Eleonora Harwich: What must be done to bolster our cyber security – and save lives

18 Oct

Eleonora Harwich is the Director of Research and Head of Tech Innovation at Reform.

Last month, a woman in Germany died as a result of a cyber attack. Hackers disabled the IT system at Düsseldorf University Hospital and the patient, who was supposed to receive a lifesaving treatment, could not be transferred to a different hospital in time to save her. The German police have opened a homicide investigation – the first known to be the result of a hack.

This incident in Germany serves as a reminder of the horrifying consequences that a cyber attack can have in a hospital setting. Yet too much of our public sector remains highly vulnerable.

Last week, the London Borough of Hackney suffered a serious cyber attack which halted many of its services. This example is part of a long list of attacks experienced by local councils and public services in recent months.

One of the key risks has been the massive uptick since March in people working from home. Covid-19 has led to almost 50 per cent of the UK workforce doing some form of remote working, including most civil servants and many others employed by the public sector.

A sizeable proportion are unlikely to be adhering to basic security protocols like two-factor authentication, and many may be using personal devices as opposed to office equipment. This significantly increases the risk of cyberattacks.

A joint paper from the UK National Centre for Cyber Security and the equivalent body in the United States Department of Homeland Security warned in April that “malicious cyber actors are exploiting the current Covid-19 pandemic”, and in particular the vulnerabilities in home working. Interpol has reported an increase in cybercrime targeted at governments and critical health infrastructure since the start of the pandemic.

As was the case in Germany, these attacks can have very serious consequences for people’s lives. They can also be extremely costly for the public finances. In February, Redcar and Cleveland local authority suffered from a serious ransomware attack costing the council more than £10 million. The infamous WannaCry attack in 2017, which led to around 19,000 appointments being cancelled, cost the NHS an eye-watering £92 million. Thankfully no deaths occurred as a result of the attack, but we may not be so fortunate in the future.

As the public sector increasingly digitises and collects more data about citizens, cyber security can no longer be seen as an add-on; it must be a core component of service delivery.

The UK is seen as a world leader in cyber security with its National Cyber Security Centre, two National Cyber Security Strategies and the Secure by Design guidance published by the Department for Digital, Culture, Media and Sport (DCMS).

However, there is a gap between the available guidance and expertise held within these central bodies and what cyber security policies and practices actually look like on the ground.

Two years on from the ‘WannaCry attack’ last summer, over a million hospital computers were still running Windows 7, an operating system released a decade ago and no longer supported by Microsoft.

By July this year, following an offer of centrally funded Windows 10, 846,000 NHS computers had been fully upgraded. This suggests that there are still about 150,000 computers in the NHS which are using outdated and unsupported systems, and are therefore extremely vulnerable to hacks.

Dealing with legacy IT is only one of the challenges the public sector faces when it comes to cyber security. Reform’s latest report, Resilient public services in the age of cyber threats, highlights that skills, procurement and imbalances in knowledge sharing and communication between central and local levels of government are undermining cyber resilience.

According to the DCMS, 27 per cent of public sector organisations outside of central government departments have a basic technical cyber security skills gap. Yet a quarter of cyber leads do not even feel confident providing training materials or sessions to upskill their workforce.

The next National Cyber Security Strategy is due in 2021, and must have a strong focus on addressing this skills gap. It must also place a greater emphasis on basic cyber hygiene skills for all public sector professionals.

Reform recommends that the National Cyber Security Centre should increase the capacity of, and mandate attendance at, its cyber security training courses for anyone working in the public sector handling sensitive information. This would go some way towards reducing the skills gap and ensuring that data held by public sector bodies is handled securely.

Increasing the resilience of public services in the face of cyber threats also means adopting technology that has security built in. Yet it is currently very difficult for those procuring tech to know if what they are purchasing complies with the right security standards. A kitemark – akin to that used for food safety – would enable commissioners to purchase products confident that they meet government’s ‘secure by design’ guidelines.

Covid-19 has accelerated the digital transformation of public services – a positive legacy of this terrible crisis. But this also means that our public sector infrastructure is increasingly vulnerable to those who wish to hack it – whether for financial gain or nation-state destabilisation.

Failing to act now to enhance cybersecurity and protect our essential services – from the NHS to the benefits system, prisons to social services – will come at a high cost. We do not want the second homicide investigation stemming from a cyber attack to be in the UK.

Profile: Olive, sorry, Oliver Dowden, saviour of the arts, bedrock insider – and unknown to the public

9 Jul

By far the greatest power of a Prime Minister is the power of patronage. He or she decides who to appoint to ministerial posts, and the Government prospers or fails largely as a result of whether these people prove able to rise to the level of events.

In February, Boris Johnson made Oliver Dowden Secretary of State for Digital, Culture, Media and Sport.

Dowden is unknown to the wider public, and in ConservativeHome’s latest Cabinet league table is buried two-thirds of the way down the list, among a cluster of other ministers who have yet to become household names.

Leading figures in the arts had little faith he would be able to rescue their sector from the disastrous impact of Covid-19, and were getting ready to go mad at him with rage.

Instead of which he and Rishi Sunak astonished the world of the arts, at the start of this week, with a package of support for the arts which the leading figures queued up to praise.

As Charlotte Gill pointed out on ConHome, Dowden had been underestimated.

Here is a minister who knows how to get things done, including the tricky art of persuading the Treasury to part with the necessary funds.

Dowden is a professional politician, indeed a professional man of government: the kind of person at whom it is easy to sneer, but without whom nothing in Whitehall would move.

He succeeds partly because he does not seek to hog the limelight. There was no sense, as he announced the £1.57 billion support package for the arts, that this was being treated as something that would above all redound to the greater glory of the Secretary of State.

