Introduction
Good morning everyone,
It’s really great to be here with you in Manchester.
This is one of Britain’s great cities.
From music to sport to industry, Manchester has made its mark on the world in so many ways…
And today I want to talk to you about an area where I believe Manchester, the North West, the whole country can grow in strength in the future.
There might have been times when a government minister making a speech about cyber security was thought to be something routine.
Ritual calls for preparedness, and it might not seem to have much connection to the real world.
But not today. Not this time. Not this week. Not with what we have been seeing happening over the past few weeks.
Great British businesses. Household names like M&S, the Co-op, Harrods, all the subject of serious cyber incidents.
These cyber attacks are not a game. They’re not a clever exercise. They are serious organised crime.
The purpose is to damage and extort good businesses. It’s the digital version of an old-fashioned shake down. Either straight theft or a protection racket where your business will be safe as long as you pay the gangsters.
And what we’ve seen over the past couple of weeks should serve as a wake-up call for everyone – for government and the public sector, for businesses and organisations up and down the country, as if we needed one, that cybersecurity is not a luxury – it’s an absolute necessity.
Whether it is a system failure or a deliberate attack, no organisation can afford to treat cyber security as an afterthought.
So it’s not routine. It’s a good time to be gathering today, to discuss what we can do to make our defences as strong as possible.
Now it’s one of the paradoxes of modern life technology brings huge benefits, and there’s no going back – but it also brings risks.
The internet is one of the greatest engines for creativity and innovation in modern history. It has transformed the way we live, work and learn.
Just think of the applications. Busy parents who can save so much time by ordering goods online, students with an unfathomable range of knowledge at their fingertips, families all around the world able to share pictures of those precious moments – birthdays, christenings, weddings – just at the press of a screen. All of us benefit from this astounding level of connectedness.
Yet the technology that underpins it can be weaponised by those who want to destabilise our infrastructure, our information systems, or our industrial base.
The UK’s critical infrastructure is now more interconnected than ever. That is empowering…
But it also carries risks, because there are vulnerabilities – and more than we had years ago. Right down to the household level.
As the cost of the tech has plummeted, and broadband speeds have risen, more and more devices are connected online. In 2020, it was thought to be about 50 billion. By 2030 – which isn’t that far away now – it will be 500 billion, according to projections.
More connections, more interconnectedness.
Technological leaps are rarely born in comfort; more often, they are forged during conflict, or competition or by sheer necessity. And history shows us that innovation always accelerates when the stakes are highest, from nuclear energy to the space race.
The stakes are high right now. And we are in the middle of another huge technological leap – a “technology shock” if you like – with AI and other emerging technologies developing at breakneck speeds.
It’s a duty for Government and all of us to keep up.
Because in the modern world, where everything is connected, and so much of it’s online, it doesn’t take much if that is attacked to cause serious disruption.
Just ask anyone in Spain or Portugal who went through the power outage last week. Passengers stuck in underground trains. Payment systems disabled and suddenly, for a day, cash is king again. And a host of other effects.
I experienced last July, just a couple of weeks after the general election, the CrowdStrike incident. We worked closely with one of the sponsors of this conference, CrowdStrike, to manage the fallout of that.
That wasn’t a cyber attack but it did cause ripples right across the country and the world.
Flights grounded. Hospital appointments disrupted. Holidays cancelled. GP services cut off.
We worked closely with the company to resolve it. But what did we learn?
Lessons
First, you’ve got to bring people together and coordinate. We had the National Cyber Security Centre, the Cabinet Office – the department I lead – Microsoft and CrowdStrike, all the different parts of government to understand what the incident was.
Secondly, Government cannot do it alone. You have to have good partnerships between the public and private sector.
And thirdly, even though it exposed a responsibility, there is also a prize to be grasped here.
Because if interconnectedness that I’ve spoken about requires greater protection and powers of recovery, then those countries that think about this, that invest in the cybersecurity services, will be able to offer those services to those that need them.
