Enterprise risk management strategy: A planning guide for CIOs
As the U.K.'s special representative to business on cybersecurity, appointed by the prime minister, Pauline Neville-Jones ensures that British government agencies and private companies work closely together to counter cyberattacks and develop a national cybersecurity strategy to protect the nation's critical infrastructure. In the first part of this two-part video series, Neville-Jones sits down with SearchCIO Editorial Director Christina Torode and explains why the public and private sectors need to join forces on cybersecurity and how that changes their traditional relationship on security issues. Neville-Jones also lays out just how unprepared many corporates, as she calls them, are for cyberattacks. Here are excerpts from their discussion.
You've done a lot in trying to bring the government and the private sector together. Why is it so critical for the U.K. government and for the private sector to work together on cybersecurity?
Pauline Neville-Jones: I think the criticality of the issues is not just unique to the U.K. I think it's one that's shared, really, by most advanced economies: Which is to say, we need to redefine national security these days, not simply to include the safety and security of government assets and state institutions, but also the national economy -- its capacity for prosperity and wealth creation, because that depends upon the intellectual property, which the private sector owns.
You need to be secure in the operation of the infrastructure of daily life, in the critical sectors of the economy. All of those are potentially vulnerable to cyberattack. Really, the task becomes one which is, first of all, of government and not just a few departments. It affects almost every department of government one way or another. We have to share in the task of taking the lead. Then secondly, forming a relationship with, most particularly, the private sector because it's the private sector which … is the wealth-creating sector of the economy, and also, is actually the operator in a very large number of countries, certainly in the U.K. and the U.S., of the critical national infrastructure. It's absolutely fundamental, and government can't do it on its own.
The private sector and business do have to cooperate, and it changes the relationship a bit between the two. I think government needs [to] give the lead, but also needs to accept that business actually should not just have a right to consultation but actually be a part of the policy formation process. Conversely, corporates do actually have to take responsibility, I think, in a way that they haven't previously had to, for national security issues.
You had said at one point during your talk that it is alarming how many companies don't think they have a problem in terms of vulnerability to cyberattacks, with a general problem being that companies aren't looking in the right place. What's the right place to look?
Neville-Jones: This is a question of, obviously, understanding your systems. Part of the problem is that … to be quite frank, [the employees of] many companies are not in themselves really masters of the technical systems that they're dealing with. That is an area where corporates need to strengthen their expertise, which relates to a further problem, which is a shortage of people. This is a real skill shortage area. There are multiple problems.
Nevertheless, often the answer to your question is that they simply don't understand where they need to look. They also don't understand, very often, the relationship between where data is stored and how it's accessed, and who accesses it, also very often, how we need to limit that. ... The thought doesn't occur to them that you can perfectly well penetrate a system via somebody's scheduling, their calendar, their diary, and get into information about an important contract via a route which actually is not related to the data store but is related to operations.
You have to understand the relationship between these various things and where you might be vulnerable, and why you might be vulnerable. Very often, companies don't realize the company they keep. [A] very, very large number of companies these days are operating well outside their domestic environment. They've got businesses in foreign countries, and they need to understand the degree of risk they may be carrying.
You mentioned the supply chain and how it can be your weakest link. Is there enough attention being paid to it?
Neville-Jones: No. There are two issues here. One is that some industries do have very big supply chains -- not all of them do, but some of them have very big supply chains. [The Ministry of] Defense [is] an obvious example; they integrate with a lot of other companies down the line that have specialties. You need to understand that there may be a company somewhere down, quite small, but which actually has something, an algorithm or something, which is actually critical to the security of the whole supply chain. You need to understand your supply chain in detail. Then there are other situations where a relationship with other companies is looser, so the problems may be different. You still need to understand which of your suppliers actually has a degree of connectivity with your end systems such that you need to be interested in their level of security.
I think that that is one of the next big tasks. The top league is only the top league, and the economy is actually composed of this vast number of companies underneath, including private-owned ones and nonprofit companies who also need to be aware and have some protection.