The National Cyber Security Centre (NCSC) published its 2021 Annual review in November, some five years after its formation and 10 years after the publication of the UK’s first national cyber security strategy.
To coincide with its release, the NCSC also launched several informal – and undeniably well-made – interviews with senior NCSC staff. Noticeable in both the Review and the interviews is that the NCSC is particularly proud of the interventions it has made on behalf of the nation, including the Protective DNS service (PDNS).
When novel issues and risks emerge – think health and safety, money laundering, or environmental protection – capitalist societies prefer to allow markets to take care of them: initial resistance is overcome, legislation is passed, regulators are appointed, compliance frameworks are published, and businesses are then left to get on with it.
Sub-industries are created to address these risks, their costs are passed on to the consumer, and any residual risk is insured. Government is expected to remain “small”.
Cyber risk is different. Cyber risk is simultaneously a business risk and a national security risk. The inability to make steel, or to generate and distribute energy, is a commercial risk to the corporations whose business models rely on those activities. However, to the nation states dependent upon their operation, any interruption of or damage to these vital functions is potentially existential.
The Colonial Pipeline attack is an example of what former NCSC CEO Ciaran Martin calls the “privatisation of national security risk”. In that instance, the corporate network of a US pipeline operator was attacked, in response to which the flow of fuel was halted, causing national chaos, even though the pipeline infrastructure itself was unaffected. The decision to stop the flow of fuel was a commercial decision, made independently by a private sector organisation.
More than a decade since cyber security went mainstream, there is a growing sense that the market has failed to take care of the problem. Market failure is now discussed by beleaguered policy-makers and disappointed private equity firms alike.
No silver bullets for ransomware
Ransomware is, in the words of RUSI and BAE Systems, in danger of spiralling out of control, with Britain suffering the second-highest number of “double extortion” attacks after the US.
It is also a form of cyber attack that threatens life, as witnessed by the attack against the Health Service Executive of Ireland in May of this year, which is reported to have cost the Irish Government around €600m.
The financial losses due to ransomware attacks have been so great that Lloyd’s of London, which writes around one-fifth of cyber risk globally, is now discouraging its syndicate members from taking on additional risk next year. To stem the losses, many insurers are now halving the cover they offer.
Hoping for things to improve does not appear to be a viable policy option. Despite tough rhetoric in certain quarters about offensive cyber operations, there are no silver bullets to solve this complex issue. Many observers in the US and UK feel that a tipping point has been reached, and that greater regulation is now inevitable.
The Australian Government recently passed legislation rendering all cyber attacks against critical national infrastructure (CNI) reportable to the Australian Signals Directorate. The Australian Government will now be able to step in to protect assets immediately before, during or after a significant cyber attack.
The G7 communiqué issued after the Cornwall summit in June augurs an era of coordinated cyber diplomacy. Economic sanctions for nations providing safe havens to cyber criminals are another option, problematic though this would be in the case of Russia. International treaties may establish cyber norms between states, determining what is considered fair game or off-limits.
A ban on ransomware payments would appear sensible for those industries where there is no obvious threat to life, as would making it harder to move cryptocurrencies.
However, support for such a ban would certainly be incomplete, and a ban could potentially invoke the law of unintended consequences by further skewing the insurance market and/or driving the problem underground.
Ramping up resiliency
One requirement that most observers agree on is a need for increased national resilience. Mounting losses have been accompanied by a steady increase in what states are prepared to do to take up the slack left by the market.
The formation of the NCSC, brought about in part by pressure from Mark Carney, governor of the Bank of England, blazed a trail that many countries are now emulating.
The establishment of the Active Cyber Defence (ACD) Programme in 2017 reflected a willingness to “do stuff” and to help those least able to help themselves, rather than philosophise about cyber security. ACD now includes a range of services and tools, including PDNS, which protects six million public sector and health workers in around 2,000 organisations.
In 2020, PDNS was a principal component of NCSC’s pivot to protect the NHS and the vaccine supply chain, which technical director Ian Levy describes in his recent interview as his “NCSC highlight” in the past 12 months.
It is unreasonable to expect CNI operators to exclusively own national security risk, even if they own or operate the associated infrastructure. Hospitals should be focused on keeping citizens alive and healthy, rather than combating international crime.
That is not to imply that CNI operators do not have a critical role to play. Policy-makers should acknowledge that CNI operators are not born equal: some have invested heavily in sophisticated cyber defence programmes, whereas others are struggling.
Programmes such as ACD can go much further and achieve much greater impact if the will exists to take further calibrated risks and push boundaries. Bold, ambitious initiatives designed to reduce harm at scale should be at the heart of any nation’s cyber defences.
If losses in the private sector continue to mount, we may well see government-led active measures being broadened across societies.