Public Services > National Security

Cyber security chief warns “too many attacks” are doing “far too much damage”

David Bicknell Published 14 September 2016

Head of the National Cyber Security Centre warns of scale of attacks and admits “in terms of defending against them we are not, yet, good enough”

 

The head of the National Cyber Security Centre (NCSC) Ciaran Martin yesterday told the Billington Cyber Security Summit in the US that GCHQ is looking to create what has already been dubbed “the Great British Firewall” to provide protection against hackers.

He said, “We're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?

“Now it's crucial that all of these economy-wide initiatives are private sector led. The Government does not own or operate the Internet. Consumers have a choice. Any DNS filtering would have to be opt-out based. So addressing privacy concerns and citizen choice is hardwired into our programme.”

What was almost as interesting as the idea of what has already been dubbed the “Great British Firewall” in Martin’s speech was his admission about the scale of the security problem cyber attacks are creating and the damage they are causing.

“The great majority of cyber attacks are not terribly sophisticated,” Martin told the security summit. “They can be defended against. And even if they get through their impact can be contained. But far too many of these basic attacks are getting through. And they are doing far too much damage.”

He said, “They're damaging our major institutions. A British telco hit the headlines last year and the initial speculation was around a highly sophisticated attack but it is now believed to have been an SQL injection, a basic technique dating from the end of the last century.

“65 per cent of all large UK companies reported a breach in the last year. And our local media in the UK is full of painful stories of small businesses, lovingly built up, struggling to survive and maintain the confidence of their customers after a ransomware attack.

“Now these attacks aren't carried out by APTs….But whatever term we use for them, they're doing a lot of harm and in terms of defending against them we are not, yet, good enough.”

Discussing the National Cyber Security Centre, Martin said, “It’s not just a building. It's not just there to co-ordinate, it's there to deliver an ambitious strategy that our government is preparing. And that strategy is about tackling the most capable threats and protecting our most important national systems - of course it is. But it's also a significant shift in thinking towards about looking – at a national level – at how we use technology to improve cyber security everywhere in the UK. “

He went on, “If we’re going to retain confidence in our increasingly digitised economy, we have to make sure that everyone – our private citizens, our small businesses, out not-for-profits, as well as our largest and most pivotal public and private institutions – can do business in a digital environment that is fundamental safer than it is now. And to do that means using technology to automate our defences against these unsophisticated but prolific attacks. This really matters for the UK.”

Martin continued, “The government I work for is charged with helping to protect a highly digitalised economy, which by some measures the most digitally advanced, and therefore dependent, in the world.  In July of this year, Britons spent an estimated £10.7bn shopping online. One eighth of the UK’s GDP comes from the digital economy, that's the highest currently in the G20.  UK digital industries grew two and a half times more quickly than the economy as a whole between 2003 and 2013. We have the highest percentage of individual internet usage of any G7 economy. We're among the world leaders in Digital Government.”

Martin described “digital” as a big and growing employer.  “Our critical systems are going increasingly digital too,” he said. “Of course systems like the power grid have long had significant computer networks and we've worked with those providers on security issues for a very long time.

“Previously manual systems, like the meters used for measuring gas and electric usage, are going digital too. This smart meter technology will keep costs down and improve the environment...but it'll also mean a box connected to the Internet in every home and business in our country.

“Similarly, we've moved all our working-age benefits - our social security payments - into a single system, called Universal Credit. When it's fully operational, 90 per cent of our claims will be done online. So this one system will pay out 7 per cent of our GDP. “

“And this is all a success story but we know that with new opportunities come new vulnerabilities. So alongside the ability to transact, process and store data on an unprecedented mind scale so comes the risk of being compromised on an unprecedented scale.”

“Security officials – or securocrats as we’re sometimes pejoratively called on the other side of the Atlantic – we're sometimes accused of wishing this new world away and seeking to thwart or slow the onset of the technology that underpins this revolution.

“I emphatically reject this. We want this digital revolution to succeed. Our job is to help make the digital economy and digital government work, by making it safer.

He described “the great majority” of cyber attacks as “not terribly sophisticated. They can be defended against. And even if they get through their impact can be contained. But far too many of these basic attacks are getting through. And they are doing far too much damage.”

He went on, “They're damaging our major institutions. A British telco hit the headlines last year and the initial speculation was around a highly sophisticated attack but it is now believed to have been an SQL injection, a basic technique dating from the end of the last century.

“65 per cent of all large UK companies reported a breach in the last year. And our local media in the UK is full of painful stories of small businesses, lovingly built up, struggling to survive and maintain the confidence of their customers after a ransomware attack.

Asking whether this is any of the Government’s concern and whether this wasn’t for organisations to sort out for themselves, Martin said, “First, if one survey is to be believed, 77 per cent of Britons are not fully confident in buying things online. That matters hugely to such a heavily digitalised economy as the UK.

“Second, something is not quite working yet in the marketplace for cyber security. There are great companies, great people and great innovation. Barriers to information sharing are being broken down. But let's take an honest look at ourselves collectively certainly in the UK given the record of the past few years it's hard to say and we don't say that we’ve got ahead of the totality of the threat.

And if we’re to maintain confidence in the digital economy, we’ve got to tackle this end of the problem too, the majority of the problem. There's a legitimate role for the government in taking a lead...at least temporarily, and that is the thinking behind our strategy.”

Martin described “tackling low-grade, high-volume cyber attacks” as “a vital part of this three-pronged approach that our government agreed last year as part of its post-election Strategic Defence and Security Review.

“The first prong is organisational coherence with our new National Cyber Security Centre or NCSC. The second is defending against the most serious threats. And the third is about improving our digital security ecosystem to tackle those unsophisticated, prolific threats,” he said.

 

 

 








We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.