In photographs, it never seems this tall, friendly, fair-haired, respectable figure wants to outshine the other people in the picture.

In the words he uses, there is likewise a complete absence of any discernible urge to shine. “He is not an aphorist,” as one of his colleagues conceded, after ConHome remarked on the absence of a single memorable phrase in the Dowden record.

And yet those who know him well insist he is delightful company. One of them warned:

“I am sure you will not depict him as resembling in any way the dreary apparatchik that he might at first glance appear, having spent so much time behind the scenes at the Conservative Research Department and in the Cameron entourage before landing the safe seat that Cecil Parkinson once represented. He has a lightness of touch and charm that resemble Parkinson.

“His Canadian parents-in-law were at first reluctant to see their clever daughter married to an English politician; he soon won them round.

“He greets comments made to him with an infectious little laugh; I think this a most useful habit to have acquired or to be blessed with since birth: it creates an immediate impression of amiability and allows time to consider how best to reply.

“He is interested in bohemian ways without being drawn to participation in them. His best friend in the Research Department at the 2005 election was much given to cycling round London, drunk and naked, during the night.”

The safe seat in question, won by him in 2015 after he had defeated Sunak and others in the final of the contest to select the Conservative candidate, is Hertsmere, on the southern border of Hertfordshire.

In his maiden speech, he spoke with emotion of “the last unspoiled rolling hills of England before the home counties give way to London”, and said he is “absolutely determined to preserve them from soulless urban sprawl so that my children and grandchildren may enjoy them as I have done.”

He touched also on his constituency’s position “at the heart of the British film industry”, thanks to Elstree film studios in Borehamwood. But he went on:

“What characterises Hertsmere, far more than its landscape or its industry, is the character of its people. They get up very early every morning and from Bushey, Potters Bar, Radlett and Borehamwood they cram on to commuter trains or set off along the M25 and the A1. They are hard-working men and women who make sacrifices to provide for themselves, their families and their community. They know that in this life, we do not get something for nothing; we have to work in order to get something out.

“Growing up locally, I was very much imbued with those values. My dad worked in a factory in Watford, my mum at a chemist’s in St Albans. They worked hard and were determined to give me the very best start in life. That started with the excellent education that I received at my local comprehensive school.”

He was born in 1978 and went to Parmiter’s School, founded in 1681 in Bethnal Green and now at Garston, near Watford. Its motto is “Nemo sibi nascitur”, “No one is born unto himself alone”, and from here he won a place to read law at Trinity Hall, Cambridge.

Dowden played no part in student politics, and decided not to be a lawyer. He taught English in Japan, had a stint at LLM, a lobbying firm set up by Labour figures close to Gordon Brown, and in 2004 became head of the Political Section in the Conservative Research Department.

Soon after his arrival, one of his colleagues recalls,

“He became known as Olive through a typographical error which he embraced with characteristic good humour. It almost sounds wrong to call him Oliver if you’ve known him of old.”

Another friend from that period said this week:

“I will call him Olive or I will call him Secretary of State, but I will not call him Oliver.”

Dowden, as he will continue to be called here, displayed an early flair for understanding how a story would play out in the press. He could see the weaknesses in both the Labour and the Conservative position, so could operate in an attacking role – spotting, for example, the potential of the cash for honours story to embarrass the Labour Government – and also defensively, briefing ministers on the line to take when they went on programmes such as Any Questions and Question Time.

He is an enormously experienced insider, who has helped prepare four successive leaders – Michael Howard, David Cameron, Theresa May and Boris Johnson – for Prime Minister’s Questions.

Cameron relates in his memoirs that in 2009, during the MPs’ expenses scandal,

“I set up an internal scrutiny panel, a so-called Star Chamber, including my aide Oliver Dowden, known as ‘Olive’, who I also called ‘the undertaker’, since he so frequently brought me the bad news.”

Another witness says:

“During the expenses scandal, CRD had to triage some of the cases, taking what The Telegraph was accusing people of and working out the truth. It was a long, gruelling period, relentless, it went on for weeks and it was bleak work, the team being set against itself.”

He became “a bedrock figure”, as one former minister puts it, “stable, sensible, unflappable, extraordinarily decent”, in the group which saw Cameron into Number Ten and then sustained him there, with Dowden as Ed Llewellyn’s deputy.

Few people understand better than Dowden how the government machine works, or fails to work. He is not an ideologue, or a bold political thinker, or a stirring orator, but he has sound judgement and knows how to get things done. As one colleague puts it,

“He’s one of the most impressive people I’ve ever been in a room with officials with. At the end he will establish what has been agreed and what we are going to do.”

As an MP since 2015, “he commutes in like his constituents – he puts in the long hours”. His website shows him defending their interests with tenacity.

In the 2016 EU Referendum he was a Remainer, but in the immediate aftermath he supported Boris Johnson for the leadership, which infuriated Theresa May’s team.

Not until January 2018 was he permitted to take his first step on the ministerial ladder, as Parliamentary Secretary to the Cabinet Office.

In the summer of 2019, Dowden, Sunak and Robert Jenrick interviewed Johnson for an hour at Jenrick’s house, after which they put their names to a joint piece for The Times Red Box, which appeared under the headline:

“The Tories are in deep peril. Only Boris Johnson can save us.”

This endorsement by three junior ministers, none of whom was suspected of maverick tendencies, helped convince many waverers that Johnson was on course for victory. Collectively they had become significant players, and all three of them are now in the Cabinet.

Dowden is only 41. Will he go higher? Lord Lexden, official historian to the Conservative Party and the Carlton Club, says of him:

“I am rather inclined to the view that he may well establish himself as the Rab Butler of his time, indispensable in any Tory government, but without Butler’s hesitancy if the chance of the premiership should arise.”