: Global Head of Cyber Security Intelligence, IBM

- Daniel Thornton: Programme Director, Institute for Government

The event was opened by the chair of the APGDA, Daniel Zeichner, MP for Cambridge, who welcomed all panellists and attendees and thanked the Policy Connect staff for facilitating this vital contribution to the ongoing debate on cyber security. Daniel provided some context to the event by referring those present to the debate on data security in post-Brexit Britain which took place in the House of Commons on Thursday the 12th of October, and to several pieces of legislation currently being considered, first among them the Data Protection Act.

Dr. George Dibb, Head of Industry, Technology and Innovation at Policy Connect, then also offered a few welcoming remarks. He pointed out that our cybersecurity event is only one in a series of events addressing contemporary and essential issues surrounding the impact, implications and innovations of Big Data, and highlighted some research available to our members and the general public.

For the convenience of the reader, this summary will not follow the chronological order of the event itself, which featured opening statements by our experts, Baroness Neville-Jones, former Minister of State for Security, Nick Coleman, Global Head of Cyber Security at IBM, and Daniel Thornton, Programme Director at the Institute for Government, but rather outlines key aspects of our panellists’ statements and the Q&A by topic:

Liability for data theft: current vs. desirable rules

The question of liability in cases of data theft is a vitally important one, not only from a privacy point of view but also from a business perspective. Daniel Zeichner MP points to this aspect by stressing that 61% of UK enterprises now hold personal data and that the percentage of enterprises using cloud storage has risen from 49% to 59%. This rapid expansion in the usage of cloud solutions and the sheer explosion of available data is gradually reflected in changing public attitudes to cyber security, as Baroness Neville-Jones emphasises: ‘Cyber security didn’t impinge on the public consciousness very much, and I think one of the major transformations over the last decade actually is the way in which people are aware, although not necessarily very well informed. This gives rise to anxiety rather than a capacity to manage, so we still have a long way to go, embedding this aspect of our future life’.

Apart from shifting public perceptions of cyber security, she also reinforces Daniel Zeichner’s point that there is a strong business case for increased emphasis on good cyber security, particularly considering the looming introduction of the GDPR into law in March 2018, which contains among its provisions ‘swingeing penalties, the kind that put you out of business’.

How to improve security of public service digital infrastructure

Nick Coleman, Global Head of Cyber Security at IBM, adds to this that in recent years the public sector has significantly improved its cyber security provisions, in part due to the Coleman report, which made recommendations about the allocation of clear responsibilities for cyber security within each department and agency of government, and about the programmes necessary for delivering cyber security maturity. Daniel Thornton outlines his view that by using ‘unsupported and un-updated operating systems’, the NHS has accrued at least a share of responsibility for the damage caused by the recent WannaCry attack on several NHS trusts. However, these weaknesses in the cyber security frameworks of NHS trusts were aggravated by the fragmentation of the NHS and the financial constraints under which the trusts operate. Baroness Neville-Jones states that the NHS, as the largest holder and processor of personal data in the UK, has a particular responsibility towards its patients and the general public to prevent a recurrence.

Product regulatory approaches

In this context, Baroness Neville-Jones expressed her hope that ‘market mechanisms will sort those producers who don’t take security seriously’, as well as her conviction that cyber security provisions in IoT devices, particularly ‘information about vulnerabilities, patches to software etc. should be a collaborative exercise between producers and product users’. In addition, she registered her amazement that there is no product regulatory regime for cyber security currently in place, which can only be seen as a gap in the system. Lucy Purdon of Privacy International illustrated this gap with the roll-out of smart meters containing security weaknesses.

Daniel Thornton of the Institute for Government emphasises the need for a holistic understanding of cybersecurity: ‘there is no point in putting strong bolts on your front door if you leave the back door open’. In his view, one weak link in the cybersecurity chain has the potential to undermine the integrity of the entire system. He also disputes the common perception that cloud storage is a weak point in many cyber security frameworks, assuming the consumer chooses a reputable provider. During the Q&A, David Wilde of Essex council floated the idea of an MOT for cyber security relevant products, thus enforcing continual product upgrades. This could alleviate the danger identified by Nick Coleman of a ‘kite mark type’ approach, which could have the unintended consequence of signalling to the consumer ‘“Don’t worry about it” and that’s the last thing we want.’ ‘Cyber security certification and labelling look like a good route to cyber maturity. In practice, there are key limitations which need consideration. For example: a security label which can lull some customers into thinking that their device is safe forever, without the need to update its security’.

Economic incentives for software developers to take cyber security seriously

Nick Coleman highlights the great potential of economic incentives such as so-called ‘bug bounties’, whereby ethical hackers who identify structural weaknesses and entry points in the systems of corporations or public organisations are rewarded financially. In his words, this means that ‘the good guys’ get a reward. Baroness Neville-Jones complements the point by stressing that corporations also need to review their policies regarding the personal data they hold, particularly in light of the introduction of the GDPR: ‘I think one of the things that will happen is that companies, retailers and organisations like Microsoft and Google, will think very hard and rather harder than they do at the moment, about which personal data it is really sensible to keep. In other words they need to clear up their lockers’. Panellists stressed the fluid nature of the threat posed to cyber security, with the implication that ‘bug bounties’ would ensure continual testing of cyber security frameworks.

Encryption: Solution or government dilemma?

The issue of encryption was the least controversial discussed by our panel by some margin, with all panellists and our chair Daniel Zeichner MP agreeing that while encryption poses a challenge to the national security of the UK, it is also a ‘necessary tool’. Encryption will never be infallible, but it does constitute an important component in any cyber security framework, be it in the public or corporate sector. In his concluding remarks as chair, Daniel points to the eternal trade-off between data security and its utility, of which the debate around encryption is but one manifestation.

Interested in reading more? A blog on cybersecurity by APGDA member comparethemarket.com is also available.