Hacking the system: Martin on North Korea, Brexit and freezing the assets of oligarchs

WHERE ARE OUR BIGGEST GAPS IN CYBERSECURITY? I never lost any sleep over the big nation-state attacks because you have to accept that there are going to be attacks and our job is to repel them as best as we can. The things I always worried most about was ransomware in small but important organisations, such as health boards or local authorities. There are too many organisations that do important things like provide vital public services that are too susceptible to being extorted by criminal gangs. If they lose access to their networks, then there’s big trouble.

IS A LACK OF SKILLS HOLDING US BACK? I’m not what I would call a Cassandra on skills. It’s very easy and it can be a bit of a cop out to say there aren’t enough skills to do this. I was genuinely at the start of NCSC advised that it was too ambitious because there weren’t enough skills but if I’d listened to that we wouldn’t have it at all.

sudden unplanned change in business processes, but it was handled well,” he says.

As for how we build public trust in technology for the future, Martin believes with new tech- nologies such as AI and automa- tion, we have an opportunity to improve internet security, by design. “Te technology we use now

was mostly designed without security in mind,” he says. “Tat’s no one’s fault, it’s just the way it happened. We ended up with a set of services where people got free access to web services for the price of their personal data. Tat wasn’t great for security. Now, if govern- ment and industry work together properly, we can bake in security and resilience into the new tech- nologies. Tat’s the great security opportunity of the 2020s.” l

HOW CAN YOU TELL THE DIFFERENCE BETWEEN CRIMINAL GANGS AND HOSTILE NATION CYBER ATTACKS? Well, it’s never perfect and Wannacry was an interesting case in 2017 when it looked like criminals doing ransomware, but it turned out to be North Korea. But there are several indicators, and you can reach conclusions a lot of the time. GCHQ teams and indeed still serving individuals have been tracking the same Russian group for over 20 years. They leave digital footprints and they code in a certain way using the same words in Russian or broken English and you can see that it’s them again with a reasonable degree of confidence. There are also situational indicators; I’m not being nice to the Russians, but the Russians

don’t tend to steal personal data of random citizens.

HOW CAPABLE AS A CYBER NATION IS THE UK? The UK has a defensive way of thinking. We’re ranked number one in the world by the ITU [International Telecommunication Union] for cyber defences so there’s an element that we’re harder to attack than other nations. You then get into offensive cyber capabilities and I don’t really know where the UK ranks in that. We act with restraint and to legal and ethical standards that others don’t, so it’s a very hard thing to evaluate.

WHAT ABOUT BREXIT? I am not sure that Brexit – important as it is for a whole bunch of things – makes a huge deal of difference here. When I was in office at the NCSC, international relationships were incredibly important but membership of the EU in and of itself made relatively little difference one way or the other. Except in the field of data regulation, the continent of Europe is not a tech superpower. To remedy the current problems, we need broad alliances of likeminded countries going beyond Europe and beyond the Five Eyes [the intelligence alliance comprising Australia, Canada, New Zealand, the UK and the US].

TALKING OF TECH SUPERPOWERS – SHOULD WE WORRY ABOUT THE US AND CHINA? This is the great challenge of our age. The whole continent of Europe is in a real bind over the lack of its own technological base. It’s a real vulnerability. But it’s way more complicated than just saying we’re not doing enough to support innovation. We in the West face a competitor capable of planning over decades,

with a single, unified market of 1.5 billion, and an ambition to dominate technology. Competing with that is hard across a bunch of disparate democracies. But that’s what we’re going to have to do.

CARE FOR A RE-RUN OF THE EDINBURGH AGREEMENT? We will see, but I’m happily at the university now. Looking back, it was a very different engagement with Scotland and the Scottish Government but fascinating and, you know, I’m not commenting on the politics, but various participants emerged with credit from the process of dealing with such a highly contentious issue in such a constructive way. And whatever else was happening, the referendum itself was a process which, it seems to me, the Scottish people had confidence in.

WORKING FOR THE SBRC The work that the SBRC does is unique; the collaboration and connection it has with its partners has helped to cement its position as one of the foremost business resilience organisations in Europe. I look forward to working with Jude [McCorry, SBRC chief executive] and the team to support their vision and further enhance the organisation’s cyber security expertise.

BACK TO THE RUSSIANS Cyber is not a boxing ring where you’re only allowed to punch in a certain way. You can use the full tools of statecraft. If you take Russia, some things that work with other countries don’t work with Russia. So, attribution, calling them out diplomatically, Russians don’t care about that. Whereas actually freezing the assets of Russian oligarchs – for example some of the work that the National Crime Agency are doing – that does annoy them and have an impact.

FUTURESCOT | WINTER 2020/21 | 41

Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60  |  Page 61  |  Page 62  |  Page 63  |  Page 64  |  Page 65  |  Page 66  |  Page 67  |  Page 68