Cabinet Office
INTRODUCTION
Welcome to Lancaster House.
Our surroundings might be familiar to our French co-hosts, as the interior decoration was inspired by the Palace of Versailles
and they might be familiar to everyone else, as the backdrop to the Netflix series The Crown and Bridgerton.
In the real world, this house has played a role in delivering global peace and security for centuries.
And so it is fitting that we are here today to talk about how we secure our peace and security in the centuries to come
in a world where the challenges we face increasingly come from cyberspace.
I want to start by welcoming the close and dedicated partnership we have had with France on this issue over the last year
and we are delighted to be co-hosting with our French colleagues.
Just as the Olympic torch is passing to France this year, we in the UK are proud to pick up the baton on cyber security
following the excellent conversations you convened at the Paris Peace Forum.
DANGEROUS WORLD
We live in an increasingly volatile world.
State competition national conflicts organised crime domestic terrorism
all of these things are growing and converging, while the established multilateral order is being challenged.
Meanwhile, technology is developing exponentially
and the economic sphere is ever more contested.
In this new dangerous and volatile world, the frontline is increasingly online
where the weapons used are often virtual ones
and online conflict and cyber criminality are becoming increasingly reckless.
Thanks to rapid advances in technology including AI those weapons are becoming cheaper, more widespread, and easier to use.
There is now a growing market for the sort of cyber tools that, in the wrong hands, can be used against ordinary people
to steal from businesses
to carry out crippling ransomware attacks
and to threaten our critical national infrastructure.
That is what I want to focus on today.
These products often have legitimate uses such as for law enforcement and national security but they can also be misused
and increasingly, more actors are getting hold of them.
That opens up this battleground to a whole new world of unaccountable actors
Have-a-go hackers
People who, with minimal barriers, can unleash maximum disruption to individuals, institutions, companies and indeed countries.
THE IMPACT
That is why this matters.
Because what happens in the virtual world has real-world consequences.
It is extremely likely that almost everyone in this room has been the victim of some form of cyber-attack.
Whether it is your data your identity your intellectual property or even your money that has been expropriated
All are now seen as legitimate targets.
And as the commercial market for these tools grows, so too will the number and severity of cyber-attacks
compromising our devices and our digital systems
causing increasingly expensive damage
and making it more challenging than ever for our cyber defences to protect public institutions and services.
If we fail to act, this market will rapidly become a driver for much of the cyber threat we face
beyond just sophisticated and established state actors, and opportunistic criminals.
In this year of elections, in which four billion people - half the worlds population - will vote in what are, often, digital electionswith digital campaigns and digital infrastructure
all vulnerable to digital threats
we must consider the impact upon our democracy too.
SUCCESS SO FAR
We approach this threat from a position of strength, thanks to the work we have already been undertaking.
As part of our work to protect the UK from all forms of cyber attack, I have set ambitious cyber resilience targets for UK critical national infrastructure to meet by 2025
And in December, I launched the Secure by Design Framework for the UK public sector.
Through these efforts the UK Government is embedding cyber security into the heart of our system design.
We are defending our democratic processes by offering technical support to individuals at high risk of targeting
and we are working to better understand and mitigate the threats of AI and disinformation during our elections.
As so often, where new forms of malign influence have emerged, the UK is once again at the forefront of combatting this emergent threat.
Indeed our burgeoning cyber security industry continues to go from strength to strength
with our most recent estimates showing that the sector generates over 10 billion pounds in revenue - third only to the US and China
with exports also growing to over 5 billion pounds.
In the room today I see several faces I recognise from innovative young UK companies
and I know the important role they and others play in making us safer, both online and off.
The Government recognises the huge potential for growth in this industry
and the potential for cyber security to drive growth across all sectors of our economy.
That is why, alongside Michelle Donelan, the Secretary of State for Science Innovation and Technology, I have asked the Rt Hon. Steven McPartland MP to lead an independent review to look at how we can shift the narrative and market incentives around cyber security to make this a reality.
We derive our strength and resilience not only from what we do alone, but what we do with our allies.
So the UK was proud to sign-up to the Joint Statement on efforts to counter the proliferation and misuse of commercial spyware at the 2023 Summit for Democracy last March
and I look forward to furthering that conversation when I attend the 2024 Summit in Seoul next month.
Indeed, when our allies strengthen their defences, our defences are strengthened too.
So we welcome the European Parliaments work on this issue
and we recognise the changes made through international export control frameworks, including the Wassenaar Arrangement.
We further note the recommendations of the Paris Call Working Group on Cyber Mercenaries, and the Cybersecurity Tech Accords.
These represent crucial progress on spyware.
But we must go further if we are to prevent commercially available cyber weapons from being developed and sold, used irresponsibly, or falling into the wrong hands.
A BROADER ALLIANCE
That work starts with building a broader alliance against those who seek to do us harm.
The market for these intrusion capabilities, with its vendors and customers, is very much a global phenomenon
as is the impact of the threats created by malign and irresponsible activity.
Addressing this issue therefore falls to all the states and stakeholders in this room and more besides, in wider, multilateral fora.
Our joint efforts should focus on ensuring that states and industry alike act responsibly in cyberspace
ensuring our robust existing framework of international law and norms are equally applied in the virtual realm.
For governments, we can make a difference, through effective regulation, proper export controls
and working with the market responsibly as a customer, and end user
to develop better safeguards and oversight.
Our partners in industry also have a role to play:
Software providers keeping their products patched, identifying flaws, and working with partners on collective security.
And the legitimate vendors of these capabilities ensuring they have responsible supply chains.
They all have a responsibility to vet and limit their customers
and to exercise caution when considering their use.
Throughout this, civil society will continue to play a vital part, shining a light on the realities of this complex threat.
We should pay tribute to the hard work - often at personal risk, often without fanfare - that organisations and individuals have carried out
they are the embodiment of our resilience
And the UK is committed to supporting these efforts.
I can announce today that we will be enhancing our strategic partnerships with non-profit organisations working on these endeavours
through a one-million-pound uplift to Shadowserver, to help them expand the access they provide to early warning systems, and to cyber resilience support for those impacted by cyber-attacks.
TAKING ACTION
This bigger, broader alliance must come together to agree exactly what the threats are.
The worlds first AI Safety Summit, which the UK Government held at Bletchley Park last year, kicked off a new type of multilateralism for artificial intelligence.
where civil society, industry and nation states came together to build a shared vision of the future.
We will need this same whole-of-society approach when it comes to cyber intrusion.
And so today, I am proud to be joined by my French colleagues, and all of you, in launching the Pall Mall Process,
a new multi-stakeholder initiative through which we will, together
work to tackle the proliferation and irresponsible use of commercially available cyber intrusion capabilities.
Named after the very street on which this house sits.
The scope must be broad
not just looking