National Security Chief Talks About The UK’s Cyber Dangers

External interference in democratic processes, along with the current wave of international ransomware attacks against healthcare, communications and other critical infrastructure and systems, places cybersecurity firmly at the centre of topical events.

Ciaran Martin, chief of the UK's new National Cyber Security Centre, was interviewed by Wired about how these threats will impact the UK and what we can do about it.

Cyber Threat to the UK
“In the first few months since the National Cyber Security Centre formally came into being, we’ve dealt with around 60 to 70 Category Two and Three attacks per month. We’ve never had a Category One attack, a serious national emergency, that we’ve seen in other countries. Those that require co-ordination from the national authority on cyber security are in the region of 60 to 70 per month.
“The issue of cyber-security is often shrouded in mystique. We view that as unhelpful because there are all sorts of different attacks with different motivations and levels of sophistications, you need to think about it in that disaggregated way in order to tackle it.”

Nature of the Attacks on the UK
“We’re seeing traditional state-sponsored espionage in our critical services, we’re seeing the heightened threat from Russia that we’ve spoken about in terms of critical services against our allies, and, of course, the well-documented attacks on other democracies. We’re also seeing significant, commercially-related espionage at both the high end and the low end, meaning high-end intellectual property and the theft of small amounts of money at scale, which equates to large amounts of money. 

“There’s also the theft of considerable amounts of personal data and hacktivist attacks, either for propaganda or for menacing purposes. The attacks range in sophistication from things that really only the state could defend against all the way through to very basic attacks. It’s our view that too many basic attacks are coming through.”

Who is Responsible
“There are hostile state actors of various sizes and then there are significant criminal gangs. The transnational ones can be extremely sophisticated and therefore difficult to combat, and also sometimes difficult to use law-enforcement powers against, because of where they may be located. But with international partnerships and with the great work by the National Crime Agency in that international arena, we have more success than you might think.”

Cyber-Terrorism
 “Although we see terrorists using the internet and cyberattacks to menace, harass, embarrass and achieve propaganda, they seem to be still some way off the destructive capability that no doubt they intend to develop. The reasons why are pretty obvious, building a high-end offensive cyber capability requires stability, money and skills. 
“All three things are associated with the state rather than a stateless terrorist group operating in hiding from western powers. We try not to exaggerate the threat; we try to give realistic assessments and that’s why we don’t overstate the current threat.”

On Active Defence
“Active cyber defence is about moving beyond passivity and thinking actively about technological improvements as close as possible to the source. This takes the burden away from individual users, moving away from advice such as “Don’t click on a dodgy link” when most people don’t know what a dodgy link looks like, into an active process of researching ‘How do you stop malicious email being delivered in the first place?’ And it includes the right to act aggressively in the most serious cases. We have a declared offensive cyber capability; we can, and will, get on to the infrastructure of those attacking us when there is no other option – and we will disrupt attacks actively in the most serious cases.”

On International Co-Operation
“Cyber doesn’t respect international borders. There is a process underway between like-minded allied nations of informal but increasingly active co-operation in threat-sharing and joint operations. Some of our most successful cyber-crime operations have been led by the FBI and we have an excellent operational relationship with France. 
“We’re an intelligence organisation, so it’s not easy, but it’s possible to build trusted relationships where we can share sensitive data at an increasing scale. We’re building capacity and capability where it is in our interests for our closest economic partners to be well protected and, in so far as we have expertise that they wish to draw on, we’ll be happy to do that.”

On the Mission of the NCSC
“The NCSC has three priorities: 

  • One is to build long-term defences for our critical services. 
  • Secondly it’s to manage incidents as and when they happen. 
  • Third is to improve the underlying technology of the Internet to make it easier for people to live and work online safely, that's in ways people use technology and in ways that they don’t see.

 “Protecting critical services will be a long-term challenge and the strategic solution is, as legacy systems are phased out, building embedded security features into the new systems. One of our showcase items is what we’ve done on smart meters, from next generation power supply all the way through to new government payment systems we’ll build that resilience in.
“The UK is doing reasonably well in this, but there’s no room for complacency and I’m certainly not ruling out potential for a major attack. I think a Category One incident of some sort is likely to happen in my time in this job, but it will be a major focus of work over the next decade to put in long-term mitigations into these services [that will last] for decades to come.”

