National Security Chief Talks About The UK’s Cyber Dangers
External interference in democratic processes, along with the current wave of international ransomware attacks against Healthcare, Communications and other critical infrastructure and systems, place cybresecurity firmly at the centre of topitical events.
Ciaran Martin, chief of he UK's new National Cyber Security Centre was interviewed by Wired about how these threats will impact the UK and what we can do about it.
Cyber Threat to the UK
“In the first few months since the National Cyber Security Centre formally came into being, we’ve dealt with around 60 to 70 Category Two and Three attacks per month. We’ve never had a Category One attack, a serious national emergency, that we’ve seen in other countries. Those that require co-ordination from the national authority on cyber security are in the region of 60 to 70 per month.
“The issue of cyber-security is often shrouded in mystique. We view that as unhelpful because there are all sorts of different attacks with different motivations and levels of sophistications, you need to think about it in that disaggregated way in order to tackle it.”
Nature of the Attacks on the UK
“We’re seeing traditional state-sponsored espionage in our critical services, we’re seeing the heightened threat from Russia that we’ve spoken about in terms of critical services against our allies, and, of course, the well-documented attacks on other democracies. We’re also seeing significant, commercially-related espionage at both the high end and the low end, meaning high-end intellectual property and the theft of small amounts of money at scale, which equates to large amounts of money.
“There’s also the theft of considerable amounts of personal data and hacktivist attacks, either for propaganda or for menacing purposes. The attacks range in sophistication from things that really only the state could defend against all the way through to very basic attacks. It’s our view that too many basic attacks are coming through.”
Who is Responsible
“There are hostile state actors of various sizes and then there are significant criminal gangs. The transnational ones can be extremely sophisticated and therefore difficult to combat, and also sometimes difficult to use law-enforcement powers against, because of where they may be located. But with international partnerships and with the great work by the National Crime Agency in that international arena, we have more success than you might think.”
Cyber-Terrorism
“Although we see terrorists using the internet and cyberattacks to menace, harass, embarrass and achieve propaganda, they seem to be still some way off the destructive capability that no doubt they intend to develop. The reasons why are pretty obvious, building a high-end offensive cyber capability requires stability, money and skills.
“All three things are associated with the state rather than a stateless terrorist group operating in hiding from western powers. We try not to exaggerate the threat; we try to give realistic assessments and that’s why we don’t overstate the current threat.”
On Active Defence
“Active cyber defence is about moving beyond passivity and thinking actively about technological improvements as close as possible to the source. This takes the burden away from individual users, moving away from advice such as “Don’t click on a dodgy link” when most people don’t know what a dodgy link looks like, into an active process of researching ‘How do you stop malicious email being delivered in the first place?’ And it includes the right to act aggressively in the most serious cases. We have a declared offensive cyber capability; we can, and will, get on to the infrastructure of those attacking us when there is no other option – and we will disrupt attacks actively in the most serious cases.”
On International Co-Operation
“Cyber doesn’t respect international borders. There is a process underway between like-minded allied nations of informal but increasingly active co-operation in threat-sharing and joint operations. Some of our most successful cyber-crime operations have been led by the FBI and we have an excellent operational relationship with France.
“We’re an intelligence organisation, so it’s not easy, but it’s possible to build trusted relationships where we can share sensitive data at an increasing scale. We’re building capacity and capability where it is in our interests for our closest economic partners to be well protected and, in so far as we have expertise that they wish to draw on, we’ll be happy to do that.”
On the Mission of the NCSC
“The NCSC has three priorities:
- One is to build long-term defences for our critical services.
- Secondly it’s to manage incidents as and when they happen.
- Third is to improve the underlying technology of the Internet to make it easier for people to live and work online safely, that's in ways people use technology and in ways that they don’t see.
“Protecting critical services will be a long-term challenge and the strategic solution is, as legacy systems are phased out, building embedded security features into the new systems. One of our showcase items is what we’ve done on smart meters, from next generation power supply all the way through to new government payment systems we’ll build that resilience in.
“The UK is doing reasonably well in this, but there’s no room for complacency and I’m certainly not ruling out potential for a major attack. I think a Category One incident of some sort is likely to happen in my time in this job, but it will be a major focus of work over the next decade to put in long-term mitigations into these services [that will last] for decades to come.”
Challenge for Individuals and Organisations to keep up with Advances in Technology.
