Effective URL: https://delinea.com/events/podcasts/100-protecting-citizens-online-at-the-uk-national-cyber-security-centre-with-cia...

Episode 100


PROTECTING CITIZENS ONLINE AT THE UK NATIONAL CYBER SECURITY CENTRE WITH CIARAN MARTIN

EPISODE SUMMARY

As founding chief executive of the UK National Cyber Security Centre (NCSC),
Ciaran Martin sits at the intersection of national security, law, and politics.
In this episode, he and Joe discuss how the UK NCSC took on the challenge of
understanding security concerns and best practices from the private sector and
translating them into effective crisis communications and policy changes. They
share stories of cyber threats and attacks on critical infrastructure, and the
impact these incidents have on citizens financially, physically, and
psychologically. You’ll get a look at what it took to update the UK’s
cybersecurity posture, including understanding the severity of different types
of cyberattacks and data breaches, incident response, and threat intelligence,
to improve the country’s cyber resilience.


Joseph Carson

Joseph is Chief Security Scientist and Advisory CISO at Delinea, an active
member of the cybersecurity community, and a frequent speaker at cybersecurity
events globally. He has 25+ years’ experience in Enterprise Security &
Infrastructure and is a Certified Information Systems Security Professional
(CISSP). Joe is also an adviser to several governments and cybersecurity
conferences, and the 2018 (ISC)² Information Security Leadership Award (ISLA®)
Americas winner.



Joseph Carson:

Hello everyone. Welcome back to another episode of the 401 Access Denied
Podcast. I'm the host of the episode, Joe Carson, Chief Security Scientist and
Advisory CISO at Delinea. And today we've got a very special episode, which is
going to be really fantastic. I'm really excited.

There's a very special thing is that this is episode 100, so we've now had 100
episodes over a long time and it's pretty impressive, but we've also passed over
300,000 listeners, which is impressive as well. So out of all of our episodes
with 300,000 listens with episodes, so a really great achievement. I'm really
excited to hit this milestone.

And for that, I'm joined by a really fantastic person I've got to see speak many
times in the past, and really pleasure to spend the time on today's episode
with. So welcome to the show, Ciaran Martin. So Ciaran, do you want to give us a
bit of a background to who you are, what you do, and some fun things about
yourself?

Ciaran Martin:

Well, thanks very much for having me, Joe. Thank you. Not just for having me,
but congratulations on your 100th episode. Fantastic achievement. So I'm Ciaran
Martin. I'm based in the UK. I'm originally from Northern Ireland, not far from
you. And I was the founding Chief Executive of the UK National Cyber Security
Centre. So I spent seven years, roughly just short of that, at GCHQ in the UK,
firstly setting up and then running the National Cyber Security Centre for four
years. I stepped down towards the end of 2020 with a bit of a slightly extended
tenure to cope with the pandemic. Really interesting actually working in a high
security but also mixed classification environment during the ravages of COVID
and the sudden move to home working and so forth.

And for the last three and a half years I've been teaching government and
cybersecurity at the University of Oxford and working with a bunch of
cybersecurity companies and writing and doing some charity work and doing
podcasts and stuff like that. So brilliant to be here, and hello to Estonia.

Joseph Carson:

Yeah, fantastic. That's excellent. It's really great to hear, Ciaran. It's
impressive. One of the things I'm always curious about, did you have a
cybersecurity background? What was your background? How did you get into the
industry?

Ciaran Martin:

So one of my rules in cybersecurity, my number one in fact, my probably only
rule for survival is, don't pretend you have expertise that you don't have.
Cybersecurity is a discipline of many different varieties. There's core
technical stuff and there's very general stuff. And I honestly argued against my
own appointment. I owed my senior job at GCHQ, and I'm not making this up, to
Edward Snowden. Because I've worked with the intelligence agencies before on
legal and political crises, mostly the human intelligence agencies in the UK who
got caught up in a bunch of quite serious challenges. Legal, political
challenges around alleged complicity in torture and rendition of Guantanamo and
other detainees during the post-9/11 period, and what the Americans may or may not
have been doing.

So I had quite a lot of experience in that sort of interface between national
security and the law and politics and the constitution and so forth. So then all
of a sudden Snowden hit GCHQ. And GCHQ had largely been immunized from these
other developments. It didn't really have any experience, didn't really have a
policy department. Communications and outreach wasn't really used to explaining
what it did. So I went off to do that. But as with all sorts of crises, you're
there, or with the exception perhaps of COVID, you either succeed or fail within
six months. So it was, "Well what's the long-term plan for me here?" And they
said, "Well, you could run cybersecurity. Want to step up our mission?" I said,
"But I don't know anything about it."

In fact, I went back to Northern Ireland at Christmas that year and told one of
my oldest friends, somebody I'd known since I was four, so nearly 35 to 40 years
at that point. And said, "I might take up this role in cybersecurity." And he
said, "But what do you know about computers?" I spent my first year, as well as
the Snowden stuff, just really getting to learn the subject, but listening to
the technical experts. I was blessed with some fantastic technical experts,
people who went on to play major roles in the development of the NCSC. And they
said, "Look, if you want to get a strategic backing, political backing, money to
do things that we could really do, we've got some brilliant ideas but nobody's
listening."