Challenge for Individuals and Organisations to Keep Up with Advances in Technology

“This is not a new problem, but it’s not a mature problem either, it's a maturing problem. It's now clear that part of this is just thinking about it in normal risk-management terms: whether you're a business or an individual, think about the exposure you’ve got online and what you care about.

“Why did our password guidance get so much pick up? Because it allows people to think about what’s good enough for most things they care about, and then what they need to apply exceptional security to. Individuals will have different requirements and the government can’t dictate that for them, nor would it be appropriate to do so. Businesses are the same.

 “We do need a step change in the evidence base of cyber security: we’re trying to publish what works, what we get right and wrong, we’re trying to set out the evidence and put out guidance at scale about vulnerabilities and so on.
“There is a point, particularly for businesses, about understanding how technology works. As we migrate towards the Internet of Things, there’s a potential opportunity where you move from a model where the price of a service is the provision of data, personal data, or corporate data, for free to the provider of that service, to a model where the price is actually a fee for a service. It should be a differentiator, which people can use when selecting that service, including how secure they think it is and what reputation it has for security.

“A third point is about what the government and the technology industry can do together and separately to improve the underlying infrastructure. I think we’ve underinvested in the energy and focus that we’ve put into the technological improvements we can make. We’re addressing that as quickly as we can. There’s also the work we’re doing about hardening the border gateway protocol to make sure that the routing of traffic between big UK centres is safer, so it doesn’t get rerouted via the Ukraine or Moscow – as happened to the Atomic Weapons Establishment. That sort of thing, which users will not see, is critical.

“My message is not to have a counsel of despair about these things. Let's deconstruct and disaggregate the problem. Let's look about what matters to users and individuals, what matters to businesses, what happens at the national level and, fundamentally, let's get the government thinking about how it can incentivise and work with industry to fix some of these things at source.”

Challenges of Quantum Computing
“It's a big strategic challenge; in the long-term, quantum computers are likely to break the sort of public key algorithms that we use today. A cryptographically relevant quantum computer is some years off, probably a small number of decades away, and there is an awful lot of work going on here, in academia, and in industry globally about post-quantum cryptography to make sure we develop algorithms that are strong in the face of both a classical and a quantum computer.

“We’re not in the space where we need to worry about a quantum computer breaking the security that we have now, but we need to focus on this as a significant long-term challenge to make sure that we continue to have that ecosystem where there's sufficient security in our systems.

 “We never expect technology to stand still, and we never expect our own trade craft and advice and the sort of things we recommend to stand still. If the government wants to do something in the digital space we will never say ‘no, don’t do this digitally’. We might say ‘don't do it this way because it's not safe’, but we never want to be the tail wagging the dog, we always want to say ‘yes, of course’.

“If digital is appropriate from the point of view of the citizen, from the point of view of the taxpayer, our job is to help make it work. When things like quantum computing come along, our job is to make sure that we have a sufficient research and engineering base that we know how to make sure that it's done safely.”

Cyber Security Skills Shortage
“It’s a very big challenge and one of the most important. The short term answer is: we need to incentivise various schemes. We have an extensive programme of outreach to schools and we run national competitions.

“One is CyberFirst: by 2020 we’ll have 1,000 undergraduate bursaries with people then contracted to work on cybersecurity, not necessarily for us, but in the sphere of cybersecurity for a few years after graduation. And then we extended the programme to younger ages and to girls, because girls are starkly underrepresented. It was massively oversubscribed with hundreds of schools taking part.

“In the workforce we’re offering 100 industry-funded placements in the National Cyber Security Centre so they can send people in who know the work, and we’ll upskill them and gain a better understanding of their industry and then they can go back. We’re trying to get people in the scale of hundreds and thousands through targeted interventions in the education system, at universities and in industry.

“The long term solution is around the [school] curriculum, it's around the education system as a whole, it's around making sure that we really embed both digital technology skills and cyber-security skills into the education system, because industry is crying out for people, it's not as if the demand isn’t there.”

Wired
