In recent months public attention has been on state-led cyber attacks, from the drama of Russian aggression to crude North Korean online bank heists. Of course these matter and we have recently written to UK political parties to warn them about current threats, but this should not become a distraction from the much broader cyber challenge for western countries.
The British government has radically changed its approach to cyber security in the past few years, but we now need an accompanying shift in culture and skills across the private sector if we are to address the rising tide of cyber incidents. The challenge for business is to engage, understand more, and update corporate governance for the digital era.
There is a generational gap at the heart of this. In boardrooms cyber security is now acknowledged as important, but is still seen as a baffling problem for IT experts to fix, or an unavoidable cost of doing business. For the innovators and disrupters, who understand it better, this is someone else’s problem and far less exciting and profitable than the technology they are creating.
The key for both groups is to see this as primarily a problem about data, not IT. Everyone understands the importance of data to their business, but not enough senior people are truly engaged in understanding which data are most precious to them and how they are handled, stored and protected.
Nervousness in the face of technology prevents business leaders from applying the forensic interest they would have in financial or legal areas. Corporate governance structures are not up to the task: how are investors to know whether a potential investment, acquisition or shareholding is managing its cyber risk properly?
This will become even more critical as the internet of things moves from largely pointless gadgets to being hard-wired into every area of the economy, with billions of new devices producing ever richer data. From healthcare to travel, education to food, every sector that depends heavily on data will begin to face problems already familiar to financial services.
Nor is theft or destruction of information the greatest worry. Integrity is. If businesses cannot be confident that their data has not been changed maliciously or accidentally, they will simply become paralysed.
In the UK the government’s response has been twofold. First it has rationalised the smorgasbord of organisations involved in cyber security by creating the new National Cyber Security Centre. More importantly, by making it an operational arm of GCHQ, Britain’s electronic intelligence agency, it has put world-leading technologists at the heart of both advice and operations. We have learnt from the tech sector that expertise needs to be at the heart of strategy. Relying solely on the well-meaning generalist, which has not served government policy well in computer science since the 1950s, is not enough.
More significant than any new structure is the determination to take more of the strain at a national level. This means developing with industry innovative defences at scale, using technology to defeat technology threats. Criminal and state cyber attacks are inevitably part of an arms race moving at dazzling speed, but western governments and industry together can stay ahead.
At its most basic, this can simply mean preventing criminals posing as organisations such as the tax officials at HM Revenue & Customs, or filtering out those countless “spear phishing” emails that clog our inboxes. In a few years I suspect the public will wonder why service providers did not do this at a national level a long time ago. The answer, of course, is that the internet was not designed with security or crime in mind. It evolved in a wonderful collaboration of academia and industry.
But these and other more sophisticated measures will not absolve the private sector from building sensible security into their new products, their business models and their corporate governance at every level. Others have begun to regulate to achieve this, notably New York state, which just introduced tough cyber accountability for Wall Street chief executives. Critically, they will also be held responsible for good security in their supply chain.
Finally, at the heart of our generational problem on cyber is a shortage of skills. We cannot wait for this to fix itself. Alongside all the new initiatives to promote cyber skills, those in senior positions and responsible for corporate governance should educate themselves and overcome their fear of cyber.
If we get this right, there are enormous opportunities for the UK, not only to become the safest place to live and do business online — but to export some of the solutions.
The writer is head of GCHQ