Episode 100

Protecting Citizens Online at the UK National Cyber Security Centre with Ciaran Martin

EPISODE SUMMARY

As founding chief executive of the UK National Cyber Security Centre (NCSC), Ciaran Martin sits at the intersection of national security, law, and politics. In this episode, he and Joe discuss how the UK NCSC took on the challenge of understanding security concerns and best practices from the private sector and translating them into effective crisis communications and policy changes. They share stories of cyber threats and attacks on critical infrastructure, and the impact these incidents have on citizens financially, physically, and psychologically. You’ll get a look at what it took to update the UK’s cybersecurity posture, including understanding the severity of different types of cyberattacks and data breaches, incident response, and threat intelligence, to improve the country’s cyber resilience.


Joseph Carson:

Hello everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the episode, Joe Carson, Chief Security Scientist and Advisory CISO at Delinea. And today we've got a very special episode, which is going to be really fantastic. I'm really excited.

The very special thing is that this is episode 100, so we've now had 100 episodes over a long time, and it's pretty impressive, but we've also passed over 300,000 listeners, which is impressive as well. So out of all of our episodes, 300,000 listens, a really great achievement. I'm really excited to hit this milestone.

And for that, I'm joined by a really fantastic person I've gotten to see speak many times in the past, and it's a real pleasure to spend the time on today's episode with him. So welcome to the show, Ciaran Martin. So Ciaran, do you want to give us a bit of a background on who you are, what you do, and some fun things about yourself?

Ciaran Martin:

Well, thanks very much for having me, Joe. Thank you. Not just for having me, but congratulations on your 100th episode. Fantastic achievement. So I'm Ciaran Martin. I'm based in the UK. I'm originally from Northern Ireland, not far from you. And I was the founding Chief Executive of the UK National Cyber Security Centre. So I spent seven years, roughly, just short of that, at GCHQ in the UK, firstly setting up and then running the National Cyber Security Centre for four years. I stepped down towards the end of 2020, with a slightly extended tenure to cope with the pandemic. Really interesting, actually, working in a high-security but also mixed-classification environment during the ravages of COVID and the sudden move to home working and so forth.

And for the last three and a half years I've been teaching government and cybersecurity at the University of Oxford and working with a bunch of cybersecurity companies and writing and doing some charity work and doing podcasts and stuff like that. So brilliant to be here, and hello to Estonia.

Joseph Carson:

Yeah, fantastic. That's excellent. It's really great to hear, Ciaran. It's impressive. One of the things I'm always curious about, did you have a cybersecurity background? What was your background? How did you get into the industry?

Ciaran Martin:

So one of my rules in cybersecurity, my number one, in fact my probably only rule for survival, is: don't pretend you have expertise that you don't have. Cybersecurity is a discipline of many different varieties. There's core technical stuff and there's very general stuff. And I honestly argued against my own appointment. I owed my senior job at GCHQ, and I'm not making this up, to Edward Snowden. Because I'd worked with the intelligence agencies before on legal and political crises, mostly the human intelligence agencies in the UK, who got caught up in a bunch of quite serious challenges. Legal, political challenges around alleged complicity in torture and rendition of Guantanamo and other detainees during the post-9/11 period, and what the Americans may or may not have been doing.

So I had quite a lot of experience in that sort of interface between national security and the law and politics and the constitution and so forth. So then all of a sudden Snowden hit GCHQ. And GCHQ had largely been immunized from these other developments. It didn't really have any experience, didn't really have a policy department. Communications and outreach wasn't really used to explaining what it did. So I went off to do that. But as with all sorts of crises, with the exception perhaps of COVID, you either succeed or fail within six months. So it was, "Well, what's the long-term plan for me here?" And they said, "Well, you could run cybersecurity. Want to step up our mission?" I said, "But I don't know anything about it."

In fact, I went back to Northern Ireland at Christmas that year and told one of my oldest friends, somebody I'd known since I was four, so nearly 35 to 40 years at that point, and said, "I might take up this role in cybersecurity." And he said, "But what do you know about computers?" I spent my first year, as well as the Snowden stuff, just really getting to learn the subject, but listening to the technical experts. I was blessed with some fantastic technical experts, people who went on to play major roles in the development of the NCSC. And they said, "Look, if you want to get strategic backing, political backing, money to do things that we could really do, we've got some brilliant ideas but nobody's listening."

So the job was to build a partnership with them. And in a sense the NCSC was a deal between me and the technical experts to bring the general... GCHQ's cybersecurity experts were amongst the best in the world, and getting people of that quality and that technical expertise to work for government wages was miraculous, but they really were driven by a sense of mission. But they were doing it very much behind the wire, behind barbed wire, in an organization with no mobile phones, for example. So how could you advise businesses or civilian bits of government dealing with huge payment systems, for example, how could you advise them on cybersecurity when you literally couldn't pick up the phone to them or they couldn't pick up the phone to you? Could we even access them by normal email? And we thought we'd better change all of this.

