Ciaran Martin: Resilience key to cyber defence

Ciaran Martin, former head of the National Cyber Security Centre in the UK and now a member of CyberCX’s Global Advisory Board, spoke recently with Fran Kelly on ABC’s RN Breakfast program about the rising risk to business from ransomware and cybercrime, as well as the evolving threat posed by nation-state actors.

Fran Kelly: Australia has seen a 13% increase in cyber-attacks over the past year as cyber criminals take advantage of large numbers of people working from home. In its Annual Threat Report, the Australian Cyber Security Centre says a cybercrime is now reported every eight minutes in Australia. Ciaran Martin is the former chief executive of the UK National Cyber Security Centre. He has just taken on a role as an adviser to the Australian cyber security firm CyberCX. Ciaran Martin, welcome to RN Breakfast.

Ciaran Martin: Thanks for having me, Fran. Good morning.

Fran Kelly: Ciaran, one of the findings of the Australian report is that the pandemic is changing the way cyber criminals operate. Can you give an insight into that? How has the pandemic changed cybercrime?

Ciaran Martin: I think that it has raised the profile of cybercrime in two ways. One is the sheer venality of it. Here in the UK, we saw a very similar spike in attacks as you have done in Australia, as reported by the ACSC. It was things like scams of fake government support schemes, fake PPE, even fake cures, which is particularly sick.

The second thing was that cyber criminals, although I think this was coincidental and not related to the pandemic, really upped their levels of so-called ransomware attacks because it was so profitable. They extorted companies and public authorities like healthcare for money. I think they did try to take advantage of us working from home, but I think it’s more or less just something that was already there.

Cyber criminality, it’s not politically motivated, they’re just in it for money and it has been a big, big problem. In terms of the average business and the average citizen, it is the one that is more likely to affect us than some of the other more high-profile nation state threats.

Fran Kelly: Yeah, I’ll come back to that. The Australian report says that one quarter of the incidents in Australia, and there were tens of thousands of them, hit targets associated with critical infrastructure. We mean education, health, you mentioned communications, transport. What does that mean in practice? How do the cybercriminals target critical infrastructure? And if it’s critical infrastructure, shouldn’t it be better protected? Is there a problem here?

Ciaran Martin: Well, I think 2021 across the world, particularly amongst the richer and allied countries, like the UK, Australia and the United States, has shown that there are vulnerabilities in critical infrastructure in terms of the real-life human impact. So, for years companies have been being quietly extorted and they have paid ransoms to get out of trouble.

This year in America, you have seen pipelines disrupted, leading to fuel shortages on the east coast of the US, you’ve seen meat plants disrupted, you’ve seen food retail in Sweden, you’ve seen schools in England and New Zealand, horrifically, the entire Irish healthcare system and the Roman vaccination booking system – have all been disrupted.

Because what this new, higher profile form of cyber attack, this sort of new wave of ransomware does is it doesn’t just steal data, that has been happening for years. It’s a sort of a silent crime. It’s not victimless, because people exploit data, use it for scams, use it to sell people’s personal data, use it for identity fraud, but this actually disrupts healthcare, disrupts education, and disrupts people’s ability to buy fuel and food. So, I think the real world consequences of cybercrime have become more visible in 2021 than they ever have.

Fran Kelly: And the stakes are higher, if we’re talking about some of the ransomware attacks, one of them it appears was a hack on Eastern Health in Melbourne that had real health impacts; surgeries had to be delayed. It was something called a Ryuk ransomware variant. Are you saying, when you said most of these ransomware attacks are not politically motivated, Alastair MacGibbon I note, who was head of our cyber security force, says that these kind of attacks, it’s not the Axis of Evil states creating all this crime, it’s a bunch of criminals after money. If that is the case, can we breathe a little easier in a sense? Not that we want crime running rampant in our lives and around our critical infrastructure, but if this is not state actors, does that make it less of a threat in a security sense?

