“We need to ensure that cyber security encompasses the full range of cyber security challenges which are rooted in, or accelerated by technology, otherwise we risk missing a quite important bigger picture, in which elections can be manipulated and vulnerable young people radicalised,” he told the FT Cyber Security Summit Europe in London.
All these elements are part of the same cyber security continuum, and tackling them, he said, requires as much of a paradigm shift by the private sector as it does action by those in government.
While governments need to play their part, King said building effective cyber security cannot rely solely on governments telling people what to do.
“Given 95% of the cyber threat surface is in private hands, it is only by working jointly with the private sector that we’ll succeed,” he said.
According to King, this means shifting the view of cyber security from an unavoidable cost to something sought after as a way of gaining competitive advantage, and one where business also shoulders its responsibility for keeping customers safe.
The basic building blocks of a response to the threat to systems, he said, are well known, such as making attacks more difficult to carry out, increasing public awareness, and reducing the impact of attacks. “Not rocket science, but clearly judging by the current state of collective coordination and preparedness, this is easier said than done.”
With this in mind, King said the European Commission recently brought forward a comprehensive security package based around resilience, deterrence and defence.
“At a macro level, EU governments have a responsibility to put in place comprehensive national cyber security strategies to protect critical infrastructure.”
Regulators can help by setting clear and predictable frameworks, and creating the right incentives, but rules alone are not enough to transform the current state of affairs, said King.
“This requires a shift away from the situation where security is treated as an afterthought in product design or a luxury, to one where it is embedded from the outset in our policies, strategies, management decisions, training and education, and is part of everybody’s daily routines.”
The solution, said King, cannot be spending more public money. “The market needs to play an active role. The increased public awareness of the cyber threat can be translated into demand.
“Add to this potential liabilities arising from data protection requirements, and you not only have the scope for a cyber risk insurance market with the power to drive minimum standards, but also the potential to make the highest levels of cyber security a source of competitive advantage in terms of consumer confidence,” he said.
Promoting product standards
However, King said things can begin to look more positive if, at the same time, EU-wide product standards are promoted to help buyers know they are getting something safe and to help suppliers sell anywhere in the European single market, and if there is useful research into new technology.
“We need clear protocols and standards to enable informed choices and to limit potential sources of vulnerabilities or entry points for attackers.
“We need a series of fundamental security design principles, worked out jointly by public and private players, that should apply across the board, starting with not setting default passwords, keeping software updated, and informing users when these updates will no longer be available,” he said.
King called for a “new sense of corporate social responsibility” in the relationship between tech businesses and their customers, proposing a new model for the software market.
Unlike many other investments, he said, software currently has no residual value. “Manchester Police’s expensive Windows XP operating system software is now effectively worthless, and the costs of buying a replacement are high, which leads such organisations to sweat these assets.
“But this is bad news for the rest of us from a wider cyber security point of view,” said King. “If it were possible to trade in software after a number of years in return for a meaningful discount on a newer system, the picture and the market would look different, and barriers to updating which create huge vulnerabilities would be reduced.”
“We need to think about changing the model from one where there is a huge profit every 10 years, to one where there are good profits every three or four years,” he said.
Raising public awareness
In terms of cyber threats from behavioural manipulation by terrorists and political actors, King said raising public awareness and questioning the sources of information are crucial, but these threats are all enabled by online platforms.
“Any credible and effective response requires those platforms to be both more vigilant and more proactive in identifying and automatically taking down illegal content in return for maintaining the liability exemption they currently enjoy,” he said.
For these threats and cyber-enabled manipulation of elections through timed releases of hacked emails and fake news, King said the providers of online platforms have a key role to play.
“The big providers that collect and sell data have a responsibility, in the same way arms manufacturers have to abide by rules and codes of conduct in terms of who they can sell arms to. In terms of terrorist content, there is a growing head of steam amongst governments to try to deal with this through legislation.
“And while effective voluntary action is preferable and quicker, the European Commission stands ready to look at legislation in early 2018 if those voluntary efforts are assessed to have fallen short,” he said, adding that it is reasonable to look to platform providers to exercise a “duty of care” to their users.
Keeping pace with the threat
In conclusion, King said the way cyber security is defined needs to keep pace with the evolution of the threat.
“Countering that constantly evolving threat is in everybody’s interest and is everybody’s responsibility. The internet is a public good, but both public and private actors have a responsibility and a shared interest in keeping it safe and open.
“That means not only governments but also businesses need to think more holistically and differently about their role in delivering cyber security,” he said. “The market has a key role to play, but so too do the big market players as they exercise corporate social responsibility for our digital age.”