Ciaran Martin, chief executive of the National Cyber Security Centre
The importance of cyber-security to protecting the UK economy, society and even democratic institutions cannot be overstated.
That was the opening message from the chief executive of the National Cyber Security Centre (NCSC), Ciaran Martin, speaking yesterday at the CyberUK 2017 conference in Liverpool.
The three-day conference, running from 14-16 March, brought together experts from government, universities, cyber-security providers and end-user organisations to discuss best practice and promote partnership in the fight against online crime.
The NCSC was officially opened by the Queen just last month, but it has been busily building its capabilities and staffing its headquarters in London since October. In its first three months of operation, it dealt with 188 C2 and C3 incidents, those judged to be severe or moderately severe but not a threat to national infrastructure.
Martin said that since opening, the NCSC has been working to build partnerships with the private sector and academia as quickly as possible because, he noted, the problem of defending cyberspace was too big for government to tackle alone.
“It's a partnership with a purpose, and when I talk about that, I think about the fact that we are evolving in the way we partner between government, industry and academia,” he said.
Examples of this work include a classified lab at the NCSC for developing new systems, among them decoys designed to confuse and mislead attackers.
The NCSC is also working with business organisations such as the British Retail Consortium and the FSB (the Federation of Small Business, not the Russian intelligence agency, Martin hastened to add!).
“We are also talking about partnerships with the citizens. There is a contract and a compact here which is aiming to make things easier for the citizen,” he said.
“We are ambitious in our strategy”, added Martin. “We want to be the very best in the world at what we do, not just to give ourselves a pat on the back but because we want to be part of an effort to make this country the safest place in the world to do business and live online. Nothing less than that, and it is an achievable goal.”
Following Ciaran Martin's introduction, the audience was treated to an interview with Robert Hannigan, the outgoing head of GCHQ, conducted by Lionel Barber, the editor of the Financial Times. Barber noted that he has known Hannigan for many years, since he was embedded in a unit with Hannigan in Afghanistan. “You know you have made it as a journalist when you share a helmet and a flak jacket with a future spymaster,” he noted.
Echoing Martin's comments, Hannigan said the intelligence community must build bridges with the tech industry because only together can they tackle the problems of crime and terrorism on the internet.
Following that, Barber headed up a panel discussion with Dr Ian Levy, the NCSC technical director; Prof Angela Sasse, director of the UK Research Institute in Science of Cyber Security at UCL; Ciaran Martin; Jennifer Walsmith, vice president for integrated national systems at Northrop Grumman; and Conrad Prince, the UK cyber-security ambassador.
(left to right) Lionel Barber, Dr Ian Levy, Prof Angela Sasse, Ciaran Martin, Jennifer Walsmith and Conrad Prince
Barber asked the panel, in the vein of the famous seatbelt campaign which is credited with helping to change people's attitudes toward vehicle safety, what is the “Clunk Click Every Trip” advice for cyber-security?
Martin said it was as simple as teaching people to keep the basics updated and to work out what they care about – those are the simple things that will make it that bit harder for the criminals. “Like the seatbelt analogy, it's not going to prevent all car fatalities but it's going to make it a lot harder to get injured and do harm,” he said.
Sasse said it will be a challenge to come up with a simple, single piece of advice to keep people safe on the internet because of the sheer complexity of the systems involved. But, she said, there were three things she would recommend: back up your data so you can't be held to ransom by ransomware, don't use the same passwords everywhere and keep your devices updated.
Levy agreed that computer systems are far too complex for the average user to understand, let alone protect, so it is imperative to work with academics and the software industry to figure out how to design systems that are secure by default. “Then we will be able to give people very simple advice [on how to secure themselves],” he said.
For Walsmith, cyber-security is more of a hygiene issue. In the same way you combat germs by washing your hands, you have to adopt secure behaviour online to reduce your cyber vulnerabilities.
A question from a representative of the Nuclear Decommissioning Authority was next: what strategies are being developed to protect the public from attacks developed by nation-states or organisations that are free to act with impunity?
Martin replied by saying that over the next 10 years, the NCSC will be looking at all the critical services as they are upgraded and as new systems come in to try to build resiliency and security into them. “The current systems aren't designed with security in mind in that way and while they are still running, they are very expensive and disruptive to try to fix,” he said.
This is similar to the work that has already been done on the smart meter systems, he said, which has been built on the concept of “trust but verify” but also designed to contain some resiliency, so that an attacker would have to mount multiple, sophisticated attacks to do serious damage. “The beauty of this strategy [all of which has been published] is that it is threat actor neutral, so it doesn't matter who is after you. Given the lifespan of some of these systems, we will want them to be resilient to changes in geopolitics.”
He added that we have to consider that some of these threats are going to happen. “So how do we build up capability within the private sector with incident response companies so that we can focus on some of the very top bits of it,” he said. “Let's say it is a state actor, we can focus the intelligence efforts and the mitigation efforts on that bit of it that really only government has the capability and legal authority to do.”
Which, of course, is where partnerships come into it, Martin said, as the industrial base can be called in to mitigate the harms and reduce the risk of it.
The next question asked the panelists to say, in a nutshell, what state actors are looking for when they attack.
Levy replied that they were, quite simply, looking for advantage in information or a hold over someone, a point that Prince expanded on.
“What we are seeing is a much greater willingness to use cyber tools to achieve political outcomes,” he said. “It's all about advantage, and the trend we are seeing is a move toward a much more sophisticated use of those cyber capabilities. Whether it's around theft, destruction or seeking to influence political processes, what we are seeing is increasing aggression in that space. And that's what the NCSC, working with all its partners, is geared to address and deal with.”
You had them at ‘free’
Another question from the audience asked what free cyber-security products the NCSC will make available.
Levy replied that there were currently three products on the NCSC website which are available to public-sector organisations: Web Check, which is designed to scan organisations' systems for common vulnerabilities and suggest ways to fix them; a protective DNS service, which helps mitigate the harm of attacks; and the DMARC service, which enables organisations to take control of their email domains and prevent spammers from spoofing mail from their accounts. For non-governmental organisations, the NCSC's DMARC tool, MailCheck, has been made available in the public domain and can be downloaded from the NCSC's GitHub account.
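To make the DMARC point concrete, the following is an added example written for this report; it is not code from the NCSC, from MailCheck or from any tool mentioned at the conference. It parses a domain's published DMARC TXT record (the `v`, `p`, `sp`, `pct` and `rua` tags defined in RFC 7489) and reports how much anti-spoofing protection the record actually gives: a `p=none` record only monitors, so spoofed mail is still delivered; only `p=quarantine` or `p=reject` at `pct=100` enforces. The sample records and domain names are constructed for the example.

```python
# Added example: assess how strongly a DMARC record protects a domain
# against spoofing. Not NCSC or MailCheck code.

# Constructed sample DMARC TXT records (these domains do not exist).
# In practice the record is the TXT record at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc-reports@weak.example",
    "strong.example":  "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                       "rua=mailto:dmarc-reports@strong.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@partial.example",
    "broken.example":  "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value.

    Returns None if the record is not a DMARC record (it must carry v=DMARC1).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (level, findings).

    level is one of:
      'none'       - no usable DMARC record, receivers apply no policy
      'monitoring' - p=none: reports are sent but spoofed mail is delivered
      'partial'    - enforcing policy but pct < 100, so some failing mail gets through
      'enforcing'  - quarantine/reject applied to all failing mail
    findings lists the weaknesses found, empty when none.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "none", ["no valid DMARC record (v=DMARC1 missing)"]

    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none", [f"invalid or missing p= tag: {policy!r}"]

    # pct defaults to 100 when absent (RFC 7489).
    pct = int(tags.get("pct", "100"))

    if "rua" not in tags:
        findings.append("no rua= aggregate-report address; spoofing attempts will go unseen")

    # Subdomain policy falls back to p= when sp= is absent.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        return "monitoring", findings
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
        return "partial", findings
    return "enforcing", findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        level, findings = assess_dmarc(record)
        print(f"{domain}: {level}")
        for finding in findings:
            print(f"  - {finding}")
```

A real check would fetch the record with a DNS lookup of `_dmarc.<domain>` before passing it to `assess_dmarc`; the example keeps the records inline so it runs offline. The useful defender's takeaway is the distinction between publishing a record and enforcing one: a domain at `p=none` has visibility through aggregate reports but no protection until it moves to `quarantine` or `reject` at full percentage.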
The next question came from a small business perspective: too many companies see cyber-security as an IT issue, not a board issue, so what can be done to add it to the agenda in the boardroom?
Sasse replied that for many SMEs, “when you only have £20,000 left to spend, are you going to spend £10,000 on Cyber Essentials? Probably not.” SMEs need packages of services at a reasonable price that they can use, she said.
“When you talk about the bigger companies, there is still a mindset in the boardroom that it's technical and needs to be delegated to technical people, but I think that's a mistake – it's part of the business and business leaders need to get engaged in these threats that will affect the business.”
Barber asked if there needs to be a mandatory cyber-security qualification for board members.
Walsmith said it's a “ubiquitous problem and will take everyone at every level to understand how it affects us”.
Conrad Prince, UK cyber-security ambassador
Prince said it was a problem of language – geek speak doesn't work in the boardroom. “We are seeing boards trying to get their heads around cyber-security, but there's a key issue around cyber-security professionals conveying the cyber-security issues in a language that the boards can understand, putting themselves in the shoes of the board members.”
He said GCHQ and NCSC have worked on ways to simplify ways of thinking about cyber-security issues. “In my mind, there's a challenge for cyber-security professionals as well as boards and the challenge for professionals is to express these issues in a way that boards can understand. After all, board members are not going to become techy geeks so we have to put ourselves in their minds, look at the issues from their perspective and explain it in a way that they can relate to.”
Levy agreed. “We confuse them with complicated technical terms, we let the CIO or CTO talk to them in a way that makes no sense to them. We need to start giving boards the tools to cut through the crap. We shouldn't be talking to them about malware risk and privilege escalation, we should be telling them, if your admins browse the web or get email on the same account they do their admin on, you are too stupid to help. Any board member can understand that.”
Barber noted that Robert Hannigan wrote an opinion piece in The Financial Times saying, it's not just about IT security, it's also about data. However, Barber noted, “I don't think that message has filtered through to the investment community yet.”
The next question was about fake news and how it could be dealt with, without creating more hysteria.
Ciaran Martin said that the NCSC is working with political parties to teach them the basics about how to protect their systems and their people from cyber-attack. The other issue, he said, was the growing trend to steal information and then alter it, to make it appear that an official document said something different from what it really said. He asked, how can we detect that?
As for the fake news agenda, he said that government agencies were – and should be – reticent about labelling information as “fake news” because that goes against the principle of free speech. He said citizens need to learn to be more sceptical about what they are hearing. “If someone is trying to sell you something, you are naturally sceptical. In the same way, you should be sceptical of someone who is trying to tell you something,” he said.
Levy said that the main difference between the fake news of old and the phenomenon today is that the barriers to entry into the publishing game are much lower than they used to be.
One delegate to the conference was Bryan Lillie, CTO for cyber-security at Qinetiq, who has been attending the conference for a number of years.
He welcomed the emphasis on partnerships and openness, noting that the cyber-security industry has suffered in the past from being too insular. “What I have seen is more open discussion between companies, between academia and with government about sharing problems, and that's the first step,” he said. “For a long time as an industry we have done lots of spot solutions, but now we are thinking more systemic and that's very interesting.”
He said the NCSC was facing a huge change and enormous challenge. “When they were a different government department, GCHQ, their remit was quite tight. It was about securing government whereas now it's about securing the UK, and when you think about that, that's a huge remit: securing the citizen, securing the business and all the like. The change in scale is huge.”
It can be done, Lillie said, if the NCSC takes a strategic approach. “They can set seeds and they can, by benefit of their position, set policy and set direction, but they will need uptake from industry partners to move that forward as well.”