For Governments not so long ago, cyber protection was chiefly about safeguarding national security and shielding their secrets and data. Today, our lines of defence have moved out of the world of espionage into every part of our public and private infrastructures.
With the implementation of the national Cyber Security Strategy, Protecting and Promoting the UK in a Digital World’ 1, cyber security is now firmly established as a key pillar of economic prosperity. On the one hand, it protects our public services, citizens and businesses from viruses, dark web assailants and hactivists. On the other, it underpins competitive advantage for the UK as ‘one of the most secure places in the world to carry out business on-line’.
With the recent creation of the National Cyber Security Centre, there is a welcome new emphasis on ensuring that the ‘people, public and private sector organisations and the critical national infrastructure of the UK are safer online’. NCSC are not just setting standards and giving advice, they are creating protective capability to help the UK stay safe on-line.
Trust and compliance
To prosper, the UK needs to balance security, freedom and confidence so that we are conscious of, but not paralysed by, the need to keep ourselves safe. This balance is founded on achieving the right levels of trust and compliance. We give digital marketplace leaders (such as Amazon, e-Bay and the like) our personal and payment details because we trust them. Government must continue to win the same level of public trust – especially as wide-scale digital transformation progresses.
Compliance underpins this trust. In essence, it is about Government working to protect citizens’ interests by putting constraints on the way services are provided. It is important – and challenging – to make sure that regulatory and legal obligations stay relevant and responsive as technologies advance.
Availability, confidentiality and integrity
In recent years there has been a blurring of the lines between the public and private. The result is that there are large numbers of daily touchpoints between citizens and private sector partners delivering services on behalf of Government. These companies need to work with public services (and other vendors) to prove their ability to deliver Government’s three key data requirements: availability, confidentiality and integrity. Critically, all three are required simultaneously and continuously – even more so than in the commercial sector.
Working with private companies also opens up opportunities to inject learning from other sectors. For Atos, one key engagement has been as Worldwide Technology Partner for every Olympic Games since 2001. At London 2012 we faced off over 250 million security events over the 17 days with zero impact on the Games – a feat we again repeated at Rio 2016 where the number of incidents again increased substantially. Rio also saw the move of key Games capabilities to a secure cloud environment in Brazil (supported from a central technology centre in Barcelona) – another advance in future use of secure cloud facilities for other sectors.
Cyber threat – call and response
So what is Atos’ vision to deal with the cyber threat now facing the UK? In our view, protection needs to be moved nearer and nearer to the data itself. Experts now generally agree that ‘perimeter protection’, while part of the solution, is not nearly enough on its own. Firewalls are permeable – and will soon become so even if they are upgraded. This moves the focus from just Prevention to a balance across defence, detection, reaction and remediation: it is about getting that balance right.
We will see an increasing reliance on emerging technologies to ‘reduce the attack surface’ by containing any problems (ideally to the one machine or server that has been compromised). Relatively new concepts like ‘microsegmentation’, ‘application containerisation’ and ‘micro virtualisation’ are increasingly important because they are about containment. Complementing this is behavioural analytics: machine learning that understands what should be happening and reacts when it does not.
The challenge always is to find the equivalent of a needle in a haystack in a millisecond – which is why at Atos, we see major benefits in merging our supercomputing capabilities with our data analytics expertise to create analytics platforms. These search vast volumes of raw data for anything aberrant, then react either through an automated response or with near-real-time human intervention. We describe this as progressing from ‘predictive security’ (which assesses what may happen) to ‘prescriptive security’, which stops things happening in the first place.
This ability to collect and correlate enormous volumes of data makes it possible to deal with IT delivery, performance and security data all in the same way – putting security right at the heart of operations. We are also developing ‘data-centric security’, where each piece of data is surrounded by its own metadata (data about data) that defines how it can be accessed, where and by whom – so the data actually helps protect itself.
Cyber security is the arms race of the 21st century. Constant efforts by our adversaries in finding ways to steal or damage our data must be matched by Government and private sector collaboration and investment to keep it safe and secure. The Government has the lead role in this, but needs the support of citizens and businesses to play their full part in protecting our nation state while enabling us all to capitalise on the huge opportunities we have in the world today.
This article is part of the Atos Digital Vision for Government opinion paper, which seeks to highlight the immense opportunities associated with a strategic programme of digital transformation which may also enable the UK to become a global leader in the provision of digital public sector services.
It is techUK's PS2030 campaign week this week. To see more blogs like this, please visit the website here.