The UK government’s flagship security event, CYBERUK 2022, returned this week, with two days of conversations centred around the changing nature of ‘the cyber challenge’, as we move away from a period of rebuilding the digital landscape after the pandemic.
NCC Group had the pleasure of leading the technical masterclasses for the event, and with about half of those present attending for the first time, it seems there has been a welcome injection of fresh talent in the cyber community over the last year.
By contrast, when it comes to addressing the wider ‘cyber challenge’, there has not been so much new life. We’ve seen a continuation of the rehearsed rhetoric that cyber is no longer a niche issue, but a whole-of-society problem, and this has dominated discussions about solutions.
What we did learn this year is that there is an appetite for disruption coupled with a desire for the cyber industry to take the initiative, that we are seeing increasing regulation, and that the cyber landscape remains unpredictable, as proven by events such as the response to Ukraine.
Following on from the conference we asked Kat Sommer, our head of public affairs, for her key takeaways from CYBERUK 2022:
A desire for disruption
While the cyber world continues to evolve at pace, on the whole we’re still not very good at getting the basics right, and we haven’t seen anything genuinely disruptive in the solutions space.
Rhetoric around ‘the cyber challenge’ has remained stagnant for several years now. We know that cyber is no longer a niche issue, and that it requires diversity, trust, collaboration and information sharing – a ‘whole-of-society’ approach – to work.
But we are also still struggling to treat cyber as a science. Data sharing across sector and national boundaries remains a challenge – so we aren’t putting the large volumes of data we have to use.
On a more positive note, feedback from NCC Group’s technical masterclasses suggests there is a strong desire for disruption in the form of pragmatic solutions. There is a need for this to go beyond the high-level rhetoric based on a shared sense of mission and purpose. And, as visible in the National Cyber Security Centre’s (NCSC) move to principles-based advice and guidance, we are seeing a greater desire to empower organisations to manage their own cyber risk, and to make the response to cyber threats scalable, rather than concentrating it in a single, central body.
An increasingly regulated sector
From supply chain security and secure-by-design principles, to mandatory incident reporting, there is a growing sense that cyber is becoming a highly regulated sector. When it comes to cyber regulation, governments across the globe are re-writing the rulebook for many sectors that are essential to the functioning of modern societies and economies.
And because this is happening everywhere, it’s likely that we will continue to see an increasingly complex global regulatory landscape – though there is some evidence of international collaboration and co-operation.
The development of international standards for emerging technologies (and, by extension, their underlying cyber security) has become front and centre of this debate. As tech development fragments across different values, we have been forced to consider several important questions. How should standards be written, agreed and governed? And are ‘traditional’ standards bodies equipped to be used as tools of the power competition between nation states?
Cyber events remain unpredictable
Even though intelligence and information sharing – as well as a general understanding of cyberspace – is better than ever before, there are still unpredictable events that take even the most advanced cyber defenders by surprise.
One example of this is the unexpected rise of cyber vigilantism in the context of the Ukraine crisis. Citizen hacktivists are targeting Russian-owned systems, which makes authorities’ ability to respond ever more complex, while the risk of wrongful attribution and escalation grows.
As Juhan Lepassaar, Executive Director of ENISA, helpfully put it: ‘we talk about a whole of society approach to cyber…it turns out we did not expect a whole of society response. Are we prepared for it?’