Tackling cyber threats requires private-sector action

In recent months public attention has been on state-led cyber attacks, from the drama of Russian aggression to crude North Korean online bank heists. Of course these matter and we have recently written to UK political parties to warn them about current threats, but this should not become a distraction from the much broader cyber challenge for western countries.

The British government has radically changed its approach to cyber security in the past few years, but we now need an accompanying shift in culture and skills across the private sector if we are to address the rising tide of cyber incidents. The challenge for business is to engage, understand more, and update corporate governance for the digital era.

There is a generational gap at the heart of this. In boardrooms cyber security is now acknowledged as important, but is still seen as a baffling problem for IT experts to fix, or an unavoidable cost of doing business. For the innovators and disrupters, who understand it better, this is someone else’s problem and far less exciting and profitable than the technology they are creating.

The key for both groups is to see this as primarily a problem about data, not IT. Everyone understands the importance of data to their business, but not enough senior people are truly engaged in understanding which data are most precious to them and how it is handled, stored and protected.

Nervousness in the face of technology prevents business leaders from applying the forensic interest they would have in financial or legal areas. Corporate governance structures are not up to the task: how are investors to know whether a potential investment, acquisition or shareholding is managing its cyber risk properly?

This will become even more critical as the internet of things moves from largely pointless gadgets to being hard wired into every area of the economy, with billions of new devices producing ever richer data. From healthcare to travel, education to food, every sector that depends heavily on data will begin to face problems already familiar to financial services.

Nor is theft or destruction of information the greatest worry. Integrity is. If businesses cannot be confident that their data has not been changed maliciously or accidentally, they will simply become paralysed.

In the UK the government’s response has been twofold. First it has rationalised the smorgasbord of organisations involved in cyber security by creating the new National Cyber Security Centre. More importantly, by making it an operational arm of GCHQ, Britain’s electronic intelligence agency, it has put world-leading technologists at the heart of both advice and operations. We have learnt from the tech sector that expertise needs to be at the heart of strategy. Relying solely on the well-meaning generalist, which has not served government policy well in computer science since the 1950s, is not enough.

More significant than any new structure is the determination to take more of the strain at a national level. This means developing with industry innovative defences at scale, using technology to defeat technology threats. Criminal and state cyber attacks are inevitably part of an arms race moving at dazzling speed, but western governments and industry together can stay ahead.

At its most basic, this can simply mean preventing criminals posing as organisations such as the tax officials at HM Revenue & Customs, or filtering out those countless “spear phishing” emails that clog our inboxes. In a few years I suspect the public will wonder why service providers did not do this at a national level a long time ago. The answer, of course, is that the internet was not designed with security or crime in mind. It evolved in a wonderful collaboration of academia and industry.

But these and other more sophisticated measures will not absolve the private sector from building sensible security into their new products, their business models and their corporate governance at every level. Others have begun to regulate to achieve this, notably New York state, which just introduced tough cyber accountability for Wall Street chief executives. Critically, they will also be held responsible for good security in their supply chain.

Finally, at the heart of our generational problem on cyber is a shortage of skills. We cannot wait for this to fix itself. Alongside all the new initiatives to promote cyber skills, those in senior positions and responsible for corporate governance should educate themselves and overcome their fear of cyber.

If we get this right, there are enormous opportunities for the UK, not only to become the safest place to live and do business online — but to export some of the solutions.

The writer is head of GCHQ
