Cybersecurity has become a public good with the industry tasked with maintaining society’s trust in digital technologies, according to the UK’s National Cyber Security Centre (NCSC) founding CEO.
Speaking during the (ISC)2 Secure UK & Europe event, the former NCSC CEO Ciaran Martin highlighted the societal impact of the recent ransomware attack on Australian healthcare insurer Medibank and said the breach meant “we have a population scared and traumatized by a cyber-incident.”
Medibank refused to pay the ransom demand and has confirmed that the attackers have started to leak the stolen files on the dark web, including highly sensitive data, such as mental health consultations and patients’ alcohol and drug problems. The company holds data of 9.7 million current and former customers in Australia.
In a period when technology has been our “saviour” during the pandemic and has become integral to our way of life, it is crucial this fear is conquered. “Cybersecurity is a noble profession and a public good because we need a safer digital environment,” added Martin.
Explaining why online risks are so high, he cited one of the pioneers of the internet’s architecture, Dr Vinton Cerf, who admitted he and his colleagues did not know they were laying the tracks for what would become the foundation of the global economy. Cerf also acknowledged that they did not envision that “people would intentionally take advantage of the network to commit theft and fraud.”
This explains why digital insecurity is a structural problem and never built into the internet’s architecture, said Martin.
Threat Proliferation
Another major challenge is the proliferation of cyber-threat actors, with several motivations and techniques. There are significant variations among nation-state affiliated groups, according to Martin. For example, Russia generally uses cyber-attacks to spy on and undermine rivals, with China is more focused on economic power, such as IP theft, Iran primarily motivated by “asymmetric political retaliation” while North Korea is considered a “state-sponsored cyber-criminal” due to its frequent attempts to steal money to fund its government activities.
Martin said that he dealt with over 7000 cyber incidents during his time at the UK NCSC (2016-2020), and used these insights to characterize three types of cyber harms:
- Getting robbed – cash theft, such as skimming small amounts of money from banks, heists on financial services organizations, IP theft and data theft.
- Getting weakened – this is more strategic, and involves espionage and data theft on governments and critical industries and interfering politically, such as electoral administration, with the purposes of undermining confidence and weakening other nations.
- Getting hurt – where serious disruption puts basic services and sometimes people’s lives at risk. This includes attacks designed to knock out critical infrastructure, such as power grids, food distribution services and hospitals.
Despite the increased dangers and fears around cyber-attacks, Martin insisted there are reasons for optimism around the ability to manage risk better and fight back.
He argued that the example of internet of things (IoT) devices shows that new technologies should be viewed as “a security opportunity” rather than a threat. He noted that initially, the growth of connected devices was viewed as a security disaster following numerous attacks that exploited weaknesses within IoT devices, such as weak default passwords that cannot be changed.
However, IoT has not been the security disaster it was first expected to be as “we saw IoT coming, and governments and industry started to think about how we manage the security aspects of it.” This has led to a plethora of standards and legislation to ensure security is built into the hardware of the products before they reach the consumer.
These principles should be applied to secure emerging technologies like AI and quantum computing. “Let’s think about how we implement these technologies securely to remove the structural digital insecurity,” outlined Martin.
Cyber Partnerships
Martin emphasized the importance of cyber resilience, particularly the role of partnerships in ensuring business continuity and recovery in the event of an attack.
“There are some threat actors who are so effective that it’s not economic to expect a company to deal with them on their own. You need relationships with government, and those relationships can work.”
Martin provided an example of a banking ecosystem partnership created during his time at the NCSC, designed to tackle threats from North Korean actors. This involved a network of government entities and the major banks “that could share information at scale when things happened.” This enabled 54 sophisticated attempts on UK banks to be blocked immediately.
Such partnerships also provide the ability to “learn from our chronic digital insecurity and begin to fix it.”
Concluding, Martin reiterated that if we continue to see major security breaches like Medibank, “people’s confidence in the digital economy is going to go and that will be a disaster.”
Therefore, cybersecurity has moved beyond protecting ourselves and our own interests, to being a public good. “I hope we’ll all join together to fight back against this chronic digital insecurity,” he added.