Less fear and more transparency key to fighting cybercrime
Head of UK cybersecurity urges vigilance on visit to Dublin, which has a significant EU safety role
Ciarán Martin, chief executive officer of the UK’s National Cyber Security Centre, was in Dublin recently to address the Institute of International and European Affairs.
We live in ignorant bliss of the cyber threats security agencies have averted. It’s the nature of the beast that the agencies involved don’t make public the threats and therefore the public never get a real picture of what’s going on – and how close these threats came to reality.
There is a certain Hollywood effect about it all, conjuring up images of agents whispering in the safety of steel-lined bunkers, facing off against hackers cowering over keyboards in eastern European boltholes. The reality of cybersecurity and how states are dealing with it, however, is generally a lot less dramatic.
Ciarán Martin, head of the UK’s National Cyber Security Centre (NCSC) at the British intelligence centre GCHQ, is the point-man on how to tackle it and he appears anything but mysterious.
At a recent address to the Institute of International and European Affairs (IIEA) in Dublin he quickly raised this “Hollywood” effect – the spy-novel suspense that has come to surround cyber threats in an era of rogue states and political sabotage.
“Fear and mystique has been the enemy of sound public policy,” he said during a speech that touched on a new more enlightened approach to web-based crime in the UK – a crucial philosophy of openness and demystification.
“Western societies I think hamper themselves from doing cybersecurity well by spreading that fear, by not explaining very clearly what the risks are and the likelihood of it to materialise,” he told his audience.
“Everyone . . . is more likely, certainly in terms of the devices in your pocket, to experience serious transnational organised cybercrime than you are to experience the Russians.”
Mr Martin was in Dublin not just to help cool this cybercrime fever, but to conduct a series of high level meetings with Irish agencies – gardaí, Defence Forces, and our own National Cyber Security Centre – as part of his agency’s policy on international co-operation and understanding.
He promotes the idea that a greater level of security awareness and basic protections on an individual (person or entity) level will pay off profoundly on a national one.
It is this thinking that has cast the UK’s NCSC as “the most transparent public cybersecurity agency in the world”, he said, one that releases “unprecedented” levels of information for widespread consumption.
Speaking later to The Irish Times, Mr Martin said public communication was an essential part of its activities – even though it is based in the opaque world of GCHQ (Government Communications Headquarters).
“We believe it does have impact because it means that we can give people information which they can act on in a way that we couldn’t previously and that really matters in terms of attacks that are already happening. But also we can make it easier for them to protect themselves into the future,” he explained.
“I think in the period ahead it’s a clear sort of set path for us that we are going to be declassifying lots of information. There is some risk in that but it’s a managed risk because we believe the effectiveness far outweighs the risk.”
In the western world of the free internet, he believes, the opening period of the 21st century brought challenges in relation to how we adapt in a new digital epoch.
“We have really struggled in the first phase of the internet age to get public policy right. And I think that is changing. And it is changing here in Ireland; there is a lot more attention on it.”
That may be so – and Mr Martin would have some knowledge given his dealings with Irish State agencies – but it is not what emerged in a recent, less optimistic Comptroller and Auditor General (C&AG) report. In fact the audit, published in September, found that Ireland’s NCSC appeared to have no strategic plan, and raised questions over its funding structures.
The centre was established in 2011 with a view to “securing critical national infrastructure”; the C&AG found that an oversight body set up to monitor its performance had not met since 2015.
Of further concern was that Ireland is responsible for the security of services provided across the EU by multinational companies that have their European headquarters here. The C&AG found it necessary to critique the lack of any review of the NCSC’s performance.
As for funding, it noted an initial investment of €800,000 had dropped significantly between 2012 and 2015 before rising to almost €2 million last year.
Although a far larger operation for a far larger country, the UK equivalent, established in 2016, received an initial budget of £250 million (€287 million) to fund a staff of 850.
In terms of the vision outlined by Mr Martin, and its apparent ability to deliver on it, there would seem to be a significant gap between the two agencies. However, in response to queries on the C&AG report from The Irish Times, the Department of Communications – which oversees Ireland’s NCSC – played down the flagged deficiencies.
It said the objectives of the centre had changed and its functions have “evolved significantly” since the C&AG report. It is “making vital improvements to the country’s ability to respond to serious cyberattacks”. A new strategic plan will be published in 2019.
The department said it was satisfied there was sufficient funding in place – rising from €430,000 in 2012 to €3 million today – and the centre was expected to have 28 staff by the end of the year, trained in cryptography, malware analysis, software development and broader cybersecurity.
The NCSC, it said, was responsible for implementing the EU’s Network and Information Systems Directive that provides security for so-called digital service providers.
“These include online sales platforms, search engines and cloud computing companies . . . the NCSC is finalising regulations to ensure these obligations are met.”
Mr Martin deftly, and not surprisingly, side-stepped any question of whether the C&AG report on his Irish counterpart might have alarmed him.
“It will be for the Government [in Ireland] to respond to that,” he said. “What matters to me on a day-to-day basis is that if we have got something that is of shared interest to the UK and another jurisdiction, have we got somewhere competent to put that information and work with the other country to our mutual advantage? And with the NCSC here we do have that.”
It is a vote of confidence, one that seems to bring us away from whether we are equipped to deal with a problem, and back to understanding, and helping others to understand, what the problems potentially are.
Mr Martin breaks these into three categories: bad state actors – as in the 2017 North Korean malware attack on the UK’s National Health Service that left staff reduced to working with pen and paper – and the more likely criminal attacks on corporations, followed by those on individuals and small organisations.
Big Tech spends billions on its own security, “as they should”, and states are concerned chiefly with threats to the public and national security.
Only a small number of people need “obsess” about high-end security, he believes; for the rest of us, a reasonable understanding of digital safety will suffice in a world increasingly reliant on evolving technology and our understanding of it.
Looking back since the internet crept tentatively into the new millennium, Mr Martin reflects that its natural evolution was one in which people willingly offered personal data in exchange for free services. It was, perhaps, an early, innocent and trusting relationship that preceded any understanding of the need for diligence. At all levels.
“Funnily enough,” he told his audience at the IIEA of this free-flowing trade in data, “that is not the way to keep information safe. And we have suffered from that.”