In February 2020, as the spectre of COVID-19 loomed heavy, Ciaran Martin, then the chief executive of the UK’s National Cyber Security Centre (NCSC), spoke alongside his US counterpart, Chris Krebs, at a security conference in Munich.
During this discussion, the “early warning signs” of a coming ransomware storm lingered in the back of their minds, he tells IT Pro. Both saw the rumblings of an impending wave and were keen to emphasise the necessity to tackle this oncoming threat.
“It was almost like the start of a volcanic eruption,” he recalls. We were both very concerned about it and were saying that we really need to try and do as much as we can to limit this threat. But obviously, a month later, the world locks itself down due to COVID-19.”
Martin served as the founding chief executive of the NCSC from its launch in 2016 until mid-2020. Since leaving the institution, he's joined the University of Oxford’s Blavatnik School of Government, and in January was appointed as director of the SANS Institute’s CISO Network for EMEA, playing a key role in bridging the gap between industry stakeholders and government.
The widespread global shift to remote working that COVID-19 triggered presented challenges for security practitioners, organisations, and governments globally, Martin continues. In the three years since, the global threat landscape has evolved significantly amidst the emergence of highly capable, sophisticated cyber crime groups and state-sponsored threat actors.
The changing face of ransomware
2021 was, by all accounts, the worst year on record for ransomware – and cyber threats more broadly speaking. Research from AAG found more than 623 million ransomware attacks were recorded worldwide that year, marking a 105% increase against 2020. Similarly, AAG found more than one-third of organisations globally suffered an attempted ransomware attack.
While the threat landscape has ‘mellowed’ to some extent, with ransomware attacks decreasing in recent months, Martin admits there are still serious warning signs that shouldn’t be ignored. For instance, attacks against critical national infrastructure (CNI) and public services are still everpresent, he believes.
Earlier this month, the FBI published its 2022 Internet Crime Report, which highlighted the lingering danger of cyber attacks against CNI organisations across the last year. The bureau revealed it received 870 notices from CNI organisations affected by ransomware, with three of the top ransomware groups – LockBit, Hive and ALPHV/BlackCat – linked to 350 attacks.
The essential guide to preventing ransomware attacks
Vital tips and guidelines to protect your business using ZTNA and SSE
Given the hands-on learning experience of attacks such as the Colonial Pipeline incident, Martin says that the world needs to sharpen its focus on cyber resilience to ensure the next ‘big hitter’ can be repulsed or better managed by authorities.
“I think there are important lessons to learn from, particularly in terms of resilience,” he says. “We’ve always typically viewed ‘resilience’ as hard plant infrastructure. But I think post-pandemic with the ransomware increase, we are starting to think about cyber resilience in a ‘usefully mundane’ way.
“Every organisation, no matter what they do, should be thinking about ransomware. If you’ve got a computer network, there’s a serious risk you’re going to lose it at some point,” he adds. “It could be an accident, an IT configuration error, or it could be criminals coming in and demanding money. It’s about really asking what does losing your network mean to you?”
How ransomware operators can take out CNI
Martin is keen to highlight the Colonial Pipeline incident as a prime example of how easily an organisation can be compromised by non-linear attack methods, which he believes raises questions about the safety of broader CNI.
“What Colonial Pipeline showed us is that an ordinary commoner garden ransomware attack can actually take out the pipeline without touching the pipeline,” he says.
“It didn’t jump from the enterprise system into the pipeline. It messed up the company’s ability to organise itself so much that it forced them to make the decision to shut down the pipeline because they couldn’t operate it safely.
“Critical functions can be severely disrupted without attacking the critical functions, but just attacking the things that help you run them, which tend to be less well protected.”
With this in mind, looking ahead, Martin suggests it isn’t out of the question for a similar situation to unfold within key critical industries in the UK.
Take the national rail network, for example. Speaking in a hypothetical sense, Martin notes to wreak havoc on the country’s transport infrastructure, threat actors could conduct an attack in a similar fashion. No direct attack on infrastructure would be required, just the key background functions that make the network tick.
“Going and taking out the whole signalling infrastructure, for example, would be very difficult from a technical perspective. You’d need a very sophisticated operation, expertise, time, money, and a degree of luck,” he says. “But just deleting timetables, or staff rosters, or stopping people from paying suppliers or staff could cause major disruption. That’s what worries me.”
We’ve seen similar situations like this play out in the past, Martin notes, specifically with the attack on the Irish healthcare system in May 2021.
"Did a single piece of hospital equipment fail? No. It was fine. No operating theatres were losing power or any horror stories about equipment failing mid-operation,” he continues. “What happened is that due to ransomware, the booking system that said ‘you’re going to this hospital to see this doctor’ was disrupted. And, of course, that had a huge detrimental effect on healthcare.”
Horizon scanning to future-proof against CNI attacks
The 2022 Hornetsecurity ransomware attacks analysis
Stay ahead of the curve with the latest industry trends from our cyber security experts
Looking ahead, Martin says that horizon scanning by the relevant authorities will be key to ensuring the next major attack can be thwarted. This is an area he’s keen to praise the US and UK governments for – both of which have made significant strides in maintaining a vigilant posture amidst a troubling period.
“The UK has done a decent job with horizon scanning for threats,” he says. “As have the Americans. They’ve introduced a system which is analogous to what happens in air traffic accidents where if you have a near-miss or an accident, it triggers a formal review.”
Earlier this month, the Biden administration unveiled the National Cybersecurity Strategy – and CNI was a key focal point in this announcement. The cyber strategy touted the creation of minimum security standards for CNI operators, in addition to closer alignment between federal agencies to issue early warnings for security threats.
“I think the US strategy is really good,” Martin says. “Especially in terms of CNI requiring these minimum standards, but also putting obligations on software providers developing code. On the UK,” he adds, “I’m generally in favour of the current direction of government policy and the way this is working at present.”
‘Defenders get a vote’
Crucially, Martin maintains a positive outlook for 2023 and beyond. The last three years have proven that organisations and governments globally can contend with evolving threats and risk, he believes.
The war in Ukraine showcases this, Martin notes. In the weeks preceding the invasion, hyperbolic discussions over a veritable cyber onslaught on the West were commonplace and, while this failed to fully materialise, the incidents that did occur were relatively contained.
“Paul Chichester, director of operations at the NCSC, said that a key lesson of Ukraine is that ‘defenders get a vote’ – I think that’s a great outlook,” he says.
“In other words, yes, there’s lots of scary events going on out there, with a lot of hype and fear and an awful lot of risk. But let’s not fall into the trap of mistaking that for powerlessness and note having any agency or choice. We have a vote. There are lots of things we can do to protect against cyber attacks. And while we’re not going to be able to afford or have time to do all of these, we have a choice. I think there are grounds for optimism here.”