Ciaran Martin: Well, Alastair was my colleague and opposite number during part of my time in the UK Cyber Security Centre and now works with me at CyberCX. I think he’s right about the profile of cybercrime and he’s been right about it for years. But I think it’s two different problems that require two slightly different approaches.

So, the cybercrime epidemic is just about money. There’s ways of defending that, there’s better protection of data, there are sort of routine protections because cyber criminals tend not to be as sophisticated as a nation state. With some obvious exceptions, the average business has relatively little to fear from, say the Russian state. The Russian state does harbor this criminality and needs to be held accountable for that. The nation state threat is out there, but it’s different. It tends to be targeted. So, China has for years been stealing intellectual property from companies in places like Australia, the UK, the US, the European Union. Russia has been hacking for strategic benefit. They are two separate problems but what’s common to both of them is resilience.

So those human impact stories, the disruption to healthcare and so forth, it’s all about resilience. It’s all about not just the technical aspects of how you do cyber defence, but how do organisations plan for when an attack happens? How do you keep going? Frankly, you look at the experience of Irish healthcare, nobody particularly cares whether or not they can withstand the cyber attack or how well they respond technically to it. They care about whether they can keep patient care going and I think that’s what organisations need to be thinking about. Resilience is the key word for defence in the years ahead.

Fran Kelly: You mentioned China there. In July this year, Australia joined 40 other countries (including the US and the EU) to accuse Beijing of being responsible for the hacking of Microsoft Exchange servers. We don’t normally see that kind of attribution. But you have a view about China here, which is that China is not doing what Russia has done, which is proving how it can hack and therefore that sort of remains a threat there in the wings, but rather, changing the way the internet works, it’s about China’s dominance of technology. What do you mean?

Ciaran Martin: Well, it’s both. So China, like Russia, hacks, it hacks our companies. It did that very reckless attack that you rightly mentioned Fran, that allies attributed to it, which left a lot of entities, particularly in the US, vulnerable to criminal attack. It was an extremely reckless attack, and the Western alliance was right to call it out. But in a sense, that is cyber aggression, and our job is to defend and be as resilient as possible.

But what is happening in China is different than what is happening in Russia. Russia’s just hacking; China is developing a huge tech ecosystem of giant companies, and trying to change the way the internet works, the way traffic flows, the way in which material can be blocked, intercepted and read and so forth to make it more authoritarian, and it works. Russia does not have the big beasts of tech that China does. China has a technological way of life.

25 years ago, when the internet was taking off, we were talking about it as very much an American-led model, very consistent with Western values and Western ways of doing business. We perhaps naively thought that this is the only way you can do this new technology. State control of it was really, impossible. Well, actually it’s not, and it has been used for increasingly authoritarian purposes in places like Xinjiang and it’s been used to do things like the social credit score. Countering that is very different.

It is not about cyber security; it is about our own economic innovation and resilience. It is about our ability to build our own companies to have that choice to have industrial capability that’s capable of keeping the internet free, open, and safer. There’s a direct and in some respects, existential challenge to that model from China. That’s a really hard problem. It requires a whole of government approach within nations and requires a coordinated approach between nations, and a lot of it’s about economics, trade and regulation, not just the technicalities of cyber security.

Fran Kelly: Alright, Ciaran, thank you very much for joining us.

Ciaran Martin: Thank you so much.

Fran Kelly: Ciaran Martin is the former chief executive of the UK’s National Cybersecurity centre. He is an adviser to cybersecurity firm CyberCX. Those comments he was making at the end there, there’s a phrase apparently that they’re quite fond of in the UK, when they say that “if Russia is stormy weather, China is climate change”. In other words, as he mentioned, they’re an existential threat.

This is an edited transcript of an interview with Ciaran Martin on ABC RN Breakfast. You can listen to the audio of this interview here: https://www.abc.net.au/radionational/programs/breakfast/cyber-attacks-rise/13542760