The prospect of a major cyber-attack on the UK will have caused many a sleepless night in recent years, and rightly so.
In 2017, the WannaCry incident laid bare the impact of a significant cybersecurity incident, knocking out computer systems across the NHS and forcing medical practitioners to work by pen and paper.
Ciaran Martin, the former CEO of the National Cyber Security Centre (NCSC), was at the helm of the security centre during this attack and the subsequent NotPetya incident.
Since then, the threat of another major cyber-attack has weighed heavily on his mind and, following the onset of the coronavirus pandemic, these concerns have been especially acute.
How would healthcare services have coped with a major ransomware attack at the height of the outbreak in April? How would public services and local authorities have coped if faced with a similar situation to their American counterparts in Florida or Ohio?
DIGIT caught up with Martin to reflect on the rapidly-changing cybersecurity landscape and discuss some of the key cyber threats facing Britain today.
A War of Attrition
Since the NCSC’s 2016 launch, which Martin oversaw, the global threat landscape has changed significantly. And although he admits that “some things have worsened”, the landscape is more easily understood – the players, the tools and the tactics can be combated.
Traditionally, cybersecurity specialists, intelligence officers and policymakers alike have feared the worst: a cyber-attack similar in nature to a nuclear strike, aimed primarily at totally incapacitating the UK and its critical infrastructure.
While Martin believes these concerns remain valid, the reality is that the global landscape today is more likely to produce long-term, lingering issues rather than a sudden cataclysm. This is a war of attrition, not all-out conflict.
“If you look at the past 20 to 30 years, since the age of the internet and the mass ownership of computers, there’s been a lot of talk about a ‘cyber apocalypse’ and so on,” he says.
“But actually, that hasn’t happened. What has happened is the rise of a more insidious and chronic set of threats.”
Some of these threats do come in the form of belligerent nation-states which seek to steal data for espionage purposes or to interfere in democratic processes and political discourse, he explains.
Recent years have highlighted the seemingly perpetual game of cyber cat and mouse being played by the global big hitters such as China or Russia. Indeed, earlier this year the NCSC published a report revealing the activities of a Russian state-backed hacker group known as ‘APT29’, which is one of a number targeting organisations involved in Covid-19 vaccine research.
Although state-backed activities are a cause for concern, the most significant threat outlined by Martin comes in the form of highly organised, technically proficient criminal syndicates. These, he asserts, pose a threat not only to nation-states but also to businesses of all sizes and even individual citizens.
“We’ve seen the emergence of a really sophisticated transnational ecosystem of criminal activity, and I think we underestimated the virulence of this threat.”
“And these groups are trying to steal data or extort money through ransomware, which is one of the most potent threats that we face at the moment that is doing some of the most harm.”
Concerningly, Martin believes that many of these groups are also becoming highly sophisticated in terms of their intelligence gathering. Cybercriminals are no longer trawling nets along the ocean floor; they’re using line and pole in a beguiling manner.
“Some ransomware attacks are becoming so sophisticated not just in technical terms, but the criminals themselves appear to be studying victims,” he says.
This intelligence gathering involves actively researching an organisation’s turnover and profitability to estimate how much they can afford to pay, and this represents a significant escalation in terms of tactics.
The increase of ransomware in recent years has been huge and has created a challenging environment for governments, businesses and organisations the world over. A recent study published by IBM highlighted a major increase in the number of ransomware incidents during the height of the pandemic.
In June this year, twice as many ransomware attacks were recorded compared to the month before. Similarly, the report suggested that across 2020, one-in-four cybersecurity incidents have been caused by ransomware.
Ransomware attacks have also raised ethical, legal and moral questions. Are organisations legally entitled to pay a ransom? Is it unethical to do so?
For Martin, a key concern has been the unintended consequences of these cyber-attacks. The development of cyber weaponry has increased to such an extent that things have the potential to spiral out of control and impact a wider range of victims unintentionally.
“There are markets out there on the dark web and elsewhere in which people can buy really quite sophisticated tools. And of course, one of the biggest risks, in my opinion, is that the attackers don’t always know how to control those tools,” he says.
The 2017 WannaCry attack, Martin explains, is the perfect example of the “unintended consequences” of a cyber-attack.
Although the malware was not originally intended to target nations such as the UK, the situation quickly spiralled and created a global state of confusion.
“Cyberweapons are called viruses for a reason, they do infect unintended victims,” he says.
“WannaCry and NotPetya were deliberate attacks, but their impact on the UK and allied countries was accidental. So the two biggest incidents that we faced early on [at the NCSC] were both basically accidents.”
Martin notes that another issue he fears is beginning to rear its ugly head: the physical damage caused by cyber-attacks. Money and data can be replaced or recovered; lives cannot.
“Another thing we were reluctantly envisaging was that people would start to get physically harmed by a cyber-attack,” he says.
Last month, authorities in Germany launched a murder investigation after a patient died as a result of a cyber-attack on a hospital in Dusseldorf. IT systems at the hospital were taken down due to the attack, which meant an ambulance transporting a female patient was diverted to another location 20 miles away.
“This is the first death – that I know of – that’s directly attributable to a cyber-attack. That wasn’t the result of any state action or part of a military conflict, that’s a life lost in a cyber-attack, and it’s a concerning development.”