The good, the bad and the weird: Ciaran Martin discusses where the pandemic has left cyber security

The former head of the National Cyber Security Centre discusses the effects of the events of recent years on the security of organisations and critical national infrastructure


You may not have noticed but 2020 was actually a good year, for cyber security at least.

That's according to Ciaran Martin, former head of the UK's National Cyber Security Centre (NCSC), speaking at Computing's Cyber Security Festival 2022.

"2020 was surprisingly good for cyber, at the same time as being catastrophic in many other ways," began Martin. "We underwent a massive global unplanned experiment in reconfiguring everything around how we work and live, mostly in the digital space. And there was a realisation that not all the things we warned about came true.

"After six months of lockdown, a colleague mentioned that if you'd said as a society we're going to take every organisation and give them three to five days to go fully remote using whatever IT they can find, you'd say it's going to end very, very badly.

"There were problems and scams, but overall we had an emergency and we got away with it."

The Good, the Bad and the Ugly

Martin cited the New Year Honours list, which in 2020 included people who'd helped keep the UK online.

"The honours list came out and there were people like Openreach engineers on it. Some of them had been climbing poles at 3am in remote areas to keep people online."

Having presented 2020 as 'good', he moved on to 2021, which he labelled 'bad'.

"In 2021 it was really bad with ransomware. Enough serious incidents happened to give rise to very serious concerns about our systemic vulnerabilities. In the US the Colonial Pipeline hack was scary."

This hack from May 2021 prompted US President Joe Biden to declare a state of national emergency as a key piece of critical national infrastructure was compromised and forced to shut down, resulting in oil and petrol shortages.

"You go to critical infrastructure plants and receive solemn assurances that they are properly shielded from the enterprise IT around them. But that organisation felt obliged to switch off the pipeline as it found out you can have sophisticated safety measures, but if your safety manuals become inaccessible you have to switch it off.

"And that ended with a public safety impact with people filling plastic bags with petrol."

Martin also referred to an attack on the Irish public health system.

"There are always major fears about hospital systems collapsing as the result of an attack, but in this case the hospital booking and commissioning system for an entire country went offline. That had terrifying consequences and it's a ferocious reminder of the soft underbelly of some of our critical systems."

Having covered the 'good' and 'bad', Martin then went on to what he termed the 'ugly'.

"Now in 2022 we have the ugliness of the invasion of Ukraine. We've had for many months this heightened alert around cyber attacks which is justified. But the warnings of digital apocalypse in Britain in response to sanctions haven't come to pass. It's a confusing picture."

Attempting to explain the lack of large-scale digital disruption related to the war in Ukraine, Martin referenced a quote from a key member of the US National Security Agency (NSA).

"The Director of Cyber Security of the NSA said they've noticed that Russian ransomware gangs are having trouble shifting money around, perhaps as a result of sanctions, and are therefore doing fewer attacks."

The Good, the Bad and the Weird

Having covered the good, the bad and the ugly of recent years, Martin went on to say that it leaves us in a place that can be characterised as good, bad and "a bit weird".

"The experience of the pandemic put an increased emphasis on digital security, and people care about it more. We are now thinking more systemically about cyber, seeing it as a societal challenge."

That was the 'good' of where we find ourselves today, the 'bad' being what Martin defined as the "scary exposure to vulnerabilities from motivated but not terribly sophisticated attacks".

"Think of the message that sends out to a determined nation-state actor," he added.

And the 'weird' element is where we find ourselves in assessing risk.

"We're just not there yet in spite of everything when it comes to assessing risk and likelihood. We're surprised there's been no cyber escalation from Russia, and we don't know if the reason for that is structural or strategic, or whether their cyber organisation is as ineffective as their regular troops. We have a 'shields up' approach at the moment but that takes a lot of energy, when do we put shields down?"


Cleaning up Digital Pollution

He then posed the question of how we clean up the digital environment, stating that the immediate priority is to look at what he called the "underanalysed trauma of 2021".

"Hold on to those frightening but localised events of 2021. That tells you a lot about the unhappy legacy of the first generation of technology. We have legacy systems, broken commercial incentives and a lack of understanding of some of the risks.

"There are organisations where some basic security practices are not in place, like basic monitoring and two-factor authentication. There's lots of digital pollution out there in all of our lives and we have to get better at clearing that up."

He continued, arguing that policymakers need to get better at taking this digital pollution into account.

"Most rational people and organisations don't suddenly become mad when it comes to cyber. So what's wrong here? It's too easy for people like me to blame victims but look at why ransomware is happening.

"There's a triplet of reasons why it broke out. The first is that Russia has provided a benign working environment for well-organised criminals to operate. There are no huge well-organised ransomware groups in the UK or Western Europe. Pre-war, President Biden was trying to put pressure on Russia to stop it being a haven for 74% of all known ransomware."

The second issue, according to Martin, is that of weak cyber defences.

"How do governments better incentivise people? Is it about buying in some of the good technology that's out there, and investing more in people? How do you nudge better cyber?"

Moving on to his third recommendation, Martin said that society has to get past the situation where the business model for ransomware so heavily favours criminal groups.

"You can hack something, make a demand and be completely immune from law enforcement. From the victim's perspective, unless you're a cyber expert, you might see it as an existential risk. That's not true most of the time. But if you don't really understand cyber, then you're incentivised to pay. And it's often a double extortion: if you won't pay, then they say they're going to leak your data.

"The Irish government thought the full set of all Irish healthcare data would be released online. But what part of the openly accessible web was going to host that? Did they think it'd be published in the Irish Times?

"Just give people better information. Publishing datasets might lead to some risks but it's not as binary as saying everyone can look at everything all the time."

Register now for days two and three of the Cyber Security Festival 2022, taking place online on the 15th and 16th June.