Speech

Deputy Prime Minister, Oliver Dowden's speech at the UK - France Cyber Proliferation conference

Deputy Prime Minister, Oliver Dowden's speech at the UK-France Cyber Proliferation conference on commercial cyber tools.

This was published under the 2022 to 2024 Sunak Conservative government
The Rt Hon Oliver Dowden CBE MP

INTRODUCTION

Welcome to Lancaster House.

Our surroundings might be familiar to our French co-hosts, as the interior decoration was inspired by the Palace of Versailles…

…and they might be familiar to everyone else, as the backdrop to the Netflix series The Crown and Bridgerton. 

In the real world, this house has played a role in delivering global peace and security for centuries. 

And so it is fitting that we are here today to talk about how we secure our peace and security in the centuries to come…

…in a world where the challenges we face increasingly come from cyberspace. 

I want to start by welcoming the close and dedicated partnership we have had with France on this issue over the last year…

…and we are delighted to be co-hosting with our French colleagues.

Just as the Olympic torch is passing to France this year, we in the UK are proud to pick up the baton on cyber security…

following the excellent conversations you convened at the Paris Peace Forum. 

DANGEROUS WORLD

We live in an increasingly volatile world.

State competition … national conflicts … organised crime… domestic terrorism…

…all of these things are growing and converging, while the established multilateral order is being challenged. 

Meanwhile, technology is developing exponentially…

…and the economic sphere is ever more contested.

In this new dangerous and volatile world, the frontline is increasingly online…

where the weapons used are often virtual ones…

and online conflict and cyber criminality are becoming increasingly reckless. 

Thanks to rapid advances in technology – including AI – those weapons are becoming cheaper, more widespread, and easier to use.

There is now a growing market for the sort of cyber tools that, in the wrong hands, can be used against ordinary people… 

… to steal from businesses… 

…to carry out crippling ransomware attacks… 

and to threaten our critical national infrastructure.

That is what I want to focus on today. 

These products often have legitimate uses – such as for law enforcement and national security – but they can also be misused…

…and increasingly, more actors are getting hold of them.

That opens up this battleground to a whole new world of unaccountable actors…

…Have-a-go hackers… 

… People who, with minimal barriers, can unleash maximum disruption to individuals, institutions, companies and indeed countries. 

THE IMPACT

That is why this matters. 

Because what happens in the virtual world has real-world consequences.

It is extremely likely that almost everyone in this room has been the victim of some form of cyber-attack. 

Whether it is… your data… your identity… your intellectual property… or even your money that has been expropriated…

All are now seen as legitimate targets. 

And as the commercial market for these tools grows, so too will the number and severity of cyber-attacks…

…compromising our devices and our digital systems…

… causing increasingly expensive damage… 

… and making it more challenging than ever for our cyber defences to protect public institutions and services.

If we fail to act, this market will rapidly become a driver for much of the cyber threat we face…

…beyond just sophisticated and established state actors, and opportunistic criminals.

In this ‘year of elections’, in which four billion people - half the world’s population - will vote in what are, often, digital elections…with digital campaigns and digital infrastructure…

… all vulnerable to digital threats…

…we must consider the impact upon our democracy too. 

SUCCESS SO FAR

We approach this threat from a position of strength, thanks to the work we have already been undertaking.  

As part of our work to protect the UK from all forms of cyber attack, I have set ambitious cyber resilience targets for UK critical national infrastructure to meet by 2025…

…And in December, I launched the ‘Secure by Design Framework’ for the UK public sector. 

Through these efforts the UK Government is embedding cyber security into the heart of our system design.

We are defending our democratic processes by offering technical support to individuals at high risk of targeting…

…and we are working to better understand and mitigate the threats of AI and disinformation during our elections.

As so often, where new forms of malign influence have emerged, the UK is once again at the forefront of combatting this emergent threat. 

Indeed our burgeoning cyber security industry continues to go from strength to strength…

…with our most recent estimates showing that the sector generates over 10 billion pounds in revenue - third only to the US and China…

… with exports also growing to over 5 billion pounds.

In the room today I see several faces I recognise from innovative young UK companies…

…and I know the important role they and others play in making us safer, both online and off.

The Government recognises the huge potential for growth in this industry… 

…and the potential for cyber security to drive growth across all sectors of our economy.

That is why, alongside Michelle Donelan, the Secretary of State for Science Innovation and Technology, I have asked the Rt Hon. Stephen McPartland MP to lead an independent review to look at how we can shift the narrative and market incentives around cyber security to make this a reality.

