CYBERUK 2024: Felicity Oswald keynote speech

It seems only right to begin my CYBERUK speech by talking about ‘future tech’.  
  
New technologies offer us significant opportunities to address some of humanity's most pressing challenges.  
  
AI is being used successfully in healthcare. Quantum computers are improving our climate modelling.   
  
We, at the NCSC, are optimistic that the net benefit of AI cyber security will far outstretch any adversary’s gain in their offensive capability, whether that is through fixing code or detecting intrusions. But we should not sit on our laurels.

The AI Safety Summit at Bletchley in November brought together industry, academia and governments for the first time to find a unified approach to developing safe and secure AI.

Next week, we’ll see the next chapter of that discussion in Seoul.

I wish our Korean colleagues all the best for that important event. 
  
I am often asked why is the National Cyber Security Centre part of GCHQ?

The answer is a clear one. The insights we have on our adversaries, and the unique skills and depth of technology expertise that come with intelligence work, provide a unique combination that give us a genuine edge.

Codemaking and codebreaking are as relevant today as and as intertwined as they ever were. After all, despite the famous work at Bletchley Hut 8, Alan Turing spent more of his career in codemaking than codebreaking. 
     
And cryptography and cryptology remain at the heart of so much of cyber security, though it is sometimes forgotten in our sector. 
  
Teams across the NCSC work with many of you in this space. For example, producing cryptographic hardware and keys that help keep government secrets secret. 

But cryptography is also crucial to our future. Our exceptionally skilled colleagues continue to be instrumental in safeguarding critical national systems against formidable future quantum computers.  
 
Important work is underway, as I speak, to finalise post-quantum cryptography (PQC) algorithms. 
 
This is vital to the long-term security of internet communications their roll-out, configuration and integration into real-world systems will be an essential part of this industry’s work.  
  
I am excited that within the Future Tech stream on Wednesday, experts from industry and academia will discuss some of these challenges and opportunities.  

Whilst technology evolves at an extraordinary pace, the tectonic plates of the threats against the UK and our allies are also shifting. 

As the Foreign Secretary Lord Cameron said during his visit to the NCSC last week, the UK and our allies must make security a priority. 
 
The NCSC, as the nation’s technical authority on cyber security, judges that Russia, China, Iran and the DPRK continue to pose the greatest risk to the UK and our allies. 
 
Russia’s illegal war in Ukraine continues. Russia’s malign cyber activity persists. But Ukrainian resilience remains robust, and we are delighted to have Ukrainian colleagues with us today to hear first-hand how they are weathering those challenges.
 
The conflict in Gaza following Hamas’ attack in October last year risks further regional spillover.  
  
And although cyberspace has not been the primary battlefield in these conflicts, we have seen how cyber can be used alongside kinetic warfare.  
  
We also shouldn’t forget the threat from cyber crime which remains stubbornly high.  
  
Ransomware continues to be the biggest day-to-day cyber security threat to most UK organisations.  

In recent months, law enforcement has dramatically reduced the global threat from ransomware by disrupting LockBit’s activities and just last week unmasking and sanctioning one of its Russia based leaders.
 
This is really important, because victims can suffer significant consequences. It affects their day-to-day business functions, their reputations and their finances. 

We’ll hear tomorrow from Sir Roly Keating, CEO of the British Library about the Library’s impressive response to a cyber attack.  
 
The staff and leadership are to be commended for the way they handled the incident and for their decision not to pay the ransom. 

I encourage you to read their public report about the attack, its impact and how they recovered their services. 
 
It reminds us that all businesses must look at cyber security as an integral part of their organisational risk management.  
 
This can be done in a number of ways. 
 
Gaining a Cyber Essentials certificate is a major step in making organisations more resilient. Those that have done so are 92% less likely to make an insurance claim.  
 
Nevertheless, cyber insurance is an added incentive for organisations to implement security controls and resilience measures.  
  
And that’s why I am delighted to announce that we are publishing, today, guidance that we hope will reduce the number of ransoms being paid by UK ransomware victims.   
 
This is being done in collaboration with the Association of British Insurers, the International Underwriting Association, and the British Insurance Brokers’ Association.
  
It will empower organisations to make informed decisions when they are faced with a ransom demand, and ultimately help minimise the disruption and the cost of an incident.    
  
It is a dangerous misconception that paying a ransom guarantees the end of an incident. It doesn’t. And every ransom paid provides incentives for criminals to expand their activities. 
 
As a citizen or a consumer of a company’s services, I don’t want organisations that I trust to be doing the equivalent of leaving a bag full of used bank notes in a dark alley. 
  
That’s why today’s agreement with the insurance sector is so important.  

And before I finish, I want to build upon the points Anne has just made about China.  
   
As the Prime Minister has said, China poses a systemic challenge to our values and interests, a challenge that grows more acute as the country moves towards even greater authoritarianism.   
   
This challenge is clear and pronounced in cyberspace, where the Communist Party’s capability is vast in scale and sophistication.   
   
A growing commercial ecosystem of capable hacking outfits and data brokers is available at its disposal.  
  
And in recent years, the Chinese authorities have introduced a new law requiring the discovery of security vulnerabilities to be provided to the government as a priority and at risk of severe penalty.  This should worry all of us. 

It goes against our long-held principles of transparency and accountability. And it speaks directly to the real-world risks we have highlighted before.   
   
The US, UK and allies have raised the alarm repeatedly about activity by the VOLT TYPHOON group, which could be laying the groundwork for disruptive and destructive cyber attacks. 
 
This is a clear warning about China’s intent to hold essential networks at risk. And it is a warning that providers of essential services in the UK cannot afford to ignore. We are past the point of running unsupported systems. It is not tenable.   
   
Business leaders and networks defenders must take action to make their critical systems more secure across our economy.   
 
Investment in cyber security after the event has little value.  
   
China is certainly not treating security as an extra, and neither should we.    

So, how do we become ‘future ready’ in a world where our systems grow more intricate and hostile actors are attempting to cripple our critical sectors?  
   
The answer is and must be collaboration with our allies internationally and between government and industry.  
   
Because in the face of such a challenge, it is through the strength of our partnerships that we can be most effective in defending against the threats we face.   
  
Bolstering baseline cyber security isn't enough. 

We must revolutionise our defences by sharing the burden more effectively, leveraging our collective knowledge, and – where we need to – taking swift action.  
  
Initiatives like the Cyber Resilience Audit scheme which we are launching today, and NCSC’s own Cyber Assessment Framework, will provide a more accurate picture of sector and national-level cyber resilience. 

As Anne said, our collaborations across government, industry, academia and with like-minded countries around the world are central to our collective success.   
   
And that’s what CYBERUK is all about. I wish you two inspiring days here in Birmingham where you can forge the partnerships we all need to help keep our nations safe online.

Thank you.