The National Cyber Security Centre chief, Ciaran Martin, has suggested that it’s a matter of ‘when not if’ the UK suffers a very serious attack on the country’s elections or critical infrastructure.
He argues that the UK should expect to see such an attack within the next 24 months.
This type of category one (C1) attack – one that disrupts infrastructure such as energy suppliers and the financial services sector, or interferes with elections – has not been experienced by the current security chief.
The most serious attack on the UK so far was the WannaCry ransomware attack in May last year, which disrupted UK hospitals and organisations across the globe. It was categorised as a C2 attack, as there was no deemed risk to life.
However, Martin expects an attack – similar to those experienced by the US, France, Ukraine and other parts of Europe – is imminent.
“Most comparable western countries have experienced what we would consider a category one attack so we have been fortunate in avoiding that to date,” said Martin.
During an hour-long interview with the Guardian, he continued: “I think it is a matter of when, not if and we will be fortunate to come to the end of the decade without having to trigger a category one attack.”
He admitted, like many security leaders in business, that total protection was impossible. “Some attacks will get through. What you need to do [at that point] is cauterise the damage.”
“Martin is absolutely right – it’s only a matter of time until the UK suffers a crippling attack,” said Kevin Bocek, chief cyber security strategist at Venafi. “Adversaries have already tried to manipulate elections and target critical infrastructure in Europe and US. Escalation of hostilities – whether criminal or by nations – is one of the most basic rules of human history. Much of the reason the UK is so vulnerable is that many organisations – both in the public and private sectors – are simply bad at doing the basics right. With security teams being pulled from pillar to post by constant attacks, they don’t have the time to take care of a number of key precautions. It’s precisely these oversights which can let attackers in.”
Pressure is building on UK organisations from hackers, with the NCSC recording 34 C2 attacks and 762 C3 attacks between its opening and December last year.
“Organisations must accept that traditional defences – firewalls, anti-virus, IDS etc. – are simply not enough and emphasis needs to shift away from just blocking attackers, to detection and rapid mitigation as soon as an attack begins,” said Piers Wilson, head of Product Management at Huntsman Security.
“This means having first class, automated threat and security intelligence capabilities that can manage the deluge of potential problems – sorting real threats from the background noise of systems and network operation; freeing up security analysts to deal with the real problems as quickly and efficiently as possible. In the digital age, everyone – from the government and critical infrastructure organisations to businesses and charities – needs to accept that they can’t stop every attack at the boundary. Shifting their focus will help to keep them and the rest of the UK safe.”
Where are these attacks coming from?
North Korea was blamed for the WannaCry ransomware attack in May, while Russia has also been accused of instigating state-sponsored hacks on western countries.
“What we have seen over the past year or so is a shift in North Korean attack motivation from what you might call statecraft – disrupting infrastructure – through to trying to get money through attacks on banks but also the deployment of ransomware, albeit in a way that didn’t pan out in the way the attackers wanted to,” Martin told the Guardian.
“What we have seen from Russia thus far against the UK is a series of intrusions for espionage and possible pre-positioning into key sectors but in a more controlled form of attack from others.”
Since the NCSC’s opening, it has worked on building defences to cyber attacks and growing the UK’s cyber offensive capabilities with GCHQ and the Ministry of Defence: “Offensive cyber will be an increasing part of the UK’s security toolkit,” according to Martin.
The skills crisis
During the interview, one of the key challenges Martin identified was encouraging more girls to consider engineering and computing as a career. Only 32% of the NCSC’s 700-strong workforce are female, although half of the roughly 20 senior management posts are held by women.
The lack of qualified security personnel and historic underinvestment in cyber security are key factors in why the UK should expect a C1 attack in the next two years, according to Wilson.
“Within 2 years there will be over 1.5 million security jobs unfilled globally, meaning that there simply aren’t enough resources in the UK to cope with the growing threats facing our critical infrastructure. The figures released yesterday point to a significant increase in reported attacks, let alone those that pass undetected. Before the digital era, it was relatively simple to prevent and stop attacks to infrastructure, but now it’s much harder. There’s often no easy way to block all of these potential attacks at the perimeter, and trying to do so will just result in security analysts becoming overwhelmed by the sheer volume of probes and false positives that mask real issues.”