National Security Chief Talks About The UK’s Cyber Dangers

External interference in democratic processes, along with the current wave of international ransomware attacks against healthcare, communications and other critical infrastructure and systems, places cybersecurity firmly at the centre of topical events.

Ciaran Martin, chief of the UK's new National Cyber Security Centre, was interviewed by Wired about how these threats will impact the UK and what we can do about it.

Cyber Threat to the UK
“In the first few months since the National Cyber Security Centre formally came into being, we’ve dealt with around 60 to 70 Category Two and Three attacks per month. We’ve never had a Category One attack, a serious national emergency, that we’ve seen in other countries. Those that require co-ordination from the national authority on cyber security are in the region of 60 to 70 per month.
“The issue of cyber-security is often shrouded in mystique. We view that as unhelpful because there are all sorts of different attacks with different motivations and levels of sophistication; you need to think about it in that disaggregated way in order to tackle it.”

Nature of the Attacks on the UK
“We’re seeing traditional state-sponsored espionage in our critical services, we’re seeing the heightened threat from Russia that we’ve spoken about in terms of critical services against our allies, and, of course, the well-documented attacks on other democracies. We’re also seeing significant, commercially-related espionage at both the high end and the low end, meaning high-end intellectual property and the theft of small amounts of money at scale, which equates to large amounts of money. 

“There’s also the theft of considerable amounts of personal data and hacktivist attacks, either for propaganda or for menacing purposes. The attacks range in sophistication from things that really only the state could defend against all the way through to very basic attacks. It’s our view that too many basic attacks are coming through.”

Who is Responsible
“There are hostile state actors of various sizes and then there are significant criminal gangs. The transnational ones can be extremely sophisticated and therefore difficult to combat, and also sometimes difficult to use law-enforcement powers against, because of where they may be located. But with international partnerships and with the great work by the National Crime Agency in that international arena, we have more success than you might think.”

Cyber-Terrorism
“Although we see terrorists using the internet and cyberattacks to menace, harass, embarrass and achieve propaganda, they seem to be still some way off the destructive capability that no doubt they intend to develop. The reasons why are pretty obvious, building a high-end offensive cyber capability requires stability, money and skills.
“All three things are associated with the state rather than a stateless terrorist group operating in hiding from western powers. We try not to exaggerate the threat; we try to give realistic assessments and that’s why we don’t overstate the current threat.”

On Active Defence
“Active cyber defence is about moving beyond passivity and thinking actively about technological improvements as close as possible to the source. This takes the burden away from individual users, moving away from advice such as “Don’t click on a dodgy link” when most people don’t know what a dodgy link looks like, into an active process of researching ‘How do you stop malicious email being delivered in the first place?’ And it includes the right to act aggressively in the most serious cases. We have a declared offensive cyber capability; we can, and will, get on to the infrastructure of those attacking us when there is no other option – and we will disrupt attacks actively in the most serious cases.”

On International Co-Operation
“Cyber doesn’t respect international borders. There is a process underway between like-minded allied nations of informal but increasingly active co-operation in threat-sharing and joint operations. Some of our most successful cyber-crime operations have been led by the FBI and we have an excellent operational relationship with France. 
“We’re an intelligence organisation, so it’s not easy, but it’s possible to build trusted relationships where we can share sensitive data at an increasing scale. We’re building capacity and capability where it is in our interests for our closest economic partners to be well protected and, in so far as we have expertise that they wish to draw on, we’ll be happy to do that.”

On the Mission of the NCSC
“The NCSC has three priorities: 

  • One is to build long-term defences for our critical services. 
  • Secondly it’s to manage incidents as and when they happen. 
  • Third is to improve the underlying technology of the Internet to make it easier for people to live and work online safely, that's in ways people use technology and in ways that they don’t see.

“Protecting critical services will be a long-term challenge and the strategic solution is, as legacy systems are phased out, building embedded security features into the new systems. One of our showcase items is what we’ve done on smart meters, from next generation power supply all the way through to new government payment systems we’ll build that resilience in.
“The UK is doing reasonably well in this, but there’s no room for complacency and I’m certainly not ruling out potential for a major attack. I think a Category One incident of some sort is likely to happen in my time in this job, but it will be a major focus of work over the next decade to put in long-term mitigations into these services [that will last] for decades to come.”

