There are two types of risk with which the National Cyber Security Centre, the public-facing arm of GCHQ tasked with making this country “the safest place to live and do business online”, must contend. The first is the kind of attack that makes headlines – a “national-security type of attack”, says Ciaran Martin, explaining that such attacks target “critical national infrastructure, hard infrastructure like electricity systems, and soft infrastructure like the press and the electoral system.” Defending against such attacks, he says, “will always be a critical function of the state.”
But there is another risk that, because it is more amorphous, makes fewer headlines. While a cyber attack on, say, a power station is “strategically significant in and of itself,” says Martin, “attacks on individual businesses and small business normally aren’t. But when you add them all up, the cumulative effect is of a significant and potentially very serious national challenge.”
It does not follow, in this case, that small crime is necessarily less serious. Because malware can be endlessly duplicated at no cost to the attacker, a single program could affect a large proportion of the 5.7m SMEs that employ 60 per cent of Britain’s workforce. Even a small proportion could affect the wider market, says Martin. “If ordinary citizens are getting letters all the time saying, ‘as required by law… your personal data has been breached’, then there’s a risk that people could lose confidence in the digital economy. Cumulatively, I think there is a significant, national-level risk from the aggregation of low-sophistication but very high-volume cyber crime.”
Nor is smaller crime easier to defend against. In fact, Martin says it’s actually “harder to organise ourselves as a country to defend against this sort of thing. It’s easy, conceptually, to organise ourselves to defend the state. It’s hard to do operationally, but conceptually it’s just, we’ve got some adversaries out there, let’s contest the space. This is much more difficult. This is about how you get a level of security that’s good enough, that means that most digital services are safe enough, without imposing onerous costs that smaller businesses can’t afford.”
With pervasive, low-level cyber crime, it’s important to recognise that most cyber criminals are themselves in business, often in a fairly small way. It is, says Martin, “fundamentally about return on investment.” To send out large numbers of unsophisticated “phishing” attacks, he says, “carries very low costs. If organisations or individual networks are weakly defended, and the attacker gets in and can gain some advantage, that’s going to be a successful route of attack for them. They’ll keep coming back, and will be encouraged to attack similar targets in the UK. If, on the other hand, you make it that little bit harder – they might go somewhere else, frankly.”
While sole traders and microbusinesses are at risk from indiscriminate viruses and ransomware – especially as their equipment is often older and less likely to be updated – larger businesses represent a more profitable target for direct attacks. Martin says he “wouldn’t rule out a household name going out of business” in the near future due to “the desertion of customer confidence that might ensue” from a major cyber attack.
It’s for this reason that the NCSC has released a “board toolkit” for businesses, in the form of five intelligible questions board members can ask their heads of information security. Martin sees no reason why board members can’t get “a little bit technical” in these discussions. “Most companies will have extremely technical discussions about the implications of their pension liabilities,” he notes. “They all seem fluent and conversant in that type of risk.”
At the same time, Martin says the NCSC is “not asking anybody to be able to code. I am asking people to be able to leave the board meeting, confident that they’ve understood what they’ve heard.”
Simply hiring a chief information security officer and giving them a seat on the board, says Martin, “doesn’t take care of the problem. It’s what this person does and the support they have from the rest of the corporate leadership – which entirely depends on how much the corporate leadership understands what this person is talking about.”
The five questions are intended to provoke “plain English” discussions about cyber-hygiene subjects such as phishing, authentication and access to privileged accounts, but they also cover management subjects that board members should be familiar with, such as relationships and contracts.
These are issues where good decision-making is crucial. For example, organisations in both the private and public sectors are often locked into contracts, he explains, that limit them to a certain number of updates per year. “But with vendors offering patches all the time, we have heard of organisations using up all their requests for change by the end of January. It costs money to change these contracts. So then the board-level discussion you have to have is, for the remaining 11 months, what is the sensible risk balance? Should we buy ourselves out of this contract and take the hit, or should we let it run, and run at risk until we renegotiate? Those are the business decisions we’re trying to equip people to take.”
For businesses in the UK to make sensible decisions about cyber threats, however, they do at least need to be aware of those threats. Last month, it was reported that GCHQ and the Ministry of Defence were developing a 2,000-strong “offensive cyber force”. This is a point of concern for some in the business community, because the tools developed by organisations such as GCHQ in pursuit of national security can directly affect civilian software and services.
Martin responds that the issue is “way more complicated than that, and there are very robust mechanisms for overseeing it. I’m not in charge of offensive cyber capabilities… but, for example, there are technologies out there which are very specialist, sold on the criminal market, that are used exclusively by child pornographers. Now, if we find a flaw in that, is it really against the national interest to withhold knowledge of that, and not fix it?”
No-one could reasonably object to the state cracking software used by paedophiles to mask their crimes. But in at least one case, security services may have developed a tool that threatened the operating systems of more than 80 per cent of the world’s desktop computers.
Last year, current and former agents of the US National Security Agency (NSA) told the Washington Post that in 2012 they found a weakness in Microsoft’s code, in the Windows implementation of the SMBv1 file-sharing protocol, that allowed them to access older Windows systems, used by hundreds of millions of computers worldwide. Rather than telling Microsoft, the NSA continued to use the exploit it had built for the flaw, which it called EternalBlue, for more than five years. Microsoft did not release a patch for the vulnerability (security bulletin MS17-010) until March 2017. Two months later, with huge numbers of PCs still unpatched, a piece of malware called WannaCry used the exploit to spread from machine to machine, infecting more than 200,000 in a single day. In the NHS, an estimated 70,000 devices were affected, including equipment used in surgery and blood storage. Production at the UK’s largest car factory came to a halt.
The UK-USA agreement, which originates from the end of WW2, commits the NSA and GCHQ “to the exchange of the products” of surveillance, including “acquisition of information regarding communications organisations, procedures, practices and equipment.” This has led the Open Rights Group, among others, to infer that GCHQ knew about EternalBlue. Neither security agency has confirmed or denied the accusations, but after the attack Michael S Rogers, then the director of the NSA, told President Obama that the NSA “failed to build an environment that protected these extraordinary secrets”. Can the security services develop these “extraordinary capabilities” without endangering businesses and the public?
“We would never”, responds Martin, “leave UK business and the UK population wide open to attack like that. Our job is to protect the UK; that’s not the sort of thing we do.” The final element in the cyber security of the UK’s businesses is the consumers that buy the products of those businesses. Martin says the NCSC is “trying, with DCMS, to do more to enable consumers, whether they’re individuals or corporate consumers, to make choices based on evidence about the standards of security.” One planned result will be “the equivalent of food packaging for internet of things devices. I think that’s a really good idea. At the moment, in many areas, it’s hard to differentiate on security as a consumer.” Intel has forecast that internet-connected devices will soon outnumber humans by more than 20 to one; with such a huge market emerging, perhaps the best way to ensure businesses build security into this new world of “smart objects” is by harnessing the power of consumer behaviour.
For businesses of any size that find themselves compromised or under attack, Martin says the single greatest mistake they can make is to attempt to cover it up. “In nearly five years as the head of operational cyber security for the UK, I’ve never seen an organisation benefit by being secretive, by closing ranks when they’re faced with a cyber security problem, not contacting the authorities for help, or refusing help. I’ve never seen it end better.”
And he reiterates that NCSC was established to help. Business, he says, “needs and deserves support from the government on this issue.”