{"id":23058,"date":"2026-04-27T10:18:17","date_gmt":"2026-04-27T10:18:17","guid":{"rendered":"https:\/\/www.europesays.com\/britain\/23058\/"},"modified":"2026-04-27T10:18:17","modified_gmt":"2026-04-27T10:18:17","slug":"uk-faces-perfect-storm-for-cyber-security-lessons-for-boards-from-cyber-uk-natalie-donovan-richard-jeens","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/britain\/23058\/","title":{"rendered":"UK faces &#8220;perfect storm&#8221; for cyber security: Lessons for boards from \u2018Cyber UK\u2019, Natalie Donovan, Richard Jeens"},"content":{"rendered":"<p>We\u2019ve just returned from Cyber UK (the Government\u2019s flagship cyber security conference) with the clear message that (i) the UK is facing the perfect storm in terms of cyber risk \u2013 acute geopolitical uncertainty combined with fast-developing technological advancements; and (ii) Government and industry will need to work together to combat this evolving threat. \u00a0<\/p>\n<p>Boards are clearly already taking cyber risk seriously but what are the practical takeaways from this evolving landscape and the changing expectations of Government and regulators?\u00a0<\/p>\n<p>Increased risk\u00a0<\/p>\n<p>Geopolitical uncertainty:\u00a0\u00a0The NCSC and ministers were keen to stress that the UK is currently in the \u2018grey zone\u2019 between peace time and conflict. This means seeing cyber-attacks not just as a criminal act for financial gain but a routine feature of geopolitical conflict used for disruption and destabilisation. 
There have already been <a href=\"https:\/\/www.ncsc.gov.uk\/news\/ncsc-advises-uk-organisations-take-action-following-conflict-in-middle-east\" rel=\"nofollow noopener\" target=\"_blank\">warnings<\/a>\u00a0of a heightened risk of indirect cyber threat for those organisations who have a presence, or supply chains, in the Middle East and specific <a href=\"https:\/\/www.ncsc.gov.uk\/news\/ncsc-advises-uk-organisations-take-action-following-conflict-in-middle-east\" rel=\"nofollow noopener\" target=\"_blank\">guidance<\/a>\u00a0those organisations, and CNI (who may face increased attacks), can follow. \u00a0<br \/>\u00a0AI accelerating cyber-attack capability:\u00a0While AI\u2011related cyber risk has been approaching for some time, speakers at CyberUK from across the world provided examples of its capabilities and risks. AI firm Anthropic released its Mythos model in April, which is, according to the UK\u2019s AI Security Institute (AISI), substantially more capable at cyber offence than other models. The Government is so concerned by its capabilities that it has <a href=\"https:\/\/www.gov.uk\/government\/publications\/ai-cyber-threats-open-letter-to-business-leaders\/ai-cyber-threats-open-letter-to-business-leaders-html\" rel=\"nofollow noopener\" target=\"_blank\">written<\/a>\u00a0an open letter to business leaders, warning of the threat. Regulators like the FCA and OFCOM have also warned of increased scrutiny in light of these technological developments. 
At the conference, Anthropic\u2019s\u00a0Head of Threat Intelligence described how attackers progressed, over the course of just a few months last year, from using AI primarily as a sophisticated search tool to deploying it as a fully\u2011fledged assistant across the attack lifecycle (supporting reconnaissance, penetration testing and the creation of targeted phishing campaigns). AI is already lowering the barrier to entry for cyber criminals and making them more efficient (increasing the volume of expected attacks), and its capabilities are accelerating even faster than had been envisaged. The AISI assess that the capability of these most powerful AI (frontier) models is now doubling every 4 months, compared to every 8 months previously. This is, for example, further accelerating the reduction in\u00a0the \u2018dwell\u2019 time between infiltration and attack, which used to be measured in weeks or months but\u00a0can now be less than an hour. That said, one of the risks with this proliferation of AI-enabled attacks is their indiscriminate nature. Speakers from the US and Japan highlighted \u2018bad\u2019 attacks that had been prevented but where the encryption tools used simply didn\u2019t have functioning decryption built in\u00a0or \u2018noisy attacks\u2019 which are easy to spot. The attacks are therefore not necessarily more sophisticated, with many detectable with effective monitoring, but more voluminous.\u00a0\u00a0<br \/>\u00a0Humans still matter: Law enforcement agencies were also keen to emphasise the growth and sophistication of AI in human exploitation. That includes phishing, deep fake videos and, in some cases, de facto blackmail of key staff if they or their family are hacked. 
