We are critically dependent on the internet, yet anything connected to it is vulnerable to cyber-attack. The global May 2017 ransomware cyber-attack, which affected some 150 countries, highlights the vulnerability of computer networks and the need for strengthened cyber-security. Can the Government keep pace with this evolving threat?

The average cost of a cyber-security breach for large firms is estimated to be £36,500, and it is thought that the costs of cyber-security breaches to the UK economy as a whole range from £1 billion to £27 billion per year.

Understanding the threat

‘Cyber-security’ refers to the protection of information systems and networks from unauthorised access, harm or misuse. Many breaches are small-scale and go unreported. A black market in computerised extortion, hacking-for-hire and stolen digital goods is on the rise. Large-scale cyber-attacks make headline news.

Phishing emails sent to politicians in the Democratic National Party in 2016 led to the first recorded attempt to use a cyber-attack to influence a US election.

The threat to cyber-security comes from a number of sources: states and state-sponsored threats, terrorists and ‘insider threats’. Technical expertise can now be bought rather than learnt, making it an increasingly accessible form of crime.

With the advance of the ‘Internet of Things’ (IoT) it is predicted that by 2020, 21 billion devices worldwide will be internet-connected. As this number increases, so too does the potential for cyber-attacks.

Quantifying the threat

According to the Cameron Government’s Cyber Security Breaches Survey 2016, a quarter of all businesses in the UK have experienced one or more cyber-security breaches in the past year. Of those companies that had a breach, 68% said they suffered from viruses, spyware and malware, 32% had attacks resulting from others impersonating the company, and 15% had a denial-of-service attack.

68% of organisations were affected by viruses, spyware and malware

Of all UK businesses, just 17% said their staff had attended some sort of cyber-security training in the past year. This varies across the size of businesses (around 10% of micro firms had staff training in the past year, compared with over 60% of large firms).

Chart: Large businesses were disproportionately affected by cyber-security breaches in 2015/16

It is estimated that by 2022 there will be a shortfall of 1.8 million people in the global cyber-security workforce, and that the UK currently has the second largest skills gap of 10 major countries.

Responding to the threat

The National Cyber Security Strategy (NCSS) aims to make the UK resilient to cyber-attack by defending against an evolving threat, deterring attacks by pursuing offenders and developing research and skills. The Strategic Defence and Security Review (SDSR) committed £1.9 billion over five years to “transform significantly the UK’s cyber security.” In 2016 the National Cyber Security Centre was established to provide leadership on this issue.

Despite the global reach of cyber-crime, there is no agreed mechanism to deal with it internationally. Part of the UK strategy is to operate closely with allies in the EU, NATO and the UN on this issue.

Both the SDSR and the NCSS committed to providing the armed forces with advanced offensive cyber capabilities. The previous Government was reluctant to provide more details but has said the armed forces are working closely with GCHQ on a National Offensive Cyber Programme. This includes basing a unit from the Joint Forces Cyber Group at GCHQ’s base in Cheltenham.

There is a growing body of work examining how current international law applies to cyber warfare, and there has been some discussion of whether a treaty to govern cyber-weapons is needed.

Chart: A higher proportion of large businesses had cyber-security training for their staff in 2015/16

What are the laws against cyber-attacks?

The Computer Misuse Act 1990 (CMA) is the main piece of UK legislation relating to cyber-crimes such as hacking and denial-of-service attacks. Other legislation deals with unlawful interceptions and data protection.

The 1990 Act does not define what is meant by a ‘computer’, to allow for technological development. Although the NCSS does not include any specific proposals for new legislation, the law will need to accommodate technologies moving further away from traditional conceptions of computer-based tools.

Stopping the threat: what more could be done?

Some commentators argue that companies can’t be wholly reliant on the national Government strategy to protect them and should take measures such as ensuring that staff are trained in cyber-security principles and computer networks have adequate software.

Others have suggested that, while it’s good that more money is being devoted to cyber-security, legislative change is needed too. John Naughton, for example, argues that it could be made a criminal offence to sell or import IoT devices that don’t meet specific security criteria.

Additionally, Naughton argues that, just as it’s illegal to drive a car without an MOT, it could be made a criminal offence to run a networked computer system that does not have all current security patches installed, or make software companies liable if they sell/distribute software that has known security vulnerabilities.

This article is part of Key Issues 2017 – a series of briefings on the topics that will take centre stage in UK and international politics in the new Parliament.