Comment piece in The Times from Chancellor of the Duchy of Lancaster and No 10 Chief of Staff Steve Barclay and Director General of the CBI Tony Danker
In the spring of 2021, America's Colonial Pipeline - the 5,500-mile fuel superhighway, which supplies half the East Coast's petrol and diesel - abruptly shut down for six days. The cause was a cyber-attack, launched by a Russian-based criminal gang. The stuff of nightmares for every board director.
President Putin's war in Ukraine has included cyber-attacks on the country's government and banking sites. Western intelligence has warned that more is likely to come, with Russian cyber actors potentially already pre-positioned in Ukrainian IT systems, collecting intelligence and preparing to launch disruptive activities.
The UK has given strong support for Ukraine and is proud to have helped coordinate the international regime of sanctions against Moscow, and many British businesses including CBI members have led the way in divesting from Russia and Belarus.
While the NCSC is not aware of any specific cyber threats to UK organisations in relation to the Russian invasion, there is a heightened risk of hostile cyber activity. In the last year, two in five UK businesses were subject to some form of cyber-attack or attempted breach.
If the UK is to be protected, Government and business must act as one.
That is why today, as lead Minister for Cyber Security and as head of the UK's biggest business organisation, we are jointly calling on businesses to work together and treat cyber security as a core boardroom responsibility; an equal threat to financial and other risks.
Strengthening collaboration and resilience forms a core part of the Government's National Cyber Security Strategy, backed with 2.6 billion of funding. This includes record investment to the National Cyber Security Centre (NCSC), part of GCHQ, to provide resources and bringing together businesses. Like the meeting today of directors of critical national infrastructure operators, such as airports, powerplants and major banks, to examine, challenge and support preparations against cyber threats.
However, it isn't just critical national infrastructure that need to take action. Government is also appointing senior business expertise to our new National Cyber Advisory Board, bringing the lessons learned by all businesses to challenge and guide the UK's approach and encourage lessons learnt and greater collaboration.
A cyber-attack recognises no physical or geographical boundary, and cyber criminals thrive on the unwillingness of companies to share their experiences.
Companies must stress test their whole supply chains' cyber security, right down to the smallest partner, because any weakness can be exploited. This isn't hypothetical. The attack on the Colonial Pipeline, which disrupted the lives of millions due to supply shortages, a fuel price spike, petrol stations running dry, was down to the theft of a single password.
The reluctance to share when something goes wrong is completely understandable, but cyber security is one area where healthy rivalry of business will not help, and where cooperation and sharing lessons-learned, within and between our organisations, will make us all safer, along with the customers and the public that we serve.
By reporting cyber-attacks to the NCSC Incident Management team, businesses will be supported and their evidence will contribute to a greater understanding to combat attacks more effectively in the future, and by following their Cyber Essentials guidance at all levels of the business, you'll be better protected. The public can also help - reporting suspicious activity like phishing emails to the NCSC has already helped identify and remove 76,000 scams from the internet.
The greatest weakness in cyber defences is often human error, just look at the Colonial Pipeline experience. While businesses have long recognised the importance of cyber security, the urgency is now much clearer. Russia's invasion has increased the risk and, as the Russian economy retracts under the weight of sanctions, more cyber criminals will look to the West and the UK.
That means UK plc and Government acting as one, prioritising cyber security so the country can defend itself as one.