So my background, long-winded answer, my background was not in cybersecurity at all. I had to learn it from scratch. I've since developed quite a lot of expertise, not so much technical, but if someone says to me, "There's been a major IP theft from a British university," I probably will predict pretty accurately who that was. If they say, "Well, so-and-so's locked out of a healthcare network in the United States," I can probably predict who that was and so forth. But I did not have a deep technical background.

Joseph Carson:

And I think sometimes for me, I sometimes think that's the best thing, because rather than a single point of view, it allows you to come in with much more of a policy base. And I think one of the things we've always been missing in the cybersecurity industry is we've got a lot of great people with those technical skills, but we didn't have a lot of people with great communication skills and a great understanding of policy. And I think that's always a great thing, to have people coming in and bringing that into the industry to help us communicate better, to help us be able to put things in terms of what it means for the business or what it means for citizens.

So I think for me, sometimes not having the skills doesn't mean you can't do the job; it just means you have to surround yourself with great people who have the skills, but you become that interface, you become the translator for how that converts into either policy or communications or best practices. So I think that's always a great thing, and having people coming into the industry that might have had a different background, sometimes in service, sometimes in communication or even marketing, can really change the way we do it in the industry. So I think that's a great thing.

Ciaran Martin:

I think you need both-

Joseph Carson:

One of the things I'd like to go-

Ciaran Martin:

So I'm slightly doubling back on myself.

Joseph Carson:

Yeah.

Ciaran Martin:

I was just going to say, I think you need both. I'm slightly doubling back on myself. If you think about the first full year of the NCSC's operation, people were really interested in it; we had 55 different countries come to see it. And so you got used to hosting all these senior people. We had the then Prime Minister of Estonia, as I recall. And a lot of them would say, "Can we see your comms team?" I'd say, "Sure, of course you can meet the comms team, but can I ask why?" They'd say, "Well, we're really impressed by the way you give accessible, user-friendly advice." I said, "Yeah, but what's it based on?"

One of the things, before the NCSC, in the UK we had two organizations dealing with cybersecurity. We had GCHQ dealing with deeply technical, mostly secret stuff and not communicating to anybody. And we had the CERT, which was the other way around. It was very good at communicating and outreach to the business community and to the rest of government and to the ordinary citizen. But it didn't have specific expertise; it didn't have much that you couldn't get from the commercial sector.

So it's putting those two things together. And you're right about communications. I mean, the very best sort of cybersecurity professionals, somebody with technical skills and brilliant communication skills, they're as rare as hen's teeth. I was blessed that Ian Levy, Dr. Ian Levy, the Technical Director, was one such person; he was fantastic. But one of the reasons he was so good was that he was a cybersecurity genius who could also communicate highly effectively. It didn't always run smoothly. You do take your risks with that sort of thing. And those fantastic moments where Ian... You'd have thought he would go all over the world convincing people, persuading them, building these hugely powerful partnerships.

But I recall once he went to Australia and made a speech where he said, and this was core NCSC philosophy, "You don't need to block all cyber attacks, you just need to make yourself a little bit of a harder target." So he said, in his own inimitable way, "My job is not to stop cybercrime in the UK. My job is to send it to France," forgetting that in the digital age these things don't really stay in Australia. They get back to France within about a minute. And so I had a rather amused and thankfully very mature teasing from Guillaume Poupard, my French counterpart, rather than any more serious diplomatic incident.

Joseph Carson:

That's actually very funny. So one of the things I'd like... I recently had Tanel Sepp, who's the Estonian cyber ambassador, on the show, and one of the things that he brought up which was really interesting was that, for many years, governments didn't really take cybersecurity that seriously. They may have had it as an important part within, but not from a national cybersecurity perspective. And in Estonia it didn't become important or really that visible for the government until around 2007, when they had the state-sponsored cyber attack from Russia on Estonia. And then of course you mentioned the Snowden side.

What existed before the National Cyber Security Centre in the UK, and what was different... You mentioned that there was CERT, there was GCHQ. What was there before, and then what was the trigger point to bring it together? As you mentioned, the need to have something, an agency or a service, to provide best practices and communication to businesses and citizens. What was the driving point? What was there before, and what brought it together? What did that look like?

Ciaran Martin:

Well, perhaps happily, we didn't have the forcing function of a devastating attack as Estonia did in 2007, which really was an outlier. And it's hard to think of another country that suffered such a sustained onslaught on critical functions that early. Indeed, I think had Estonia happened five, certainly 10 years later, there would've been much more serious repercussions, because the international community understood that sort of thing much better in, say, 2017 than it did in 2007. In 2007 it was like, "What's going on here?" and so forth.

