Prepare for major cyber-attack, warns National Cyber Security Centre
The technical director for the National Cyber Security Centre, a part of GCHQ, has warned about the possibility of an unprecedented cyber-attack within the coming years.
Speaking at an event hosted by security software company Symantec, Ian Levy said he was “reasonably confident” that a major attack will happen, and that organisations should be prepared.
“Sometime in the next few years we’re going to have our first – what we would call – category-one cyber-incident; one that will need a national response.”
Levy said he expects the initial reaction to a category-one attack to be assertions that nothing could be done to stop it, but that an independent investigation will show that the attack was entirely preventable. Much of the blame, he said, should be levelled at organisations that don’t understand the data they have, and try to outsource their risk to firms that only mystify the process of cybersecurity.
“My concern is that, unless we start to put some science and some data behind cybersecurity, and start to demystify it, [a major attack] is really going to happen. I think we can stop it happening, but the trajectory I see at the moment around how cybersecurity is talked about – how people put militaristic analogies around it that make people feel they can’t defend themselves – is actually really dangerous.
“We want to publish data, publish evidence, and make sure people know how to do risk management properly. Because in the end, cybersecurity is just risk management. You do legal risk management, you do HR risk management, you do finance risk management. Why is cybersecurity so fundamentally different? I don’t think it is.”
Alphr asked Levy whether he thought a category-one incident would fundamentally change the power balance between government and private technology companies. Could something on the scale of a major attack on hospitals or infrastructure catalyse a push for greater regulation of technology makers and platforms?
“When there’s a flood do you regulate the pump stations? No.”
Levy added that he didn’t think mass regulation of a sector would be the right answer to a major incident. He also noted that it really depends what sort of technology company you are talking about when you speak about regulation. Widespread state control across the sector, in a reaction to a major society-wide attack, may not be the most useful solution.
Dr Jessica Barker, an expert on the human nature of cybersecurity and co-founder of security firm Redacted, told Alphr that it may indeed take a major attack to provoke a widespread security reaction: “A lot of work in cybersecurity comes from an experience of an incident, or a near miss, or seeing someone or something like you having that incident. So some organisations will increase their cybersecurity measures when they see a similar organisation facing an attack. So I hope we wouldn’t be that reactive, but that is what we often see in this space – that a big incident is what will galvanise change.”
Levy said that in the approximately 11 months since the National Cyber Security Centre came into existence, it has seen more than 500 incidents. Most of these are classed as category three, which means only a single organisation has been affected in some way, but 30 were category-two incidents – including the WannaCry ransomware attack that hit the NHS.
With the spread of interconnected Internet of Things devices, notably within the healthcare sector but also within transport and energy, there have been worries that a major cybersecurity incident could encompass a very direct threat to human life. Levy emphasised that viewing humans as the weakest part of the chain is “stupid”, and that more should be done to create tools that are understandable and demystify cybersecurity for all users.
“We’ve started saying people are the strongest link,” he said. “If you can leverage your people better, they can be the first and last line of defence in an organisation. I think that’s the learning people need to take: stop blaming the users, and make the systems usable.”