The clear lesson is that multi-human verification remains key alongside AI-supported detection and response systems.<\/p>\n<p>Rising expectations on organisations and boards<\/p>\n<p>Move from cyber security to cyber resilience:\u00a0Taking this together, the key theme was that cyber resilience has to mean having a \u2018no pay\u2019 plan fit for your business. This includes both technical work (system segregation, secure back-ups, principle of least privilege etc.) and operational and governance processes (for example, regularly practising incident response at gold and silver team level). As the NCSC said in a clear steer as to what \u2018acceptable\u2019 might look like in any \u2018look back\u2019 scenario, failing to grasp this is failing to respond to today\u2019s reality.<br \/>\u00a0Cyber resilience pledge:\u00a0Security minister Dan Jarvis echoed this when announcing that the government will ask every major organisation to sign a new Cyber Resilience Pledge this summer. The Pledge will invite organisations to make a \u201cpublic commitment\u201d\u00a0to their investors, customers and supply chains, to make cyber security a Board responsibility, to sign up to the NCSC\u2019s Early Warning service and to require that suppliers are Cyber Essentials certified (which is the Government\u2019s cyber certification scheme). 
This Board commitment builds on a series of recent interventions, from changes to <a href=\"https:\/\/thelens.slaughterandmay.com\/post\/102kuz3\/cyber-a-pressing-board-level-issue\" rel=\"nofollow noopener\" target=\"_blank\">Provision 29<\/a>\u00a0of the Corporate Governance Code and last year\u2019s Government <a href=\"https:\/\/www.gov.uk\/government\/publications\/ministerial-letter-on-cyber-security-to-leading-uk-companies\/ministerial-letter-on-cyber-security\" rel=\"nofollow noopener\" target=\"_blank\">letter<\/a>\u00a0to all major organisations, to the more recent letter on the latest AI threat which expressly asks boards to discuss cyber risk at their next meeting if they have not done so recently. \u00a0\u00a0<br \/>\u00a0Using AI in cyber defence:\u00a0While AI is creating new cyber risks, it can also help cyber security professionals, for example by finding vulnerabilities and patching them at speed. Cyber defenders (both those within your organisation, and experts appointed by your CISO) will need to be at least as adept at using AI as their adversaries which may involve re-assessing current capabilities.<\/p>\n<p>Against this backdrop, organisations will be keen to avoid being an early test case for regulatory scrutiny, while ensuring that boards, GCs and CISOs are aligned on risk, investment and accountability.<\/p>\n<p>The good news is that there is an expanding body of guidance and support available to help, including targeted assistance for SMEs. 
At a time when supply\u2011chain exposure is receiving governmental and regulatory focus, this should help organisations strengthen not only their own resilience, but that of smaller suppliers, without imposing disproportionate cost.<\/p>\n","protected":false},"excerpt":{"rendered":"We\u2019ve just returned from Cyber UK (the Government\u2019s flagship cyber security conference) with the clear message that (i)&hellip;\n","protected":false},"author":2,"featured_media":23059,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[8983,5,6],"class_list":{"0":"post-23058","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uk","8":"tag-cyber","9":"tag-uk","10":"tag-united-kingdom"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@UnitedKingdom\/116476163009051236","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/britain\/wp-json\/wp\/v2\/posts\/23058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/britain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/britain\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/britain\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/britain\/wp-json\/wp\/v2\/comments?post=23058"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/britain\/wp-json\/wp\/v2\/posts\/23058\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/britain\/wp-json\/wp\/v2\/media\/23059"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/britain\/wp-json\/wp\/v2\/media?parent=23058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/britain\/wp-json\/wp\/v2\/categories?post=23058"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www
.europesays.com\/britain\/wp-json\/wp\/v2\/tags?post=23058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}