“This is not a new problem, but it’s not a mature problem either, it's a maturing problem. It's now clear that part of this is just thinking about it in normal risk-management terms: whether you're a business or an individual, think about the exposure you’ve got online and what you care about.
“Why did our password guidance get so much pick up? Because it allows people to think about what’s good enough for most things they care about, and then what they need to apply exceptional security to. Individuals will have different requirements and the government can’t dictate that for them, nor would it be appropriate to do so. Businesses are the same.
“We do need a step change in the evidence base of cyber security: we’re trying to publish what works, what we get right and wrong, we’re trying to set out the evidence and put out guidance at scale about vulnerabilities and so on.
“There is a point, particularly for businesses, about understanding how technology works. As we migrate towards the Internet of Things, there’s a potential opportunity where you move from a model where the price of a service is the provision of data, personal data, or corporate data, for free to the provider of that service, to a model where the price is actually a fee for a service. It should be a differentiator, which people can use when selecting that service, including how secure they think it is and what reputation it has for security.
“A third point is about what the government and the technology industry can do together and separately to improve the underlying infrastructure. I think we’ve underinvested in the energy and focus that we’ve put into the technological improvements we can make. We’re addressing that as quickly as we can. There’s also the work we’re doing about hardening the border gateway protocol to make sure that the routing of traffic between big UK centres is safer, so it doesn’t get rerouted via the Ukraine or Moscow – as happened to the Atomic Weapons Establishment. That sort of thing, which users will not see, is critical.
“My message is not to have a council of despair about these things. Let's deconstruct and disaggregate the problem. Let's look about what matters to users and individuals, what matters to businesses, what happens at the national level and, fundamentally, let's get the government thinking about how it can incentivise and work with industry to fix some of these things at source.”
Challenges of Quantum Computing
“It's a big strategic challenge; in the long-term, quantum computers are likely to break the sort of public key algorithms that we use today. A crypto-graphically relevant quantum computer is some years off, probably a small number of decades away, and there is an awful lot of work going on here, in academia, and in industry globally about post-quantum topographies to make sure we develop algorithms that are strong in the face of both a classical and a quantum computer.
“We’re not in the space where we need to worry about a quantum computer breaking the security that we have now, but we need to focus on this as a significant long-term challenge to make sure that we continue to have that ecosystem where there's sufficient security in our systems.
“We never expect technology to stand still, and we never expect our own trade craft and advice and the sort of things we recommend to stand still. If the government wants to do something in the digital space we will never say ‘no, don’t do this digitally’. We might say ‘don't do it this way because it's not safe’, but we never want to be the tail wagging the dog, we always want to say ‘yes, of course’.
“If digital is appropriate from the point of view of the citizen, from the point of view of the taxpayer, our job is to help make it work. When things like quantum computing come along, our job is to make sure that we have a sufficient research and engineering base that we know how to make sure that it's done safely.”
Cyber Security Skills Shortage
It’s a very big challenge and one of the most important. The short term answer is: we need to incentivise various schemes. We have an extensive programme of outreach to schools and we run national competitions.
One is CyberFirst: by 2020 we’ll have 1,000 undergraduate bursaries with people then contracted to work on cybersecurity, not necessarily for us, but in the sphere of cybersecurity for a few years after graduation. And then we extended the programme to younger ages and to girls, because girls are starkly underrepresented. It was massively oversubscribed with hundreds of schools taking part.
“In the workforce we’re offering 100 industry-funded placements in the National Cyber Security Centre so they can send people in who know the work, and we’ll upskill them and gain a better understanding of their industry and then they can go back. We’re trying to get people in the scale of hundreds and thousands through targeted interventions in the education system, at universities and in industry.
“The long term solution is around the [school] curriculum, it's around the education system as a whole, it's around making sure that we really embed both digital technology skills and cyber-security skills into the education system, because industry is crying out for people, it's not as if the demand isn’t there.
You Might Also Read:
Cardiff Cyber Security Research Centre - 'first in Europe':
UK’s New National Cyber Security Centre:
New British Cybersecurity Centre Has A Focus On Financial Services:
Getting Intelligence Agencies To Adapt To Life Out Of The Shadows:
Director's Departure Leaves A Big Hole At GCHQ:
GCHQ Is Investing In Cyber-Security Start-Ups: