C3ISP@Cyberuk (24th-25th of April 2019)

Cyber security can be a very, very dry subject, covering topics that are highly sensitive for all businesses. These include security breaches, threat sharing, security and privacy by design and multiple specialised areas including the application of AI, defence against botnets, network and device security, as well as industry-specific rules and regulations.

What CyberUK 2019 achieved was to maintain a balance between technical and regulatory depth and readily understandable information, with plenty of experts on hand in the exhibition space ready to answer any queries one may have.

For Digital Catapult, we joined our colleagues from the Department for Digital, Culture, Media and Sport (DCMS) to fly the flag for cyber innovation from small businesses, and to connect the dots for the role of central government, including the National Cyber Security Centre. We also promoted our work on the C3ISP initiative funded by the European Commission.

The 3 key takeaways from CyberUK to consider are:

  • How can the industry increase openness and collaboration to highlight the resilience and strength of UK cyber capabilities?
  • How will the industry adapt, given that applying advanced digital technologies requires an agile approach to security, be it regulatory, educational or technical?
  • How can we accelerate the adoption of the core values of cyber security more clearly, particularly within the private sector, to increase national resilience to attacks?

Taking each of these points in turn, and based on the conversations, panel discussions and keynotes, I hope to offer some practical views on what could be interpreted from these topics.

Openness, collaboration and sharing

These terms are a far cry from the traditional cyber-conscious organisation of the past, seeking to protect highly sensitive and/or valuable assets and information from those wishing to take malicious action. As cyber security continues moving out of the backrooms and bunkers of defence organisations and into the C-suite of organisations of all sizes, the language of cyber defence is changing. In discussion with key industry players it was articulated clearly that this is a direct result of threat actors' willingness to share. As those looking to do damage to our critical infrastructures are happy to collaborate and expose multiple vulnerabilities across their networks, those responding to these actors must readily share information about how best to repel such attackers.

The work of C3ISP is exploring open threat sharing at a technical level, and it is clear from the multiple commercial threat intelligence offerings on display, from players including BAE Systems and AXIA, that there is interest in this from the market. Existing offerings go some way toward addressing these concerns; however, it is clear that there is a need for threat information on some level to be shared between organisations providing proprietary systems. I did hear organisations highlight the value of their platforms based on their reach across the ecosystem, enabling them to detect key threat actors before others. However, in the context of connected Critical Infrastructure, partial protection does little to benefit the whole. It seems clear that offering freely accessible threat sharing baseline services could be a huge game changer for the market. The work of the NCSC is progressing the adoption of CISP, and MISP was acknowledged as part of the opening of the conference. In order to truly see a market shift, we will need more organisations to promote the value of open standards and sharing capabilities which include those with vested interests.

Enabling Advanced Digital Technology

While hosting the Near Future Business Impacts of AI panel, and as part of other discussions on 5G and Connected Autonomous Vehicles at the conference, the role of advanced technologies both as an evolving threat generator and as a defence mechanism was a hot topic (as ever). This year, with the recent news about Huawei and the 5 Eyes view of the threat posed by nations with combative national interests kicking off the conference, the tone was set for the rest of the 2 days.

The AI panel was very clear that huge benefits can be gained from applying AI effectively. At the start of the day it was alluded to that AI is being applied in highly effective ways by NCSC to deter phishing attacks, with UK phishing attacks today representing 2% of global phishing, down from 4%. Microsoft, in their talk on AI, also suggested their work in this area (with regard to the monitoring of billions of accounts) has been largely powered by AI and related services. However, the technical ability of systems was countered by the legal, political and ethical impacts of such technology, particularly around automation. The importance of these non-technical factors was particularly supported by the panel. In the Connected Autonomous Vehicles talk we heard how large-scale car thefts today, driven by key fob range extenders (allowing access to high-end vehicles), are the impact of risks that were given a lack of consideration, or not yet identified, prior to launch. The academic perspective suggested that these types of vulnerabilities are hard to predict en masse; however, through better collaboration between research and commercial product development teams we could see more of these threats identified at early stages. Further to this, many cyber service providers are seen offering ‘Red Team Services’ including ethical hackers, test-to-break teams and security hackathons. One sales lead at a large industry player suggested this is the fastest growing area of business.

Digital Catapult’s work through the Machine Intelligence Garage and the AI Ethics committee brings commercial access to both much-needed compute power and ethical guidance. This service benefits businesses of all sizes, both as providers of advanced digital services and acquirers of such services. The panel also highlighted the need for improved data principles, the game-changing impact of advanced processing power from companies such as Optalysys and Graphcore, as well as the opportunity we have to learn from other nations, such as Estonia’s well-documented citizen digital identity approach.

Cyber’s growing reach

Is AI cyber? Is cyber always going to be AI? Are all AI services appropriate for application in cyber? Is your business cyber, AI, or both? What does 5G mean for cyber? Can I be IoT and cyber or do I have to choose?

The questions were raised, and fundamentally the answer seemed to be a mixture of: address a market or a problem, and don’t try to define your offer by the technology you use but instead by how it is applied. In discussion with public sector, SME and commercial colleagues it was widely agreed that there is an ever-blurring edge between the cyber security industry and other widely applicable technologies such as AI, future networks including 5G, LPWAN and IoT, as well as distributed ledger. However, Blockchain was much less of a feature in 2019 than in previous years.

The result of this blurring is beneficial with regard to better definition of purely cyber applications (such as anti-phishing, red teaming and threat sharing); however, it opens the market to new players unfamiliar with cyber terminology. We saw on the innovation alley companies like Wott pushing IoT network security, we saw the presence of sector-agnostic applications like AWS and Kafka taking up large stands, and we saw the more traditional incumbents adjusting their language and presentation styles to be more accessible.

Digital Catapult will continue through Cyber101 to support companies both with cyber-only offerings and those with combined solutions. Engaging the community in the conversation through mentorship on the programme is essential to close the loop from big companies to small and academia with regard to understanding the latest and most effective defences against specific attackers.

So what?

The optimism of CyberUK 2019, the high-profile nature of the 5 Eyes coming together and the underlying buzz of the industry are a positive indicator of the strength of the UK ecosystem in supporting businesses in the UK and beyond to be cyber secure. This means there is, and there will continue to be, real money to be made, meaningful research to do and companies with increasingly open minds looking to adopt the latest technology to better ensure their cyber defence capabilities. Ultimately, making consumers and businesses safer is an unwavering priority.

Nationally there is a push to increase cyber-conscious businesses in all sectors. The value of creating accountable information which can be acted upon quickly will be realised through improved application of advanced digital technologies. The cyber jargon is finally thinning out, but we still have a long way to go.

So what can you do?

  • Cut down on cyber jargon
  • Highlight the value you provide and the risks you reduce over the technology you apply
  • Speak to your competitors and your colleagues about threat intelligence
  • Consider developing data trusts, ethical guidelines and policies which encourage best practice in developing highly impactful products and services (and shout about it)
  • Challenge those taking risks (especially those doing so at the expense of the industry)
  • Look for opportunities to trial the latest solutions from academia, startups, SMEs and corporates and provide valuable feedback