And I think that, speaking to the UK experience, there are probably three phases, and I think the US and many western European countries are broadly similar in this. So there's phase one, which in the UK's experience runs until about 2009, slightly earlier in the US, where you just didn't care at all. You didn't have a policy, you didn't have a strategy, nobody was responsible for it apart from a few enthusiasts in different military or security organizations. That's up to 2009.

The UK had a short cybersecurity strategy in 2009 with the princely sum of 5 million pounds, roughly 6 million euro, allocated to it. So not really reflecting... A sort of fairly low prioritization. And I think phase two would've begun in the UK with a much more serious strategy in 2011 with more money attached to it. But even then, I think phase two is 2009 to the mid-teens, and I think that phase is sort of characterized by what you might call interested inertia or active inertia.

There's a lot of talk about it, there were strategies and so forth, but actually the strategies in both the UK and the US and lots of other places were, let's shout at the private sector and tell them to share information. Do you remember information sharing? In our field we started to call information sharing the hopes and prayers of the cybersecurity industry. And let's do public-private partnerships, without specifying what they were if you asked them.

So the third phase I would date from 2015, and then the NCSC comes in 2016, and there were a bunch of long-forgotten political circumstances that drove that. There was this brief period, largely forgotten around the UK, between the general election of May 2015 and the Brexit referendum of June 2016. So a 13-month period where the Conservatives had unexpectedly won a small overall majority. And there was a finance minister, chancellor as we call it, called George Osborne. He was very interested in cybersecurity; he was assumed to be David Cameron's successor. They were in a position of real strength until they lost the referendum, and they decided that the cybersecurity strategies they'd been pursuing were failing and they wanted new ideas.

So we were in this happy position where we had strong political sponsorship. Cybersecurity was a strategically important, but not partisanly contentious, issue. I mean, basically one of the things I was blessed with for most of my time in government and cybersecurity was that the only thing people cared about was whether you're any good or not. Healthcare in the UK is very ideological, so is education, so are lots of other things. But cybersecurity, there's no real fault line in it. So the government wants to do a bit more: "Have you got any good ideas? Will you do it well?" And people would criticize you if you didn't do it well, but not for other things.

And I think the politics of this mattered, despite the huge political convulsions in the UK over the remainder of that decade. And for those unfortunate enough to follow British politics, it was a pretty juicy period, not marked by stability.

Joseph Carson:

I remember it well.

Ciaran Martin:

But throughout those years, remarkably, I had a stable strategy. It wasn't one of those strategies that kept being rewritten every year. I had strong political sponsorship because I ended up serving three Conservative prime ministers in short order: Cameron, May for most of the time, and then Johnson. Decent amounts of funding. And I think, importantly, the right balance between political backing and operational autonomy. So I remember when WannaCry hit in 2017. And WannaCry, just by bad luck, hit the UK quite hard. And also, by worse luck, hit the health service more than other sectors.

It was in the middle of a general election campaign. And again, for those who follow British politics, the health service in an election campaign is pretty sensitive stuff. But I remember talking to 10 Downing Street over the course of that fateful weekend in May 2017 and saying, "Look, we might need to do this, that and the other. We might need to go on TV. We might need to issue this guidance," et cetera. And they just said, "Go and do it. That's what we set you up to do. We trust your judgment. We're not in any position to second-guess you." That's perfect. It's, give strong political backing but don't interfere in the operation. So we were very, very blessed with actually the strong support of the governing system. And that actually really matters if you're trying to do anything in government, on cybersecurity or anything else for that matter.

Joseph Carson:

Yeah, I think that's vital as well, that they give the support and you're able to go and make things happen. Definitely WannaCry and NotPetya were two massively significant impacts on the industry, not only on healthcare but also on the supply chain as well. And that showed as well that it's not just about the impact it has on individual countries, but also the impact it has basically across multiple countries and through supply chains as well, which really indicated that country borders in the digital space were no longer really there. And that meant cooperation and transparency and working together became very, very important.

And I think not only did WannaCry trigger the need to do something, but NotPetya triggered the need to cooperate and work together as governments. I think that was a pivotal moment.

Ciaran Martin:

I think that's right. And looking back on the period, I was appointed in December 2013, I left at the very end of August 2020, and in that whole nearly seven-year period, the NotPetya, WannaCry sort of six-week period and the weeks around it were the most difficult. And the reason they were most difficult wasn't just because they were the two biggest incidents that affected the UK in my time. And you could make cases that there were other very big incidents; they were very close together, they had significant ramifications for the UK. But I think what makes them so memorable in a bad way is two things. One is, they were both accidents. I mean not complete accidents, in that they were maliciously started, but both went way beyond the intent of those behind them.

