Henry Collis
- It is now ten years since the UK started to change its approach to cybersecurity, driven by the attacks on Eastern Europe, said Henry Collis, Deputy Director for Security and Defence Projects in the Prime Minister’s Office and Cabinet Office Communications Team. Over this time, the UK’s approach has evolved into a “Fusion doctrine”, which uses cybersecurity alongside other tools, such as sanctions, diplomacy and strategic communication, to deliver security objectives. According to Mr. Collis, it brings together levers of influence, economic levers, and hard security elements, coordinated by a National Security Secretariat.
- What matters most for the government is being as flexible and adaptable as the adversary, which is not constrained by the same considerations as most responsible states.
The UK launched its first cybersecurity strategy in 2011, and the second one in 2015, with 1.9 billion pounds allocated. In Mr. Collis’s words, the root of their success was in improving their governance and overcoming state inertia. This took a long time, and was focused around three considerations: coordination, cooperation, capability.
- Collaboration. As it is now in Ukraine, the United Kingdom started out with a mess of overlapping government institutions and responsibilities. “There was a time when we saw what was happening in Eastern Europe, but nothing was done because capabilities and responsibilities were distributed around different government departments and it took time rallying them together and creating a senior responsible officer at a senior level in government who was responsible for writing and delivering our first strategy. But to be effective in any government, you need to have a mandate. That’s why we created a cybersecurity program to encourage collaboration, to fund interdepartmental activities which would normally fall between the cracks. We were talking to nations which had created their own national cybersecurity centers and we created one as well. That launched in 2016; it had dealt with 1,100 attacks on its 2nd birthday, most of which were attributed to hostile state actors. We now have a public face which goes on TV and explains to your grandmother that she should update her antivirus,” said Mr. Collis.
- Cooperation means working better beyond government, including extensive work with the cyber sector. This needs to be done at scale, with direct industry engagement, working with those who hold the greatest risk and with prioritized sectors of the economy. The solutions are probably already there in business, so the government needs to enable sharing of threat intelligence and data on the motivation of cybercriminals so that the partners can defend their networks and the government can multiply the solutions. For this, the UK government created an online platform called Threat-o-Matic, which allows firms to share information on threats anonymously, without fear of financial or reputational loss. The reason was that firms were reluctant to share threat and patching information, which kept it from being used at scale across the whole economy.
- “Build trust to allow anonymous profiles to share information and to become more resilient as a result. That’s a simple fix, but that’s representative of the type of hurdle that needs to be overcome for this sort of cooperation. Finding the technological solutions isn’t the challenge, it’s building the trust for effective cooperation,” stressed Mr. Collis.
- Capability. According to Henry Collis, the great technological solutions already exist, but the problem is having the right people to select the right tool and use it in the right way: “Long-term, enduring capability in an age of rapid technology means having the right people, not having the right things. Our mantra: skills, not tools. The technology to defend against cyberattacks isn’t expensive. But having the right people to select the right tool and use it in the right way – for this, we need a comprehensive approach across government. Something that depends on the department of education. You need to prescribe a set of education across all parts of the curriculum, so that they can start building skills at an early age. University funds need to create master’s programs in cybersecurity.”[1]