
A Holistic Approach to Cyber Resilience

Transcript of speech to Organisation for Security and Co-operation in Europe (OSCE) Conference 2020

“I was hopeless with the Internet. I didn’t even like it… I thought ‘what an annoying thing’ you know, it’s doing all these terrible things, but the minute I got into lockdown I’ve lived with the Internet. We’ve seen family, we’ve talked, we’ve laughed, we’ve joked, we’ve done everything.” That was Camilla, Duchess of Cornwall.

Like many of her generation, locked down away from friends, family (and in Camilla’s case probably courtiers, horses and corgis too), the Covid-19 pandemic was the event that brought them not just online, but to be superusers - exploring video conferencing and immersing themselves in online life. I have observed the same phenomenon with my own parents, now in their 80s, and how my children (in their 20s) have become ‘elder tech support’, training them in how to use Zoom, Skype, FaceTime and Microsoft Teams. In April, in the darkest days of the UK lockdown, like many families, we lost a close relative to the coronavirus. As his funeral was beamed via video conference from his parish in Birmingham, 500 family members across the world were able to share a moment of remembrance and togetherness. A poor substitute for being physically present, to be sure, but better than the alternatives, and from deep in our personal lockdowns, technology enabled us to participate in that important event, no matter what our age or geography.

In many countries, we have observed our own healthcare services extended to breaking point (and sometimes beyond) and the courage of individual carers and healthcare professionals at times when key resources, knowledge and facilities were lacking. And if the ‘elder internet’ story is an uplifting illustration of how the Internet has helped us live our lives during lockdown, there are plenty of more depressing examples - such as how cybercriminals and other bad actors have exploited the pandemic to target those working to save lives: healthcare providers. Two companies involved in building emergency ‘Nightingale’ hospitals in the UK were targeted by cyberattacks by malicious actors; in April, Interpol warned that cybercriminals were targeting critical healthcare institutions across the world with ransomware ‘to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid’.

These stories help to explain why thinking about cyber resilience has had to evolve over the past decade. Ten years ago, the early national cyber strategies tended to focus exclusively on protection of critical infrastructure. This is clearly essential. And it’s a challenging and big enough task, especially as what turns out to be ‘critical’ can vary. In 2020, our attention is on healthcare, for obvious reasons. But another crisis will force another sector to the fore, and expose the weaknesses of its cyber protections. Chatham House has published leading research on the cyber security of civil nuclear facilities, and satellites. Nothing is perfectly protected. Even the limited challenge of building cyber resilience of critical infrastructure is too large, too specialised to be accomplished by governments alone. Public private partnerships are essential.

However, when we think about Camilla and all the other grannies on Zoom, teachers conducting online classes, offices attempting to deliver business as usual with a staff now operating from their kitchen table or bedrooms, it doesn’t take long to realise why a more holistic approach to national cyber resilience is essential to protect all of society. And this is reflected in many of the second and third wave of national cyber strategies. Covid-19 has accelerated and amplified a range of social and economic trends, particularly in relation to digital technology and cybersecurity. Enterprises, citizens, and governments have become more dependent on the technology they are using in almost every aspect of daily life and work. With this increasing dependence comes an increased reliance on the security of that technology, raising new challenges for governments and industry alike. As these challenges emerge, so too are opportunities for innovation, collaboration, and disruption.

But the scale of that challenge is immense, including the protection of those who have no interest or skill in technology (can you picture Camilla trying to configure her home router?). Government has a role, of course. As the UK’s National Cyber Security Centre (NCSC) puts it, “By working behind the scenes, the NCSC can ensure that cyber security issues have as little impact on UK citizens as possible, in many cases resolving problems before they arise. After all, prevention is better than cure.”