So North Korea was clearly on a spree of stealing more cash from financial institutions and wrote this terrible worm that just went all over the place, in ways that, until Marcus Hutchins heroically sinkholed it, it was going mad all over the world. NotPetya, I don't think you're being nice or appeasing of the Russian state to say that Cadbury's chocolate-making plant in Tasmania, Australia was not its target when it went for Ukrainian tax software. So it was that accidental.

Frankly, in both of those cases, if the attackers, the aggressors, had been better at their jobs, we would've had less damage. And I think that sort of collective vulnerability that you spoke of was really damaging. And the second and related thing was, we talk about what's the impact of cyber attacks, and certainly in both those cases, I mean nobody thinks anybody died. Although when you start messing with healthcare systems, you never know quite what the long-term consequences are going to be. There's clearly significant economic damage, but we were also just jumpy.

I remember a few weeks after NotPetya, so WannaCry was what? May. NotPetya was June. And I remember at some point in July, children were younger then, and I was at some kids' birthday party in a nearby village and Number 10 phoned. And they said, "What are we going to do about Heathrow? Have you got a sitrep on Heathrow?" I said, "What are you talking about? What's going on at Heathrow?" And they said, "Well, there's all these queues because there's a major cyber attack on BA at Terminal 5." And so I called BA, because by then, because of all their other issues, we had a good operational relationship, and they said, "Look, this is just an IT outage, send your guys in. But we'll check, we can prove it." And we did, and it was a complete IT failure.

What was really interesting about that was just, and I was pleased that Number 10 were interested in watching and so forth, but NotPetya and WannaCry had sown this fear that our way of life, our essential, normal everyday life, could be just so easily disrupted. That actually, when you have a bog-standard IT outage, which, let's be realistic, these things happen, running big IT networks is hard, et cetera, et cetera, there's this automatic assumption that this must've been malicious. Turns out it was just another IT failure.

So I think that's sort of pernicious. You talked about Estonia in 2007. You talk to Ukrainians just before the war: the cognitive impact, the destabilizing psychological menace of cyber attacks is really quite disturbing. You talk to Australians when their medical details were threatened with being leaked and so forth after the Medibank attack. I think we sometimes understate just how pernicious, not just economically but psychologically, cyber operations can be.

Joseph Carson:

Yeah, absolutely. I think that's one of the big things for me, is that we always look at the financial side. And then we look at the mental impact on those victims... Sometimes, when you look at the financial impact, I've always heard, and one of the most common things is, that it's easier to get your money back from a cyber attack than it is to get your identity back. If your identity is stolen, then it can be abused quite significantly in many other things. And then also your most sensitive details, if you look at the Vastaamo case in Finland, where it was basically about psychological... A psychiatrist's notes that got basically disclosed, some of the most sensitive things you don't even tell your children or partner or anyone else. You're telling a psychiatrist, and those details got out. There's a lot of real mental and psychological impact on the victims.

And even to the point where some of the more recent attacks even have life-threatening impacts. I remember one of my roles many, many years ago was being responsible for the Northern Ireland Ambulance Service, and when my systems weren't working, people died. And that's one of the things that you have to realize, and we're now at that point where the systems are so dependent on technology and connectivity, that when they're out for a sustained amount of time, yes, there is inadvertent and indirect impact on people. Whether it's the mental side or even threatening people's lives.

And we're starting to see some, I think it was one of the ransomware cases in Germany that happened just a few years ago, where a patient was en route to hospital and had to be diverted and ultimately basically wasn't able to get the treatment they needed. So we're starting to see massive impacts on the outcome, and I think this is really where we're starting to look not just at the financial impact of cyber attacks, but the human impact. I think that makes a big difference.

Ciaran Martin:

So I think that's right. I mean that Finnish case you mentioned, the mental health organization. The Finnish case was just absolutely revolting, and if you want a guide to how unscrupulous and amoral cyber attackers are, then there you go. I think on the other point about dependence, critical systems' dependence on IT, I think we need to understand this a bit better. Because when actual life and limb is at stake, we're actually quite good.

So when we started worrying about cyber and people started talking about Cyber Pearl Harbors and Cyber 9/11s and all this stuff that we now basically, I think correctly, think is nonsense, people said, "Well, you can bring planes out of the sky and so forth," which actually you can't really. So by way of illustration, another accidental IT failure this summer, last summer now, in the summer of 2023 in the UK: the National Air Traffic System, that computer fails. Now it wasn't a cyber attack, but let's say if it had been a cyber attack, it would've been exactly the same. Because it failed accidentally, I think people knew that there'd be a backup system; you could land them essentially using radio. Planes might be delayed, there might be major economic disruption and lots of annoyed people who are in the wrong place or massively delayed or whatever and miss their key meetings or miss their family wedding or whatever it is. So it's not pleasant, but nobody's at risk of injury or death. So we're good at that when it's a critical system.

