PaCCS/KTN Policy Briefing on “Innovation Challenges in Cybersecurity”
By Dr Tristram Riley-Smith & Dr Siraj Ahmed Shaikh
This stems from a residential workshop that we ran last November, bringing together a small group of leaders from research, policy-making, industry and investment. The aim was to uncover and address the main obstacles to delivering effective cybersecurity solutions.
This is a pressing issue, because both the threats and opportunities are enormous.
As the Chancellor of the Exchequer said (in his GCHQ speech, shortly before our workshop), there is a “painful asymmetry between attack and defence”. It is getting cheaper and easier to acquire malign code to breach cyber defences; the attack surface is growing at an alarming rate; cyber-confidence artists are duping us with ever more sophisticated tricks; and the rewards of crime are enormous.
Last week, we learned about a sophisticated operation aimed at extracting $1bn from the New York Federal Reserve. The criminals successfully penetrated Bangladesh’s Central Bank, before transferring tens of millions of dollars from New York to accounts around the world. They had lifted $100m, with payment instructions fully authenticated by the SWIFT messaging system, when a spelling mistake in one instruction (“Fandation” instead of “Foundation”) prompted a routing bank query, and the crime was exposed. The $100m was retrieved, and the criminals frustrated. But no doubt, like The Terminator, “they’ll be back!”
Great value will accrue to those who can deliver the products and services to protect us from cyber attack. The UK should be well-placed to contribute here. We have hundreds of cybersecurity research projects under way in our universities, run by an academic community that is the envy of the world; we have engineering companies with an established global reach and sophisticated marketing teams; cohorts of angel investors and fund managers are interested in supporting early-stage ventures; and professional policy-makers whose understanding of the issues is illuminated by world-class Security and Intelligence Agencies.
But despite the dangers, the demand, and the opportunities for delivery, we are failing to satisfy the market for cybersecurity solutions. This isn’t an isolated case, of course. Britain has struggled, in other sectors, to draw these threads together and create the start-up companies that can deliver the goods. But matters seem particularly dire (and particularly pressing) when it comes to thwarting cyber attacks.
The problems, our Policy Briefing concludes, can be summarised in terms of Market Literacy and the Innovation Pipeline. We wouldn’t claim to have produced a comprehensive analysis of the challenges based on a 24 hour workshop. But we have succeeded in unpacking these issues in some detail, and – thanks to the quality and diversity of our experts– we have created a set of recommendations for addressing these challenges that reflects the complexity of the problem.
There is one key message to take away from the Briefing. We are all in this together; no single sector can sort this out on its own; small contributions can make a difference, but ideally this needs to be tackled through a collective, collaborative effort.