So the job was to build a partnership with them. And in a sense the NCSC was a
deal between me and the technical experts to bring the general... GCHQ's
cybersecurity experts were amongst the best in the world and getting people of
that quality and that technical expertise to work for government wages was
miraculous, but they really were driven by a sense of mission. But they were
doing it very much behind the wire, behind barbed wire in an organization with
no mobile phones, for example. So how could you advise businesses or civilian
bits of government dealing with huge payment systems, for example, how could you
advise them on cybersecurity when you couldn't literally pick up the phone to
them or they couldn't pick up the phone to you? Could we even access them by
normal email? And we thought we better change all of this.

So my background, long-winded answer, my background was not in cybersecurity at
all. I had to learn it from scratch. I've since developed quite a lot of
expertise, not so much technical, but if someone says to me, "There's been a
major IP theft from a British university," I probably will predict pretty
accurately who that was. If they say, "Well, so-and-so's locked out of a
healthcare network in the United States," I can probably predict who that was
and so forth. But I did not have a deep technical background.

Joseph Carson:

And I think sometimes for me, I sometimes think that's sometimes the best thing,
is because it allows you to come in with rather than a single point of view, it
allows you to come in with much more policy base. And I think one of the things
we've always been missing in cybersecurity industry is we've got a lot of great
people with those technical skills, but we didn't have a lot of people with
great communication and great understanding of policy based skills. And I think
that's always a great thing to have people coming in and bring that into the
industry to help us communicate better, to help us be able to put things, and
what it means for the business or what it means for citizens.

So I think for me sometimes not having the skills, it doesn't mean you can't do
the job, it just means you have to surround yourself with great people who had
the skills, but you become that interface, you become the translator to how that
converts into either policy or communications or best practices. So I think
that's always a great thing and having people coming into the industry, that
might have had a different background sometimes in service sometimes and
communication or even marketing, can really change the way we do it in the
industry. So I think that's a great thing.

Ciaran Martin:

I think you need both-

Joseph Carson:

One of the things I'd like to go-

Ciaran Martin:

So I'm slightly double-backing on myself.

Joseph Carson:

Yeah.

Ciaran Martin:

I was just going to say, I think you need both. I'm slightly double-backing on
myself. I think if you think about, so the first full year of the NCSC's
operation, those people were really interested in it, we had 55 different
countries come to see it. And so you got used to hosting all these senior
people. We had the then Prime Minister of Estonia as I recall. And a lot of them
would say, "Can we see your comms team?" I'd say, "Sure, of course you can meet
the comms team, but can I ask why?" He said, "Well, really impressed the way you
give accessible user-friendly advice." I said, "Yeah, but what's it based on?"

One of the things before the NCSC in the UK, we had two organizations dealing
with cybersecurity. We had GCHQ dealing with deeply technical, mostly secret
stuff and not communicating to anybody. And we had the CERT, which was the other
way around. It was very good at communicating and outreach to the business
community and to the rest of government and to the ordinary citizen. But didn't
have specific expertise, it didn't have much that you couldn't get from the
commercial sector.

So it's putting those two things together. And you're right about
communications. I mean, the very best sort of cybersecurity professionals,
somebody with technical skills and brilliant communication skills, but they're
as rare as hen's teeth. I was blessed that Ian Levy, Dr. Ian Levy, the Technical
Director, was one such person that was fantastic. But one of the reasons he was
so good was that he was a cybersecurity genius who could also communicate highly
effectively. It didn't always run smoothly. You do take your risks with that
sort of thing. And those fantastic moments where Ian... You'd have thought he
would go all over the world convincing people, persuading them, building these
hugely powerful partnerships.

But I recall once he went to Australia and made a speech where he said, and this
was core NCSC philosophy, he said, "You don't need to block all cyber attacks,
you just need to make yourself a little bit of a harder target." So he said in
his own inevitable way, "My job is not to stop cybercrime in the UK. My job is
to send it to France," forgetting that in the digital age these things don't
really stay in Australia. They get back to France within like a minute. And so I
had a rather amused and thankfully very mature teasing from Guillaume Poupard,
my French counterpart, rather than any more serious diplomatic incident.

Joseph Carson:

That's actually very funny. So one of the things I'd like... I had recently on,
Tanel Sepp, who's the Estonian cyber ambassador on the show, and one of the
things that he brought up which was really interesting was that, for many years
governments didn't really take cybersecurity that seriously. They may have had
it as important part within, but not from a national cybersecurity perspective.
And in Estonia it didn't become important or really that visible for the
government until it was around 2007, when they had the state sponsored cyber
attack from Russia to Estonia. And then of course you mentioned the Snowden
side.

What existed before the National Cybersecurity Center in the UK and what was
different... You mentioned that there was CERT, there was GCHQ. What was there
before and then what was the trigger point to bring it together? As you
mentioned, the need to have something, an agency or a service to provide best
practices and communication to businesses and citizens. What was the driving
point? What was before and what was bringing it together? What does that look
like?

