UK Cyber-Security Chief Baroness Neville-Jones on threats to business

Andrew Rosthorn interviews Baroness Neville-Jones of Hutton Roof, the British Prime Minister’s Special Representative to Business on Cyber-Security.

Baroness Neville-Jones of Hutton Roof was a career diplomat leading the British delegation during the Dayton Accords which brought peace to Bosnia in November 1995 after 42 months of war.

She was chairman in 1993 and 1994 of the Joint Intelligence Committee which directs and co-ordinates the three British intelligence and security agencies, known colloquially as GCHQ, MI5 and MI6.

During her chairmanship of the JIC, the British government acknowledged for the first time the existence of MI6, establishing the Secret Intelligence Service on a legal basis after 85 years of espionage, two world wars and one global cold war.

In the 1980s Pauline Neville-Jones was Chef de Cabinet to European Union Commissioner Christopher Tugendhat.

She has served as a governor of the British Broadcasting Commission and as non-executive chairman of the government-owned defence technology firm QinetiQ, which was eventually privatised for £1.3 billion in February 2006.

As a working peer in the House of Lords since 2007, she was the Conservative party’s shadow spokesman on security until the 2010 Conservative – Liberal Democrat coalition government took power, when she was appointed Minister of State for Security and Counter Terrorism. In a change of office on May 2011 she became Prime-minister David Cameron’s Special Representative to Business on Cyber Security.

She was educated at Leeds Girls’ High School, where the bleak motto “Age Quod Agis” was borrowed from the Book of Eccliastes in the Authorised Version of the Bible: “Whatsoever thy hand findeth to do, do it with thy might; for there is no work, nor device, nor knowledge, nor wisdom, in the grave, whither thou goest.”  Pauline Neville-Jones read modern history at Lady Margaret Hall, Oxford.

 

Q. Which cyber security threat would you say needs the most immediate defensive action?

A. The threats where the attack is most sustained, and vulnerability to it greatest, are in financial theft and theft of intellectual property (IP).  The losses through financial theft amount to many trillions world wide and the vast majority could be prevented through relatively simple upgrades in cyber security. The money cost of losses of IP are harder to calculate partly because frequently not discovered and often not reported.  Over the long term they are probably more damaging to prosperity and wealth creation.

Q. Can you explain the broad requirements of your post as Special Representative to Business on Cyber Security?

A.  In my position as the British Prime Minister’s special representative to business for cyber security, I work closely with government to ensure the effective implementation of a key element of the cyber security strategy – the partnership between government and the private sector.  Since the private sector are suppliers of most of the relevant technology, operate most of the systems and networks, own most of the national infrastructure on which the continuity of the business of the nation depends and is itself a victim of attack, close cooperation  between the public and private sectors is essential to success.  The government offers threat analysis and information to the private sector, gives guidance on cyber security, recommends boardroom custodianship of the data assets of a company and is taking action to improve the supply from school onwards of individuals with cyber skills. I am active in all these aspects.

Q. How can staff be trained in cyber security?

A. Organisations need to institute regular cyber training and updates, have standard, easily understood and enforced rules on access to electronic data, have layered security which matches the degree of access permitted to individual employees and should penalise breaches.

Q. Do you agree with the US National Academy of Sciences that a cyber attack on the control systems of the US power grid could be “more destructive than superstorm Sandy, possibly costing hundreds of billions of dollars and leading to thousands of deaths.”

A. If a penetrated control system of the power grid were to result in a large sector covering a wide area to go down, with cascading effects such as hospitals losing power for a sustained period of time and gas explosions occurring, the damage could turn out to be extensive and costly.  Loss of life could not be ruled out, although the death of thousands sounds an extreme case prediction. More usually it would be possible to evacuate vulnerable individuals and self healing processes would be likely to restore some parts of the grid quite quickly.

Q. Do you also agree that “The push by federal regulators to introduce competition in bulk power across the country has also resulted in the transmission network being used in ways for which it was not designed” and that in Britain, privatisation of the power generation system has weakened its resilience to such potential attacks?

A. I cannot answer the first part of the question, which applies to US conditions. As regards the effect of privatisation of the British power generation system, the bulk of which occurred some decades ago, and which is heavily regulated, I do not agree that this act has itself been a cause of any weakening in resilience.   Investment decisions are the object of negotiation with the regulator which has a duty to ensure the safety and reliability of supply.  SCADA systems are well established.  I would however be in favour of the regulators of the different power industries having a duty in respect of cyber related resilience.

Q.  After it was shown that a cyber attack on Lockheed’s networks in May 2011 had been launched through the computer systems of two of its suppliers [RSA, the security division of EMC Corp and another unidentified company] should big companies take special measures to defend their systems from their suppliers and defend from the social networking systems used by their staff?

A. The defences chosen by companies in relation to their suppliers should be a function of the nature of their own system and their relationship with given suppliers. If their data is stored on standalone systems with perimeter security, they may have no choice but to have a barrier to entry by suppliers.  There is a business cost in this, especially in cases where the supplier is frequent and heavily relied on. Where a company is using a managed service in the Cloud, it is more efficient and more secure to give a supplier, especially a frequent one, access, provided always that the architecture of the network is designed to allow this.   Social networks are another question, although some companies do find it efficient to allow staff to use the company networks for social purposes, which demands high quality layering of security.