Your cyber intelligence source

NCSC founder Ciaran Martin: 'Britain leads the way'

The government trailblazer speaks exclusively to SC Media about the future of global cybersecurity 

Industry veteran Ciaran is the brains behind the UK National Cyber Security Centre, part of GCHQ, and Professor of Practice in the Management of Public Organisations at the Blavatnik School of Government, University of Oxford.

As a cyber pioneer, he led a fundamental shift in the UK’s approach to security in the second half of the last decade. Ciaran successfully advocated for a wholesale change of approach towards a more interventionist posture and this was adopted by the government in the 2015 National Security Strategy, leading to the creation of the NCSC in 2016 under his leadership.

Here he speaks to SC Media UK editor Alicia Buller about Britain's cyber future:

Ciaran, how do you think the UK’s National Cyber Security Centre (NCSC) is leading Britain’s security battle?
At the time it was set up, the NCSC was a pretty radical departure from the way the UK and most other countries were doing things – there was a lot of talk about the fact we needed to set up a single point for cybersecurity. Governments had been quite passive until then and we wanted to take a lead from the US.

We decided that we needed to be more activist about cybersecurity. We are trying to help configure organisations better so they are better able to deal with attacks. For example, if you think back to the TalkTalk breach in October 2014, it was the first time in British history where a cyber incident led the national news but the government was absent from it as it didn’t have any agency or authority.

But today the NCSC has a really strong voice and is able to offer advice about what to do. And it’s just not a voice – it’s a mechanism. If you take the heightened cyber fears around the Ukraine war – the NCSC gave quite a lot of advice on what you can do. At a time when it’s really fashionable to bash state institutions, the NCSC actually has hundreds of highly-skilled people that the private sector would kill for if they could.

How has the UK cyber landscape changed since you set up the NCSC in 2016?
It’s always been the case that technology keeps changing but, increasingly, so much of these determinants are based around non-tech factors. And there’s only so often you can tell people to change their behaviour.

At what point do you start bringing out mandates? What’s more, the politics of the internet are changing – it’s no longer a single internet, it’s a US bloc, a Chinese bloc and wider blocs.

Ten years ago, to do cyber well you could just contain networks in a single organisation. Now there is a whole range of nation state attacks and economics to consider. I am still really positive about our progress… if you go around the world, there is lots of debates about the NCSC model being copied. Our model has stood the test of time.

While you’re here Ciaran, should the UK make it illegal to pay ransomware fines?
In principle, it should be made illegal to pay ransoms, but there are many people whom I respect who disagree. In most walks of life it is normally illegal to give money to criminals, even if you’re in a desperate situation. I would start a policy review on the presumption that burden-of-proof would be on those who think they should not be illegal to prove their case.

At some point we do need to produce a robust published policy analysis to look at the pros and cons. My starting point would be unless there are extremely powerful reasons not to ban ransomware payments then we should think about making them illegal.

Given the rise in ransomware and data breaches, isn’t it time for a ‘Cybercom’ regulatory body?
I wouldn’t support that. Cyber isn’t a thing in its own right. It should be part of business risk as usual. All operational resilience is related to cybersecurity. The missing link today seems to be around corporate governance – how do you put cyber into the rulebook for companies? They may not have primary force of legalisation but organisations still have to obey them.

And finally, what role does insurance play in protecting Britain from the cyber baddies?
The cyber insurance industry has been likened to a ‘maturing teenager’ – we need to conduct a hard-headed analysis of the way that cyber insurance is going.  There is much more scope to involve the insurance industry in cybersecurity.

 If we get it right, cyber insurance is huge part of the solution. We need to have a better discussion around how to price harm, risk and protection. How much does a data breach cost? Most of the figures are invented. How do you incentive against ransomware? This is a technical discussion that could be transformative if we get it right.

 Cian Martin conducted this interview with SC Media at the International Cyber Expo.