Countering cyber threats requires the private sector to act

In recent months public attention has been on state-led cyber attacks, from the drama of Russian aggression to crude North Korean online bank heists. Of course these matter and we have recently written to UK political parties to warn them about current threats, but this should not become a distraction from the much broader cyber challenge for western countries.

The British government has radically changed its approach to cyber security in the past few years, but we now need an accompanying shift in culture and skills across the private sector if we are to address the rising tide of cyber incidents. The challenge for business is to engage, understand more, and update corporate governance for the digital era.

There is a generational gap at the heart of this. In boardrooms cyber security is now acknowledged as important, but is still seen as a baffling problem for IT experts to fix, or an unavoidable cost of doing business. For the innovators and disrupters, who understand it better, this is someone else’s problem and far less exciting and profitable than the technology they are creating.

The key for both groups is to see this as primarily a problem about data, not IT. Everyone understands the importance of data to their business, but not enough senior people are truly engaged in understanding which data are most precious to them and how it is handled, stored and protected.

Nervousness in the face of technology prevents business leaders from applying the forensic interest they would have in financial or legal areas. Corporate governance structures are not up to the task: how are investors to know whether a potential investment, acquisition or shareholding is managing its cyber risk properly?

This will become even more critical as the internet of things moves from largely pointless gadgets to being hard wired into every area of the economy, with billions of new devices producing ever richer data. From healthcare to travel, education to food, every sector that depends heavily on data will begin to face problems already familiar to financial services.

Nor is theft or destruction of information the greatest worry. Integrity is. If businesses cannot be confident that their data has not been changed maliciously or accidentally, they will simply become paralysed.

In the UK the government’s response has been twofold. First it has rationalised the smorgasbord of organisations involved in cyber security by creating the new National Cyber Security Centre. More importantly, by making it an operational arm of GCHQ, Britain’s electronic intelligence agency, it has put world-leading technologists at the heart of both advice and operations. We have learnt from the tech sector that expertise needs to be at the heart of strategy. Relying solely on the well-meaning generalist, which has not served government policy well in computer science since the 1950s, is not enough.

More significant than any new structure is the determination to take more of the strain at a national level. This means developing with industry innovative defences at scale, using technology to defeat technology threats. Criminal and state cyber attacks are inevitably part of an arms race moving at dazzling speed, but western governments and industry together can stay ahead.

At its most basic, this can simply mean preventing criminals posing as organisations such as the tax officials at HM Revenue & Customs, or filtering out those countless “spear phishing” emails that clog our inboxes. In a few years I suspect the public will wonder why service providers did not do this at a national level a long time ago. The answer, of course, is that the internet was not designed with security or crime in mind. It evolved in a wonderful collaboration of academia and industry.

But these and other more sophisticated measures will not absolve the private sector from building sensible security into their new products, their business models and their corporate governance at every level. Others have begun to regulate to achieve this, notably New York state, which just introduced tough cyber accountability for Wall Street chief executives. Critically, they will also be held responsible for good security in their supply chain.

Finally, at the heart of our generational problem on cyber is a shortage of skills. We cannot wait for this to fix itself. Alongside all the new initiatives to promote cyber skills, those in senior positions and responsible for corporate governance should educate themselves and overcome their fear of cyber.

If we get this right, there are enormous opportunities for the UK, not only to become the safest place to live and do business online — but to export some of the solutions.

The writer is head of GCHQ
