The free market is failing when it comes to cyber security, Britain’s electronic spy chief has warned in a rare public intervention that could pave the way for tougher regulation as the threat of attack becomes “exponential”.
“It is time to take a hard look at whether the international market for cyber security is working sufficiently well . . . something is not quite right here,” Robert Hannigan, director of GCHQ, told senior business figures in London on Tuesday at a private conference organised by the agency and reported on by the FT.
“What is also clear is that we cannot as a country allow this situation to continue,” he will add.
Mr Hannigan’s remarks come barely two weeks after British telecoms company TalkTalk was hit by a damaging but elementary breach that knocked a quarter off the company’s share price and exposed thousands of customers’ personal details, raising questions over the digital resilience of British businesses.
Government officials warned at the time that the attack was a “wake-up call” for organisations that were aware of problems but had not yet acted to prevent them.
“Standards are not yet as high as they need to be,” Mr Hannigan said in his speech, an advance copy of which was seen by the Financial Times. “The global cyber security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear. The normal drivers of change, from regulation and incentivisation through to insurance cover and legal liability, are still immature.
“Those charged in government with national security have worried about the top-end threats for some time . . . there is no doubt — significant cyber attacks will become more common, not less in the coming period,” he will tell IA15, GCHQ’s conference on information assurance.
Mr Hannigan stops short of calling for new laws, but says the government must act to “make the market work better”. Ideas that have been floated by officials in Whitehall recently include disclosure requirements for listed businesses, greater legal liability or tougher regulation of standards and qualifications.
The government is also looking more broadly at ways to encourage, rather than force, cultural change. UK cyber security officials look to Israel in particular — which has a well-developed private cyber security sector nurtured by the government and its surveillance agencies — as an example to emulate.
The UK has so far been lucky to avoid a serious incident, Mr Hannigan believes. A “destructive” attack, such as that on Sony Pictures, which could threaten livelihoods, businesses or even lives, is highly likely but not taken seriously by the private sector, GCHQ has warned the prime minister.
The past 18 months have seen an increase in online attacks against western targets in particular.
Russia and Iran have both ramped up aggressive operations in cyber space, and proxy groups are being used by both — and other states — to wage sophisticated attacks.
GCHQ monitors and defends government networks, and in partnership with MI5, the UK’s domestic intelligence and security agency, oversees protection of national infrastructure. The agency has made clear to large businesses, however, that it cannot protect their networks and they must do so themselves.
The agency has been at pains to foster greater efforts from the private sector. Last year, GCHQ started sharing classified intelligence material on cyber attacks with some big businesses based in the UK.
Some sectors have invested in shoring up their defences. Banks, in particular, work closely with the government and regulators and spend collectively hundreds of millions of pounds on their digital security.
Other sectors, government officials say, are far less proactive — often despite frequent warnings. Manufacturing businesses and consumer businesses are particularly poor, they say.