Outgoing NCSC CEO: Ransomware threat kept us up at night

Ransomware used “recklessly” by “amoral” cyber criminals is “one of the biggest scourges of the modern internet” right now, and a threat that has caused sleepless nights for many, particularly during the Covid-19 pandemic, according to former National Cyber Security Centre (NCSC) CEO Ciaran Martin.

In his first public speech since leaving the NCSC, which was delivered online to an invited audience of security specialists and journalists through the Royal United Services Institute (Rusi), Martin, who led the foundation of the national security body after having previously run GCHQ’s cyber security ops, reflected on his time there and on the cyber threat landscape to draw his conclusions.

“[Ransomware] is the most likely cause of the disruption of key services. It is undeniably a huge source of financial loss. It is the most likely way someone is going to suffer serious disadvantage, or get hurt, or even get killed, which may sadly have just happened for the first time,” said Martin, referring to the tragic death of a woman in Germany during a ransomware attack on a Düsseldorf hospital.

“Ransomware needs to be treated as a disruptive threat, not like data theft or espionage. Right up until my final hours at the NCSC last month, I remained of the view that the most likely cause of a major incident was a ransomware attack on an important service,” he said.

“For the attacker, the choice of the service would be incidental, they were just after money, but from the point of view of national harm that incidental choice of victim could be important. What most kept me awake at night was the prospect of physical harm inadvertently resulting from ransomware.

“Attacks on healthcare providers in Germany and the Czech Republic at the height of the pandemic were very scary. Sadly, it appears that the worst may have happened – we await the full details – but in any case, some researchers have begun to publish tentative evidence linking ransomware attacks on hospitals with poorer medical outcomes, including mortality rates.”

Martin went on to say he had some concerns about the tendency for security commentators and, to some extent, the media, to focus on catastrophic cyber risk, and warned that to do so risked skewing resources and policy towards things such as the army and the intelligence services, and neglecting softer targets such as healthcare or local government.

Martin said that the prospect of local government services being held to ransom – as happened in Redcar and Cleveland, for example – was about as far from the apocalyptic Hollywood vision of a cyber attack as it was possible to get.

“These are our schools, these are services for vulnerable people, these are environmental protection services, all have very real risk from fairly common techniques and tools, and it's this problem that we need to shout about to help people understand it,” he said.

Martin added that focusing on catastrophic cyber threat did not even help manage catastrophic cyber threat that well, because it risks drawing attention from more mundane aspects of security. Understanding the nuance, the complexity, and to some extent the detail of the cyber attacks perpetrated against the UK was, he said, crucial to efforts to “making our digital homeland safe”.