The Covid-19 pandemic, the continuing threat posed by ransomware, the growth in supply chain attacks and the strategic technology challenge posed by hostile nation states are some of the biggest cyber security challenges facing the UK today, National Cyber Security Centre (NCSC) CEO Lindy Cameron has said.
In a keynote address to Chatham House’s annual Cyber 2021 conference, Cameron said the events of the past year illustrated both the diversity and significance of the cyber security threats facing UK plc today, and will continue to do so.
“The coronavirus pandemic continues to cast a significant shadow on cyber security and is likely to do so for many years to come,” she said. “Malicious actors continue to try to access Covid-related information, whether that is data on new variants or vaccine procurement plans.
“Some groups may also seek to use this information to undermine public trust in government responses to the pandemic. And criminals are now regularly using Covid-themed attacks as a way of scamming the public.”
Cameron added: “Ransomware presents the most immediate danger to UK businesses and most other organisations – from FTSE 100 companies to schools, from critical national infrastructure to local councils. Many organisations – but not enough – routinely plan and prepare for this threat and have confidence that their cyber security and contingency planning could withstand a major incident. But many have no incident response plans, or ever test their cyber defences.”
In a wide-ranging speech delivered just over a year into her tenure as boss of the NCSC, Cameron reflected on the events of the past year, including a spate of highly significant cyber attacks, many of which could have been stopped or substantially mitigated by following simple and actionable steps.
She also touched on the commercialisation and abuse of largely unregulated cyber exploitation products. These were the first public comments made by a UK public official on the growing scandal surrounding the development of Pegasus, a sophisticated mobile spyware tool, by Israel-based NSO Group, and its subsequent abuse by government users to spy on activists, dissidents, journalists and political opponents.
“Those with lower capabilities are able to simply purchase techniques and tradecraft – and obviously those unregulated products can easily be put to use by those who don’t have a history of responsible use of these techniques,” she said. “We need to avoid a marketplace for vulnerabilities and exploits developing that makes us all less safe.”
Security by default
Cameron also looked ahead to the imminent publication of the UK’s new National Cyber Strategy, which is due to be launched before the end of 2021 and will give the NCSC a refreshed mandate to build and enhance the UK’s security, with tougher regulation in some areas, increased support in others, and better protection across the board for citizens, with government leading the way.
“Investing in government cyber security will also mean the public sector’s buying power will help ensure the market provides good, secure technology by default,” she said. “This will be essential to realise the benefits of the UK’s long-term transition to a fully digitised economy.”
Cameron said that technologies and developments designed to benefit society would continue to be exploited by malicious actors of all stripes, and stressed the importance of making technology secure by default.
“Last month, we published our plans to move away from our past, prescriptive approach to assuring technology – such as encryption products and routers – based on point-in-time certificates,” she said.
“In the future, we will take a principles-based approach to security functionality and put much more emphasis on proportionality and the engineering practices of the developer, rather than running through a check-list of criteria that need to be met. This approach will be repeatable, evidence-based and, crucially, scalable, to ensure it delivers a real national-level impact by creating a market that rewards those developers who invest in their security engineering.”
Cameron said that by obtaining a “position of defensive strength”, the UK could become better placed to disrupt and impose costs on malicious actors, using a wider range of tools and powers, and leaning on diplomatic connections, intelligence agencies, law enforcement and the new National Cyber Force to take a “more activist leadership role internationally” and shape the global cyber environment so as to, for example, avoid a repeat of the Huawei-5G debacle.
“This will require a more interventionist approach to technology, from semiconductors to AI, quantum computers to connected places,” she said. “We need to foster and protect competitive advantage in the technologies critical to cyber space and mitigate cyber risk at an earlier stage by ensuring security is designed into the digital economy of the future. And we need to do more to ensure that debates about technology and internet standards support our future security and prosperity.”