Ciaran Martin:

Well, perhaps happily we didn't have the forcing function of the devastating
attack as Estonia did in 2007, which really was an outlier. And it's hard to
think of another country that suffered such a sustained onslaught on critical
functions that early. Indeed, I think had Estonia happened five, certainly 10
years later, there would've been much more serious repercussions because people
of the international community understood that sort of thing much better than
say 2017 than it did in 2007. 2007, it was like, "What's going on here," and so
forth.

And I think that, I mean speaking to the UK experience, there are probably three
phases and I think the US and many western European countries are broadly
similar in this. So there's phase one, which is until in the UK's experience
until about 2009, slightly earlier in the US, where you just didn't care at all.
You didn't have a policy, you didn't have a strategy, nobody was responsible for
it apart from a few enthusiasts in different military or security organizations.
That's 2009.

The UK had a short cybersecurity strategy in 2009 with principally sum of 5
million pounds, roughly 6 million euro allocated to it. So not really
reflecting... A sort of fairly low prioritization. And I think phase two
would've begun in the UK there's a much more serious strategy in 2011 with more
money attached to it. But even then, I think phase two is 2009 to the mid-teens,
and I think that phase is sort of characterized by what you might call
interested inertia or active inertia.

There's a lot of talk about it, there were strategies and so forth, but actually
the strategies in both the UK and the US and lots of other places where, let's
shout at the private sector and tell them to share information. Do you remember
information sharing? In our field we started to call information sharing the
hopes and prayers of the cybersecurity industry, and let's do public-private
partnerships without specifying what they were you asked then.

So the third phase I would date from 2015, and then the NCSC comes in 2016, and
there were a bunch of long forgotten political circumstances that drove that.
There was this brief period, largely forgotten around the UK, between the
general election of May 2015 and the Brexit referendum of June 2016. So a
13-month period where the conservatives had won unexpectedly a small overall
majority. And there was a finance minister, chancellor, as we call it, called
George Osborne. He was very interested in cybersecurity, he was assumed to be
David Cameron's successor. They were in a position of real strength until they
lost the referendum and they decided that cybersecurity strategies that they'd
been pursuing were failing and they wanted new ideas.

So we were in this happy position where we had strong political sponsorship.
Cybersecurity was a strategically important, but not partisanly contentious
issue. I mean, basically one of the things I was blessed with for most of my
time in government and cybersecurity was that the only thing people cared about
was whether you're any good or not. Healthcare in the UK is very ideological,
so is education, so are lots of other things. But cybersecurity, there's no real
fault line in it. So as the government wants to do a bit more, "Have you got any
good ideas? Will you do it well?" And people would criticize you if you didn't
do it well, but not for other things.

And I think the politics of this mattered for, despite the huge convulsions
politically in the UK, of the remainder of that decade. And it was for those
unfortunate enough to follow British politics, it was a pretty juicy period, not
marked for stability.

Joseph Carson:

I remember it well.

Ciaran Martin:

But throughout those years, remarkably I had a stable strategy. It wasn't one of
those strategies that kept being rewritten every year. I had strong political
sponsorship because I ended up serving three conservative prime ministers in
short order, Cameron, May for most of the time, and then Johnson. Decent amounts
of funding. And I think importantly, the right balance between political backing
and operational autonomy. So I remember when WannaCry hit in 2017. And WannaCry,
just by bad luck, hit the UK quite hard. And also by worse luck, hit the health
service more than other sectors.

It was in the middle of a general election campaign. And again, for those who
follow British politics, the health service and election campaign is pretty
sensitive stuff. But I remember talking to 10 Downing Street over the course of
that fateful weekend in May 2017 and saying, "Look, we might need to do this,
that and the other. We might need to go on TV. We might need to issue this
guidance," et cetera. And they just said, "Go and do it. That's what we set you
up to do. We trust your judgment. We're not in any position to second guess
you." That's perfect. It's, give a strong political backing but don't interfere
in the operation. So we were very, very blessed with actually the strong support
of the governing system. And that actually really matters if you're trying to do
anything in government, on cybersecurity or anything else for that matter.

Joseph Carson:

Yeah, I think that's vital as well is they get the support and be able to go and
make things happen. Definitely the WannaCry and NotPetya were two massive,
significant impacts to the industry, not only was with the healthcare but also
on supply chain as well. And that showed as well, it's not just about the impact
that it has on individual countries, but also the impact that it has basically
across multiple countries and through supply chains as well that really
indicated that the country borders in the digital space were no longer really
there. And that meant cooperation and transparency and working together became
very, very important.

And I think, not only the WannaCry triggered the need to do something but
NotPetya triggered the need to cooperate and work together as governments. I
think that was a pivotal moment.

Ciaran Martin:

I think that's right. And looking back on the period, and I was appointed in
December 2013, I left at the very end of August 2020, and that whole nearly
seven year period, not NotPetya, WannaCry sort of six week period and the weeks
around it were the most difficult. And the reason they were most difficult
wasn't just because they were the two biggest incidents that affected the UK in
my time. And you could make cases that there were other very big incidents, they
were very close together, they had significant ramifications to the UK. But I
think what makes them so sort of memorable in a bad way, two things. One is,
they were both accidents. I mean not complete accidents, in that they were
maliciously started, but both went way beyond the intent of those behind them.

