Since Joe Biden entered the White House the US has been hit by a barrage of damaging cyberattacks. But the former chief of the UK’s National Cyber Security Centre (NCSC) gives Biden “top marks” for his cybersecurity response so far while contrasting it with the “neglect” by his predecessor Donald Trump.
Ciaran Martin, who helped launch the NCSC in 2016 to provide cybersecurity advice and support to the UK’s private sector, led the government organisation until stepping down in the summer of 2020. NCSC is part of the Government Communications Headquarters, or GCHQ, the headquarters of Britain’s cyber spooks.
In a wide-ranging interview with Verdict, Martin discusses his time at the NCSC – including his regret about China – the current state of US cybersecurity and how to tackle the ransomware problem.
In the time since Martin’s exit from the NCSC, the US has elected a new president and has been targeted by some of the worst cyberattacks in its history.
They include the mass-hack of IT software company SolarWinds, which resulted in up to 18,000 customer organisations, including many important tech companies and government agencies, installing a malicious update; a zero-day exploit used against some 30,000 US on-prem Microsoft Exchange servers; crippling ransomware attacks against Colonial Pipeline and meat processor JBS; and a supply chain ransomware attack against IT vendor Kaseya.
Amid this baptism of fire, Martin is full of praise for Biden.
“I would give top marks in these early days to the Biden administration so far,” says Britain’s former top cyber spy. “It is early days, but they’ve been faced with a massive set of casework.”
Days after being confirmed as president in December 2020 and in the wake of the first reports on the SolarWinds hack, Biden stated that cybersecurity would be a “top priority” for his administration.
It’s a theme that has continued throughout the first year of his presidency, with Biden repeatedly talking tough on cybersecurity and warning that a “cyber breach of great consequence” may lead to a “real shooting war”.
While words come easy, Martin believes that Biden has backed them up with action.
He singled out the 34-page executive order aimed at improving US cybersecurity, describing it as “the most comprehensive piece of specific public policy ever issued by an American administration on cybersecurity.”
Biden also gets “kudos” for investing “political capital” in international relations in cyberspace. The fact that limited discussion time was dedicated to ransomware during Biden’s summit with Putin in June demonstrates how seriously the US is taking the threat, Martin says.
Biden has also won praise from Martin for his improvements in cybersecurity personnel, highlighting the appointments of Anne Neuberger, Jen Easterly and Rob Joyce in key national security positions.
“We’ve gone from a period where there was no cybersecurity advisor in the White House from 2018 to probably the most stellar team of cybersecurity professionals ever assembled in any government,” says Martin.
He adds: “I could not be more encouraged by the effort, attention and quality of the Biden administration on cybersecurity.”
Biden trumps Trump on cyber response
The assessment is in stark contrast to Biden’s predecessor. Trump often publicly contradicted his intelligence officials, on one occasion saying they should “go back to school”. This souring of the relationship culminated in Trump’s firing of director of Homeland Security Chris Krebs for rejecting the former president’s election conspiracy theories.
Martin says the US government has gone from an “absence” of cybersecurity talent under Trump – “with the exception of Chris Krebs” – to a “talented and expert team”.
According to Martin, there was “neglect in the final years” of the Trump administration when it came to cyber. But did this help create an environment that encouraged the recent spate of attacks against US organisations?
Martin doesn’t think so, but says it “certainly didn’t help”.
“We’re all playing catch up from a series of technologies developed and implemented in the 90s and early noughties, which are fundamentally less secure than they should be,” Martin explains. “We need a sustained long-term effort to catch up on that… But if political leadership takes a few years off in that effort it doesn’t help anybody.”
Despite Biden’s “impressive” start, the US faces deep-rooted structural problems when it comes to cybersecurity, says Martin.
This stems from America being a “private sector-led country,” he says. While the Biden administration has classified ransomware as a national security threat, the response “by default” would land in the hands of the private sector running much of the US economy, such as healthcare.
“That’s a real dilemma for them,” says Martin. “You’ve got something that’s quite clearly a national security threat – the threat to the wellbeing of patients in hospitals, it doesn’t come much more national security than that.”
Martin compares the situation in the US to the Irish health system after it was crippled by a ransomware attack, leading to cancelled appointments. The response was led by the Irish government, with its Taoiseach publicly stating they would not pay the ransom demand or negotiate with the criminal hackers, despite the threat to leak patient data.
“I’m not making any criticism of [the US] for it, but trying to crack that nut is going to be one of the hardest tasks facing them,” says Martin.
“I’m not directly responsible for a gigantic bundle of national risk anymore”
Martin has been a civil servant since 1997. He was appointed to the board of British intelligence agency GCHQ as head of cybersecurity in 2013. In 2015 he recommended the creation of the NCSC to protect the UK from cyber threats and improve its cybersecurity.
