
Dido Harding: "The first ransom demand was not a good moment"

TalkTalk's Dido Harding speaks candidly to Will Dunn about how she managed every CEO’s nightmare: a cyber attack that compromised 157,000 customer accounts

The hack may have begun weeks or months before – it is still subject to a criminal investigation – but the first telltale warning emerged on the morning of 21 October last year, when TalkTalk’s engineers noticed a latency in the company’s sales and service site. While this is not a rare occurrence, it can be an expensive one.

“A priority-one technical incident,” Harding explains, “because customers couldn’t access the website fast enough. I saw that had happened, mid-morning. Often when websites start running slowly, it’s because they’re under some form of attack.”

Harding returned from a lunch meeting to find the problem ongoing and becoming more serious. “Our escalation process is to immediately put the executive committee together if there’s something very serious. On that call, the team talked us through that there was indeed a live attack and that, at that stage, we believed that the attackers had breached through one defence into an online database.”

It was during this meeting that the true scale of the hack became evident – not from TalkTalk’s security team, but from the hackers themselves. Harding recalls: “Roughly three or four minutes into that call – I was sitting in a meeting room in Farringdon [in central London] – I received the first ransom demand from someone purporting to be the hacker.

“That,” she adds, “was not a good moment. It’s not a normal thing to receive a ransom demand in your inbox. I felt physically sick.”

Due to the ongoing criminal investigation, Harding can’t go into detail about the contents of that email, but she says that “it was very clear that it was credible”. For the chief executive of a national telecoms company with four million customers, there was an immediate necessity: “I asked my security director to get hold of GCHQ, straight away.”

A foreign land

“At that point,” says Harding, “we immediately went into serious incident management. It was very quick; we flipped from a normal business objective to ‘hold on, this is a proper crisis’. That’s a very different prism through which to run your organisation.

“I’ve had 20 years, 25 years of running business. I’ve been well trained by a number of amazing organisations and I’ve got a lot of implicit, subconscious pattern recognition on how to make business decisions. But what we discovered in the cyber attack, from that moment of getting the ransom demand onwards, was that none of us had been prepared to live in this world of spooks. We very quickly started to do what we normally did – to rely on gut instinct – until we realised that our gut instincts were based on having watched Spooks and James Bond.

“You can’t rely on your intuition and your instincts if you don’t have years of pattern recognition, if you haven’t lived in that world before. We had to very quickly rely more on data and evidence, and listen more to the experts from the different security services.

“Likewise, we’d had a long-standing relationship with BAE Systems, who ran our security operations centre, and I was on the phone to multiple board directors – including the chairman – of BAE, asking their advice, because of course they do live in that world. In that sense we knew very quickly that we were in a foreign land.”

One of the defining characteristics of a major cyber attack is uncertainty. “If somebody breaks into your shop,” Harding explains, “you know who it is. If a foreign army has just invaded your shop, it’s pretty visible, and if it’s a local gang, it’s pretty visible. In a cyber attack, in the initial period of knowing you’ve been attacked but not knowing what’s been taken or who’s done the taking, you really genuinely don’t know if you’re in the territory of a state actor – a foreign state – or one individual acting maliciously from inside the business, or a few people from outside. You just don’t know. That makes it terrifying, in the heat of the moment.”

What’s missing?

As the day progressed, GCHQ put the TalkTalk team in touch with the right people at the National Crime Agency and the police. Harding continues: “That afternoon, the case was passed to the Met police, who immediately kicked off their investigation. We’d already taken the decision to bring down all of our systems, which is the safest way to act to protect your customers’ data, so the urgent thing for us, that afternoon, was to work out what might have been stolen.”

As evening drew in, this became a global effort. “We used, that first night, a team from BAE based in the US, so you’re trying to use the time zones in your favour to get analysts and computer programmers immediately mobilised to start looking through lines of code to see what’s happened. [The aim is] that overnight you get to a place where, first thing in the morning, you can have a view of what’s actually been taken.