So North Korea was clearly on a spree of stealing more cash from financial
institutions and wrote this terrible worm that just went all over the place in
ways, that until Marcus Hutchins heroically sinkholed it, it was going mad all
over the world. NotPetya, I don't think you're being nice or appeasing of the
Russian state to say that Cadbury's chocolate making plant in Tasmania,
Australia was not its target when it went for Ukrainian tax software. So it was
that accidental.

Frankly, in both of those cases, if the attackers, the aggressors had been
better at their jobs, we would've had less damage. And I think that sort of
collective vulnerability that you spoke of was really damaging. And the second
and related thing was, we talk about what's the impact of cyber attacks, and
certainly in both those cases, I mean nobody thinks anybody died. Although when
you start messing with healthcare systems, you never know quite what the
long-term consequences are going to be. There's clearly significant economic
damage, but we were just also jumpy.

I remember a few weeks after NotPetya, so WannaCry was what? May. NotPetya was
June. And I remember at some point in July, children were younger then, and I
was at some kids' birthday party in a nearby village and Number 10 phoned. And
they said, "What are we going to do about Heathrow? Have you got a sitrep on
Heathrow?" I said, "What are you talking about? What's going on Heathrow?" And
they said, "Well, there's all these queues because there's a major cyber attack
on BA at terminal five." And so I called BA, because by then because of all their
other issues we had a good operational relationship and they said, "Look, this
is just an IT outage, send your guys in. But we'll check, we can prove." And we
did and it was complete IT failure.

What was really interesting about that was just, and I was pleased that Number
10 were interested in watching and so forth, but NotPetya and WannaCry had sowed
this fear that our way of life, our essential, normal everyday life, could be
just so easily disrupted. That actually, when your bog-standard IT outage,
which let's be realistic these things happen, running big IT networks is hard
and et cetera, et cetera, there's this automatic assumption that this must've
been malicious. Turns out it was just another IT failure.

So I think that's sort of pernicious. You talked about Estonia in 2007. You
talked to Ukrainians just before the war, the cognitive impact, the
destabilizing psychological menace of cyber attacks is really quite disturbing.
You talk to Australians when their medical details were threatened with being
leaked and so forth after the Medibank attack. I think we sometimes understate,
just that how pernicious, not just economically but psychologically, cyber
operations can be.

Joseph Carson:

Yeah, absolutely. I think that's one of the big things for me is that we always
look at the financial side. And also, then we look at the mental impact on those
victims is... It's sometimes, when you look at a financial impact, I've always
heard, and one of the most common things is, that it's easier to get your money
back from a cyber attack than it is to get your identity back. If your identity
is stolen, then it can be abused quite significantly into many other things. And
then also your most sensitive details, if you look at the Vastaamo case in
Finland where it was about basically psychological... A psychiatrist notes that
got basically disclosed, some of the most sensitive things you don't even tell
your children or partner or anyone else. You're telling a psychiatrist on
getting those details out. There's a lot of really mental and psychological
impact to the victims.

And even to the point where even some of the more recent attacks, where it even
has life-threatening impacts. I remember one of my roles many, many years ago
was being responsible for the Northern Ireland Ambulance Service, and when my systems
weren't working, people died. And that's one of the things that you have to
realize and we're now into that point where the systems are so dependent on
technology and connectivity, is that when they're out for a sustained amount of
time, that yes, there is inadvertent and indirect impact on people. Whether it
being the mental side or even threatening people's lives.

And we're starting to see some, I think it was one of the ransomware cases in
Germany that happened just a few years ago, where a patient was en route to
hospital and had to be diverted and ultimately basically wasn't able to get the
treatment they needed. So we're starting to see that massive impacts on the
outcome and I think this is really where we're really starting to, not just look
at the financial impact of cyber effects, but the human impact. I think that
makes a big difference.

Ciaran Martin:

So I think that's right. I mean that Finnish case you mentioned, the mental
health organization. I mean the Finnish case was just absolutely revolting, and
you want a guide to how unscrupulous and amoral cyber attackers are, then there
you go. I think on the other point about dependence, critical systems dependence
on IT, I think we need to understand this a bit better. Because when actual life
and limb is at stake, we're actually quite good.

So when we started worrying about cyber and people started talking about Cyber
Pearl Harbors and Cyber 9/11s and all this stuff that we now basically, I think
correctly, think is nonsense. People said, "Well, you can bring planes out of
the sky and so forth," which actually you can't really. So by way of
illustration, another accidental IT failure this summer, last summer now, in
summer of 2023 in the UK, the National Air Traffic System, that computer fails.
Now it wasn't a cyber attack, but let's say if it had been a cyber attack
would've been exactly the same. Because it failed accidentally I think people
knew that there'd be a backup system, you could land them essentially using
radio. Planes might be delayed, there might be major economic disruption and
lots of annoyed people who are in the wrong place or massively delayed or
whatever and miss their key meetings or miss their family wedding or whatever it
is. So it's not pleasant, but nobody's at risk of injury or death. So we're good
at that when it's a critical system.

