On 13 December 2020, the White House confirmed reports that the US treasury and commerce departments had fallen victim to a major cyber espionage campaign. Orchestrated by hackers thought to be working on behalf of Russia, the campaign stunned the US intelligence community. But for Lindy Cameron, the new chief executive of the National Cyber Security Centre (NCSC), the incident was just the latest in a series of geopolitical crises she had witnessed as a senior civil servant.
“I had quite an amusing conversation with Jeremy [Fleming],” says Cameron, referring to the GCHQ intelligence chief she reports to. “I had to remind him that the bread and butter of what I’ve done for 20 years has been managing crises and conflicts. So, in some ways, a rapid-onset, complex, international crisis allowed me to work out how to apply my skill set to the new organisation.”
Cameron applied to become NCSC’s second chief executive last summer. “I’ve known Jeremy for a while and he called me up to ask me if I was interested,” Cameron tells Spotlight during a recent interview at NCSC’s headquarters in central London. “We had a really great conversation about how the skill set that I had – which was effectively about convening across Whitehall and being able to communicate a set of tricky issues really effectively – would work in this space.”
While Cameron notes that she is still working with many of the same people in the national security community she has “grown up with”, she likes “doing new and different things. I get bored easily and I like to stretch myself.” That she was succeeding Ciaran Martin, the first CEO of NCSC, also appealed: “I like taking over from people who have done a brilliant job.”
Cameron’s first year as Britain’s most senior cyber official has coincided with an extraordinary era in national security. Less than a month after the Russian attack on the US government came to light, it emerged that China was exploiting vulnerabilities in Microsoft Exchange email servers in what became an even larger crisis. Five months later, cyber extortionists believed to be operating out of Russia triggered the shutdown of one of the most critical parts of US energy infrastructure: the Colonial Pipeline responsible for transporting millions of barrels of fuel between Texas and New York each day.
The pipeline attack “parachuted” cyber security onto the agenda of the G7 meeting in Cornwall in June, says Cameron. “Of all the many things Ciaran left me, what he didn’t leave me was the expectation that we would be right at that level on the agenda of a very high-level political meeting less than a year later.” The real question now, she says, is how to take advantage of that moment of opportunity. “World leaders understand that cyber security is a really big issue for the future, both in technological terms but also in operational risk terms,” she explains.
During the G7 meeting, leaders issued a communique calling on Russia to “hold to account those within its borders who conduct ransomware attacks” and “abuse virtual currency to launder ransoms, and other cybercrimes”. Cameron says the meeting has led to closer international cooperation on how best to tackle the “complex system that is the ransomware criminal network”.
In February, Cameron’s predecessor, the aforementioned Ciaran Martin, called on governments to consider banning insurers from subsidising their clients’ ransom payments. “I see this as so avoidable,” Martin said. “At the moment, companies have incentives to pay ransoms, to make sure this all goes away. You have to look seriously about changing the law on insurance and banning these payments, or at the very least having a major consultation with the industry.”
Does Cameron agree? “The government’s got a really strong position on this that people shouldn’t be paying,” she says. “I can understand that there are specific contexts in which, more actually from a law enforcement perspective, sometimes you don’t want it to be absolutely binary. I just think we need to make it much easier for people to feel like that’s not the choice.”
Cameron believes that because the cyber insurance market is still relatively new, providers are not yet at a point where they incentivise prevention rather than payment. “I think about it a bit like the car insurance market,” she explains. “When I was 17, it was quite cheap to insure myself with a learner driving permit. It’s definitely not that cheap for my godchildren to do it these days.” Cameron would really like insurers to be “incentivising businesses to be demonstrating that they’re not a risky proposition”. This is because, in her opinion, businesses have done a “fantastic job with their own cyber resilience”, and therefore, she adds, “they’re a very good insurable risk”.
Over the coming weeks, the government is expected to publish an updated national cyber strategy. Cameron is keen that the remit of NCSC, which is now five years old, is clearly articulated. “It does require us to slightly more carefully redefine what’s the thing that we need to do and only we do or that we always do,” she says. “I’m definitely not on a mission to be expansionist. If I was, this organisation would be ten times the size.”
As the government seeks to transform the UK into a “science and technology superpower”, one role NCSC will increasingly play is as an advisor – drawing on GCHQ intelligence – on the threats posed by emerging fields of technology.
“We’re the base of the cybersecurity apparatus that really understands in depth the insight we get from secret intelligence,” says Cameron. She notes that NCSC also has “some of the most incredible technologists in government” and that when their analysis is combined with secret intelligence, it provides unrivalled insights. “I think it’s a real responsibility for us to be able to use that really strategically, really long term, to ask ourselves the questions that my successor in 10 years’ time will be really grateful that Ian Levy [NCSC’s technical director] was thinking about today.”
If the UK is to prepare for the future, ministers and civil servants need to be “driven by a real understanding of what that 20-year vision looks like, not just a single political cycle”, says Cameron. “We have a real responsibility to be doing the stuff that is the very long-term understanding of trends and technology, both in terms of intent and in terms of capability, in a way that means that we are helping to proof the UK against future cyber security threats.”