Cyber insecurity call to action: The technology explosion has transformed the world

Special to

By Liam Fox

We live in a new world. A world of interdependence where risk in one part of the globe quickly spreads to the rest. Contagion – whether economic, such as the 2008 banking crisis, natural, such as SARS, or terrorist, such as 9/11 – will ricochet around the globe.

As I wrote in my book, Rising Tides, if Francis Fukuyama had called his book “The end of geography” rather than “the end of history” he would have been closer to the mark.

Nowhere has the rate of change been greater than in the world of communications technology. To put things in context, at the end of 1995 around 16 million people (0.5 per cent of the world’s population) were using the Internet. By the end of 2012 this figure had ballooned to 2.75 billion people, around 39 per cent of the world’s population.

I recently spoke at a gathering of Swiss bankers in Lugano where I was surprised both by the variation in understanding of the potential cyber threats they were facing and the apparent lack of urgency about dealing with them. As I pointed out, the first thing we have to learn about this new world is that we cannot disaggregate risk in the way that we might have been able to do in the past.

Stolen credit card information can be purchased for as little as $1 on the dark web.

Our dependence on new communications technology and the vulnerability that it brings with it has added a new risk to the mix. As we have become more dependent on technology to lubricate the wheels of our everyday activities, so we have become more vulnerable to either the failures of the technologies themselves or our ability to access them.

The upshot has been year-on-year increases in the amount of private data stolen from companies and individuals through cyber-crime, and a corresponding increase in its profitability for criminals. Their attacks are made easier by a public perception that only financial institutions are targeted. However, as we have seen in recent years, denial of service attacks, theft of employee data and harvesting of personal information have affected firms regardless of their industry.

Whilst stolen credit card information can be purchased for as little as $1 on the dark web, a full set of medical records commands a $2000 premium. Apathy to these threats has combined with increasingly sophisticated hacking groups to leave many companies effectively defenseless.

So what then can be done to combat these threats? As a matter of urgency, we need to develop proper cyber doctrine in the way that we did in the emergence of the nuclear era. We need to determine how we would respond to potential existential threats and how we will use asymmetry to both deter and, if necessary, deal with cyber aggression.

There are two areas for change that I would propose. The first is legislative and the second is organizational.

I believe that the law needs to change in two major ways. As I mentioned earlier, denial of cyber intrusion is too often the response of companies worried about their reputation. This encourages entirely the wrong culture. If the fund holding my pension is being hacked and my money lost, I want to know about it. That is why I believe the law needs to change to make it illegal to be hacked without informing shareholders and other stakeholders.

The second change I believe we need is in relation to those who do business with government. As I have already pointed out, it is much easier to penetrate a small company in a supply chain than a major organization such as a government department. That is why I believe the government should insist, legally, that any organization that does business with government should have a minimum defined level of cyber security or they will be excluded from government contracts.

The final change specifically refers to the structure of the UK government. I believe that the current structure of Whitehall and the way that our cyber security is arranged is outdated, too complex and an inefficient way of using taxpayers' money. I would like to see all government cyber activity, including both its offensive and defensive capabilities, concentrated in one place and answerable to a single ministerial portfolio.

We cannot afford either the luxury or risk of unnecessary duplication and diversion of resources, not to mention the misplacement of the vital, but finite, individuals with the necessary skills to carry out these tasks.

The Rt. Hon. Dr. Liam Fox MP is a former UK Defence Secretary.