Similarly, you can hack a railway signaling system, but the trains will stop and
they'll be delayed rather than continued high speed and crash into each other,
and that's as it should be. What we're not good at, and I'm not criticizing
this, it's just an observation, is when someone hacks a hospital administration
system. Not an operating theater, the operating theater is working just fine.
But who's next in the operating theater? We don't know because the system's down
and everything gets delayed and so forth.

And indeed you mentioned the German case. I was reading the very good Emsisoft
annual ransomware blog by Brett Callow, and he quotes a paper from the
University of Minnesota Institute of Public Health where they've done a bunch of
studies of US hospitals that suffered ransomware between 2016 and 2021. And they
use all these things about different health outcomes and they look at individual
cases and they estimate between 42 and 67 elderly American patients probably
died because of ransomware attacks on hospitals. And that's very, very hard. If
someone of advanced years is already quite ill, to what extent did the delay
trigger their ultimate sad passing? You don't quite know. And it takes us
outside of our own area of expertise, but clearly if you mess with healthcare
administration, somebody probably suffers at some point.

The other point, just to go back to data, I think the other thing we need to get
better understanding, although we're starting to get better at this, is the
impact of data breaches and that sort of psychological destabilization. So
thanks to GDPR and all other regulations we're all used to getting notifications
saying your personal data is breached. Troy Hunt in Australia has done that
marvelous, Have I Been Pwned? Service where we can all find where our emails
are.

But the difference between... Oh look, I was on LinkedIn in 2012, God help me.
So some old passwords out there on the dark web, fine. I'm not going to lose
sleep over that. Compare the seriousness of that, not very serious, with the
Finnish mental health data, which is extraordinarily serious. I think we started
off thinking, oh, those are two data breaches. Well, they both are, that's true.
But they're massively not the same.

And we need to think about ways in terms of regulation, criminalization,
accountability, but also public reassurance and not reassurance. When do you get
the public worried and when not. I reckon, within the next 10 years, and I'm
glad this is after my time in government because I wouldn't like to be the first
to do it, at some point somebody in a position of public authority is going to
stand up after what looks like a large scale data breach and say, "Look, you
know what? I really wish this hadn't happened, but it doesn't really matter."
And that will be an important moment because then when the same person or the
same government, whatever, stands up and says, "I'm really, really sorry, but
this one actually matters. And you need to do this, this, this and be aware of
this and change your bank account," whatever it is, they will sit up and listen.

And we need to get better at difference. So we need to get better at all sorts
of things. Two things we need to get better at. One is, improving the resilience
of critical systems that depend on software in the same way as we're quite good
at protecting systems, hard industrial control systems. That's one thing. And
the second thing is, getting better at understanding the severity and lack of
severity of different types of data breaches.

Joseph Carson:

No, I completely agree. One of the things that I would say is that the
classification of things needs to be very, very clear. And we talk about
classification, not even just classification of data, but also classification of
breach. What action does the victim need to take? Is it just that, this is a
data breach and you need to take no action whatsoever because basically it's
information that cannot be abused, or is it information that can be abused and
therefore you need to monitor it. You need to be looking and checking to see if
new credentials or new accounts are being created in your name. So having that
monitoring side of things, especially around the financial aspect of things.

Then there's the, okay, these are the breaches and you really need to take
action. You need to go change your credit card, you need to be aware, you need
to make some type of action. Getting into those classifications of breaches I
think is highly critical and important. Not all data is equal, as you mentioned.
It's not the same. And different breaches can mean different things.

Ciaran Martin:

Completely, completely with you there.

Joseph Carson:

So I'd like to get a bit more into, what types of best practices or what types
of things did the National Cybersecurity Center create? How did it get more
being more proactive? Because one of the things is, I always say is that, for
many years a lot of the agencies were only listening and taking information from
the private companies and the businesses rather than turning it around and
sending it back. What types of proactive things did the Center create, what
initiatives or what programs to really make information available for businesses
to take action?

Ciaran Martin:

Well, I think what I remember was, it was very fashionable to do all these
charts with mission statements and so forth. But I remember trying to say,
"Look, we should be able to trace everyone's job in the NCSC to some sort of
useful outcome for the nation. And also we should be able to work out what are
the main things we do." And we narrowed it into four things, not speaking for
the current NCSC, it's been very ably led by Lindy Cameron, another Northern
Irelander, for four years now.

But in my day I think we focused on four things. The first was properly managing
incidents. So if you mentioned, WannaCry, we were all over it. We were issuing
guidance quicker than any other public authority. It was being quoted in the
Australian Parliament and stuff like that, which was great. If you contrast say
WannaCry with TalkTalk, which was a major breach in the UK three years previously
where the government said nothing and lots of people were panicking even though
it turned out it wasn't that serious a breach. It was like if there's a major
incident in effect in the UK, the NCSC will be all over it and we'll be all over
managing its impact on the UK. So that was the first thing, and that was really,
really core.