“I probably slept quite easily on that Wednesday night,” Harding recalls. “I didn’t quite know what was ahead of me. I knew that there was an issue. I knew we had all the right people working on it. I’d had great advice from the law enforcement agencies on what to do, and I was expecting that someone would give me, first thing in the morning, quite a black and white view of what had been stolen and what hadn’t. What I now know is that that was a very naive hope.”

Going public

The following morning brought no such certainty. “At 8am on the Thursday, we had another incident call with the executive leadership team, and they took us through what they knew. What they told us was that it was going to take quite a long time to figure out which customers had been affected and what data had been stolen.”

Harding and her team now faced a difficult decision: try to solve the problem quietly, or go public. “That was the biggest decision we took – if we had chosen not to warn our customers that day, but instead had waited two weeks and said 157,000 customers had been affected – it wouldn’t have been news. The actual number affected was quite small. What was different was that we thought we could protect our customers, at that moment in time, by warning all of them.”

The decision to go public was partly informed by TalkTalk’s knowledge of its customers. “What we suspected then, and we know in spades now, is that having somebody steal your bank account details, in and of itself, isn’t dangerous. The problem is that the criminals then use that data to prey on the most vulnerable in society. That’s not just happening to TalkTalk customers – it’s happening in the UK and globally. The concern we had is that we serve a lot of those most vulnerable groups in society. We’re a value provider – a lot of people getting a broadband connection for the very first time get it from us – and we worried that they would be the most easily conned by these criminals pretending to be TalkTalk.”

Does Harding believe other companies have kept their own data breaches quiet, and avoided the headlines that have plagued TalkTalk for the past year? “I don’t know for sure, but I think so. The awful truth is that the actual data isn’t very valuable on the dark web any more. What is valuable is people being afraid of their brand reputations. So I think this is quite a popular crime, and it’s one of the reasons we think it ought to be mandatory for businesses that experience a successful cyber attack to have to tell not just the Information Commissioner’s Office, but to tell their customers. Not least because it’s actually the only way to give people the confidence to trade online.

“It never used to be mandatory to report health and safety incidents on oil rigs, until after the Piper Alpha disaster. Once it was mandatory to report it, health and safety got a lot better. Once it becomes mandatory to report that you’ve had data stolen, blackmailing you is a waste of time. Blackmailing you to keep quiet – you can’t, because you’ve got a legal obligation to tell everyone.”

While the security team continued to search for answers, Harding focused her other teams on providing TalkTalk’s customers with information. But not everyone was eager to tell the press: “When we talked to the police around lunchtime, they were really adamant that they didn’t want us to go public. We ended up having a long conference call with the Metropolitan police’s hostage negotiation team, where we felt like we were almost from scratch trying to work through whether or not you should treat a digital ransom demand in the same way that you would a physical one.

“[The police] were incredibly professional and always very supportive, but in the end, their objective is to catch the bad guys. Our objective was to protect our customers. If I could change anything, I would have gone out at lunchtime or mid-afternoon in a much more measured way. It would have been better for our customers if there had been a more ordered communication through that Thursday afternoon.

“I’ve heard other CEOs since – with me in the room – say that it’s important not to go too soon and to wait until you know the scale. I couldn’t disagree more. If you can protect your customers by warning them of a potential threat, then you should do it.”

The recovery plan

Harding spent the Thursday evening appearing on news outlets. First thing on the Friday morning she was interrogated by “a very grumpy John Humphrys”. In between media appearances, she began planning TalkTalk’s recovery.

“I was setting up the operation of the company to be able to run what became, for several months, the most important thing that the business was doing. I pulled out my group change director on the Thursday night and made him the programme director for the recovery from the cyber attack, and I asked him to mobilise all his best programme managers and project managers, to assign them to workstreams.

“So we had a workstream to work out what data had been stolen, how they got in. We had a workstream for communicating with customers and managing customer contact. There was a big workstream dealing with all the big law enforcement agencies, which we called the ‘cops and robbers’ workstream – jokingly. You need to have a sense of humour to survive these situations.”