Similarly, you can hack a railway signaling system, but the trains will stop and be delayed rather than continuing at high speed and crashing into each other, and that's as it should be. What we're not good at, and I'm not criticizing this, it's just an observation, is when someone hacks a hospital administration system. Not an operating theater; the operating theater is working just fine. But who's next in the operating theater? We don't know, because the system's down and everything gets delayed and so forth.

And indeed you mentioned the German case. I was reading the very good Emsisoft annual ransomware blog by Brett Callow, and he quotes a paper from the University of Minnesota Institute of Public Health where they've done a bunch of studies of US hospitals that suffered ransomware between 2016 and 2021. And they use all these things about different health outcomes and they look at individual cases and they estimate between 42 and 67 elderly American patients probably died because of ransomware attacks on hospitals. And that's very, very hard. If someone of advanced years is already quite ill, to what extent did the delay trigger their ultimate sad passing? You don't quite know. And it takes us outside of our own area of expertise, but clearly if you mess with healthcare administration, somebody probably suffers at some point.

The other point, just to go back to data: I think the other thing we need to get a better understanding of, although we're starting to get better at this, is the impact of data breaches and that sort of psychological destabilization. So thanks to GDPR and all the other regulations, we're all used to getting notifications saying your personal data has been breached. Troy Hunt in Australia has done that marvelous Have I Been Pwned? service where we can all find where our emails are.

But the difference between... Oh look, I was on LinkedIn in 2012, God help me. So some old passwords are out there on the dark web, fine. I'm not going to lose sleep over that. Compare the seriousness of that, not very serious, with the Finnish mental health data, which is extraordinarily serious. I think we started off thinking, oh, those are two data breaches. Well, they both are, that's true. But they're massively not the same.

And we need to think about ways, in terms of regulation, criminalization, accountability, but also public reassurance and non-reassurance: when do you get the public worried and when not. I reckon within the next 10 years, and I'm glad this is after my time in government because I wouldn't like to be the first to do it, at some point somebody in a position of public authority is going to stand up after what looks like a large-scale data breach and say, "Look, you know what? I really wish this hadn't happened, but it doesn't really matter." And that will be an important moment, because then when the same person or the same government, whatever, stands up and says, "I'm really, really sorry, but this one actually matters. And you need to do this, this, this and be aware of this and change your bank account," whatever it is, they will sit up and listen.

And we need to get better at differentiating. So we need to get better at all sorts of things. Two things we need to get better at. One is improving the resilience of critical systems that depend on software, in the same way as we're quite good at protecting hard industrial control systems. That's one thing. And the second thing is getting better at understanding the severity and lack of severity of different types of data breaches.

Joseph Carson:

No, I completely agree. One of the things that I would say is that the classification of things needs to be very, very clear. And we talk about classification, not even just classification of data, but also classification of breach. What action does the victim need to take? Is it just that this is a data breach and you need to take no action whatsoever, because basically it's information that cannot be abused, or is it information that can be abused and therefore you need to monitor it? You need to be looking and checking to see if new credentials or new accounts are being created in your name. So having that monitoring side of things, especially around the financial aspect of things.

Then there's the, okay, these are the breaches and you really need to take action. You need to go change your credit card, you need to be aware, you need to take some type of action. Getting into those classifications of breaches I think is highly critical and important. Not all data is equal, as you mentioned. It's not the same. And different breaches can mean different things.

Ciaran Martin:

Completely, completely with you there.

Joseph Carson:

So I'd like to get a bit more into what types of best practices or what types of things the National Cyber Security Centre created. How did it get more proactive? Because one of the things I always say is that, for many years, a lot of the agencies were only listening and taking information from the private companies and the businesses rather than turning it around and sending it back. What types of proactive things did the Centre create, what initiatives or what programs, to really make information available for businesses to take action?

Ciaran Martin:

Well, I think what I remember was, it was very fashionable to do all these charts with mission statements and so forth. But I remember trying to say, "Look, we should be able to trace everyone's job in the NCSC to some sort of useful outcome for the nation. And also we should be able to work out what are the main things we do." And we narrowed it into four things, not speaking for the current NCSC, which has been very ably led by Lindy Cameron, another Northern Irelander, for four years now.

But in my day I think we focused on four things. The first was properly managing incidents. So if you mention WannaCry, we were all over it. We were issuing guidance quicker than any other public authority. It was being quoted in the Australian Parliament and stuff like that, which was great. If you contrast, say, WannaCry with TalkTalk, which was a major breach in the UK three years previously where the government said nothing and lots of people were panicking even though it turned out it wasn't that serious a breach. It was like, if there's a major incident in effect in the UK, the NCSC will be all over it and we'll be all over managing its impact on the UK. So that was the first thing, and that was really, really core.