Challenge for Individuals and Organisations to Keep Up with Advances in Technology

“This is not a new problem, but it’s not a mature problem either, it's a maturing problem. It's now clear that part of this is just thinking about it in normal risk-management terms: whether you're a business or an individual, think about the exposure you’ve got online and what you care about.

“Why did our password guidance get so much pick up? Because it allows people to think about what’s good enough for most things they care about, and then what they need to apply exceptional security to. Individuals will have different requirements and the government can’t dictate that for them, nor would it be appropriate to do so. Businesses are the same.

“We do need a step change in the evidence base of cyber security: we’re trying to publish what works, what we get right and wrong, we’re trying to set out the evidence and put out guidance at scale about vulnerabilities and so on.
“There is a point, particularly for businesses, about understanding how technology works. As we migrate towards the Internet of Things, there’s a potential opportunity where you move from a model where the price of a service is the provision of data, personal data, or corporate data, for free to the provider of that service, to a model where the price is actually a fee for a service. It should be a differentiator, which people can use when selecting that service, including how secure they think it is and what reputation it has for security.

“A third point is about what the government and the technology industry can do together and separately to improve the underlying infrastructure. I think we’ve underinvested in the energy and focus that we’ve put into the technological improvements we can make. We’re addressing that as quickly as we can. There’s also the work we’re doing about hardening the border gateway protocol to make sure that the routing of traffic between big UK centres is safer, so it doesn’t get rerouted via the Ukraine or Moscow – as happened to the Atomic Weapons Establishment. That sort of thing, which users will not see, is critical.

“My message is not to have a counsel of despair about these things. Let's deconstruct and disaggregate the problem. Let's look about what matters to users and individuals, what matters to businesses, what happens at the national level and, fundamentally, let's get the government thinking about how it can incentivise and work with industry to fix some of these things at source.”

Challenges of Quantum Computing
“It's a big strategic challenge; in the long-term, quantum computers are likely to break the sort of public key algorithms that we use today. A cryptographically relevant quantum computer is some years off, probably a small number of decades away, and there is an awful lot of work going on here, in academia, and in industry globally about post-quantum cryptography to make sure we develop algorithms that are strong in the face of both a classical and a quantum computer.

“We’re not in the space where we need to worry about a quantum computer breaking the security that we have now, but we need to focus on this as a significant long-term challenge to make sure that we continue to have that ecosystem where there's sufficient security in our systems.

“We never expect technology to stand still, and we never expect our own trade craft and advice and the sort of things we recommend to stand still. If the government wants to do something in the digital space we will never say ‘no, don’t do this digitally’. We might say ‘don't do it this way because it's not safe’, but we never want to be the tail wagging the dog, we always want to say ‘yes, of course’.

“If digital is appropriate from the point of view of the citizen, from the point of view of the taxpayer, our job is to help make it work. When things like quantum computing come along, our job is to make sure that we have a sufficient research and engineering base that we know how to make sure that it's done safely.”

Cyber Security Skills Shortage
“It’s a very big challenge and one of the most important. The short term answer is: we need to incentivise various schemes. We have an extensive programme of outreach to schools and we run national competitions.

“One is CyberFirst: by 2020 we’ll have 1,000 undergraduate bursaries with people then contracted to work on cybersecurity, not necessarily for us, but in the sphere of cybersecurity for a few years after graduation. And then we extended the programme to younger ages and to girls, because girls are starkly underrepresented. It was massively oversubscribed with hundreds of schools taking part.

“In the workforce we’re offering 100 industry-funded placements in the National Cyber Security Centre so they can send people in who know the work, and we’ll upskill them and gain a better understanding of their industry and then they can go back. We’re trying to get people in the scale of hundreds and thousands through targeted interventions in the education system, at universities and in industry.

“The long term solution is around the [school] curriculum, it's around the education system as a whole, it's around making sure that we really embed both digital technology skills and cyber-security skills into the education system, because industry is crying out for people, it's not as if the demand isn’t there.”

Wired
