On the 19 of September, a ransomware attack hit a major software supplier used by airports across Europe.
Overnight, checks and systems failed, flights were delayed, staff were forced back to pen and paper.
Thousands of people, families, workers and travellers were left stranded. It wasn’t an attack on any airport directly.
It was an attack on a software supplier, a single weak point rippled across a whole sector.
Incidents like this are becoming more common.
In the UK, 43% of businesses have experienced a cyber security breach or attack in the last 12 months. We estimate that cyber breaches cost the UK about £15 billion a year – around 0.5% of GDP.
And while the digital economy, especially AI, offers huge opportunities for growth across many sectors in the economy, none of that potential can be realised without confidence.
People need to trust the systems they use right now, but they still hesitate.
They worry about how their data is handled and whether the technologies they rely on are secure.
So software security isn’t just technical. It’s a commercial imperative. And trust is what unlocks growth.
Government’s first duty is to keep citizens safe. By securing our technologies, we protect citizens, their businesses, the economy.
Strong cyber security and supply chain security underpin enterprise, prosperity, and jobs.
That’s why we must do everything we can to protect against these attacks, and support our brilliant tech companies, so they can get on with what they do best.
We’re starting in a good place.
The UK has some of the strongest cyber defences globally.
We have fast-growing clusters of expertise in Cheltenham and Manchester, as well as Belfast and Scotland’s cyber cluster that spreads across several Scottish cities.
And our cyber sector is the third largest in the world – achieving double-digit growth, year on year.
As a government, we also know we must do our part.
Backed by over £210 million, the Government Cyber Action Plan published last week sets out how the government will rise to meet the growing range of online threats.
This will improve digital resilience across the public sector.
And as we strengthen government’s defences, we are also setting clear expectations for industry.
The Cyber Security and Resilience Bill will ensure that our critical national infrastructure is protected.
In October, we wrote to FTSE 350 companies, urging them to strengthen their defences – adopting things like our ‘Cyber Essentials’ certification.
This was followed by a similar letter to entrepreneurs and small businesses, in November, with bespoke advice for smaller teams.
We know these things work organisations that adopt ‘Cyber Essentials’ are 92% less likely to claim on cyber insurance than those who don’t.
We have also worked closely with industry to identify the minimum actions to secure the technology that our economy relies on.
This includes working hand-in-glove with the NCSC [National Cyber Security Centre], UK companies, and international counterparts to develop policies that set a global standard for technology security.
For example, the UK’s AI Cyber Security Code of Practice has been developed into a global standard through the European Telecommunication Standards Institute.
This follows in the footsteps of the PSTI ACT world leading legislation to ensure consumer devices secure by design that came into force in 2024.
But we cannot rest where we are.
The threat landscape is evolving rapidly, and adversaries are becoming more sophisticated with attacks on software.
Software now underpins almost every critical service in our economy, from healthcare, to transport, to national security. So it’s fundamental to our resilience and public trust.
To start to address this, the Department [for Science, Innovation and Technology] and the NCSC published the Software Security Code of Practice in May last year.
This Code outlines the minimum actions that software suppliers should take to ensure a baseline level of security across the software market.
But communicating those expectations is just the first step.
We now need to ensure that these actions are embedded in UK supply chains to provide businesses with confidence in the technologies they need to operate and to grow.
Currently, just 21% of organisations say they think about cyber security when buying software.
So it’s time to address this.
The question is how, exactly, we do this.
On one side, there are those who push for new regulation, and stronger government oversight.
On the other, there are those who say ‘do nothing’, businesses will get there themselves – just wait it out.
But I believe we can be more ambitious than that.
The UK is home to some of the best software firms anywhere in the world, and we’re lucky to have great examples here in this room today.
As well as the brilliant international firms who invest here, set up offices here, and make the UK their home.
I believe we need to learn from these companies – to find the ones who are leading the way and celebrate them, as role models.
The firms whose software is developed with security, top of mind.
Who appoint dedicated cyber experts.
Who have brilliant communication between buyer and seller.
Who offer best-in-class training to their workforce.
And whose leaders take safety seriously – with accountability at the very top.
That is what a true pioneer looks like.
And we see the same forward-thinking security posture throughout supply chains.
The UK hosts a burgeoning ecosystem of supply chain security experts.
This includes buyers leading the way in how they manage risks in their supply chains, and cyber security experts offering their services and knowledge to disseminate crucial cyber security capabilities.
Now we must learn from them and spread these habits to as many organisations as possible.
So today I am very proud to announce the UK’s new Software Security Ambassador Scheme, a group of leaders – 13 companies, in total – who are making a public commitment to champion secure software and to be role models for the UK government’s Software Security Code of Practice.
This Code has been written in partnership with industry and with cyber experts, at every step, including the National Cyber Security Centre.
And our national ambassadors span the whole software field – from vendors…
…Sage, Cisco, and Palo Alto Networks, Hexiosec, Zaizi and Nexor…
…to buyers – like Lloyds, and Santander…
…to expert advisors – Accenture, NCC Group, ISACA, ISC2, and Salus Cyber.
Now, we hope you will use your position as industry leaders, and first adopters, to spark a change in the sector more widely.
We’ve seen how effective this model can be.
A voluntary code of practice is a tried-and-true way of setting a professional standard.
Look at the World Health Organization’s code of practice for hand hygiene. First introduced in 2009, the code has become a global benchmark despite not being enforced by law, and has helped to significantly reduce infection rates as hospitals can draw on a single, definitive source of best practice in one place.
That’s exactly what we want the Software Security Code of Practice to become.
Every sector that depends on software, a single trusted reference point that lifts standards across the whole economy.
Our Software Security Code of Practice sets out 14 principles, and clear expectations for how software should be secured in our supply chains to build a common understanding between vendors and buyers of what level of security a software supplier should be responsible for.
I’m delighted to say it’s already being used in the public sector, by the NHS.
So our health service can help to lead by example too.
If we get it right, this could be a real moment of achievement.
Great UK industry, paving the way.
Modelling safe, secure tech for the rest of the market.
And perhaps the start of a new, international benchmark too.
To protect our country from attacks.
Back British growth and prosperity.
And create a better future for all of us, starting here today.
Thank you all.