A powerful lesson

As the weekend arrived, one of the main priorities was to reassure four million anxious customers. “We started polling our customers, that first weekend, running statistically significant consumer research to understand how they felt about what was going on.

“We tracked whether or not the messages were getting through, and whether or not we were building trust in what we did. What we saw, throughout the first three weeks, was that the more communication we engaged in, the more customers thought we were looking after them. Absolutely contrary to what a lot of commentators at the time were saying, we were using customer insight to drive how we supported our customers. It was such a powerful lesson for the whole company, that if you ask your customers what they think and act on what they tell you, things work out OK.”

Have they worked out OK, then? Is TalkTalk back in control? “That might still be a work in progress,” Harding says. “On the Sunday night after the attack, I scribbled down one slide to present to my board, with three phases: one to two weeks to be off the front pages of the papers and to get the call centres under control. Then we said we were going to take until Christmas to stabilise the business, and a further three months reviewing what this meant for the strategy of the business. That is exactly what we did.”

Harding’s advice for others in this situation is to get involved. “The temptation is to assume that if you’re not an engineer – and I’m not – you don’t really understand this stuff enough to know the risks you’re taking. Businesses and leaders want to ask the question ‘Are we safe now?’, and that is entirely the wrong question to ask, because the only answer you can give is no. No organisation is going to be completely safe from cyber attack.

“You need to ask what risks you’re taking today by trading online, and what risks would you mitigate if you did more, and what risks would grow if you did less. You don’t need a PhD in electronics to do that. So the biggest piece of advice I give to people now is to stop asking ‘Are we safe now?’, and instead get your engineers and technologists to tell you what business risks you’re exposed to, based on where your security programme is today.

“You’ll find they find it incredibly difficult to answer the question, and the more you push them, the more you will realise you don’t need a computer science degree to understand the answer. And then you are taking business decisions while knowing the risks.”

Will Dunn is the New Statesman's Special Projects Editor. 


China’s strategy to become the world’s strongest cyber power

Nigel Inkster, former operations and intelligence director of MI6, analyses China’s efforts to impose order on its vast online community.

When just over two years ago I began researching a book on China’s cyber power, mainstream western media were full of stories about China’s alleged programme of state-sponsored cyber industrial espionage directed against US and other western corporations. Following an agreement between Presidents Xi Jinping and Barack Obama in December 2015 that “neither the US nor the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage”, that story dropped out of the headlines. But the importance of China as a cyber power has not diminished, and understanding China’s capabilities and objectives in the cyber domain has become a key element in understanding its global strategic objectives. It is also an important prism through which to understand China’s long struggle to achieve modernisation whilst retaining its cultural and political self-esteem.

China came out of the Cultural Revolution in a state of economic and technological backwardness that demanded urgent attention. Its new leadership was seized of the important role modern ICT would play. Although the internet did not become accessible to ordinary Chinese citizens until 1996, the subsequent take-up has been dramatic. China has over 700 million “netizens”, the majority of whom access online service through smartphones. In 2015, the total value of online sales was $581bn, making China the world’s largest digital marketplace. The Chinese government has ambitious plans to switch from an export-dominated economic model to one based on domestic consumption; and to move up the value chain to break free of a middle-income trap. A key enabler will be an Internet Plus strategy that aims to integrate the real-world and digital economies.

In pursuing this, China’s government had to confront two vulnerabilities. The first is the potential of the internet to serve as a vector for subversive influences that challenge the Communist Party’s legitimacy. The second is a high level of dependence on western – largely US – technologies and software, seen as a security threat. From the outset China’s authorities sought to control online content through a combination of firewalls to filter externally generated content, regulation of service providers and censorship; the latter becoming ever more technologically enabled but still reliant on large numbers of censors and pro-government activists who promote and defend official views on social media sites such as Weibo.  

