The world’s increasing reliance on the internet to run crucial infrastructure has shown how important cyber security is for utilities, businesses and countries. Former deputy head of GCHQ Marcus Willett tells Emily Moore how companies must mitigate their risks.
Sponsored Content
If anyone had doubts about society’s reliance on the internet, the Covid pandemic highlighted, more clearly than ever, just how dependent people had become on cyber space for everything from work and maintaining connections with family to ordering groceries and keeping up with the news.
But, as world-leading cyber adviser Marcus Willett explains, while speaking ahead of last week’s Channel Islands Cyber Security Conference, such reliance on digital technology is only going to become ‘even more profound’.
‘People might ask why cyber security is so important and the answer is simple,’ reflected the former deputy head of GCHQ. ‘So much of our critical national infrastructure – from our energy supplies to our health services – is dependent on its connectivity to cyber space. That is going to grow massively in the next few decades as more and more of our everyday devices are connected to the internet.
‘As we look at a future of smart cities, smart cars and smart islands, it is vital that cyber space is secure and stable enough to support this shift. And those businesses and organisations which really get cyber security will better reap the dividends in terms of the innovation and prosperity which comes from being enabled digitally. This is something which really matters to our national and global future.’
While stressing the importance of cyber security, the senior adviser for cyber at the International Institute for Strategic Studies is quick to acknowledge the ever-evolving and complex nature of the threat landscape.
‘Even before Russia’s invasion of Ukraine, the picture was complicated,’ he said. ‘If you look back at the past few years, states have been highly active with incidents including Russia’s spying operation in which they took advantage of IT supplier SolarWinds in the US, the Chinese taking advantage of vulnerabilities in Microsoft Exchange servers, tit-for-tat cyber operations between Israel and Iran, and North Korea trying to syphon money from the global banking system. You also had the Russian-based cyber criminal ransomware attack on the Colonial Pipeline, which led to gas shortages across much of America.
‘Since 2017, cyber crime has mushroomed to become rampant and the war in Ukraine has only added to the complexity of the situation, with Russia accused by experts of carrying out “an enormous cyber offensive” against Ukraine’s national infrastructure.’
The way in which the war has impacted the cyber landscape was the main subject of Marcus’s speech at the conference, which was organised by the CIISF and Cert.je.
‘At the beginning of the war, we didn’t see the level of destructive cyber operations that many people had expected,’ said Marcus. ‘While there were exceptions – including a satellite attack which affected communications in Europe – that general restraint could be viewed either as Russia trying to prevent an escalation beyond the conflict zone or of their belief that they would quickly seize Kyiv, occupy Ukraine and therefore need the country’s infrastructure for their own use.
‘As the war has continued, though, and their attention has switched back to supporting separatists in the east of Ukraine, they have resorted to attempting to cause Ukraine massive disruption through cyber attacks.’
These attempts, though, says Marcus, have been largely unsuccessful.
‘There are four broad reasons that Russia has failed in this approach, the first one being that the Ukrainians have had a lot of cyber security assistance from western governments such as the UK and the US,’ he explained. ‘This has helped them to bolster their situational awareness and technical capabilities. Then there is the game-changing help they have received from the Western private sector, including the likes of Microsoft and Google. Both companies have produced a huge number of reports which have not only shone a vivid light on the nature of cyber conflict but are also just one indication of their level of assistance to Ukraine’s cyber security.’
Underpinning this combined government and private sector support is Ukraine’s own cyber security expertise.
‘Critically, Ukraine has developed a tremendous understanding of Russian cyber operations, as Russia has been operating on their networks for many years,’ said Marcus. ‘As a result of their own expertise, international government and private sector support, Ukraine has done the basics of cyber security, the things that we urge all businesses, governments and organisations to do.’
This ‘basic cyber security’ – which Marcus says will ‘stop most of the nasty stuff’ – includes implementing good password protocols, patching, access controls, network monitoring and third-party auditing of the security approach, as well as asking suppliers for evidence of such auditing to try to minimise security weaknesses in the supply chain.
‘These processes will stop around 95% of cyber attacks and would have prevented a lot of the damage caused by incidents such as the SolarWinds attack,’ he added. ‘However, in recognition of the fact that 5% of attacks will succeed, it is also vital to think about recovery and resilience. Ukraine has done this through, for example, storing critical data in the cloud outside the country, and this is another lesson for company boards to learn.’
While Ukraine’s diligence has played a key role in minimising the effectiveness of the Russian attacks, Marcus’s fourth broad reason for ‘Russian failure’ has been that ‘Russia’s offensive cyber prowess may not be quite what we thought’.
‘Russian doctrine talks about the need to integrate cyber operations into a military campaign but, with one or two notable exceptions, they have failed to do that,’ he reflected. ‘As a result, some European cyber security officials have described the attempts as “poorly synchronised and inept”.
‘Russia has also found that, because their invasion of Ukraine is so morally wrong, a lot of private individuals and groups have tried to do stuff to Russian networks, which has revealed the poor state of Russian cyber security.’
Although such actions may be understandable, Marcus sounds a note of caution.
‘There are around 300,000 private individuals or groups – often referred to as cyber vigilantes or hacktivists – engaged in cyber activity every day,’ he said. ‘This is a cause of concern because not only are they likely to be contravening the domestic laws in the countries from which they are operating (such as the Computer Misuse Act in the UK), but there is also a risk that their activity could be misunderstood or misattributed, which could risk escalating the conflict.’
Indeed, there is a general fear of a ‘spillover’ from the conflict, leading to a range of warnings from Western governments, with, for example, the US Cybersecurity and Infrastructure Security Agency launching its Shields Up campaign.
‘It is known that Russia has positioned capability on Western networks, including some that could be used against national infrastructure,’ said Marcus. ‘This sounds dramatic, but, as with Ukraine’s own defence, if the basic tenets of cyber security and resilience planning are followed, the risks can be significantly reduced. As part of this, it is worth noting that Ukraine has treated cyber security as a national risk, not as a technical subject left to technical people. If you translate that into a company setting, I would say Ukraine has done the equivalent of crossing the language gap that often exists between company boards and their technical people, and treated cyber security as a top business risk.’
Crossing that gap, Marcus continues, is key to securing a company’s future.
‘While Ukraine may have learnt the hard way, after enduring years of Russian attacks, it is a bad day, from a company’s perspective, if the first time your security is tested is when you are under attack,’ he said. ‘It is much better to have exercised that before so that not only are your systems stronger but you know how to recover and where you need to increase resilience should an attack take place.’
Having that resilience is, he says, vital if a company is to continue functioning after an attack.
‘While you build your defences, you have to accept that something may penetrate your system. And what happens then? In such cases, it is not just a technical problem but an issue which affects your bottom line, your ability to operate and your reputation with clients and shareholders,’ he explained. ‘There could also be regulatory fines or litigation if data have been taken and leaked. That is why it is so important for boards to ask the right questions of their people, to get the cyber security assurance they need.
‘As I said at the beginning, the world is becoming increasingly dependent on the internet. If you want to succeed and be competitive in a world in which digital enabling – and, unfortunately, cyber threats – is going to become more and more widespread, then being good at cyber security is a necessity, not a choice.’