Ransomware is your biggest threat, NCSC CEO tells business

As head of the National Cyber Security Centre, Lindy Cameron believes company leaders must improve preparedness and resilience by educating staff – and themselves

Lindy Cameron is a difficult person to reach. That’s understandable: as CEO of the National Cyber Security Centre (NCSC), she’s at the forefront of the UK’s fight against computer security threats. While it’s tough for a journalist to negotiate an interview, it’s reassuring that she’s dedicated to her task. 

The NCSC provides advice and support for public and private sector organisations, helping them avoid computer security threats. Cameron took the helm in October 2020, succeeding inaugural CEO Ciaran Martin, who stepped aside after four years in the job.

Her assessment of cyber threats, themes and advice should be required reading for CIOs and other members of the C-suite. Indeed, on the rare occasions she has spoken in public since taking up the role, she hasn’t held back.

For instance, in March she warned of the UK’s need to be “clear-eyed about Chinese ambition in technological advancement”. Speaking in her first address as CEO, she chided China’s “hostile activity in cyberspace” while adding that “Russia [is] the most acute and immediate threat” to the country.

Ransomware: an immediate danger 

The former number two at the Northern Ireland Office has over two decades of experience working in national security policy and crisis management. She was equally forthright and insightful in October’s keynote speech at Chatham House’s Cyber 2021 conference, where she reflected on her first year at the NCSC and identified four key cybersecurity themes. The most alarming is the pervasiveness of ransomware, the scourge of business leaders.

In May, US cloud-based information security company Zscaler calculated that cybercrime was up 69% in 2020. Ransomware accounted for over a quarter (27%) of all attacks, with a total of $1.4 billion demanded in payments. And those figures didn't include two hugely damaging breaches that occurred in 2021, which showed how far the reach of bad actors has grown.

July’s ransomware attack on multinational remote management software company Kaseya affected thousands of organisations and saw the largest ever ransomware demand of $70 million. The REvil ransomware gang that claimed responsibility for the attack ordered ransoms ranging from a few thousand dollars to multiple millions, although it’s unclear how much was paid. The gang said 1 million systems had been impacted across almost 20 countries. While those numbers are likely to be exaggerated, the attack triggered widespread operational downtime for over 1,000 companies.

The Kaseya incident came two months after the attack on Colonial Pipeline, one of the largest petroleum pipelines in the United States. The attack disabled the 5,500-mile system, sparking fuel shortages and panic buying at gas stations. Within hours of the breach, a $4.4m ransom was paid to DarkSide, an aptly named Russian hacking group. Despite the payment – later recovered – the pipeline was down for a week.

“Ransomware presents the most immediate danger to the UK, UK businesses and most other organisations – from FTSE 100 companies to schools; from critical national infrastructure to local councils,” Cameron told the October conference. “Many organisations – but not enough – routinely plan and prepare for this threat, and have confidence their cybersecurity and contingency planning could withstand a major incident. But many have no incident response plans, or ever test their cyber defences.”

Managing and mitigating cyber risk

The sheer number of cyberattacks, their broader scope and growing sophistication should keep CIOs awake at night. The latest Imperva Cyber Threat Index score is 764 out of 1,000, nearing the top-level “critical” category. Other statistics hint at the prevalence of cybercrime in 2021: some 30,000 websites on average are breached every day, with a cyberattack occurring every 11 seconds, almost twice as often as in 2019.

Cybersecurity organisation Mimecast reckons six in 10 UK companies suffered such an attack in 2020. In her Raconteur interview, conducted a fortnight after her appearance at Chatham House, Cameron reiterated her concerns.

“Right now, ransomware poses the most immediate threat to UK businesses, and sadly it is an issue which is growing globally,” she says. “While many organisations are alert to this, too few are testing their defences or their planned response to a major incident.”

Despite the headline-stealing attacks, businesses aren’t doing enough to prepare for ransomware attacks, says Cameron. Cyber risks can and must be managed and mitigated. To an extent, CIOs and chief information security officers (CISOs) are responsible for communicating the potentially fatal threat to various stakeholders.

Cyberattacks are different from other shocks because they aren't readily perceptible. They are deliberate and can originate inside or outside the organisation. They hit every aspect of an organisation – human resources, finance, operations and more – making them incredibly hard to contain.

