Big businesses have traditionally been the most common victims of cybercrime and of economic espionage conducted through cyberspace. The problem is clearly getting worse: the average cost of the most severe online security breach suffered by a big business has more than doubled in the last year alone, to £1.46 million. However, the nature of cyber-attacks is changing, and cybercrime is an increasing threat to small businesses and households too. On top of the direct theft of money, the cost of cyber-attacks to the private sector is also felt through the disruption of services and, less quantifiably, through reputational damage. Increasingly, cyber-attacks are aimed at stealing intellectual property and sensitive client data.
One of the newer threats is the growth of Advanced Persistent Threats, which target just a few people in an organisation and are designed to go unnoticed while the attackers begin a slow and methodical probe of the targeted network. Threats to essential services and critical national infrastructure come from terrorists, hacktivists and hostile foreign states, often directly but increasingly through sponsored intermediaries. 30% of organisations of national importance critically depend on externally hosted services. Nor does it seem that regulators such as the Civil Aviation Authority, Ofgem, Ofwat, Ofcom or the Bank of England currently have sufficiently coordinated cyber security strategies.
Financial institutions and telecommunications companies have in recent years been the focus of attention with respect to cybercrime. Yet it is clear that infrastructure companies are increasingly the target of sustained cyber-attacks and must be prepared for ever more sophisticated ones. Cyber liability insurance cover must play a part in this. First-party insurance covers losses suffered directly by the policyholder, whereas third-party or liability insurance protects against claims for losses from other organisations or individuals affected by a cyber-attack on the policyholder.
There are evidently obstacles to the development of a mature cyber insurance market. For example, the heterogeneity of the risks to be insured, the difficulty of predicting future losses from past events, the interdependency of assets in cyberspace, the lack of an upper limit on losses and a misperception that existing liability insurance products already cover cyber-risks are all preventing the natural growth of the market. Many companies are also suffering from the ‘agency dilemma’ concerning cyber-attacks: they do not want to talk too openly about the issue because of the reputational damage it may cause, but this means that it is difficult for any third party to get precise information about the overall scale of attacks.
There are certainly lessons which we can learn from Estonia. Since being subjected to a coordinated cyber-attack in 2007, Estonia has become a world-leader in cybersecurity. Estonia’s cyber security strategy seeks primarily to reduce the inherent vulnerabilities of cyberspace in the nation as a whole; in part this is being driven by the Information Security Interoperability Framework. The Estonian Information Systems Authority helps both private and public sector organisations to maintain the security of their information systems and it is constantly monitoring cybersecurity threats.
In the UK, the National Cyber Security Programme encompasses four key aims. Firstly, making the UK one of the most secure places in the world to do business in cyberspace; secondly making the UK more resilient to cyber-attacks; thirdly helping shape a cyberspace that supports open societies and fourthly building the UK’s cyber security knowledge, skills and capability.
Some good steps have been taken, including merging the Police Central e-Crime Unit and the SOCA cyber team within the National Crime Agency. The information asymmetries which the Estonian model has reduced are being tackled through the UK’s Cyber Security Information Sharing Partnership, which allows government and industry to exchange information on cyber threats in a trusted environment. Also, as the National Audit Office pointed out, exports of cyber security products have grown and larger companies seem to be making progress in mitigating risks.
However, the level of awareness of the risks that cyber-attacks pose to public services is far from where it should be, and SMEs in particular still seem vulnerable to attacks. At the same time, the broader issue of skills shortages remains a long-term weakness.
There are some things which the Government can do. The Commercial Product Assurance scheme, which certifies commercially available cyber security products for use in the public and private sectors, could be rolled out much more quickly. Fusion Cell information sharing also needs to be heavily promoted. Companies which have been the subject of a serious cyber-attack should be obliged to share this information within the Fusion Cell. This would allow greater sharing of information between the state and the private sector as well as reducing damaging information asymmetries.
The Government could also look to establish an early warning platform which would analyse selected data to identify common threats and help to co-ordinate responses. Cross-government contingency plans need to be updated to include the possibility of the externally hosted services of organisations of national importance being overwhelmed by coordinated cyber-attacks. The Government should also push ahead with an expansion of the Cyber First scheme, which aims to boost the UK’s cyber security skills base. Exempting strategically important subjects, including cyber security courses, from the equivalent and lower qualifications policy would also be helpful.
Cybersecurity threats are constantly evolving and becoming more effective. Under Francis Maude, a lot of positive steps were taken in the previous Parliament. Nevertheless there is still much more to do to raise awareness of the threats which exist and to improve our capacity to respond to them.