Just think about previous waves of interconnectedness and how the UK led the way in protecting them. Think about how Lloyds of London, for example, insured shipping right across the globe, well so too can the UK play a major role in cyber security. A new kind of technological insurance.
We are already the third largest exporter of these products and services in the world.
And as the technology continues to develop, I believe that our cyber companies and start-ups can use that current competitive advantage as a launchpad for greater success – for the benefit of the entire UK economy.
So my message this morning to you is that it’s not just about vulnerability and risk – it’s about economic growth too.
Later this year, we’ll publish a new National Cyber Strategy that will set out how we want to approach these challenges and opportunities in the years to come.
Today I want to touch on three aspects of that today threats, security and growth.
Threat landscape
Scale of activity
The threat is growing.
Last year the NCSC received almost 2,000 reports of cyber attacks – of which 90 were deemed significant, and 12 at the top end of severity.
That is three times the number of severe attacks compared to the year before (2023).
They’re targeted both Government and private systems.
Combatting it is a constant challenge. I can’t stand here this morning and tell you that Government systems are bombproof. That is not the case.
These are new systems, built on top of legacy systems, and we’re doing everything in our power to modernise the state, and to upgrade those core systems . But the Government, and the country as a whole, has to take this seriously if we’re going to do it securely in the future.
Artificial Intelligence
It’s our strong conviction that Artificial Intelligence will bring huge opportunities to the UK. We want this country to be a good home both for investment and adoption in this field. But like all general purpose technologies, it can be used for good or ill.
And just as people and businesses across the country are using AI in all sorts of applications, so too are our adversaries.
Today, we are declassifying an intelligence assessment that shows AI is going to increase not only the frequency, but the intensity, of cyber attacks in the coming years.
Our security systems will only remain secure if they keep pace with what our adversaries are doing.
And that’s why it’s imperative to understand what they’re doing and why.
State-actors
And today state-backed cyber hacking has become the new normal.
Hostile states constantly working to degrade our military advantage. With cyber criminals who will routinely sell their services to other states. These cyber mercenaries can cause huge harm.
Sometimes to steal money. For example, it is thought that North Korea stole $1.34bn through cryptocurrency theft last year, causing US officials to describe their hackers as the “world’s leading bank robbers”.
The cyber activity we are seeing in countries like North Korea reflects that grey area that exists between some states and cyber criminals.
My colleagues at the Home Office, under the leadership of the Home Secretary and the Security Minister, are working hard to strengthen our overall response to cyber crime. They have been consulting on a number of ransomware proposals designed to thwart our enemies.
Other state-backed hacking is done as part of a wider war – and we’ve seen that with Russia’s illegal invasion of Ukraine.
How Ukraine is putting up an incredibly brave fight against cyberwarfare unleashed by the Russians, and we have vowed to stand shoulder-to-shoulder with Ukraine for as long as it takes to defend their sovereignty.
And so we’re going to invest £8 million in the Ukraine Cyber Programme over the next year to counter the Kremlin’s cyber aggression.
What Russia is doing doesn’t stop in Ukraine. There have been a number of other attacks and disinformation campaigns in other countries.
For example, in Moldova’s presidential election last year. And we know that they will keep trying. So we will be investing £1 million in cyber capabilities in Moldova, to help give that country the tools to combat Russian cyber attacks and ensure their upcoming parliamentary election can be as democratic, fair and open as possible.
Our country has always defended freedom.
This is part of the defence of freedom and democracy that has been part of our country’s history.
But defence today is not just about troops and missiles.
It’s also about this cyber realm, too – and this Government is absolutely committed to making sure we and our allies are strong in this domain.
China
And let me say a word about China.
When we think about international activity in cyberspace, we need to be clear-eyed about the challenge posed by China.
It is well on its way to becoming a cyber superpower. It has the sophistication. The scale. And the seriousness.
It’s one of the world leaders in AI, as the world’s second largest economy it’s deeply embedded in global supply chains and markets.
We need to view China’s approach to cyberspace with open eyes. Disengagement economically from China is not an option. Neither’s naivety.
The job of a responsible Government is to protect our people and constructively engage with the world as it is.
