The head of the National Cyber Security Centre has given his first major speech ahead of the NCSC launch in October. Ciaran Martin set out the goals for his department at the 7th Annual Billington CyberSecurity Summit in Washington. Many will question why he chose that forum for such an important speech rather than the UK.
Security experts will pick over what he said for some time. His speech was a mix of big promises of a kind that has not been shown to work anywhere else in the world. Among those promises are actively blocking websites that distribute malware and screening web addresses to filter out harmful traffic. This is the type of action that companies will welcome, but there is a catch. The system relies on the cooperation of the Internet backbone. This includes hosting companies, registrars and, additionally, the telcos, who will be expected to help screen traffic.
Blocking malware at source
Martin called out the success in blocking sites distributing malware. This is great news but again comes with risks. There are not enough unique Internet Protocol version 4 (IPv4) addresses for every site to have its own. Many people who buy low-cost hosting share their public IP address with other customers. The Internet Service Providers (ISPs) then redirect traffic internally to each site. Simply blocking the addresses from which malware appears will therefore take a lot of innocent customers offline as well. Telling a company it is offline as collateral damage will result in lawsuits and ISPs facing claims for damages. This is why ISPs must be part of the solution.
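The shared-hosting problem is easy to show in code. The following is an added example, not part of the original article and not code from the NCSC or any ISP: it models a handful of sites behind shared IPv4 addresses using a constructed hosting table (the `.example` hostnames and 203.0.113.0/24 addresses are documentation values, not real sites) and compares an address-level block-list with one keyed on the hostname that a Host header or TLS SNI filter would see.

```python
"""Why blocking by IPv4 address over-blocks on shared hosting.

Added example for this article, not the NCSC's or any ISP's code. The
hosting table and hostnames are constructed sample data, not real sites.
"""

# Constructed: every hostname that answers on each shared public IPv4 address.
HOSTING_TABLE = {
    "203.0.113.10": ["shop.example", "blog.example", "evil-dropper.example"],
    "203.0.113.11": ["bank.example"],
    "203.0.113.12": ["payloads.example", "news.example", "club.example"],
}

# Constructed: hostnames observed distributing malware.
MALWARE_HOSTS = {"evil-dropper.example", "payloads.example"}


def ip_of(hostname, table=HOSTING_TABLE):
    """Reverse lookup: which shared address a hostname lives on (None if unknown)."""
    for ip, hosts in table.items():
        if hostname in hosts:
            return ip
    return None


def block_by_ip(malware_hosts, table=HOSTING_TABLE):
    """Block-list built from addresses only.

    Returns (blocked_ips, collateral_hosts): collateral_hosts are innocent
    sites taken offline purely because they share an address with a bad one.
    """
    blocked_ips = {ip_of(h, table) for h in malware_hosts} - {None}
    collateral = {
        h for ip in blocked_ips for h in table[ip] if h not in malware_hosts
    }
    return blocked_ips, collateral


def block_by_hostname(malware_hosts, table=HOSTING_TABLE):
    """Block-list keyed on hostname, which is what a filter that can see the
    HTTP Host header or the TLS SNI field matches on.

    Returns (blocked_hosts, collateral_hosts); the collateral set is empty by
    construction because the decision never touches the shared address.
    """
    blocked = {h for h in malware_hosts if ip_of(h, table) is not None}
    return blocked, set()


def is_blocked(ip, hostname, mode, malware_hosts=MALWARE_HOSTS, table=HOSTING_TABLE):
    """Filter decision for a single request in either mode ('ip' or 'hostname')."""
    if mode == "ip":
        return ip in block_by_ip(malware_hosts, table)[0]
    if mode == "hostname":
        return hostname in block_by_hostname(malware_hosts, table)[0]
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    ips, collateral = block_by_ip(MALWARE_HOSTS)
    print(f"IP block-list {sorted(ips)} also takes down {sorted(collateral)}")
    hosts, collateral = block_by_hostname(MALWARE_HOSTS)
    print(f"hostname block-list {sorted(hosts)} collateral: {sorted(collateral)}")
    # An innocent shop sharing an address with a malware host:
    print("shop.example blocked by IP filter?", is_blocked("203.0.113.10", "shop.example", "ip"))
    print("shop.example blocked by hostname filter?", is_blocked("203.0.113.10", "shop.example", "hostname"))
```

The catch the article describes is visible in the output: two malicious hostnames on an address-level list take four unrelated sites down with them, while the hostname-level list blocks exactly the two offenders. The trade-off is that hostname-level filtering needs visibility of the Host header or SNI at the point where traffic is screened, which is precisely why the hosting companies and telcos have to be part of the scheme rather than bystanders.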
None of this is to be paid work. Martin believes that the top-level ISPs can be persuaded to do it voluntarily. That is a big ask, and he will need to work out how to win them over. He certainly carries a big stick in the form of threatened legislation for those who don't want to play. What he will offer them if they play nice is harder to determine.
Education a critical challenge
Consumers and businesses also have to play their part. The vast majority of attacks use old methods and old code and rely on unpatched software. It is hard to see how Martin will force businesses to improve their patching and security, or how he will frame legislation to make this work. There is also little that can be offered as an inducement to sign up for schemes.
Educating companies and consumers about better online hygiene is a Canute-like task. Daily, thousands of people fall for phishing emails and email scams. They click on links that install malware on their machines, give telephone callers access to their computers and become victims of identity theft or worse. None of this is new; it has been going on for over two decades. The last decade has seen the industrialisation of cyber attacks. It seems that businesses and consumers are simply unwilling to listen to advice.
There is also the not insignificant issue of a lack of skills. While universities and training companies are working hard to turn out cyber crime fighters, it is not enough. Those who do have skills are quickly snapped up by very large companies, security vendors and ISPs. This leaves small to mid-sized businesses unable to afford good security staff, and they are often the weakest link in the security chain.
Learning to hack is not just coding
The UK is doing a lot to improve the level of cybersecurity training. However, as the recent cybersecurity event in London showed, being a code monkey is of no help when you need to tap a network cable. It will be interesting to see how closely the NCSC works with universities, which are not immune from attack themselves. Bournemouth University, which runs a number of cybersecurity courses, has recently admitted to suffering over 20 ransomware attacks. It seems that training the next generation of defenders isn't enough to protect the university.
Automation helps block low-level attacks
There have been other successes to date. Martin told the audience that the UK intelligence community is using automated tools to stop a lot of attacks. They have been targeting the exploit kits and hacking tools that are sold online on the Dark Net. These tools are cheap, simple to use and allow anyone with access to a computer and the Internet to start trying to hack computers. Disrupting this market is essential. Ransomware providers continue to actively recruit people to distribute their product. They offer large inducements, which mean distributors could earn thousands per week; the majority earn rather less than that. However, because the tools they use are so cheap, their costs are low, making this a safer and more profitable criminal career than selling drugs or stealing cars.
Perhaps the biggest success that Martin spoke about was stopping cybercriminals sending emails that appeared to come from UK government websites. This has been achieved by using security keys to send the emails out. The problem here is that someone has to hold the keys, and that makes them a target.
Cyber defence or cyber attack?
This is all presented in the guise of a national cyber defence. The focus on low-level cybercriminals and stopping malware is not enough. Organised crime now has its own cybercriminals. They are sophisticated and go after high-profile targets. They don't even have to rely on buying on the Dark Web, as the leaks from Hacking Team and other cybersecurity companies have shown. All they have to do is buy highly sophisticated attacks from legal companies and then use them to attack businesses. Many of these attacks were legally developed and sold, but the companies concerned have no obligation to tell the software companies whose products they target. This means that there are no real defences in place to protect companies.
If Martin wants to make a real difference then he might start here. The problem is that organised crime is not the only customer of these companies. The Hacking Team documents outed several global intelligence agencies and enterprises. How to crack down on this trade in cyberarms is a challenge that many will hope Martin will address.
Another issue not yet addressed is the considerable problem of state-sponsored attacks. The UK doesn't disclose its involvement in such activities or even publicly acknowledge it has teams doing this. A good defence needs an offence; otherwise you are not solving the problem, just putting it off. The US has said that it is prepared to treat cyberattacks as potential military and terrorist threats. As such it reserves the right to strike back. Will Martin put the NCSC on the front line as the UK's cyber attack and defence team?
Persuading the security community to trust GCHQ
At the heart of the existing cyber defence initiatives is GCHQ, the UK Government's communications experts. The last few years have seen attempts to pull part of GCHQ out of the shadows. For Martin's plans to work it will need to be more active, and that means trust. This is a rare commodity, especially when talking about intelligence agencies and their public activities.
One route is to make more of the tools that GCHQ uses available to the security community. There is a danger here. Once they are public it will be hard to control who is using them. This will allow attackers to build defences against the tools as much as it allows security teams to use them to defend against the attackers.
For all the criticism, this is a bold speech by Martin, even if it all sounds a little quixotic. If Martin can pull this off and at the very least bring cyber attacks down to the level of two years ago or earlier, it will win him a lot of support. Perhaps his next speech will provide information on how we are to judge him.