The second was, working out and directly helping to protect the most critical
thing. So a good example of that, Theresa May calls a snap election, general
election in 2017. We're aware of what happened in the US and elsewhere in 2016.
How do you mobilize at scale, very quickly, large scale protection of the
electoral systems. That's one example. But then you might do more longer term
work. So for example, published a big blog on how we were doing the cyber
protection of the new smart meter system, that sort of thing, the second thing.

The third and fourth are probably the most interesting because they were the
most innovative. So the third was actually, and this was fundamentally important
to the NCSC, it was there's a bunch of noise and pollution in the digital
environment that nobody's doing anything about. Why is that? And it's because of
economics because the market doesn't incentivize it. So let's take one area
where the market does work, threat intelligence. The government has a tiny role
in my view in threat intelligence because you've got brilliant companies
producing lots of threat intelligence and actually working very well with
government.

The government occasionally will get a bit that frankly the private sector is
not allowed to get because of the powers granted to organizations like GCHQ or
the NSA or Cyber Command or DGSE, and ANSSI in France or whatever it is. And the
government can find ways of sharing that. But other than that, the market looks
after its threat intelligence. Brand spoofing, now there's much more of a market
in it, but back when I started very few people were doing domain name
protection, were using DMARC and so forth.

So the government, we said, look, "What are the most spoofed brands in the UK?"
We came up with oh HMRC, the tax authority. HM Revenue and Customs. It's our
most spoofed brand as far as we can tell. HMRC came up with this, and said, "Let's
do a DMARC pilot." We configured the DMARC pilot not just to stop deliveries
of impersonation attempts against the HMRC domain, but actually delivery to us
so we could count them and see where they were coming from. We blocked 500
million in one year. So that's 500 million instances where faking didn't arrive
in somebody's inbox, and they had to decide, can they trust us or not.

We did some automatic take down requests. So we always knew that if we went to a
web host and said, "Look, we think your domain has been misused," they'd take it
down, et cetera. But doing that manually was only a drop in the ocean. Doing it
in an automated way meant that we got the average time today in the UK for a
website, malicious website hosted in the country, down from 27 hours to 45
minutes. So we started doing stuff like that, looking at where the market wasn't
working and doing direct interventions, not public-private partnerships or
information actually that the government will do this. So that was the third
thing.

And then the fourth thing was actually doing things like giving general advice.
So instead of just working with the critical sectors and the defense and the
national security industry. I think it's a slight caricature, but if you look at
British government cybersecurity advice from say around 2012, you were saying to
a mid-size charity or a small chain of florists or whatever it is, "You need the
cyber defenses of a nation state." "But we're florists, we can't afford that."

Joseph Carson:

We got one person who's doing IT about 20% of their time.

Ciaran Martin:

Exactly. So we gave them things like logging in easy, that sort of thing where
you showed them how to do things. We refined password policy, we got a
behavioral psychologist to do that groundbreaking study, the brilliant Angela
Sasse of UCL, who showed that current British government password policy based
on American policy of 2003 meant that if you followed it and you had 25
accounts, which was the average at the time, then you were asking people to
remember the equivalent of a 600 digit number that changed every month. So you
had to change it. And so we gave simple...

And I remember one day, I remember when one of my children was at the transfer
between primary and secondary school age, going around a whole bunch of schools,
what you do in this country at that stage in life. And several of them, they had
NCSC password advice for kids on the school notice board. And I thought, yeah,
that's the impact here. And I was like, "Basically, here's what you do and
here's how you do it and here's what general internet safety looks like." And
that was a moment of real, I suppose, pride, that you had had some impact.

So those are the four things, incidents, critical protection, direct
interventions, and bits of the ecosystem where the market wasn't working and
guidance to everybody.

Joseph Carson:

I think that's great because one of the things is that is when we look at cyber
attacks and we look at all the things, majority, a lot of them are
opportunistic. But they're not targeting the critical infrastructure, it's a
small businesses out there. It's the individuals, the citizens. So if the
guidance doesn't apply to everyone, then you're missing a large part of the
threat landscape or the threat, the targets that attackers go after. So
absolutely, it should be cybersecurity for all.

Ciaran Martin:

I think that's right. The Russian state on the other hand, again, not being nice
to the Russians, but they have no history of that type of commercial espionage
attack. However, if you happen to be representing a bunch of high profile
individuals with connections to Russia, then you might want to watch out. It's a
bit like, it's important for everybody to assess their own risk. Then everyone
is at risk for criminal ransomware type attacks or data theft attacks, but
they're not particularly targeted. And that's where it does get a bit Darwinian.
So whilst I wish, and we swiftly got over it.

But to go back to the story about Ian Levy and his Australia speech, whilst we
joke that perhaps we should be more delicate. The idea that you're just trying
to outrun another target isn't wrong. If you make cyber criminals work harder,
they will be more likely to leave you alone and go somewhere else.

