Speech on Cyber Security at the University of Lancaster

Delivered 06.07.2022

Ambassadors, Distinguished Guests, Ladies and Gentlemen.

My name is Simon Fell. I am the Member of Parliament for Barrow and Furness which is just over on the other side of Morecambe Bay, but I speak to you today as Chair of the All-Party Parliamentary Group (APPG) on Cyber Security. With the speed that politics is moving at at present, who knows – by the end of this speech, I may very well be the next Chancellor of the Exchequer?

What is an All Party Parliamentary Group, I hear you ask? Well, APPGs are cross-party groupings of MPs and Peers – self selecting – that look at every issue under the sun. We focus on cyber security because we are interested in it – our membership comprises over 100 parliamentarians, including former Ministers, three former security ministers, and a wide range of industry members. We’ve looked at everything from how cyber security impacts the delivery of aid to war-torn nations, to the influence of hostile states on academia and our supply chains.

As you have already heard on the first day of this symposium, like any other crisis the key to surviving it and coming out stronger is directly related to the quality of the leadership on offer. (It’s almost as if I updated this speech on the train…). This is certainly true in the world of cyber. Recent history is littered with memorable examples of how cyber-related crises are increasing in number and complexity.

But this isn’t just about leadership in the moment of crisis – it is also about preparation – ensuring that when the attack comes – and it will - we are prepared.

I am sure this audience will recall back in 2017, when the Danish shipping giant Maersk suffered a massive cyber attack. IT systems seized up, booking systems worldwide failed and the company ended up having to pay a hefty ransom. Total financial losses are estimated to have reached £230 million. A testing time for any organisation, I am sure you will agree.

Maersk fell victim to a programme called NotPetya, coded not by cyber criminals working independently, but by agents of the Russian state. It is widely believed NotPetya had originally been conceived by the Russian military and deployed in Ukraine, specifically targeting its financial systems.

However, due to the interconnected nature of the internet, Maersk, as well as many other organisations, ended up being ‘collateral damage’. The sum total of this ‘collateral damage’ has been estimated globally at 15 billion dollars.

Russia is not the only perpetrator of these kinds of attacks. Last year, Western governments including the UK accused the Chinese state of teaming up with criminal gangs to carry out online theft of intellectual property and cyber espionage. In April of this year Ukraine’s security service revealed that China had attempted to hack 600 websites prior to Russia’s invasion.

This isn’t the only attack of course. The example that is well-worn is WannaCry. I heard from a Council that is based not a million miles from here during a recent APPG meeting that they lost 20% of their budget as a result of that attack. When your budget is used to fix potholes, replace street lights and keep the bins emptied, that is a tangible impact on people’s daily lives.

Last week I was speaking to the Health Secretary – the then health secretary – about the plans to open up NHS data. I made the point about cyber security and that the system was hit so badly by WannaCry not because it was a complex piece of software, but rather that the NHS was populated by crappy old Windows PCs that had been left unpatched and un-updated for too long.

Security isn’t just about data. It’s about physical systems, virtual vaults, and – crucially – people.

So what do our cyber leaders need to prepare for?

The NotPetya and Chinese examples illustrate not just the scale of the threat we face, but also that the line between our notion of cyber security and crime is blurred beyond recognition. Cyberspace invites covert interaction between agents of the state and criminals on an unprecedented scale. In secrecy, attacks are launched with the aim of securing financial resources as well as gaining strategic advantage.

Every state-sponsored cyber crime committed is a force multiplier for offences committed by thieves armed with laptops, their crimes ranging from fraud against a single individual to multi-million pound thefts.

According to the National Fraud Intelligence Bureau, UK Finance, and my former employer, the anti-fraud service Cifas, in the year ending September 2020 there were a staggering 413,417 cases of fraud in the UK, a 27% rise from the previous year. Even more concerning, in the same time period there was a 42% increase in financial investment fraud. Bear in mind, these are only the frauds that were reported and that we know about. It is estimated that those unreported and undiscovered dwarf these figures by some margin.

UK Finance says “nearly every scam now has an online element” as people and businesses conduct most of their day-to-day transactions and administration online. Cyber criminals typically deploy nefarious phishing techniques and hack accounts to illegally retrieve data, which they then use to commit fraud.

I can speak to this. In the fraud world a decade ago, 15% of criminal activity was cyber-enabled. By the time I left legitimate employment and became an MP in late 2019, it sat at 85%. And even where cyber was not the attack vector, it is the channel used to magic away the illicitly acquired funds.

The UK Government is well aware of the dangers and is taking swift action to provide the necessary strategic leadership. In December 2021, the Government launched its third Cyber Security Strategy.

