Bryan Lillie, CTO of Cyber, QinetiQ
When one compares cyber security today to what it was ten years ago, the two are almost unidentifiable as the same industry. The iPhone had only just launched; Facebook was still in its infancy; the Internet of Things (IoT) was still a dream. The routes a hacker could use to access a system were limited, and because of this, cyber security was built around walls. One was encouraged to block attacks with firewalls and other perimeter security that could be plugged into existing systems. There was no wider strategy, with little thought given to what would happen if those walls were breached. This created a very segmented landscape, made up of a multitude of different products, all with varying capabilities and from different suppliers.
Today’s landscape is utterly different. The routes into a system are so numerous they are impossible to police effectively, with the IoT making this problem greater by the day.
Yet the technology that is causing a headache for cyber security professionals is the same technology that can help drive a business forward. Consider the transformational potential of IoT. Data between previously distant departments or operations can now be collected, shared and used automatically, dramatically improving the efficiency with which those two business areas work.
The consequences for cyber security, however, are serious. Access across a large multinational corporation’s systems can be gained through one chink in the armour of one small department. Recent hacks have shown this time and again. The hack against Target, one of the biggest ever and responsible for the loss of details of 110 million customers, stemmed from a phishing attack on a contractor. USB sticks infected with malware are an ever-present threat; once plugged in, hackers quickly spread throughout an organisation’s system and begin to do serious damage. This has been proven to chilling effect in the health sector, where patient monitors have even been accessed.
To counter this, the cyber industry must work to develop a security protocol – a standard – that can operate effectively across all different elements of modern, large-scale computer systems; a system of systems. Such a protocol will allow for the effective identification and quantification of any security and privacy issues in any part of a business’ IT systems. Other industries have used similar models of ever-present testing and evaluation to ensure their services are as rigorous as can be. Engineering, constantly evolving since the industrial revolution, is built upon testing. From product design through to end-of-life decommissioning, the industry constantly tests the performance and capabilities of its devices.
A system of systems will allow cyber security to do the same. All parts of the IT supply chain, from the service provider to the OEM and from the management consultancy to the market researcher, will be able to scrutinise their business operations from a cyber security standpoint, and all to the same high level of quality.
This will align with and be underpinned by the National Cyber Security Strategy, supported by the NCSC. It aims to create an “ecosystem” of “innovative and thriving cyber security” by bringing together the “best minds from government, academia and the private sector” to deliver this system of systems, solving the issues presented by a divergent and complex online world. It will be the beginning of a new era of cyber security protection, based not on unrealistic goals but on our ability as a nation to mitigate and minimise risk through collaboration. It will give the UK and its population assurances that their data and systems are safe, and provide the base from which a successful digital economy can flourish.