“The impact of a ransomware attack on victims can be severe,” Cameron continues, “and I’ve heard powerful testimonies from CEOs facing the repercussions of attacks they were unprepared for. Attacks can affect an organisation’s finances, operations and reputation, both in the short and long term.”

Building cyber resilience 

CEOs can’t hide behind their security teams if breached by a cyberattack. Cameron warns that defending against these incidents can’t be treated as “just a technical issue” – it’s a board-level matter, demanding action from the top. 

“A CEO would never say they don’t need to understand legal risk just because they have a General Counsel. The same applies to cybersecurity.” 

Cybersecurity should be central to boardroom thinking, Cameron adds. “We need to go further to ensure good practice is understood and resilience is being built into organisations. Investing resources and time into putting good security practices into place is crucial for boosting cyber resilience.”

Cameron notes that the NCSC’s guidance, updated in September, will reduce the likelihood of becoming infected by malware – including ransomware – and limit the impact of the infection. It also includes advice on what CIOs, CISOs and even CEOs should do if systems are already infected with malware. 

Cameron, who was previously director general responsible for the Department for International Development’s programmes in Africa, Asia and the Middle East, echoes Benjamin Franklin’s famous maxim: “By failing to prepare, you are preparing to fail.” 

There’s a wide range of practical, actionable advice available on the NCSC website, she notes.

“One of the key things I have learned in my first year as NCSC CEO is that organisations can prevent the vast majority of high-profile cyber incidents we’ve seen following guidance we have already issued,” she adds. 

Low-hanging fruit

At the Chatham House event, Cameron acknowledged that small- and medium-sized enterprises are especially vulnerable to cyberattacks. “I completely understand this is getting harder, especially for small businesses with less capability,” she said. “But it is crucial to build layered defences that are resilient to this.”

SMEs are the low-hanging fruit for cybercriminals, as they usually lack the budget for, or access to, sufficient IT support or security expertise. "We appreciate smaller organisations may not have the same resources to put into cybersecurity as larger businesses," Cameron says.

The NCSC has produced tailored advice for such organisations in its Small Business Guide. This explains what to consider when backing up data, how to protect an organisation from malware, tips to secure mobile devices and the information stored on them, things to bear in mind when using passwords and advice on identifying phishing attacks.

Criminals will seek to exploit a weak point, which could include an SME in a supply chain. Larger organisations, says Cameron, have a “responsibility to work with their suppliers to ensure operations are secured. In the past year, we have seen an increase in supply chain attacks with impacts felt around the world, underlining how widespread supply networks can be.”

Supply chain concerns

Supply chain attacks were another of Cameron’s four key themes at the Chatham House conference. Such vulnerabilities “continue to be an attractive vector at the hand of sophisticated actors and … the threat from these attacks is likely to grow,” she said. “This is particularly the case as we anticipate technology supply chains will become increasingly complicated in the coming years.”

The most infamous recent supply chain attack was on SolarWinds, said Cameron. According to the former CEO and other SolarWinds officials, the breach happened because criminals hacked a key password – it was solarwinds123. This highlights the importance of strong passcodes for companies large and small. 

“SolarWinds was a stark reminder of the need for governments and enterprises to make themselves more resilient should one of their key technology suppliers be compromised,” Cameron said at Chatham House.

The two other areas of cyber concern she highlighted were the vulnerabilities exposed by the coronavirus and the development of strategically important technology. "We are all increasingly dependent on that technology and it is now fundamental to both our safety and the functioning of society," she said of the latter.

On the former theme, Cameron said that malicious actors are trying to access Covid-related information, whether vaccine procurement plans or data on new variants. 

“Some groups may also seek to use this information to undermine public trust in government responses to the pandemic. The coronavirus pandemic continues to cast a significant shadow on cybersecurity and is likely to do so for many years to come.”

CIOs must keep this in mind as many organisations grapple with post-pandemic ways of working. This involves more remote workers using personal or poorly protected devices on unsecured networks, all of which play into the hands of bad actors.

“Over the past 18 months, many organisations will have likely increased remote working for staff and introduced new online services and devices to stay connected,” says Cameron. “While this has offered a solution for many businesses, it’s vital for the risks to be mitigated so users and networks work securely. Our home-working guidance offers practical steps to help with safe remote working.”

Post-pandemic cybersecurity 

Providing other essential advice, Cameron underlines the importance for organisations of all sizes to build their cyber resilience. 