The strategy is built on five pillars: strengthening the cyber ecosystem; building a prosperous and resilient digital UK; taking the lead in technologies vital to cyber power; advancing the UK’s global leadership, and detecting, disrupting and deterring UK adversaries to ensure UK prosperity in cyberspace.

This means investment in the UK’s cyber defence network and encompasses the management of vulnerabilities, collaboration with commercial suppliers, and access to data, thereby enabling government departments to make effective risk-management decisions.

One aspect of the strategy I am particularly glad to see focus on is the aim of building strategic partnerships with the private sector and international partners worldwide so that the United Kingdom can mount an effective and robust defence against an attack. Never has the phrase, “we’re all in this together” been more apt.

The Government is already making moves on this front. A new Cyber Security Centre of Excellence for Africa has been launched in Rabat, Morocco through a joint venture involving a British company, Templar Executives, and backed by the UK Government.

This new centre will supply Africa with a constant stream of cyber security graduates to build resilience in both the public and commercial sectors across the continent. I would urge the Government and key stakeholders to replicate this model in other parts of the world.

Additionally, Lancaster University is involved in helping to deliver a ground-breaking cyber security MBA course specifically designed for C-suite decision makers. I believe you may know something about this.

And not a million miles away, more is coming. The National Cyber Force is to be based in Samlesbury just outside of Preston, and the Barrow Town Deal is bringing a University campus to my constituency for the first time, a joint project between the Universities of Cumbria and Lancaster, with a major focus on cyber-security skills.

It is extremely important that Britain plays a role in developing capability overseas. A major vulnerability we have is the ability of criminal coders to meet online and collaborate in building and even selling off dangerous malware, such as that developed by the Kremlin.

This collaboration does not recognise borders. The Government and its partners need to meet the challenge with a much higher level of coordination and strengthened global capabilities.

One piece of legislation that looks to strengthen our capability in countering threats from foreign states is the UK National Security Bill, introduced to the House of Commons in May of this year. It intends to replace existing counter-espionage laws with a comprehensive framework for countering hostile state activity, similar to the counter-terrorism framework.

A new sabotage offence will be introduced to provide greater scope to respond to new tactics and technology, such as the use of drones and cyber attacks. It will also address the serious threat from state-backed attacks on sites, data, and infrastructure that is critical to the UK’s safety and interests.

As the chair of the APPG on cyber security, I have closely followed this complex and very real threat as it explodes in scale. Through my work with the APPG I have examined the Online Harms Bill introduced to protect the public against cyberbullying, misogynistic abuse, pornography, and material promoting violence and self-harm.

A first draft of the Bill was published in May 2021, building on the Online Harms White Paper that had gone before it. A revised draft of the Bill was introduced into Parliament in March and is expected to be fully operational in 2024.

The Online Safety Bill requires social media platforms, search engines and other apps and websites to protect children and tackle illegal activity while maintaining freedom of speech. For companies that do not comply, the industry regulator Ofcom will be given the power to fine them up to 10 per cent of their annual global turnover.

Frankly, as a legislator, as a member of the Home Affairs Committee, as the Chair of the APPG Cyber Security, I am sick to the back teeth of social media companies shirking their responsibilities, claiming that they are doing all they can when the evidence suggests otherwise, and hiding behind the defence of ‘not being a publisher’ – a dubious claim at best.

How the algorithms potentially work, particularly in relation to AI, how content is promoted, and how users interact with company platforms affect the way that harms materialise online. The legislation promotes greater transparency, however we need to be mindful that transparency leads to a higher risk of a cyber attack.

More broadly, we need to acknowledge that online financial crimes perpetrated by organised criminals, usually to move illicit money gained from activities as diverse as human trafficking to county lines drug dealing, demand a proportionate response. The same goes for low and high-level fraud occurring on an unprecedented scale and, of course, systemic criminal threats at the hands of nation states.

The Government has taken a substantial and very positive step towards managing these dangers and protecting us against them, but to meet the challenge, legislation that is fit for the challenge of the future is needed. This includes reforming the Computer Misuse Act. It beggars belief that the law that governs much of our cyber interactions and protections predates Google and the common internet, and was introduced at a time when the primary mode of exchanging data was floppy disks!

The world of cyber security is an ever evolving and complex environment that will continue to test those safeguarding our everyday lives. A key component to the success of our cyber leaders, be it in the public or private sector, will be education.

That is why I am delighted to address this Cyber Leadership Symposium here today. I welcome the launch of this forward thinking and proactive MBA. We need more people with cyber skills – from practitioners on the ground to the C-Suite making decisions that are informed and cognisant of the risks that cyber poses in an ever-changing environment.

The future of cyber security rests on initiatives such as these, which is why they are so important. Together, we have it in us to build a cyber-resilient future.

Thank you.
