A safe pair of hands

Ciaran Martin has been instrumental in thwarting criminals in their attempts to defraud billions of pounds from organisations and individuals. Now the leading cybersecurity expert is joining the fight against online crime in Scotland. Can we all feel a little safer?

Ciaran Martin, the former chief executive of the National Cyber Security Centre, is joining the fight against online crime in Scotland. But his connections to the country run deeper than his new board role with the Scottish Business Resilience Centre (SBRC) suggest. As lead official negotiator for the Prime Minister and Secretary of State for Scotland, in the run-up to the Edinburgh Agreement in 2012, he helped pave the way for the Scottish independence referendum two years later. His distinguished government career has seen him occupy various Cabinet Office roles including director of security and intelligence, from 2008-2011, and head of the cabinet secretary’s office from 2005 to 2008.

And now the Oxford University graduate is back in the city of dreaming spires to teach the next generation of Whitehall mandarins and international practitioners of statecraft, albeit with a 21st-century technology slant. I speak to Martin over Teams, and he’s enthusiastic about his new academic role as professor of practice in applied government at the university’s Blavatnik School of Government. “It’s a superb institution – it’s my old university and I love being in Oxford,”he says.

“We have students from more than 50 different countries on the masters’ course I’m involved with. But I think my mission, if that’s not too grand a term, is the promotion of public trust in technology and working out how governments can best do that.” Martin helped George Osborne establish the National Cyber Security Centre (NCSC) in 2015 following growing public concern about cybersecurity, and several high-profile data breaches, including that at TalkTalk. The organisation was inaugurated in October 2016 as the public-facing arm of GCHQ, in what was a genuine departure for the secretive world of Britain’s clandestine ‘listening post’. Over the course of the next few years, NCSC gained a reputation and much credit for thwarting literally billions of phishing and spoofing attempts plaguing citizens and businesses alike. When I ask Martin about his proudest moment in office, he pauses, before offering the Active Cyber Defence (ACD) programme, which he describes as “genuinely world-leading”. Aimed at the public sector, ACD beefed up the nation’s cyber defences with a suite of products and services, including an automated takedown to remove malicious content from the web, web check, the DMARC mail check service and the protective domain name service (PDNS).

He says: “We recognised that there are structural problems with the internet which people aren’t incentivised to fix; so, we thought how are we going to do this? But the fact that the UK share of phishing actually went down from 5.5 to 2 per cent over the next three years is testament to its success. NetCraft [the phishing service operator on behalf of NCSC] automated requests to website hosts to take down dodgy websites, and that was really clever, yet really simple.”

NCSC went about its work by helping to rationalise the vast digital footprint of government, removing outdated websites from the cluttered IT landscape. It was, in fact, a so-called ‘dormant domain’ that had led to the TalkTalk attack. “We helped clean all that up in government,” says Martin. Under Martin’s leadership, NCSC helped Britain’s public bodies take a lead on cybersecurity, and adoption of certain ACD tools has been universal in local government in Scotland. According to its annual review 2019, the web check service was in use by all 32 local authorities in Scotland, a 100% coverage rate compared with 97.75% across the UK as a whole. As for what Scotland should focus on as it updates its national cyber action plans – a process currently underway – Martin says: “It’s not for me to lecture the Scottish Government, and Scotland has many things going for it in cybersecurity. Take-up of the automatic protections available through the NCSC was very high when I left, and I expect they still are. And I include in Scotland’s advantages the way in which central government, local government, the emergency services and business come together and that’s why I like supporting really excellent organisations like the SBRC.“ If asked, I’d say the top three priorities would be the resilience of critical services, incident preparation – I’m pleased they’re taking Exercise in a Box [an online tool which helps organisations test their cyber attack responses] so seriously – and making it easy for small organisations and individuals to do good cybersecurity easily.”

He adds that Scotland is “actually pretty good at joining up cyber defence” but cautions: “Information sharing is useful, but we can rely on it too much: it’s not a silver bullet.” Covid-19 is inescapable when it comes to cyber, such has been the rise in cyber incidents in 2020 compared to the previous year. Martin is keen to talk about the subject, as it is deeply entwined with his interest in public trust in technology, which he describes overall as “okay, but a bit wobbly”.“ When it comes to public trust in technology, the lesson of 2020 is that technology is now essentially a public good,” he says. “I think the pandemic would have been far worse if technology hadn’t stepped up; the technology industry should be proud of its performance, as it faced a massive increase in demand, which it met.” He cites among the many heroes of the pandemic the BT and Vodafone engineers who kept people’s internet services running, for which he was pleased they received recognition in the Queen’s Birthday Honours. Migrating huge numbers of people to online working was also evidence of technology ‘passing its test’, and Martin praises the SBRC again for assisting businesses in Scotland make that transition. “SBRC did some good work with NCSC on these huge migrations to online working, which is highly risky; it was a sudden unplanned change in business processes, but it was handled well,” he says.