“It’s vital that organisations of all sizes take the right steps to build their cyber resilience. Educating employees is an important aspect of keeping any business secure. Staff can be an effective first line of defence against cyberattacks if they are equipped with the right understanding and feel they can report anything suspicious.”

Businesses should put a clear IT policy in place that guides employees on best practices, while staff should be encouraged to use the NCSC’s “Top Tips for Staff” training package. 

“These steps are about creating a positive cybersecurity culture and we believe senior leaders should lead by example,” she adds. 

The NCSC’s Board Toolkit is particularly useful for CIOs, designed to help facilitate cybersecurity discussions between board members and technical experts. It will “help ensure leaders are informed and cybersecurity considerations can be integrated into business objectives”.

These conversations are now critical, as advances in artificial intelligence, the internet of things, 5G and quantum computing multiply attack surfaces. Reflecting on the NCSC’s work since its inception five years ago, Cameron says the organisation has achieved a huge amount, including dealing with significant cyber incidents, improving the resilience of critical networks and developing a skills pipeline for the future. 

“This is delivering real benefits for the nation, from protecting multinational companies to defending citizens against online harm. However, the challenges we face in cyberspace are always changing, so we can’t rest on our laurels.”

This article was first published in Raconteur’s Future CIO report in November 2021

How critical infrastructure is dealing with the threat of cyber attacks

A crippling ransomware attack on one of the largest fuel distribution networks in the US has brought into sharp focus the cyber threats facing infrastructure of national importance

In 2020, the Cybersecurity and Infrastructure Security Agency alerted the US to the risk of a devastating cyber attack on a crucial system of national importance. On 7 May this year, the UK’s National Cyber Security Centre (NCSC) issued a stark warning along similar lines. By coincidence, it was the same day that hackers would cripple one of the largest fuel distribution networks in North America. 

The taking of the Colonial Pipeline brought the authorities’ worst fears to life. The ransomware attack disabled the 5,500-mile network, causing fuel shortages in the south-eastern states of the US and prompting the Biden administration to declare a state of emergency. Although the Colonial Pipeline Company’s CEO, Joseph Blount, controversially paid the $4.4m (£3.2m) ransom, the network was out of action for a week.

This case was “not shocking” to Sarah Lyons, the NCSC’s deputy director for economy and society. There had been warnings aplenty. Only three months previously, for instance, a hacker unsuccessfully attempted to poison the water supply of Oldsmar, a city in Florida. 

“The pandemic has exacerbated cyber attacks targeting organisations, including providers of critical national infrastructure, which will always be an attractive target,” she says. “The Colonial Pipeline incident confirmed our belief that any such attack could have wide-ranging societal ramifications. It also gave us a glimpse at the kind of attack with a physical impact that could materialise in future if connected places providing critical public services are compromised.”

Fatal warning: potential cyber-physical attacks

The way that critical national infrastructure has evolved to use interconnected digital networks makes it far more vulnerable than it used to be, according to Lyons, who believes that the risks could be even greater when 5G is more widely adopted. 

“Regulated industries such as telecoms and energy are being connected to unregulated services and suppliers,” she explains. “These industries, which we all rely on daily, are an attractive target for a range of threat actors, unfortunately. A successful attack could cause significant disruptions to key public services and compromise citizens’ sensitive data.” 

Lyons urges operators to “recognise that it’s vital that we ensure these networks are resilient to cyber attacks. In a worst-case scenario, a successful one could endanger people.”

George Patsis, CEO of Obrela Security Industries, agrees, warning that “the sky is the limit” when it comes to the extent of the damage that cyber attacks on critical infrastructure could wreak. “These have the potential to be cyber physical, putting many people’s lives at risk,” he says. 

Patsis uses the London Underground as an example. “Computers control the timing of when trains arrive at junctions. If someone were to infiltrate the network and alter their synchronisation by only a few seconds, it could cause multiple fatal crashes,” he says.

Most worrying is a lack of robustness in operational technology (OT) security, which Gartner defines as “practices and technologies used to protect people, assets, and information; monitor and/or control physical devices, processes and events; and initiate state changes to enterprise OT systems.”

Patsis says: “As OT increasingly becomes internet-enabled, it creates new attack avenues. There is now a big focus on securing OT in the same way we do the IT estate.” 