The second was working out and directly helping to protect the most critical things. So a good example of that: Theresa May calls a snap election, a general election, in 2017. We're aware of what happened in the US and elsewhere in 2016. How do you mobilize at scale, very quickly, large-scale protection of the electoral systems? That's one example. But then you might do more longer-term work. So for example, we published a big blog on how we were doing the cyber protection of the new smart meter system, that sort of thing. That's the second thing.

The third and fourth are probably the most interesting because they were the most innovative. So the third was actually, and this was fundamentally important to the NCSC, that there's a bunch of noise and pollution in the digital environment that nobody's doing anything about. Why is that? And it's because of economics, because the market doesn't incentivize it. So let's take one area where the market does work: threat intelligence. The government has a tiny role, in my view, in threat intelligence because you've got brilliant companies producing lots of threat intelligence and actually working very well with government.

The government occasionally will get a bit that frankly the private sector is not allowed to get, because of the powers granted to organizations like GCHQ or the NSA or Cyber Command or DGSE and ANSSI in France, or whatever it is. And the government can find ways of sharing that. But other than that, the market looks after its threat intelligence. Brand spoofing: now there's much more of a market in it, but back when I started very few people were doing domain name protection or using DMARC and so forth.

So the government, we said, "Look, what are the most spoofed brands in the UK?" We came up with HMRC, the tax authority, HM Revenue and Customs. It's our most spoofed brand as far as we can tell. HMRC came up with this and said, "Let's do a DMARC pilot." We configured the DMARC pilot not just to stop delivery of impersonation attempts against the HMRC domain, but actually to deliver them to us so we could count them and see where they were coming from. We blocked 500 million in one year. So that's 500 million instances where a fake didn't arrive in somebody's inbox and they had to decide, can they trust us or not.

We did some automatic takedown requests. So we always knew that if we went to a web host and said, "Look, we think your domain has been misused," they'd take it down, et cetera. But doing that manually was only a drop in the ocean. Doing it in an automated way meant that we got the average time in the UK for a malicious website hosted in the country down from 27 hours to 45 minutes. So we started doing stuff like that, looking at where the market wasn't working and doing direct interventions: not public-private partnerships or information, but actually the government will do this. So that was the third thing.

And then the fourth thing was actually doing things like giving general advice, instead of just working with the critical sectors and the defense and national security industry. I think it's a slight caricature, but if you look at British government cybersecurity advice from, say, around 2012, you were saying to a mid-size charity or a small chain of florists or whatever it is, "You need the cyber defenses of a nation state." "But we're florists, we can't afford that."

Joseph Carson:

We got one person who's doing IT about 20% of their time.

Ciaran Martin:

Exactly. So we gave them things like Logging Made Easy, that sort of thing, where you showed them how to do things. We refined password policy. We got a behavioral psychologist to do that groundbreaking study, the brilliant Angela Sasse of UCL, who showed that current British government password policy, based on American policy of 2003, meant that if you followed it and you had 25 accounts, which was the average at the time, then you were asking people to remember the equivalent of a 600-digit number that changed every month. So you had to change it. And so we gave simple...

And I remember one day, when one of my children was at the transfer between primary and secondary school age, going around a whole bunch of schools, which is what you do in this country at that stage in life. And several of them had NCSC password advice for kids on the school notice board. And I thought, yeah, that's the impact here. It was like, "Basically, here's what you do and here's how you do it and here's what general internet safety looks like." And that was a moment of real, I suppose, pride, that you had had some impact.

So those are the four things: incidents, critical protection, direct interventions in bits of the ecosystem where the market wasn't working, and guidance to everybody.

Joseph Carson:

I think that's great because one of the things is that when we look at cyber attacks and we look at all the things, the majority, a lot of them, are opportunistic. But they're not targeting the critical infrastructure; it's the small businesses out there. It's the individuals, the citizens. So if the guidance doesn't apply to everyone, then you're missing a large part of the threat landscape, the targets that attackers go after. So absolutely, it should be cybersecurity for all.

Ciaran Martin:

I think that's right. The Russian state, on the other hand, again, not being nice to the Russians, but they have no history of that type of commercial espionage attack. However, if you happen to be representing a bunch of high-profile individuals with connections to Russia, then you might want to watch out. It's important for everybody to assess their own risk. Then everyone is at risk from criminal ransomware-type attacks or data theft attacks, but they're not particularly targeted. And that's where it does get a bit Darwinian. So whilst I wish, and we swiftly got over it.

But to go back to the story about Ian Levy and his Australia speech, whilst we joke that perhaps we should be more delicate. The idea that you're just trying to outrun another target isn't wrong. If you make cyber criminals work harder, they will be more likely to leave you alone and go somewhere else.