We derive our strength and resilience not only from what we do alone, but what we do with our allies.  

So the UK was proud to sign-up to the Joint Statement on “efforts to counter the proliferation and misuse of commercial spyware” at the 2023 Summit for Democracy last March…

…and I look forward to furthering that conversation when I attend the 2024 Summit in Seoul next month. 

Indeed, when our allies strengthen their defences, our defences are strengthened too.

So we welcome the European Parliament’s work on this issue…

and we recognise the changes made through international export control frameworks, including the Wassenaar Arrangement. 

We further note the recommendations of the Paris Call Working Group on Cyber Mercenaries, and the Cybersecurity Tech Accords.

These represent crucial progress on spyware. 

But we must go further if we are to prevent commercially available cyber weapons from being developed and sold, used irresponsibly, or falling into the wrong hands.

A BROADER ALLIANCE

That work starts with building a broader alliance against those who seek to do us harm.

The market for these intrusion capabilities, with its vendors and customers, is very much a global phenomenon…

…as is the impact of the threats created by malign and irresponsible activity.

Addressing this issue therefore falls to all the states and stakeholders in this room – and more besides, in wider, multilateral fora.

Our joint efforts should focus on ensuring that states and industry alike act responsibly in cyberspace…

…ensuring our robust existing framework of international law and norms are equally applied in the virtual realm.

For governments, we can make a difference, through effective regulation, proper export controls…

…and working with the market responsibly as a customer, and end user…

…to develop better safeguards and oversight.

Our partners in industry also have a role to play:

Software providers keeping their products patched, identifying flaws, and working with partners on collective security.

And the legitimate vendors of these capabilities ensuring they have responsible supply chains.

They all have a responsibility to vet and limit their customers…

…and to exercise caution when considering their use.

Throughout this, civil society will continue to play a vital part, shining a light on the realities of this complex threat. 

We should pay tribute to the hard work - often at personal risk, often without fanfare - that organisations and individuals have carried out…

…they are the embodiment of our resilience… 

… And the UK is committed to supporting these efforts.

I can announce today that we will be enhancing our strategic partnerships with non-profit organisations working on these endeavours…

…through a one-million-pound uplift to Shadowserver, to help them expand the access they provide to early warning systems, and to cyber resilience support for those impacted by cyber-attacks.

TAKING ACTION

This bigger, broader alliance must come together to agree exactly what the threats are. 

The world’s first AI Safety Summit, which the UK Government held at Bletchley Park last year, kicked off a new type of multilateralism for artificial intelligence.

…where civil society, industry and nation states came together to build a shared vision of the future.

We will need this same whole-of-society approach when it comes to cyber intrusion.

And so today, I am proud to be joined by my French colleagues, and all of you, in launching the Pall Mall Process,

…a new multi-stakeholder initiative through which we will, together…

… work to tackle the proliferation and irresponsible use of commercially available cyber intrusion capabilities.

Named after the very street on which this house sits.

The scope must be broad…

…not just looking at spyware, but also considering the ‘hackers for hire’ phenomenon, the exploit marketplace…

…alongside the broader range of ‘off the shelf’ intrusion capabilities, including tools for disruptive and destructive effect.

With shared definitions…

…we must establish guidelines for best practice for developing, selling, facilitating, purchasing, and using commercially available cyber intrusion tools and services…

…and we must be clear about what irresponsible behaviour looks like, and how to discourage it.

Ultimately, we must agree on what an international framework should look like.

And it must flow from some foundational principles that we all agree, to ensure the responsible use of these tools:

…with accountability, in a legal and ethical manner…

…with precision, avoiding unintended or irresponsible consequences…

…with oversight mechanisms in place…

…and with transparency, around supply chains, financing and responsible business practices.

CONCLUSION 

There is no silver bullet to solving this problem.

But the pace of change demands that we act fast.

We are in a cyberspace race with our adversaries…

…as they develop the tools to do us harm…

…while we define the risks, develop the rules and build the global alliance.

But I am optimistic. 

Cyber, ultimately, can and should be a force for good. 

We have a noble goal…

…to protect our citizens from being illegitimately targeted…

…to give companies the confidence with which to operate and trade…

…and to build an online world that remains free, open, peaceful and secure. 

Another worthy endeavour to pursue amid these historic surroundings…

…and one I hope we can build upon in the months and years to come. 

Thank you.

Updates to this page

Published 6 February 2024