As for how we build public trust in technology for the future, Martin believes with new technologies such as AI and automation, we have an opportunity to improve internet security, by design.“The technology we use now was mostly designed without security in mind,” he says. “That’s no one’s fault, it’s just the way it happened. We ended up with a set of services where people got free access to web services for the price of their personal data. That wasn’t great for security. Now, if government and industry work together properly, we can bake in security and resilience into the new technologies. That’s the great security opportunity of the 2020s.”

Hacking the system: Martin on North Korea, Brexit and freezing the assets of oligarchs

WHERE ARE OUR BIGGEST GAPS IN CYBERSECURITY?
I never lost any sleep over the big nation-state attacks because you have to accept that there are going to be attacks and our job is to repel them as best as we can. The things I always worried most about was ransomware in small but important organisations, such as health boards or local authorities. There are too many organisations that do important things like provide vital public services that are too susceptible to being extorted by criminal gangs. If they lose access to their networks, then there’s big trouble

IS A LACK OF SKILLS HOLDING US BACK?
I’m not what I would call a Cassandra on skills. It’s very easy and it can be a bit of a cop-out to say there aren’t enough skills to do this. I was genuinely at the start of NCSC advised that it was too ambitious because there weren’t enough skills but if I’d listened to that we wouldn’t have it at all.

HOW CAN YOU TELL THE DIFFERENCE BETWEEN CRIMINAL GANGS AND HOSTILE NATION CYBER ATTACKS?
Well, it’s never perfect and Wannacry was an interesting case in 2017 when it looked like criminals doing ransomware, but it turned out to be North Korea. But there are several indicators, and you can reach conclusions a lot of the time. GCHQ teams and indeed still serving individuals have been tracking the same Russian group for over 20 years. They leave digital footprints and they code in a certain way using the same words in Russian or broken English and you can see that it’s them again with a reasonable degree of confidence. There are also situational indicators; I’m not being nice to the Russians, but the Russians don’t tend to steal personal data of random citizens.

HOW CAPABLE AS A CYBER NATION IS THE UK?
The UK has a defensive way of thinking. We’re ranked number one in the world by the ITU [International Telecommunication Union] for cyber defences so there’s an element that we’re harder to attack than other nations. You then get into offensive cyber capabilities and I don’t really know where the UK ranks in that. We act with restraint and to legal and ethical standards that others don’t, so it’s a very hard thing to evaluate.

WHAT ABOUT BREXIT?
I am not sure that Brexit – important as it is for a whole bunch of things – makes a huge deal of difference here. When I was in office at the NCSC, international relationships were incredibly important but membership of the EU in and of itself made relatively little difference one way or the other. Except in the field of data regulation, the continent of Europe is not a tech superpower. To remedy the current problems, we need broad alliances of like-minded countries going beyond Europe and beyond the Five Eyes [the intelligence alliance comprising Australia, Canada, New Zealand, the UK and the US].

TALKING OF TECH SUPERPOWERS – SHOULD WE WORRY ABOUT THE US AND CHINA?
This is the great challenge of our age. The whole continent of Europe is in a real bind over the lack of its own technological base. It’s a real vulnerability. But it’s way more complicated than just saying we’re not doing enough to support innovation. We in the West face a competitor capable of planning over decades with a single, unified market of 1.5 billion, and an ambition to dominate technology. Competing with that is hard across a bunch of disparate democracies. But that’s what we’re going to have to do.

CARE FOR A RE-RUN OF THE EDINBURGH AGREEMENT?
We will see, but I’m happily at the university now. Looking back, it was a very different engagement with Scotland and the Scottish Government but fascinating and, you know, I’m not commenting on the politics, but various participants emerged with credit from the process of dealing with such a highly contentious issue in such a constructive way. And whatever else was happening, the referendum itself was a process which, it seems to me, the Scottish people had confidence in.

WORKING FOR THE SBRC
The work that the SBRC does is unique; the collaboration and connection it has with its partners has helped to cement its position as one of the foremost business resilience organisations in Europe. I look forward to working with Jude [McCorry, SBRC chief executive] and the team to support their vision and further enhance the organisation’s cybersecurity expertise.

BACK TO THE RUSSIANS
Cyber is not a boxing ring where you’re only allowed to punch in a certain way. You can use the full tools of statecraft. If you take Russia, some things that work with other countries don’t work with Russia. So, attribution, calling them out diplomatically, Russians don’t care about that. Whereas actually freezing the assets of Russian oligarchs – for example some of the work that the National Crime Agency is doing – that does annoy them and have an impact.