I think when you're running a national center though, it's really important that
you're flexible and adaptable. So one case that stayed with me a lot, and it's
all seeped out into the public domain by now, was a company called Mammoth
Productions, which is now owned by ITV I believe, but at the time was
independent, small. Based out of Northern Ireland, made documentaries and it was
making a program that apparently provoked the ire of the North Korean state. And
so the same people who went for The Interview and went to Sony after The
Interview movie seemed to go hunting for them. And I think that's the
government's problem.

I don't think you can reasonably expect a small company with two figures of
staff who are doing something that's perfectly permissible, free speech country,
make any documentary you like, as long as you're doing so responsibly and within
the law, which they absolutely were. And then if a nation state comes after you,
it's not their job to take all a nation state on their own. It is their job to
protect themselves better from ransomware. It's everybody's job to protect
themselves better from ransomware and other forms of criminality. It's not their
job to take on a hostile nation state with elite cybersecurity powers. That is
for the government.

Joseph Carson:

Especially, we are in the world now, where basically it's no longer just
basically individuals with a specific set of skills, but we're now into whole
supply chain of cyber criminals. And they all specialize, especially from you've
got cyber mercenaries who are basically cyber attackers for hire that nation
states will actually leverage. So it's really getting too difficult the ...
organizations. It's a point that you need to do what you can in order to make
yourself resilient as much as possible against the most common types of cyber
attacks.

But when the nation state comes after you, that's really where you start. You
can't do it alone. And even I say that even countries alone can't do it alone.
We all need to work together. We need to make sure that we have less places for
safe havens for cyber criminals to operate. And the more we work together, the
more collaborative that we can prevent and become resilient to nation state
cyber attacks as well.

Ciaran Martin:

Absolutely. Two points on that. One is, the safe haven problem for cyber
criminals is massive. It's probably, in my view, the single biggest problem in
mainstream cybersecurity today. And there's limits to what we can do there.
Russia, physically the largest country in the world harbors them and there's no
prospect of that ending anytime soon. So that does mean that, I mean, I think
sometimes we underestimate just how much that type of cyber crime has changed.

Policing, I'm not an expert in policing, but when I was being well brought up,
my idea of the contract between citizen and police was, if you were the victim
of a crime the police would, A, take you seriously and sympathetically, and B,
go after the criminals. And then cybercrime emanating from Russia, they can't do
either of those things. There's too much of it to give individual tailored
attention to all but the most serious victims. Secondly, you can't go after them
in Russia.

It does, to some extent, break the model of policing. So we have to build our
defenses up. And that brings me to your other point, Joe, about international
cooperation and some of that was absolutely fantastic, that I enjoyed. I
remember during WannaCry having a long call with my then Israeli counterpart,
Eviatar Matania, on a Sunday because that's the first day of the working week in
Israel.

Joseph Carson:

When they started the working week.

Ciaran Martin:

Exactly. So they were telling us what to expect and what not to expect, which
was hugely helpful. I remember, despite all the shenanigans with Brexit and so
forth, the relationship with France was superb and improving all the time. I was
in office. The relationship with the US was phenomenal and I don't think we
could have done anything like what we achieved without the underlying
capabilities of the US generously given in partnership.

So I think there's so much. We enjoyed a good partnership with Estonia and other
Baltic and Nordic countries. And it was quite an interesting thing, with a few
sometimes spectacular exceptions, it was very, very apolitical and very
informal. It was just a bunch of people coming together. What have you got, what
capabilities, what information? And trying to work it out from there.

Joseph Carson:

I think it was really important as well, I think as the UK was going through the
National Cyber Security Center kind of path and really establishing that the US
really also started going through with the CISA and with Chris Krebs coming in
and what they did. It's also very similar to becoming rather than just a
intelligence and understanding the threats, but also becoming much more
proactive and creating best practices, and sharing. I think that was a
significant, for not just many countries following that same path, and then of
course with Jen Easterly continuing that.

One of the questions I'd like to ask you as well is, recently the UK launched
the AI guidelines as well because that's also becoming a big area of focus,
especially with generative AI. What's your thoughts around the best practices
and the guidelines that come out? And also EU then followed with the EU AI Act
as well. Is there anything that you see evolving around that and what do you
predict the coming year related to those?

Ciaran Martin:

Well, the easy answer to that is, let's have another podcast because there's so
much to unpack there. I think three things, as briefly as I can. Firstly, we
need to guard against AI doom mongering. I think having one of the frustrations
is having just, I think, just won the argument against cyber, both distorting
and infantilizing the distorted priorities away from the sort of mainstream
protection of hospital administration networks, for example, and towards the
sort of preventing things like planes falling out of the sky, that actually we
were probably quite good at preventing it already.

Joseph Carson:

SKYNET's not happening anytime soon. It's not.

Ciaran Martin:

No, exactly. We need to guard against that type of doomerism. But that's not to
say that there aren't real challenges, which is why I think actually taking a
chunk of the problem... Because in the age of AI, how you protect against
disinformation is different from how you protect against bias and public
services, which is different from how you protect against massive disruption in
the labor market, which is different from how you protect against misuse of AI
in military context, et cetera, et cetera.

