Former NCSC CEO Says the Winged Ninja Cyber Monkeys Story Is Completely Mistaken
‘We Absolutely Need to Demystify Cybersecurity. We Have to Treat It as an Ordinary Business Risk’, He Said.
At the AusCERT cybersecurity conference on Thursday, Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre (NCSC), talked about the Colonial Pipeline ransomware attack that halted all operations on its systems.
As a result of the ransomware attack, Colonial Pipeline, the largest fuel pipeline operator in the U.S., had to pay a ransom of almost $5 million, and even that was not enough to halt the disruption.
We have official government advice in force today asking people not to panic-buy gasoline, or petrol as we call it over here, and put it in plastic bags.
If you wanted an illustration of the impact of cyber harms, it will be hard to think of a better one.
“In a sense, this feeds all those warnings over years, over decades, about really difficult cyber impacts — cyberwar, cybergeddon, and all the rest of it.”
It feeds the story that NCSC technical director Dr. Ian Levy has called the winged ninja cyber monkeys.
In that story, the former NCSC CEO said, there is nothing anyone can do to stop those behind the attacks, who are “just sitting there in bedrooms in suburban England, suburban Australia. Teenagers, unstoppable, hacking everything.”
What appears to be powering this story is the current panic on the East Coast of the United States. But according to Martin, it is a huge mistake. In his opinion, what’s happening is a bit more ordinary.
We have a bunch of criminals, they’re in over their heads, operating out of Russia. They’ve even issued a partial apology for what they’ve done, because what they were trying to do, yet again, is exploit basic weaknesses in corporate security all over the world to make money. And they’ve gone too far.
What’s worse is that the ransomware gang that hacked its IT systems was not even aware it was attacking a pipeline organization, and did not realize the attack would lead to the shutdown of the pipeline.
As Martin put it, it was nothing more than an “accidental spiraling out of control”, in which a succession of organizational flaws in the way we do cybersecurity, and in the way enterprises are motivated, caused “a public impact which is very, very serious”.
Cyber threats, cyber risks, they’re not catastrophes. Cyber harms are the aggregation of small harms. Hype, fear, uncertainty, doubt, that is our enemy.
Based on his experience working for the UK’s National Cyber Security Centre, Ciaran Martin created a basic categorization of cybersecurity threats into three simple categories:
- Getting robbed for money
- Getting robbed for intellectual property or other sensitive information
- Getting weakened by espionage, political interference, or pre-positioning for a later attack, including cyberattacks that crashed data, and ransomware attacks
There have been all sorts of cyberattacks. There have been many, many of them, and the one thing that we can still say, thankfully, is that the official death toll caused by cyber harms is zero.
He also mentioned a much-disputed election breach that occurred in the lead-up to the UK’s general election in 2019, an example of “very, very basic cybersecurity lapses, causing huge damage”.
In this case, a person working for former trade minister Liam Fox had used a personal Gmail account to get around remote-working restrictions.
Russia immediately hacked Fox’s email, and an almost 500-page report of emails, including private papers related to US-UK trade talks, ended up in the hands of Jeremy Corbyn.
He concluded by saying that cybersecurity needs to be demystified and treated just like an ordinary business risk.