The NCSC quickly faced an unprecedented crisis in the form of the WannaCry ransomware attack. In May 2017, the malware ripped through computers running outdated Microsoft Windows operating systems, demanding $300-$600 in bitcoin to unlock them. More than 300,000 computers were affected globally – including those at the UK’s National Health Service, causing mass-cancellations of appointments and operations.
Martin says that while the NCSC “didn’t get everything right” in its response to the attack, it “gripped” the situation and was “out there telling people what was going on”.
He contrasts this to the pre-NCSC days when two young men from Staffordshire hacked TalkTalk in 2015, causing £77m in damage and breaching the data of 156,959 accounts with the telecommunications company.
The “government was nowhere with that incident”, Martin says.
During his tenure, Martin helped establish the Active Cyber Defence programme, which built partnerships with the private sector to conduct operations such automated takedowns of malicious sites. He says it had “a real impact”, bringing the average time that a malicious UK site was hosted down from a day to an hour.
But the thing he’s most proud of is the NCSC’s ability to attract and retain “top technical specialist talent” into the civil service and “really make it work for the benefit of the country”.
He adds: “We really showed that you can do proper hard, technical work in government and do it well for the benefit of the country at large.”
But there is one area in which Martin wishes he had done more. The strategic control of technology, from telecommunications networks to semiconductor factories, has become a defining theme in the battle for supremacy between China and the West. Looking back, it’s an area that Martin wishes he’d been “more assertive” in flagging when he had a seat at the table in government.
According to Martin, the Huawei 5G debate was “just a proxy” for the “emergence of a really important contest between the West and China for technological supremacy”.
He adds: “That’s a really hard problem because a lot of it’s about economics rather than tech, so it’s going to require a really clever response from within and between Western governments. We’re at the outset of that and I wish I’d pushed that more quickly.”
Since stepping down from the NCSC in the summer of 2020, Martin has become a professor of practice in the management of public organisations at the University of Oxford – a role he is “enjoying enormously”.
Despite the switch to academia, Martin remains plugged into the cybersecurity space. He advises NATO and is an advisory board member at US cybersecurity venture capital group Paladin Capital. Among the startups he is helping is UK-based Garrison, which stores secure web isolation.
How has he found the change of pace since stepping down as NCSC CEO?
“I’m not directly responsible for a gigantic bundle of national risk anymore,” he says. “So it’s not so much a change of pace but a change in the weight of responsibility.”
Reversing the ransomware scourge
While no longer leading the organisation responsible for the UK’s cyber response, Martin continues to speak on important topics such as ransomware.
Martin is unequivocal when it comes to the reason why the file and system-locking malware is running rampant: “Every discretionary factor is pointing in favour of the criminals”.
He breaks this down into three principal factors: the safe haven for cybercriminals in Russia; the “systemic weakness of so much of Western cybersecurity”; and the ease with which criminals can collect payment using cryptocurrencies.
Solving each of these factors will not come easy, but Martin believes they must be explored and then applied in tandem.
The global hub for ransomware gangs is Russia. A status quo exists where criminal groups are left untouched by local law enforcement – provided they don’t target Russian organisations, with ransomware often coded to avoid systems where it detects the Russian language.
“You need to try and make this a problem for Putin,” Martin explains. “He’s not directing this activity, but he is sheltering it.”
Another tactic, suggests Martin, could be more offensive cyber disruptions, such as the Emotet botnet takedown in January 2021. The Europol-coordinated international law enforcement operation seized the computer servers distributing a versatile banking trojan described as “the world’s most dangerous malware”.
Such operations are rare, in large part due to the complexity of coordinating across multiple borders.
But organisations should not wait for action from law enforcement. They need to continue improving their own cybersecurity to ensure they’re not the lowest hanging fruit for attackers.
“The slow, long, hard slog to improve Western cybersecurity will continue and hopefully the silver lining of this dark cloud of ransomware at the minute is that more and more organisations will invest properly in backups and emergency capabilities,” says Martin.
This alone can’t be banked on and governments need to find a way to disrupt the flow of money to cybercriminals. One approach, says Martin, is to have a “serious discussion” about whether banning ransomware payments would work. Another is to explore the regulation of cryptocurrencies, which at the moment allow criminals to collect ransom payments (largely) out of the reach of law enforcement.
And finally, the ransomware insurance model needs to be “fixed” so that organisations aren’t incentivised to pay, says Martin.
“None of these three things will fix all of this or most of it any time soon,” he says. “But we need to have a serious look at all three.”
And even then, we are likely to be stuck with ransomware forever: “We’ll never, I doubt, eliminate ransomware. But will we move some of those arrows that are currently pointing in favour of the criminal to pointing in favour of the defender? We’ll see.”