Speech by Ciaran Martin, NCSC Chief Executive, given for London Tech Week on 13th June 2017.
First, thanks for the honour of the invitation and second, thanks to Google for hosting at the Academy. This is a truly excellent facility.
For those of you who haven’t been put through this ordeal previously, my name is Ciaran Martin. I am head of a new body called the National Cyber Security Centre. It’s part of GCHQ, our hi-tech, top secret signals intelligence and cyber security agency.
I’ve been on the Board of GCHQ for three and a half years. Most people here will never see the inside of it so I thought I’d try to describe the famous Doughnut in Cheltenham. I suppose it’s a bit like an early version of a Google office – very informal, very open plan, people writing on walls, round the clock working, a big open garden in the middle. So it’s pretty similar to this place, apart from all the barbed wire and armed police officers.
I joke, but there’s an important point here. In 2015 the Government decided it needed a single, authoritative voice on cyber security and so decided to set up something called a National Cyber Security Centre. It decided to have it within GCHQ because that’s where the best data and the world class expertise was. But to meet this mandate we had to change the way we work. In short, there’s no way you can do cyber security – a team sport – from an exclusively top secret facility a long way away from where most of the headquarters of Government and critical industry are. In a nation of 64-odd million people and the fifth largest economy in the world, you have to get out there and talk to people. So, the NCSC is actually around the corner on Victoria Street. We were opened officially by HM The Queen and HRH the Duke of Edinburgh in February (it’s even closer to Buckingham Palace than it is to here). It’s an open organisation – that event was on live TV. It’s a unique building, with a small classified area connecting back to Cheltenham, but mostly it’s an open, accessible venue for experts and others to gather and talk about what needs to be done to secure Britain in cyberspace, out there in the open. We have a media suite and a conference centre. Perhaps next year we can even host an event as part of Tech Week.
I’ll come to what we do to help organisations with their defences in a moment, but let me first talk about London Tech Week and the UK’s tech industry. The relationships between Governments and tech companies in liberal democracies have many challenges. The dialogue around those challenges will evolve; all I would say, as Government has consistently said for some years, is to remember that Government and the tech industry share the liberal, democratic values from which the Internet sprang. Our goal is to help build a digital economy and society that is both secure and open. We have many common interests and we want to work even more closely with you in partnership on cyber security. So, thank you again for the invitation.
So, to answer how a business defends itself I’m first going to talk about how a country tries to defend itself. For the entirety of this decade, cyber security has been – to use the Whitehall jargon – a Tier One national security threat. The Government’s ambition is to make the UK the safest place to live and work online.
As a country, we care about cyber security for two reasons. The first is what I might call cybergeddon. We know all about this because Hollywood makes films and programmes about it and some of the more lurid ads from cyber security providers make similar shows. There is a teenager, wearing a green hood, sitting in the dark, with binary in the background in green on a dark wall. He is – always a he – at one and the same time Russian, Chinese, North Korean but also living in the suburban US. He cannot be defeated. The only thing stopping him from shutting down your local hospital’s power supply is that he’s got a short attention span and is distracted by social media.
I jest, but there is something more serious here which constitutes a first order national strategic risk. There are a range of attackers – highly organised and professional, sometimes state sponsored or state tolerated – who pose a first order national security risk. They interfere in elections. They preposition on critical national networks. They disrupt broadcasters in France. They set fire to power stations. And so on. We absolutely have to guard against this. And they are sophisticated so we need, at GCHQ and the NCSC within it, to employ the very best defenders we can find, and I can proudly say we have some of the best in the world.
But most people in the audience today are unlikely to face that type of threat. You are less likely to be affected by one of the most serious attack groups than you are by the bulk of what we call commodity cyber attack. Many of these are preventable. There are so many of them that not all of them are preventable. But those that get through can be managed so they cause less pain.
But too many are getting through. This year’s Cyber Breaches Survey, which many of you will have participated in, revealed that nearly seven out of ten large businesses identified a breach or attack. And, in the first three months after the NCSC was created, the UK was hit by 188 high-level attacks that were important enough to warrant NCSC involvement. Not that many of them were terribly sophisticated though.
But there were many, many other attacks that, whilst they were below the level of national importance, had significant impact on the victim organisation. In many cases these are organisations who are no more equipped to deal with the threat than they are able to afford to have downtime from their business. A real case I know of: £1,500 ransom payment is a lot for a small business of four employees who have to write to all their small customer base cancelling appointments and informing them their data has been compromised by criminals. A near death experience.
One of these attacks is not a strategic national risk. Hundreds of thousands of them constitute a strategic risk to economic prosperity because people will lose confidence in the digital economy. So large scale commodity cyber attack is the second reason Governments care about cyber security and it’s the main threat most people face in their everyday personal and professional lives. What is frustrating – really frustrating – for people like me is that this is defeatable: we can’t reduce all the attacks but we can do things – at Government level, at corporate level and at individual level – to take away most of the harm from most of the people most of the time. There is an ecosystem – a global, dark economy in cyber attack – and it works on return on investment. Make the input costs higher – make it harder to get in and if an attacker does get through, make it harder for them to get anything useful – and you’ll have fewer attacks.
This brings me to today’s theme: defending borders of your business. I hate to attack the premise of the question, but I’m going to have to do it anyway to make the point. It’s not all about borders.
I’ve talked about this subject before in a way I thought made sense. If it’s not already obvious by now, I’m not a techie. I employ some of the best, but my main education was history. So in 2014, at an investment bank sited on a Roman ruin, I gave a complex speech using the analogy for cyber security of the collapse of the Roman empire. Did the greatest Empire ever known collapse because it stopped defending its borders as effectively as it once did, as some historians argued? Or did it atrophy from within as its institutions and internal grip waned? Probably both, and organisations needed to think like this.
Since then I have acquired a new head of office who is tremendously effective and not afraid to be, shall we say, constructively critical. Assertively constructively critical.
“I’ve read that Roman speech online. It’s rubbish, it’s completely incomprehensible and you can’t use it at London Tech Week,” she said. Asked to provide an alternative, she, with a straight face, urged me to dissect the 4-1 massacre of my beloved Manchester United in spring 2009 by Liverpool of all teams, ending a 14 match unbeaten run in spectacular fashion, including the total humiliation of my then favourite player, defender Nemanja Vidic.
I’m not going to go any further with that one either then. And I’m not completely convinced she was making a point about corporate cyber security strategies.
Instead I’m going to talk about a real life example, the TalkTalk case. I have the standing permission of the company’s admirable chief executive, Baroness Dido Harding, to do this. Dido has been commendably open about TalkTalk’s experience in a way that has given anyone who listened real benefit about what it’s like to be in the firing line in a significant cyber attack incident.
The TalkTalk attack was an attack on the perimeter of the network through the SQL injection technique, in effect, for those who don’t know it, taking command of a data entry part of a website like a search function or where you’d type your name on a form, and issuing commands instead. It is a technique pioneered in the last few years – of the last century. It shouldn’t have got through.
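To make the "issuing commands instead" point concrete, here is an added example (not code from the speech, TalkTalk or the NCSC) showing a search function written the vulnerable way beside the same function written with a parameterised query. The database, table and customer rows are constructed for the illustration; the only thing that differs between the two functions is whether the user's text is pasted into the SQL string or handed to the driver as a separate value.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for a website's customer lookup.
    The table, rows and values are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.test"),
            (2, "bob", "bob@example.test"),
            (3, "carol", "carol@example.test"),
        ],
    )
    return conn


def search_vulnerable(conn, name):
    """The pattern the speech describes: user-supplied text is spliced into the
    query string, so the input can change the query's meaning, not just its data."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, name):
    """Parameterised query: the SQL text is fixed and the value travels separately,
    so whatever the user types is compared as a literal string and nothing more."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run the textbook probe through both functions and return the row counts.
    The vulnerable version hands back every customer; the hardened one matches nothing."""
    conn = build_db()
    probe = "' OR '1'='1"  # constructed: the standard classroom illustration of the flaw
    rows_leaked = len(search_vulnerable(conn, probe))
    rows_hardened = len(search_hardened(conn, probe))
    return rows_leaked, rows_hardened


if __name__ == "__main__":
    print(demo())
```

The defensive lesson is the one the speech draws: the fix is decades old and mechanical, so a web application that still builds queries by string concatenation has a process problem rather than a hard technical one.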
But it did and sometimes these things will happen given the scale of attack. So what matters then? The SQL injection onto a fairly obscure part of the company’s web surface area was not an entry point into the command and control infrastructure of the company. But there was an old customer database of about low six figures of customers which dated from the company’s acquisition of Tiscali about six years earlier. So to use the analogy of house crime, the front door was open, most of the most valuable stuff was locked away in a strongly protected safe but there was still something worth taking in the front hallway. Furthermore, and again the company has been commendably open about this, the fact that it didn’t understand the way its systems were structured as well as it now does meant that it took time to understand what had and had not been taken by the attackers; this meant it took longer to reassure the company’s 4 million customers that the vast majority were unaffected by what had happened whereas clearly the company, the customers and the general public would all have preferred earlier reassurance. (As an aside, we bore that lesson closely in mind when the WannaCry ransomware crisis broke last month).
There are some very simple lessons here. Border defence matters. Of course it does. But total border protection of a network is impossible. Internal defences matter too. Noticing anomalies. Understanding how your network is configured.
There’s another example of the limitation of border defences. In one non-UK major incident, which I won’t go into too much detail on, it appears there was a rather sophisticated targeting of a systems administrator by a hostile foreign state. The attacker put a lot of effort into targeting the administrator and got his credentials. That can be hard to defend against but thankfully can’t be done at scale.
Compromising the sysadmin meant the border was breached. So what matters now is what they can do with it. Turns out the attacker could spend virtually a full day copying a gigantic database using vast amounts of computing power and no one noticed. That’s the problem. Defending against sophisticated human targeting is at the hard end of the spectrum. Having some sort of system that sounds an alarm when something as weird as that is going on is not.
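"Some sort of system that sounds an alarm when something as weird as that is going on" can be very simple. The following is an added example, not anything from the incident or the NCSC: it runs over a constructed database audit log of bytes returned per user per hour and flags any hour in which a user pulls far more than their own historical median. The log format, user names and volumes are invented; the threshold multiplier is an assumption you would tune to your own environment.

```python
from collections import defaultdict
from statistics import median

# Constructed audit log, one line per user-hour: "timestamp user bytes_returned".
# dba01 behaves normally for a day and a half, then starts copying a huge table.
LOG = """\
2017-06-01T09:00 dba01 120000
2017-06-01T10:00 dba01 95000
2017-06-01T11:00 dba01 130000
2017-06-01T12:00 dba01 110000
2017-06-01T13:00 dba01 105000
2017-06-01T14:00 dba01 98000
2017-06-02T09:00 dba01 115000
2017-06-02T10:00 dba01 52000000000
2017-06-02T11:00 dba01 48000000000
2017-06-01T09:00 app01 300000
2017-06-01T10:00 app01 310000
2017-06-02T10:00 app01 305000
"""


def parse(log):
    """Turn the constructed log text into (timestamp, user, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        ts, user, nbytes = line.split()
        rows.append((ts, user, int(nbytes)))
    return rows


def baseline_alerts(rows, factor=20, min_history=5):
    """Flag an hour in which a user returns more than `factor` times the median of
    that user's earlier hours. Only un-flagged hours feed the baseline, so one huge
    hour does not raise the median and hide the next. Users with fewer than
    `min_history` hours of history are not judged yet."""
    history = defaultdict(list)
    alerts = []
    for ts, user, nbytes in sorted(rows):  # ISO timestamps sort chronologically
        hist = history[user]
        if len(hist) >= min_history and nbytes > factor * median(hist):
            alerts.append((ts, user, nbytes))
        else:
            hist.append(nbytes)
    return alerts


if __name__ == "__main__":
    for ts, user, nbytes in baseline_alerts(parse(LOG)):
        print(f"ALERT {ts} {user} returned {nbytes} bytes")
```

A per-user median baseline is deliberately crude; its value is that it would have fired within the first hour of the day-long copy the speech describes, which is the gap between "hard to defend against" and "easy to notice".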
And so we end up where we always do. Basic defence is the key.
The Government has recognised this. So we want to do things that only the Government can do or stuff that the market doesn’t really incentivise. Take email spoofing. Most cyber attacks start with an email pretending to be from someone trustworthy. Slightly more sophisticated ones will spoof someone you’re supposed to trust, someone the average person in the street will have a financial relationship with. So in the UK the most spoofed brand has been, for some time, HM Revenue and Customs.
Not anymore. As is now well known, we piloted a bit of code, which we’ve published, telling Internet distribution mechanisms this is how to recognise HMRC emails. If it doesn’t look like this, don’t send it. Send it to us so we can see who is sending it. And HMRC stopped 300 million fake emails last year by doing that. Similarly we’re using a small, brilliantly innovative company to automate requests to hosts to take down infected websites in the UK. The exact measures differ for how long bad stuff is up, but we’re talking about dramatic reductions in the so-called time to die from, on one measure, a day to 45 minutes.
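The speech does not name the mechanism, but "publish what our mail looks like, reject what doesn't match, and send us the reports" is a description of DMARC, a TXT record a domain owner publishes in DNS. The following added example (my code, not HMRC's or the NCSC's published work) shows a constructed record of that shape and the receiver-side decision a mail server makes with it: given the domain in the message's From header and the SPF and DKIM results, it decides whether to deliver or reject and where the aggregate report goes. Domain names and the report address are invented; the relaxed-alignment check approximates the organisational domain as the last two labels, which is a simplification of the real public-suffix logic.

```python
# Constructed DMARC record for an assumed sending domain "example.test":
#   p=reject  -> receivers should refuse mail that fails authentication
#   rua=...   -> "send it to us": address that receives aggregate reports
#   adkim/aspf=r -> relaxed alignment (subdomains of the From domain count)
DMARC_RECORD = (
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; adkim=r; aspf=r"
)


def parse_dmarc(txt):
    """Parse the 'tag=value; tag=value' syntax of a DMARC TXT record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Approximation (assumption): organisational domain = last two labels."""
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode accepts the same organisation."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record_txt, from_domain, spf=None, dkim=None):
    """Receiver-side decision. spf and dkim are (result, authenticated_domain)
    tuples or None. Returns (disposition, report_address)."""
    tags = parse_dmarc(record_txt)
    spf_ok = (
        spf is not None
        and spf[0] == "pass"
        and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    )
    dkim_ok = (
        dkim is not None
        and dkim[0] == "pass"
        and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    )
    if spf_ok or dkim_ok:
        disposition = "deliver"  # "it looks like this"
    else:
        disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    return disposition, tags.get("rua")  # where the "who is sending it" report goes


if __name__ == "__main__":
    print(evaluate(DMARC_RECORD, "tax.example.test", spf=("pass", "mail.example.test")))
    print(evaluate(DMARC_RECORD, "tax.example.test", spf=("pass", "attacker.test")))
```

Read the two printed lines together: genuine mail from the organisation's own relay is delivered, while a message claiming the same From domain but authenticated only for some other domain is rejected, and in both cases the sender learns about it through the report address. Publishing with p=none first and moving to p=reject only once the reports show every legitimate sender is aligned is the usual rollout order.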
And so for companies, some key messages.
First, understand the problem. I hope everything I’ve said so far is easily comprehensible. Companies deal with huge complex problems all the time. All companies, by law, deal with pensions liabilities and other contingent liabilities and personally that sort of risk to me is a lot harder to get my head around than cyber risk. Companies need to take – and are taking – the problem more seriously and I don’t have a massively strong view on how they should organise themselves to do that. What I do have a strong view on is that a strategy that involves hiring a company to make the problem go away without understanding it is doomed.
Second, work out what you care about and protect it accordingly. Like all risk, work out what you can and can’t afford to be compromised. As the information risk owner on GCHQ’s board, in 2014 I was dismayed by a DDoS attack on our website which took it down for a few hours. But in some respects it helped us communicate our strategy. It is a small website of static, basic information about what we do. It is not strategically important in the operational sense and it contains no personal data about anyone. To defend it to the same degree as we defend our state secrets would be an indefensible use of taxpayers’ money. That is risk management in action. Know yourselves, know where your data is right up to the border, and defend accordingly.
Third, learn the basics of how to protect yourselves. There are a whole range of fairly basic protections that can be layered to build up your defences. Understanding the threat environment is important of course. As well as having me do the hand waving scary stuff, our weekly threat reports and other assessments about the threat to business are useful sources that can be readily accessed on our website. Follow us on Twitter, even – we’re more fun than we sound. During WannaCry we sent out three simple messages: keep security software patches up to date, use AV, and back up as you can’t be held to ransom if you’re backed up. They worked. Also, have an incident management plan and know what you would do.
Fourth, prove you can defend yourselves with the basics. Have a look at the Government’s Cyber Essentials scheme and implement it and get the badge if you don’t have it. And when you do have it, tell your customers that you do.
Fifth, collaborate. Share threat data. Join the cyber information sharing partnership we run. Help create a virtuous circle of threat data we can all benefit from. Look at our website. Join the skills schemes. Comment on the advice. If you can afford it, think about putting someone in our Industry 100 scheme where people spend time with us.
Finally, keep thinking about people. Skills and diversity have been mentioned elsewhere in proceedings and on the latter we ran a fantastic competition for 13-15 year old girls earlier this year; more than 8,000 entered and we are helping keep the winners involved in STEM. And think about the less skilled user too. So much nonsense is written about people being the weakest link: everything we’re talking about here is a human invention to be used by humans so let’s stop talking rubbish about how things would be fine if it weren’t for humans. Whatever you do in your organisation needs to work for human beings if it’s to be properly safe.
And keep engaging in this national conversation as we continue this national fightback to help secure the UK’s position as the safest place to live and do business online.