And so actually I think if you look at the UK's paper on AI risk, it looks at
biochemical weapons as one of the most serious risks. And I think a lot of
people who are more expert than me would agree with that. And it looks at cyber
as something to pay attention to. And so I think the UK, US and other joint
paper at the end of 2023, is really good in that respect because it's sober,
balanced, specific.

And essentially I think the key thing with AI and cyber is that as ever there's
a race on between good use and misuse of the technology. And history would
suggest that there's some sort of equilibrium, which is that, if you can use AI
automation for bad. If you can get WormGPT to say, "Write me something evil,"
you can get GoodGPT to write you something just as good, that will block it,
maybe after a bit of a time lag. And providing that equilibrium holds we're
okay, but we need to be really, really vigilant about that. So I think that's
good.

So warn against doomerism. Good international approach in cybersecurity. The EU
AI Act, I think first of all, there's some way to go on this. Secondly, I have
some sympathy with the skeptics about it. I think fundamentally when I talk to
politicians about cybersecurity, I say, "Look, first of all, what tone do you
want to set on technology? Do you want to set the tone that this is an
opportunity with some risks to be managed or potentially catastrophic risk with
little upside?" So being careful. And I think the EU AI Act is a little bit,
well, where's the innovation coming from, or are you just going to regulate
somebody else's innovation?

The alleged concerns of the French president, I think if accurately reported,
are ones that I might share. The fact that it seems to really go for regulation
of research rather than product and services, I think. But again, all this is
some way to run and details do matter. So we'll reserve judgment for a while.
But I think some of the skepticism and concern about it being overly regulatory
and not focused enough on European innovation and taking advantages of AI, is at
this stage, appears justified and needs addressing.

Joseph Carson:

Absolutely. I think they're taking two very distinct different approaches, but
it'll be interesting to see where the convergence eventually comes from both of
them. One thing I did like around the UK's guidelines, which was in cooperation
with CISA and a few other partners, was around really breaking down AI and these
components because sometimes we bundle everything up on this massive broad
perspective of AI. And really get into, focus around AI agents, about large
language models, machine learning. So really broke it down into much more
meaningful chunks and really focus around, let's get a baseline going and here's
some guidelines that you can be proactive about. Where the EU AI Act was more
about, let's restrict, audit and get into the really focus around what
you must be doing. But not really breaking it down into the simple components of
what the service is, ultimately that AI agent's doing or algorithm is doing,
didn't really classify into the intention of the algorithm.

Ciaran Martin:

Completely. And I think splitting that down is really important. The great
professor Michael Sulmeyer, formerly at Harvard and now in the US government
once said to me, he said, "Oh, I'm saying this AI stuff, should be a little bit
skeptical." He said, "Oh, absolutely." He said, sometimes when people say to me,
"AI," I go, "You mean hard sums?" I think probably in these days we'd both say
that's going a little bit too far. Maybe he wouldn't, I don't claim to speak for
him. But there've been all their experts saying, "We wish we'd come up with a
different term." Advanced high-speed content... But there's so many different
applications of AI that sometimes I think the sheer breadth of the term doesn't
help us.

Joseph Carson:

Absolutely. I think it's too broad. We need to simplify it and bring it down to
really, what is the outcomes? I always like, I liked when Dark Tangent referred
to it as predictions. What is the predictions making? And Alex mentioned it as,
algorithm utilities, which I like some of those terms.

So Ciaran, it's been fantastic having you on and it's really been for me, it's
always educational listening to you and some of the insights that you have and
the journey you've been on. Where can people follow you or catch up with you?
You mentioned you're doing some writing, are you writing blogs or are you coming
up with your own book at some point?

Ciaran Martin:

Well, so I'm hanging in there on X, @ciaranmartinoxf, not posting very much. I'm
on Mastodon at InfoSec Social, and using Bluesky a bit more frequently. My
newest resolution is to write more. So I write some blogs on the backs of
government website and I will possibly reactivate my Substack. But please, I
will send you my stuff, Joe, and you can use your impressive and growing
audience to amplify it. But yeah, I very much want to try. For various reasons,
I didn't write as much in 2023 as I had done in previous years and would wish
to. So if that's my New Year's resolution, and we're a bit into 2024 now, and I
think I'll hope to have some stuff out in the future.

Joseph Carson:

Fantastic. It's been fantastic having you on. Always enlightening. And for the
audience, definitely-

Ciaran Martin:

Congratulations again.

Joseph Carson:

Thank you. For me it's a milestone. I never thought I would get to... It's
almost three years now and they're running. And what I enjoy is I get to talk to
awesome people like you on a frequent basis. And that's for me, the value of the
podcast is to want to share the knowledge, but also to get to chats on a
frequent basis with amazing thought leaders and industry changers.

Ciaran Martin:

Well, thank you very much for having me.

Joseph Carson:

Thank you very much. So for the audience, again, it's been fantastic having
Ciaran on. Tune in every two weeks for the 401 Access Denied Podcast, and to
look forward to having more conversations and great insights going forward. And
thank you, stay safe and take care.
