Baroness Neville-Jones, Prime Minister David Cameron’s special representative to business on cyber security, will be opening this year’s brand-new SDL Educa track for ONLINE EDUCA BERLIN, by speaking at the Security & Defence Learning Forum, on Wednesday 28th November 2012, 9:15 am. She will be joined by Chairman Dr Harold Elletson, New Security Foundation and Marcus Klische, BlackBerry’s Security Advisor.
Pauline Neville-Jones was chairman in 1993 and 1994 of the Joint Intelligence Committee, which directs and coordinates the three British intelligence and security agencies, known colloquially as GCHQ, MI5 and MI6. In the 1980s, she was Chef de Cabinet to European Union Commissioner Christopher Tugendhat and also served as a governor of the BBC.
Baroness Neville-Jones kindly answered some questions for the ONLINE EDUCA News Service:
Which cyber security threats would you say need the most immediate defensive action?
The threats where the attacks are most sustained, and where vulnerability is at its greatest, are in financial theft and theft of intellectual property (IP). The losses through financial theft amount to many trillions worldwide and the vast majority could be prevented through relatively simple upgrades in cyber security. The monetary losses through theft of intellectual property are harder to calculate, partly because they are frequently not discovered and often not reported. Over the long term these are probably more damaging to prosperity and wealth creation.
Can you explain the broad requirements of your post as special representative to business on cyber security?
In my position as the British Prime Minister’s special representative to business for cyber security, I work closely with the government to ensure the effective implementation of a key element of the cyber security strategy – the partnership between government and the private sector. Since the private sector is a supplier of most of the relevant technology, operates most of the systems and networks, owns most of the national infrastructure on which the continuity of the nation’s business depends and is itself a victim of attack, close cooperation between the public and the private sector is essential to success. The government offers threat analysis and information to the private sector, gives guidance on cyber security, recommends boardroom custodianship of the data assets of a company and is taking action to improve the supply of individuals with cyber skills from school onwards. I am active in all these aspects.
How can staff be trained in cyber security?
Organisations need to institute regular cyber training and updates, have standard, easily understood and enforced rules on access to electronic data, have layered security, which matches the degree of access permitted to individual employees, and should penalise breaches.
Do you agree with the US National Academy of Sciences that a cyber-attack on the control systems of the US power grid could be “more destructive than super-storm Sandy, possibly costing hundreds of billions of dollars and leading to thousands of deaths”?
If a penetrated control system of the power grid were to result in a large sector covering a wide area going down, with cascading effects such as hospitals losing power for a sustained period of time and gas explosions occurring, the damage could turn out to be extensive and costly. Loss of lives could not be ruled out, although the death of thousands sounds an extreme case prediction. More usually, it would be possible to evacuate vulnerable individuals, and self-healing processes would be likely to restore some parts of the grid quite quickly.
Do you also agree that in Britain, privatisation of the power generation system has weakened its resilience to such potential attacks?
I do not agree that this act has itself been a cause of any weakening in resilience, as the bulk of the effects of privatisation of the British power generation system occurred some decades ago, and the system is heavily regulated. Investment decisions are the object of negotiation with the regulator, which has a duty to ensure the safety and reliability of supply. SCADA systems are well established. I would however be in favour of the regulators of the different power industries having a duty in respect of cyber-related resilience.
After it was shown that a cyber-attack on Lockheed’s networks in May 2011 had been launched through the computer systems of two of its suppliers [RSA, the security division of EMC Corp, and another unidentified company], should big companies take special measures to defend their systems from their suppliers and to defend against the social networking systems used by their staff?
The defences chosen by companies in relation to their suppliers should be a function of the nature of their own system and their relationship with given suppliers. If their data is stored on standalone systems with perimeter security, they may have no choice but to have a barrier to entry by suppliers. There is a business cost in this, especially in cases where the supplier is frequent and heavily relied on. Where a company is using a managed service in the Cloud, it is more efficient and more secure to give a supplier, especially a frequent one, access, provided always that the architecture of the network is designed to allow this. Social networks are another question, although some companies do find it efficient to allow staff to use the company networks for social purposes, which demands high quality layering of security.
Thank you very much for the interview!