NCSC CEO speaks

by Mark Rowe

Lindy Cameron’s first speech as CEO of the UK official National Cyber Security Centre (NCSC) – delivered to a virtual audience at Queen’s University, Belfast – itself was a sign of how important a hands-off, virtual world has become. She said that we shouldn’t feel comfortable – for two reasons: “Firstly, where we are isn’t good enough. And secondly, the context is becoming more challenging: the threat, the technology, the environment are all changing.”

Cyber security is still not taken as seriously as it should be, and simply is not embedded into the UK’s boardroom thinking, she warned. She suggested it’s a case of digital literacy – or lack of it – by executives: ‘CEOs should be as close to their CISO – their Chief Information Security Officer – as their Finance Director or their General Counsel’.

But, as she added, society has to do more thinking also: as it’s taken up online shopping and video conferencing due to the covid pandemic, ‘we need to ask ourselves when does the failure of these services move from being an inconvenience to being a national resilience problem’.

Reviewing the five years of the NCSC so far, she said: don’t under-estimate how radical a notion it was – ‘and indeed how unusual it still is – to combine secret intelligence with a truly public facing body committed to openness and transparency, intent on delivering for business and citizens’.

She said: “As our reliance on technology grows, from the institutional level down to the individual, so too will the opportunities for those who would seek to compromise our services, our systems, and our data.” Ransomware is not just about fraud – and theft – of money or data, serious as both are. “It’s about the loss of key services and unenviable choices for unprepared businesses of paying off criminals.” Insurance can really help to cover costs, but cannot be a substitute for better basic cyber security, she pointed out.

As for the odds against the UK and the democratic west in cyber terms, the NCSC has supported the public attributions of four states – North Korea, Iran, China and Russia – for having undertaken hostile activity in cyberspace.

Security is not yet a key factor for business and consumer choice, she said – presumably using the overall term security for cyber security; for that’s as true in physical security, she might have added.

As she set out, businesses don’t have tools to help them pick secure products for their enterprise IT and there’s no way for consumers to judge security. “So, businesses seek to outsource their risk to service providers or sweat their IT assets longer than is sensible.” And consumers aren’t offered security as a differentiator, only speed, convenience, and branding.

As for the future, where the threat is more complex, she set out what’s needed, a list in which tech was strikingly anything but the whole answer. She called for specific agreement ‘about what good enough looks like’; shared intelligence; government leading by example; academia and industry – cyber vendors and users of IT – all playing their part; more cyber skills; and ‘the diversity of thought and background that is necessary to respond to a diverse threat’. Work also has to be done speedily enough, and as she made plain, IT users will still fall victim to cyber attack: “A good organisation is not just one that can defend itself, it is one that is resilient, can recover, and deliver its service, even when having fallen a victim to an attack.”


For the full speech visit the NCSC website.

Ms Cameron took up the role as CEO in October 2020 from Ciaran Martin. She was Director-General in the Northern Ireland Office and at the Department for International Development.


© 2024 Professional Security Magazine. All rights reserved.