“Stop the world I want to get off” is not in the United Kingdom’s interests.
Rather, our approach should be to engage constructively and consistently with China where it is in the UK’s economic interests, but also to be clear that we will robustly defend our own cyberspace.
Bolstering our defences
And I want to thank the organisations that do that. GCHQ, NCSC, the National Cyber Force – they keep watch, working tirelessly with our allies, with the Five Eyes alliance, to stay ahead of our competitors.
Our intelligence agencies also play a key role in growing our overall cyber ecosystem – acting as a training bed for all kinds of experts who go on to be successful cyber entrepreneurs.
LASR
And we’re investing in new capabilities in this regard.
Last year, I launched a new public-private partnership to keep the UK on top of some of the risks emerging on how we harness AI.
The idea behind the Laboratory for AI Security Research – or LASR, as we’ve come to call it – is simple accelerate innovation and research into how AI can protect our national security.
Since November, its funded 10 PhDs at Oxford University; funded an in-house team of 9 researchers at The Turing Institute; and its funded research at 8 other leading UK universities including Queen’s University Belfast and Lancaster University.
And we are committing an extra £7million to LASR’s research over the next financial year.
And I’m pleased to announce it has agreed a new partnership with one of the biggest tech companies in the world, Cisco.
They are going to be collaborating with GCHQ and the NCSC, and other partners to expand the research and innovation capacity of the Lab.
They will be running challenges across the UK, and build a demonstrator here in the North West to showcase how our scientists and entrepreneurs can work together to manage the risks, build the skills and grasp the opportunities of AI security.
This is the first collaboration of its kind with LASR, and will be a trailblazer and it will help LASR drive cutting-edge research into the impact of AI on national security.
Cyber Security and Resilience Bill
We’re also modernising the way the state approaches this, through the Cyber Security and Resilience Bill.
That legislation will bolster our national defences. It will grant new powers to the Technology Secretary to direct regulated organisations to reinforce their defences.
And as we begin scrutiny of that Bill in Parliament, we will be launching a new Software Security Code of Practice – to help all organisations take the measures they need to embed security and resilience.
And the prize of all this is growth. Safe economic growth.
Growth
When we’re talking about cyber, it’s easy to focus on the risks and threats.
But we also need to think about the reward. There is enormous potential for cyber security to be a driving force in our economy.
We already have over 2,000 businesses across the UK. An estimated 67,000 jobs – with an increase of 6,000 in the last 12 months.
Revenue of more than £13billion.
And as I said, we’re exporting this across the world.
But there is still potential on the table.
So we’re supporting an independent report from Imperial College and Bristol University, who are going to apply their knowledge and expertise to help us establish which levers we need to pull, and how we do that.
And ahead of the report, we are already making some big investments like the £1billion going into a new state-of-the-art Golden Valley campus near GCHQ’s Cheltenham office.
That site alone is expected to create 12,000 jobs and be home to hospitality, retail businesses, as well as 3,700 new homes. It is all growth.
Industrial Strategy
And that is why cyber is part of our Industrial Strategy too. It is a significant part of our economic future.
Conclusion
So as I said at the start of my remarks, we are in a new world.
In fact, it’s incredible to think it’s been only 36 years since Tim Berners Lee invented the World Wide Web.
I have teenage children and sometimes I try to explain to them the world before the internet. It’s not something they find easy to understand. The pace of change that we have seen during that time is unlikely to slow down.
So we have got to take the long view not just think about the technologies of today, but what it might look like in 10 or 20 years.
Cyber attacks and cyber hacking are likely to be permanent features of this new global order – there is no point in pretending otherwise.
But the opportunities are also huge, and I believe that this country, in its position of creativity and innovation, will be at the vanguard of cyberspace and cybersecurity for decades to come.
Seizing the opportunities to grow the sector, protecting and defending other parts of the economy.
Standing by our allies in an ever changing world, and defending democracy right across the world.
It is at once one of the challenges and opportunities of our time, and we have to work together to meet it.
–ENDS–
