A key part of the ambition for London’s £13.5m government-funded cyber innovation centre is that it will help drive UK exports, according to Robert Hannigan, former head of GCHQ.
“We hope that companies founded and given a boost and support in going to market will also go to market overseas,” he said at the official opening of the centre – to be known as the London Office for Rapid Cybersecurity Advancement (Lorca).
“The government’s ambition is very clearly to make the UK a leader in cyber security exports, and I see massive potential out there in countries around the world that need a variety of different solutions,” said Hannigan, who will lead Lorca’s industry advisory board.
“We know we have great talent, potential and possibilities, and bringing it all together was the challenge for government and what has led to this [cyber security innovation] centre,” he said.
The centre will play an important role in bringing together the many good innovators and incubators across the UK and provide a focal point for interacting with government, said Hannigan.
Lorca will also bring together cyber security innovators with academics in the field, with various industry sectors – starting with the cyber security-leading finance sector, with other technical and non-technical disciplines, and with international partners.
“This centre has links to the US, Israel and Singapore, and convening the three most prominent cyber security industry centres in the world is going to be very powerful in magnifying the value of this centre,” said Hannigan.
Commenting further on the potential for cyber security exports, Hannigan told Computer Weekly there is a “massive market” out there because there are many economies that are some way behind the cyber security technology front-runners that are looking for solutions.
“There is massive potential, we have got some great companies, the UK has a good reputation and we should capitalise on that because if we put all that together and get it right, we will have a booming cyber security export industry,” he said.
“There is a lot of private sector capital looking to invest in cyber. So there is no shortage of capital, it is all about finding the right vehicle, and Lorca will help with that. But there is no reason why, in the future, there shouldn’t be more initiatives along the same lines.”
For this reason, Hannigan believes there is room for many more initiatives aimed at supporting cyber security entrepreneurs.
“There is no competition between incubators and accelerators within the UK – the more the merrier,” he said, explaining that each has something different to offer, with Lorca being more industry-focused with international links, for example, and the GCHQ accelerator and innovation centre in Cheltenham being more focused on national cyber security.
The government funding for Lorca will also promote its role as a convening body for other accelerators and incubators as a “useful way of amplifying the UK’s overall cyber security offering, particularly overseas, said Hannigan.
The top priorities for cyber security innovation are identity management, patch management and configuration management, he said.
“These are basic components of cyber security, but failure to do them well is still responsible for the bulk of cyber attacks that we are seeing.”
Identity is one area where the UK is particularly strong, with some great companies focused on it, he said, particularly in the academic “pre-company” sector, where universities are doing some “really innovative things” around identity management and authentication.
“Identity is key to cyber security, and if we can get a product out there that beats others, the sky is the limit, especially for the export market, and it will be about who gets there first with a viable solution,” he said.
Hannigan believes the internet of things (IoT) and cloud computing are two more areas where cyber security entrepreneurs should be focusing their efforts.
He said cloud computing is “problematic” because it makes it harder for companies to understand what the perimeters of their networks are.
“Even for those companies that have worked out what their cyber security policy is and managed the risks, suddenly to do all their processing and storage in the cloud complicates that,” said Hannigan. “It is not terminal, but it means they need to rethink their risks and mitigations.”
He advised organisations to look at the guidance on security in the cloud from the National Cyber Security Centre (NCSC).
IoT ripe for innovation
The IoT is “ripe for innovation”, said Hannigan, because it is unlikely that regulation or government guidelines will address the immediate risks.
“It is going to be a long time before security by default is achieved, so in the meantime we need to find ways to mitigate potential disasters, with billions of devices connecting to the internet,” he said.
In terms of going to market, Hannigan advises cyber security entrepreneurs to spend some time considering things from the customer’s perspective.
“In the UK, companies are more likely to be conservative in their cyber security investments and stick with well-established suppliers than countries like the US and Israel, so startups need to take that into consideration,” he said.
Hannigan believes Lorca has a role to play here in helping startups to think through how their technology will integrate with existing IT environments, making it as easy as possible with minimal disruption.
“One of the biggest obstacles to startups making sales is often that they have not looked at it from a customer’s perspective and understood that even though they have a great idea, buyers don’t want to have to re-engineer their entire IT operations to accommodate a new solution,” he said.
Asked about business attitudes to cyber security, Hannigan said big businesses are taking it more seriously than they have in the past.
“It used to be very difficult to get company boards to talk about cyber security, but now most big companies understand why it is important,” he said, adding that the global cyber attacks of WannaCry and NotPetya in 2017 were a huge wakeup call.
“It was a big shock that these attacks resulted in big organisations being unable to operate, so now most, if not all, do get it, even if they may not know what to do about it,” said Hannigan. “But the bigger challenge is for small businesses because they typically do not have the required money, capacity and skills, and as a result, they feel the least prepared.”
Scanning for vulnerabilities
He warned that cyber criminals are scanning for vulnerabilities in new ways, which means organisations that have been below the radar in the past will start getting caught out when attackers find vulnerabilities they can exploit.
“It is easy to scaremonger in cyber, and I try not to, but there is no question that the volume is increasing and the sophistication is rising, much helped by nation-state activity,” said Hannigan, who addressed that topic in more detail at Infosecurity Europe 2018 in London.
But there is no cause for panic or surrender, he said. “There are things that can be done at a national level, such as the NCSC’s Active Cyber Defence programme, which has huge potential to raise the baseline for the UK, and we need to keep plugging away at getting the basics right across all organisations while we are doing the clever high-end stuff.”
Hannigan noted that neither the government’s Cyber Essentials Scheme nor the NCSC’s small business guide requires huge amounts of money.
“In fact, both emphasise that it is not all about buying expensive kit because most of it is about changing behaviour, taking it seriously and thinking through current policies, processes and procedures to identify any areas of weakness,” he said.
Time and skills required
Although small businesses do not necessarily need to spend a fortune on cyber security, it does require some time and sometimes skills that may be lacking in-house, said Hannigan.
“I do have sympathy for small businesses, but many are doing more than they used to in the past and are using things like Cyber Essentials and the small business guide because they are seeing how cyber attacks are affecting companies or because their insurance companies have told them to,” he said.
Hannigan believes there is a need for effective managed security services for small and medium-sized businesses. “A regular complaint I get is that managed security services suppliers are not really appropriate for small businesses and aren’t necessarily that effective, so there is a challenge there to the industry to come up with managed security services that really work and that don’t just dump the problem back onto the client, but actually do something about it,” he said.
Commenting further on the importance of cyber security at a national level, Hannigan said the UK is in a good position to develop a data-driven economy because of its strength in terms of government and business digital services and adoption of e-commerce.
“We should see cyber security as an enabler of all that, as well as something we can export because everyone around the world is going to be looking to benefit from a data-driven economy,” he said.