The result has been a cat-and-mouse game in which China’s netizens have sought to bypass censorship by relying on the infinite capacity of the Chinese language to generate homonyms for terms which are banned, giving rise to a rich lexicography of online dissidence. But it is a game the authorities are winning thanks to technology dominance and the huge manpower resources devoted to an issue seen by the leadership as existential. This is not to say that the Chinese internet is characterised by an atmosphere of sterile ideological conformity; in many respects it is more vibrant and anarchic than its western equivalent and has been used to good effect by its citizenry to hold officialdom to account. But first under Hu Jintao and ever more under Xi Jinping a climate of greater political and cultural conformity has led to popular bloggers – so-called Big Vs – being shut down. And China is unapologetic about asserting an approach to the internet based on the concept of cyber sovereignty, in effect its right to determine what its citizenry can access.

Meanwhile, China is pursuing a policy of indigenous innovation to reduce dependence on western technologies. Dependence on western ICT is such that when in 2014 Microsoft announced that it would cease supporting Windows XP it subsequently had to make an exception for China, such was its reliance on that system. That dependence will take time to erode. But there is a growing number of indigenous Chinese software companies, Chinese smartphones and other devices are increasingly competitive with western equivalents and Chinese entrepreneurs have shown considerable ingenuity in developing and marketing a range of online services. As the Chinese state seeks to impose greater order on what to date has been an anarchic and insecure Chinese cyber environment, new laws have imposed greater demands on western companies such as the provision of source code. China is seeking to leapfrog the west in key areas of ICT including artificial intelligence (AI), quantum encryption and quantum computing. And the Chinese government is facilitating the purchase by Chinese companies of western technology start-ups. In 2014, $22bn had been spent on such deals, which have significant medium-term implications for the competitiveness of advanced industrial economies including the UK, France and Germany.

The global outlook of China’s leadership is dominated by the so-called Century of Humiliation covering the period from the mid-19th century up to the founding of the People’s Republic in 1949 during which China was virtually colonised by the west. The determination not to repeat this experience has translated into a transformation of China’s defence posture from a land-based, low-tech, mass-mobilisation force to one that is increasingly based on a capacity for naval force projection with a view to securing China’s supply lines and protecting its growing range of overseas interests. Digitisation is seen as critical for China’s efforts to develop armed forces on a par with its only real comparator, the United States. This is exemplified by an ambitious reorganisation at the end of 2015 which led to the creation of a new Strategic Support Force that combines signals intelligence, electronic warfare and information warfare capabilities within a single organisation that also has responsibilities for space-based activities. After a long period of coyness PLA officers now talk openly of China developing offensive cyber capabilities albeit at a “moderate rate” and in response to the activities of states such as the US.

This posture also translates into a more assertive foreign policy, no longer merely concerned as until recently with ensuring peace and stability to permit economic development. China probably does not aspire to replace the US as, in their words, “global hegemony”. But it does wish to move from a global governance system dominated by the US and its allies to a world that is multi-polar and which respects different political and cultural systems. And to transition to a “new security concept” which, while broadly respectful of international institutions like the United Nations, also subordinates customary international law to the interests of major powers. Here too the cyber domain plays a major role, with China championing its vision of a global cyber governance and security order where the USA is no longer predominant. This vision enjoys some support in the developing world, not least due to the activities of national champions such as Huawei and ZTE who are building and operating core backbone IT infrastructure systems in countries that would otherwise remain on the wrong side of the digital divide.

To revert to cyber espionage, it is now clear that US threats of financial sanctions against Chinese companies deemed to have benefited from the theft of US intellectual property (IP) persuaded China’s leaders that this particular game was no longer worth the candle. The “noisy” reduplicative exploits that characterised so many cyber-attacks emanating from China are now much less in evidence. But cyber capabilities have become a major enabler of Chinese statecraft and are inter alia reducing the space within which overseas-based opponents of the regime can operate. For better or worse China is transitioning from becoming a large cyber power to a strong cyber power and can be expected to play an increasingly prominent role in this space.

The west will have to get used to living in a world in which it no longer enjoys the unquestioned technology dominance to which it has long been accustomed.