The UK aims to build “national scale” cyber defence capabilities to respond to growing threats from hostile states and artificial intelligence (AI)-powered attacks.
Security minister Dan Jarvis said today that defending against “frontier AI” will require a national effort from government and businesses.
He said the government was “laying the groundwork” for a national capability, which has been dubbed the “national cyber shield”, to protect the UK against cyber threats, and called for AI companies to work directly with the government to develop AI to defend against automated cyber attacks.
The government’s vision is to develop defensive AI technology that has the capability to identify and repair security vulnerabilities in software at machine speed. “Make no mistake, this is a generational endeavour, and it will test the absolute limits of our engineering and innovation,” Jarvis said in a speech in Glasgow.
He was speaking following Anthropic’s decision to delay its Claude Mythos AI model from public release after the technology uncovered thousands of previously known security vulnerabilities across commonly used software applications.
Mythos had uncovered “critical flaws that had gone unnoticed by human experts and automatic tools for over two decades”, said Jarvis.
He said that protecting Critical National Infrastructure will require a “fundamentally different approach” in the age of AI. “We will not secure the central pillars of the UK state simply by purchasing off-the-shelf vendor solutions,” said Jarvis.
Cyber attacks more sophisticated
Jarvis said the nature of warfare had changed, and that attacks on British systems were increasing in “volume, sophistication and in ambition”.
Hostile states have “worked out that the most effective way is not to confront us directly, but to quietly hollow us out”, he said.
The National Cyber Security Centre (NCSC), part of GCHQ, handled over 200 nationally significant incidents last year, double that of the year before. The majority are attacks from hostile nation states, including Russia, Iran and China.
“That number tells me the frontline isn’t coming – it’s here,” said Jarvis. “The cyber security of British business is a matter of national security.”
Hostile states were attacking logistics systems used to move goods, and were compromising high street business – a reference to the debilitating cyber attacks against Marks & Spencer and Co-op.
The cyber attack against Jaguar Land Rover, had it been caused by an old-school physical attack, “would have been the equivalent of hundreds of masked criminals turning up to dealerships across the country breaking glass, smashing up computers and driving cars right off the forecourt”.
Business needs to step up
Companies are most at risk from cyber attacks, not because attackers exploit vulnerabilities, but because companies have failed to keep their systems up to date, or to deploy base-line security measures such as multi-factor authentication.
Jarvis said that while government can set standards, share intelligence and provide guidance, it was no substitute for businesses ensuring basic cyber security hygiene.
“Basic cyber hygiene is no longer optional, but the baseline – the absolute minimum we should expect of any serious organisation operating in the modern economy,” he said.
Cyber Resilience Pledge
Jarvis said the government would be inviting organisations to sign a Cyber Resilience Pledge.
Businesses will be invited to make a “public commitment” to investors, their customers and supply chains to make cyber security a board-level responsibility.
They will also be urged to commit to meeting basic security standards through the NCSC’s Cyber Essentials programme.
The pledge will accompany the government’s National Cyber Action Plan – a national strategy for cyber security – to be published in the summer.
“The plan will demonstrate how we will tackle the growing threat, how we will strengthen our collective resilience, and how we will harness the opportunity for our world-leading cyber sector to secure the UK’s economic growth for years to come,” said Jarvis.
More funding for small business
The security minister said the government was making £90m of investment to strengthen cyber resilience, to provide “practical targeted support” to small and medium-sized businesses.
It will be distributed over the next three years through existing schemes run by the Department for Science, Innovation and Technology and the National Cyber Security Centre.
Cyber security minister Baroness Lloyd said the government had written to the CEOs and chairs of over 180 of the UK’s leading businesses to encourage as many as possible to sign up to the pledge ahead of a formal launch later this year.
“The cyber threat facing UK businesses is serious, growing and evolving fast,” she said. “AI is giving attackers capabilities that would have seemed extraordinary just a year ago, and no organisation can afford to be complacent.”