As the government’s most senior cyber security expert, Ian Levy always has a heavy workload. But 2020 has been unusually busy, even by his standards.
As the technical director of the National Cyber Security Centre (NCSC), the daunting list of tasks to have faced Levy over the course of the year includes overseeing the security appraisal that led No 10 to ban Huawei, protecting the NHS, vaccinologists and government networks from hackers, and devising systems to help businesses and consumers safely and securely navigate a period of unprecedented digital upheaval.
Following the publication of the NCSC’s annual review last month, we spoke to Levy about his work and how the pandemic has shifted the security landscape. The interview has been edited for clarity and length.
Spotlight: Your report noted a sharp increase in ransomware attacks this year. Why has that form of malware taken off in such a big way in 2020?
Ian Levy: I wouldn’t necessarily look at ransomware as a type of malware. It’s a business people are in, and a piece of malware is a part of that. It’s certainly evolved over the last couple of years. It used to be that people would throw out malware and if people looked like they could pay for it, they’d go and ransom them.
That seems to have changed quite considerably, and it seems to have become much more targeted. People are going after particular organisations – spending lots of effort to get in there, understand what the crown jewels are, deploy stuff in a very stealthy way, make sure they can exfiltrate – so they breach data as well as ransom it, and so on.
The short answer is because that’s where there’s money. It’s developed into a proper business now and that’s the way we’re going to have to go after it.
S: Has the pandemic and the rise of remote working also made people more susceptible to ransomware?
IL: I don’t think we’ve got the data to show that to be a causal thing, but certainly we see lots of different threat actors using the pandemic as a lure for their attacks, whether that’s someone sending out hundreds of millions of emails to citizens saying, “pay here for your test”, or it’s a very direct hit against specific people in specific organisations to achieve something. It could be intelligence, it could be ransomware, it could be anything.
S: What work have you done to assist government departments and major businesses in transitioning to remote working?
IL: We’ve published a whole bunch of guidance on the website which helps individuals and organisations of all sizes to understand the different sorts of threats and risks they can be exposed to through this. There’s design guidance, there’s understanding about threats, and we’re sharing lots of threat information directly with organisations so that people can defend themselves better.
For the public sector and the health service, our protective DNS service filters [out attacks]. We put all the information we know about that DNS server on to it so that they can be protected. A couple of weeks ago, we completed the entirety of the health and social care network onto that service. They are now all under its protection.
S: Tangentially related to that is the work you’ve been doing to protect British vaccine research. Are you able to talk about how you’ve sought to protect vaccinologists at Oxford University, Imperial College London, and some of the other places where this research has taken place?
IL: The type of service we provide to a public sector organisation is different to somewhere like a university. A university has its own infrastructure and they can manage that perfectly well themselves. It’s about us giving them better advice, better guidance, better data. But also making sure they are on our list of organisations to care about. So if we watch a particular threat actor, and we see [researchers] being targeted, we can use them to go and talk to them and say: “We need you to do these things because we can see an attacker preparing to do something or another.” That obviously doesn’t scale very well. It’s very, very resource intensive.
The vaccine taskforce directs our work on this. They tell us who they want us to put that resource against. But what we’re doing is trying our best to make sure that the vaccine research remains integral and confidential and all the other things it needs to be, but more importantly that the testing is integral. So the test results are absolutely authentic and haven’t been messed about with.
S: What are you actually looking for?
IL: It’s a bit of a cartoon. If you’re looking at communications and how people attack systems, they have to send some packets to those systems. Those packets have to go over networks and they have particular characteristics. If we happen to see one of those, that will alert us that something might be going on.
Similarly, if you know that particular infrastructure is used, some of those indicators of compromise might be, “oh they’re using this particular IP address”. If you then see a connection from that IP address you know it’s likely to be related to an attack. So it’s those sorts of things, it’s using the knowledge and intelligence they have and turning them into actionable things that either organisations can do themselves or we can do on behalf of those organisations.
S: There have been reports of GCHQ (NCSC’s parent agency) targeting cyber attacks at state-sponsored anti-vaccine campaigns, and of a new cyber force. Would NCSC or GCHQ take offensive action against one of the groups seeking to target the researchers?
IL: Any sort of response, whatever that response is, needs to be part of a campaign and needs to be a government response. NCSC wouldn’t do something unilaterally. It would need to be part of a government response. Obviously, any use of any offensive cyber capability has to go through very strict oversight and authorisation regimes. And that’s a government-wide thing. The offensive cyber capability that has been talked about is a tool and toolbox to be used as the government sees fit, under the appropriate authorisation and oversight regimes.
S: I guess you can’t tell me then whether offensive action has been taken…
IL: Correct. Sorry!
S: Have you seen attacks on researchers take place in recent weeks? Has the pattern of these attacks changed over the course of the year?
IL: We’ve talked about some of the nation state-sponsored attacks that we’ve seen against vaccine research. It’s reasonable to say that vaccine research is among the most valuable intellectual property in the world. So you would imagine a bunch of people being interested in it. Our job is to make sure their job is as hard as it can be while still allowing those organisations [to do what] they have to do… You could put security in place that is not quite impenetrable – because nothing is ever impenetrable – but it would mean those organisations could not do their work. So there’s always a balance to be had here.
S: Are you confident that no British IP has been breached?
IL: I’m not going to answer that one I’m afraid… You can’t prove a negative.
S: The Trump administration imposed tough restrictions earlier this year on Huawei’s use of American chip technology. The NCSC said this would make it significantly harder to reliably test Huawei’s telecoms kit and you advised the government you could no longer manage the associated security risks, triggering a seven-year phase-out. With Joe Biden having won the presidential election, there has been speculation that the US restrictions might be eased, although this is still uncertain. If Huawei’s old supply chain was restored under a Biden presidency, would you change your guidance?
IL: No, and we’ve said so publicly. The Chinese state as a sovereign country is never going to be dependent on one of its main strategic allies ever again. Regardless of what the US does over the next couple of years, the Chinese are now on a course of building sovereign capability. Whether it’s this year, next year, five years’ time, it doesn’t matter, the same risk accrues.
Remember when you’re talking about critical infrastructure, you’re often talking about 15-year life. If you’re talking about when the risk actually starts and when it accrues, it doesn’t really matter. Certainly in all of the different situations we’ve gamed out, we can’t see us changing our advice.
This article originally appeared in a Spotlight report on cyber security.