I think when you're running a national center, though, it's really important that you're flexible and adaptable. So one case that stayed with me a lot, and it's all seeped out into the public domain by now, was a company called Mammoth Productions, which is now owned by ITV I believe, but at the time was independent and small. Based out of Northern Ireland, it made documentaries, and it was making a program that apparently provoked the ire of the North Korean state. And so the same people who went after Sony over The Interview movie seemed to go hunting for them. And I think that's the government's problem.

I don't think you can reasonably expect a small company with two figures of staff, who are doing something that's perfectly permissible in a free speech country, make any documentary you like as long as you're doing so responsibly and within the law, which they absolutely were, and then if a nation state comes after you, it's not their job to take on a nation state on their own. It is their job to protect themselves better from ransomware. It's everybody's job to protect themselves better from ransomware and other forms of criminality. It's not their job to take on a hostile nation state with elite cybersecurity powers. That is for the government.

Joseph Carson:

Especially as we are in the world now where it's no longer just individuals with a specific set of skills, but a whole supply chain of cyber criminals. And they all specialize, especially as you've got cyber mercenaries, who are basically cyber attackers for hire that nation states will actually leverage. So it's really getting too difficult for the ... organizations. It's a point that you need to do what you can in order to make yourself as resilient as possible against the most common types of cyber attacks.

But when the nation state comes after you, that's really where you start. You can't do it alone. And I'd even say that countries can't do it alone. We all need to work together. We need to make sure that there are fewer safe havens for cyber criminals to operate from. And the more we work together, the more collaborative we can be in preventing and becoming resilient to nation state cyber attacks as well.

Ciaran Martin:

Absolutely. Two points on that. One is, the safe haven problem for cyber criminals is massive. It's probably, in my view, the single biggest problem in mainstream cybersecurity today. And there's limits to what we can do there. Russia, physically the largest country in the world, harbors them and there's no prospect of that ending anytime soon. So that does mean that, I mean, I think sometimes we underestimate just how much that type of cybercrime has changed things.

Policing. I'm not an expert in policing, but when I was being well brought up, my idea of the contract between citizen and police was, if you were the victim of a crime, the police would, A, take you seriously and sympathetically, and B, go after the criminals. With cybercrime emanating from Russia, they can't do either of those things. There's too much of it to give individual tailored attention to all but the most serious victims. Secondly, you can't go after them in Russia.

It does, to some extent, break the model of policing. So we have to build our defenses up. And that brings me to your other point, Joe, about international cooperation and some of that was absolutely fantastic, that I enjoyed. I remember during WannaCry having a long call with my then Israeli counterpart, Eviatar Matania, on a Sunday because that's the first day of the working week in Israel.

Joseph Carson:

When they started the working week.

Ciaran Martin:

Exactly. So they were telling us what to expect and what not to expect, which was hugely helpful. I remember, despite all the shenanigans with Brexit and so forth, the relationship with France was superb and improving all the time I was in office. The relationship with the US was phenomenal, and I don't think we could have done anything like what we achieved without the underlying capabilities of the US, generously given in partnership.

So I think there's so much. We enjoyed a good partnership with Estonia and other Baltic and Nordic countries. And it was quite an interesting thing: with a few sometimes spectacular exceptions, it was very, very apolitical and very informal. It was just a bunch of people coming together. What have you got, what capabilities, what information? And trying to work it out from there.

Joseph Carson:

I think it was really important as well that, as the UK was going through the National Cyber Security Centre kind of path and really establishing that, the US also started going through it with CISA and with Chris Krebs coming in and what they did. It's also very similar: rather than just intelligence and understanding the threats, becoming much more proactive and creating best practices and sharing. I think that was significant, with not just many countries following that same path, and then of course Jen Easterly continuing that.

One of the questions I'd like to ask you as well is, recently the UK launched the AI guidelines, because that's also becoming a big area of focus, especially with generative AI. What are your thoughts around the best practices and the guidelines that came out? And the EU then followed with the EU AI Act as well. Is there anything that you see evolving around that, and what do you predict for the coming year related to those?

Ciaran Martin:

Well, the easy answer to that is, let's have another podcast because there's so much to unpack there. I think three things, as briefly as I can. Firstly, we need to guard against AI doom-mongering. One of the frustrations is having just, I think, won the argument against cyber doom-mongering, which was both distorting and infantilizing, distorting priorities away from the mainstream protection of hospital administration networks, for example, and towards preventing things like planes falling out of the sky, which actually we were probably quite good at preventing already.

Joseph Carson:

Skynet's not happening anytime soon. It's not.

Ciaran Martin:

No, exactly. We need to guard against that type of doomerism. But that's not to say that there aren't real challenges, which is why I think actually taking a chunk of the problem... Because in the age of AI, how you protect against disinformation is different from how you protect against bias in public services, which is different from how you protect against massive disruption in the labor market, which is different from how you protect against misuse of AI in a military context, et cetera, et cetera.

