Jonathan Evans, director general of the U.K.'s security agency MI5, warns that Western nations are being targeted by an "astonishing" level of cyber espionage activity on an "industrial scale".
"The front line in cyber security is as much in business as it is in government. Britain’s National Security Strategy makes it clear that cyber security ranks alongside terrorism as one of the four key security challenges facing the UK. Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states. And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both State sponsored cyber espionage and organised cyber crime," Evans said.
Evans made the statements during the Lord Mayor’s Annual Defence and Security Lecture, telling the assembly of business leaders that the threats are as serious as those presented by terrorist activities.
Beyond being a serious threat to national security, Evans characterized the consequences of state-sponsored cyber espionage operations as a major economic problem that can have dire financial consequences for the viability of enterprises and their stakeholders.
"This is a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions. What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations. And the threat to businesses relates not only to major industrial companies but also to their foreign subsidiaries, and to suppliers of professional services who may not be so well protected," said Evans.
Evans advised that corporate leadership should be addressing the threat of network intrusions as a priority issue, and warned that the potential damage from infiltration can include not only monetary losses, but also a loss of competitive advantage.
"The Boards of all companies should consider the vulnerability of their own company to these risks as part of their normal corporate governance – and they should require their key advisors and suppliers to do the same. One major London listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of hostile state cyber attack – not just through intellectual property loss but also from commercial disadvantage in contractual negotiations. They will not be the only corporate victim of these problems," Evans continued.
Evans noted that information systems are now ubiquitous and pervade every aspect of society, making the inherent vulnerabilities enormous in scope.
"And the internet has developed from a communication network to what is called the “internet of things” – connecting via the internet the buildings we work in, the cars we drive, our traffic management systems, Bank ATMs, our industrial control systems and much more. This increases the potential for mischief and leads to risks of real world damage as well as information loss," Evans said.
Evans also cautioned that the threat of cyber attacks is not limited to nation-state operatives, and said he expects that organized terror groups have an eye on the potential for using cyberspace as a battlefield in the near future.
"So far, established terrorist groups have not posed a significant threat in this medium, but they are aware of the potential to use cyber vulnerabilities to attack critical infrastructure and I would expect them to gain more capability to do so in future."
Evans went on to describe the role of MI5 in enhancing the nation's cyber defenses, pointing out the investments made in initiatives like the Centre for the Protection of National Infrastructure and the efforts made to increase cooperation between business, law enforcement and agencies like the GCHQ, the Department of Business Innovation and Skills, and the Department for Energy and Climate Change.
"We are contributing to the international process of ensuring that the appropriate IT security management standards are in place to manage some of these new risks," Evans said of the U.K. government's efforts to bolster cybersecurity.
Evans highlighted the need to firmly establish a public-private partnership to formulate strategies to combat cyber threats, and to break down barriers to information sharing in an effort to create an atmosphere of resiliency while protecting proprietary information and the confidentiality of the private sector.
"The Government’s National Cyber Security Strategy makes clear that success in this endeavour is only possible if it engages not just government but also the private sector in tackling cyber crime, making the UK more resilient to cyber attacks, shaping an open and stable internet and developing our skills base. Within Government much of the deep technical knowledge on these issues lies in GCHQ. But we are all potential or actual victims of cyber attacks and so the knowledge that we all have of the vulnerabilities and losses our own systems have experienced is relevant to finding the right solutions. Through our involvement with the CPNI we have for several years encouraged the development of information exchanges where companies in the same sector can share information on security vulnerabilities in a confidential environment," Evans said.