It’s a challenge whose magnitude will only increase. As we move into a world of smart devices, smart cities, driverless cars, our sense of ‘going online’ will diminish but our interactions with a vast connected infrastructure will be constant. In this context, it is essential to harness the goodwill and assistance of private sector and other actors, and it is clear from the NCSC’s annual reports that it is doing just that. One example of this is a public-private partnership I’m personally involved in which seeks to raise the standards of cybersecurity in consumer smart devices, which is the subject of a new ETSI standard and proposed legislation and guidance in multiple jurisdictions including Australia, Singapore, the US states of California and Oregon and the UK. Working closely with government and a private sector industry body, we are developing quick guides and webinars on the new regulations, and a vulnerability disclosure platform aimed at resource constrained organisations and SMEs involved in this sector.

The ongoing pandemic has motivated many private sector and technical organisations to do their bit by partnering with government to protect healthcare facilities across the world, often on a voluntary basis. Speaking to friends in the UK government, they were overwhelmed by offers to help from the private sector during the crisis.

Both the Dutch and Belgian governments have adopted partnership approaches to providing rapid response to hospitals – protecting technical assistance and advice against cyberattacks during the pandemic. In both cases, they have mobilised partners through the national CERTs. In the Netherlands, more than 70 companies are collaborating to protect Dutch healthcare institutions free of charge, working behind the scenes to prevent attacks by cybercriminals, limiting the number of incidents with a significant impact. The initiative provided support to hospitals, doctors and medical practices, research labs, med-tech suppliers, IT service providers in healthcare, and nursing and care homes. In Belgium, the CERT (CERT.be) partnered with 19 companies under the banner ‘We help our hospitals’ to provide support and resources to Belgian hospitals. The initiative matched healthcare providers in need with companies that were able to assist them and offered support to hospitals, Belgian service providers and eHealth, Belgian recognised research laboratories, and other organisations involved in caretaking for covid-19. Numerous coalitions of cybersecurity professionals and associations are coming together to provide help and support to SMEs, healthcare providers, and individuals during the pandemic. Just a few examples - The ECHO network of cybersecurity centres’ covid-19 Cyber Defence Alliance was created to support all initiatives aimed at protecting the EU member states, essential services and critical infrastructure from cyberattacks. The Digital Solidarity campaign in Italy brings together Italian companies and associations that have made and will offer free services. In Canada, the private sector domain name registry, CIRA is providing a free protected DNS service using threat intelligence from the public sector Canadian Centre for Cyber Security to protect Canadians from phishing attempts and fake websites during the pandemic. 

The Cyber Peace Institute works with companies, governments, non-profits, and other organizations to address complex challenges on a global scale. Its targeted service helps healthcare organisations fighting COVID-19 to find trusted, free cybersecurity assistance, provided by qualified and reputable companies.

These examples, whether on the societal level, or targeted interventions to support healthcare, illustrate the power of dynamic partnerships to enhance cyber resilience.

Looking to the future, while some impacts of covid-19 may be partially time-bound – I hope that some of these positive effects will form new habits that last beyond Covid-19 in some form, especially when they represent accelerations of pre-existing trends. Gurus and futurologists have been predicting a reduction in physical travel and an increase in video conferencing for decades. But it took a pandemic to force that issue, reducing daily global CO2 emissions by –17% by early April 2020 compared with the mean 2019 levels. Whether or not we choose to continue with positive trends or let them fall away as part of forgetting a difficult period in our lives, depends on us.

Most likely, the pandemic will not just suddenly switch off, but we will have a period of faltering recovery, local lockdowns and temporary restrictions or quarantines, which force individuals once again to retreat into their homes with their laptops and phones.

Promoting cyber resilience among the entire population is a daunting task and cannot be accomplished alone. My hope is that both government and industry will take stock of their actions to date, learn from what was dynamically developed during the crisis and develop a sustainable, long term approach to ensuring cyber resilience, so that as the immediate crisis passes, enhanced cyber resilience by sustainable public private partnerships can form part of all of our societies’ longer-term recovery.

Thank you for your attention. I will look forward to your questions.

Emily Taylor

Emily Taylor is the CEO of Oxford Information Labs. She is an Associate Fellow of Chatham House and is the Editor of the Journal of Cyber Policy and co-founder of ICANN accredited registrar, Oxford Information Labs.