And so actually I think if you look at the UK's paper on AI risk, it looks at biochemical weapons as one of the most serious risks. And I think a lot of people who are more expert than me would agree with that. And it looks at cyber as something to pay attention to. And so I think the UK, US and other joint paper at the end of 2023 is really good in that respect because it's sober, balanced, specific.

And essentially I think the key thing with AI and cyber is that, as ever, there's a race on between good use and misuse of the technology. And history would suggest that there's some sort of equilibrium, which is that if you can use AI automation for bad, if you can get WormGPT to say, "Write me something evil," you can get GoodGPT to write you something just as good that will block it, maybe after a bit of a time lag. And providing that equilibrium holds, we're okay, but we need to be really, really vigilant about that. So I think that's good.

So warn against doomerism. Good international approach in cybersecurity. The EU AI Act, I think first of all, there's some way to go on this. Secondly, I have some sympathy with the skeptics about it. I think fundamentally when I talk to politicians about cybersecurity, I say, "Look, first of all, what tone do you want to set on technology? Do you want to set the tone that this is an opportunity with some risks to be managed, or potentially catastrophic risk with little upside?" So being careful. And I think the EU AI Act is a little bit, well, where's the innovation coming from, or are you just going to regulate somebody else's innovation?

The alleged concerns of the French president, if accurately reported, are ones that I might share: the fact that it seems to really go for regulation of research rather than products and services, I think. But again, all this has some way to run and details do matter. So we'll reserve judgment for a while. But I think some of the skepticism and concern about it being overly regulatory and not focused enough on European innovation and taking advantage of AI, at this stage, appears justified and needs addressing.

Joseph Carson:

Absolutely. I think they're taking two very distinct, different approaches, but it'll be interesting to see where the convergence eventually comes from both of them. One thing I did like around the UK's guidelines, which were in cooperation with CISA and a few other partners, was really breaking down AI into its components, because sometimes we bundle everything up in this massive broad perspective of AI. And really getting into, focusing around AI agents, large language models, machine learning. So it really broke it down into much more meaningful chunks and really focused around, let's get a baseline going and here are some guidelines that you can be proactive about. Whereas the EU AI Act was more about, let's restrict, audit and really focus around what you must be doing, but not really breaking it down into the simple components of what the service is, what ultimately that AI agent is doing or the algorithm is doing. It didn't really classify the intention of the algorithm.

Ciaran Martin:

Completely. And I think splitting that down is really important. The great Professor Michael Sulmeyer, formerly at Harvard and now in the US government, once said to me, "Oh, I'm saying this AI stuff, should be a little bit skeptical." He said, "Oh, absolutely." He said, sometimes when people say to me, "AI," I go, "You mean hard sums?" I think probably these days we'd both say that's going a little bit too far. Maybe he wouldn't; I don't claim to speak for him. But there've been other experts saying, "We wish we'd come up with a different term." Advanced high-speed content... But there's so many different applications of AI that sometimes I think the sheer breadth of the term doesn't help us.

Joseph Carson:

Absolutely. I think it's too broad. We need to simplify it and bring it down to, really, what are the outcomes? I liked it when Dark Tangent referred to it as predictions. What are the predictions it's making? And Alex mentioned it as algorithm utilities. I like some of those terms.

So Ciaran, it's been fantastic having you on, and for me it's always educational listening to you and some of the insights that you have and the journey you've been on. Where can people follow you or catch up with you? You mentioned you're doing some writing. Are you writing blogs, or are you coming up with your own book at some point?

Ciaran Martin:

Well, so I'm hanging in there on X, @ciaranmartinoxf, not posting very much. I'm on Mastodon at InfoSec Social, and using Bluesky a bit more frequently. My newest resolution is to write more. So I write some blogs on the backs of government website, and I will possibly reactivate my Substack. But please, I will send you my stuff, Joe, and you can use your impressive and growing audience to amplify it. But yeah, I very much want to try. For various reasons, I didn't write as much in 2023 as I had done in previous years and would wish to. So that's my New Year's resolution, and we're a bit into 2024 now, and I hope to have some stuff out in the future.

Joseph Carson:

Fantastic. It's been fantastic having you on. Always enlightening. And for the audience, definitely-

Ciaran Martin:

Congratulations again.

Joseph Carson:

Thank you. For me it's a milestone. I never thought I would get to... It's almost three years now and they're still running. And what I enjoy is I get to talk to awesome people like you on a frequent basis. And that's, for me, the value of the podcast: to share the knowledge, but also to get to chat on a frequent basis with amazing thought leaders and industry changers.

Ciaran Martin:

Well, thank you very much for having me.

Joseph Carson:

Thank you very much. So for the audience, again, it's been fantastic having Ciaran on. Tune in every two weeks for the 401 Access Denied Podcast, and look forward to having more conversations and great insights going forward. And thank you, stay safe and take care.