While he notes that the Colonial Pipeline affair has been a “huge driver” for improving OT security, Patsis stresses that there is much work to do in this area.

Unique challenge: securing operational technology

Theresa Lanowitz, head of evangelism at AT&T Cybersecurity, takes much the same view. “With the convergence of IT and OT systems, there has been an exponential growth in internet-of-things devices that has heightened concerns about the digital security of these systems,” she says. 

Lanowitz calls for a “mindset shift” in securing OT assets. “Legacy infrastructure has been in place for decades and is now being combined as part of the convergence of IT and OT,” she says. “This can be challenging for organisations that previously used separate security tools for each environment and now require holistic asset visibility to prevent blind spots. Attacks are coming from all sides and are creeping across from IT to OT and vice versa. Organisations should adopt a risk-based approach that recognises that there is no perfect security solution.” 

She continues: “Enterprises that strategically balance security, scalability, access, usability and cost can ultimately provide the best long-term protection against an evolving adversary.”

Has the Colonial Pipeline attack encouraged infrastructure providers to take more effective defensive measures? “Frankly, not enough,” argues Rob Carew, chief product officer at Arcadis Gen, the digital arm of Arcadis, a Dutch engineering consultancy. “There is still a disconnect between cybersecurity and critical infrastructure.” 

He suggests that cybersecurity is widely seen in the sector as an “add-on”, rather than intrinsic, when it comes to monitoring the health of critical infrastructure.

“The problem is compounded by ageing hardware and software technology, which can often be exploited through unforeseen vulnerabilities,” Carew says. “Transparency and trust are key in having robust and executable action plans. Everyone has a role to play in security. If it becomes a regular topic of conversations among asset owners, operators, managers, maintainers and the supply chain, it will become part of the organisation’s DNA.”

Actions, though, speak louder than words. While the Colonial Pipeline incident may have set alarm bells ringing, there is still – months later – widespread anxiety across the infrastructure sector, with cybercriminals seemingly better equipped to find vulnerabilities and profit from exploiting them.

This article first appeared in Raconteur’s Future of Infrastructure report in September 2021

The worrying rise of ransomware as a service

The Colonial cyberattack that cost a US fuel pipeline $4.4m in May highlights why businesses need to treat the fast-emerging threat of ‘ransomware as a service’ more seriously

A wry observation doing the rounds among cybersecurity experts is that the hackers who’ve transformed ransomware attacks into a multibillion-dollar industry are more professional than their high-profile corporate victims. 

It was certainly no laughing matter for the CEO of the Colonial Pipeline, one of the largest fuel-distribution networks in the US, when an attack in early May disabled the 5,500-mile system, triggering fuel shortages and panic-buying at filling stations. Within hours of the breach, Joseph Blount controversially paid a $4.4m (£3.1m) ransom to DarkSide, the Russian hacking group that mounted the attack, on the basis that it was “for the good of the country”. Despite this, the network was still out of action for a week.

The Colonial Pipeline case is one of many similar incidents, which have increased sharply in number since the pandemic started but have tended to go under the radar, as the victims are understandably reluctant to publicise their security failings. This high-profile example has exposed the rise of so-called ransomware as a service (RaaS), which DarkSide and various other professional hackers are now offering. 

The number of cybercrimes committed worldwide in 2020 was 69% higher than the previous year’s total. Ransomware was involved in 27% of these and a total of $1.4bn was demanded, according to a report published in May by US data security company Zscaler. In the UK, cybersecurity specialist Mimecast believes that as many as 60% of companies suffered a ransomware attack during the year. 

“Covid-19 has driven a huge ransomware surge,” reports Deepen Desai, Zscaler’s chief information security officer. “Our researchers witnessed a fivefold increase in such attacks starting in March 2020, when the World Health Organization declared the pandemic.”

Criminals seeking to exploit the network vulnerabilities created by the general shift to remote working during the Covid crisis either developed more sophisticated hacking methods or, seeking a shortcut, paid for RaaS. 

RaaS business model rings alarm bells

“RaaS has enabled even the least technically advanced criminals to launch attacks,” says George Papamargaritis, director of managed security services operations at Obrela Security Industries. “Gangs are advertising their services on the dark web, collaborating to share code, infrastructure, techniques and profits.” 

The RaaS model means that the spoils are split among three partners in crime: the programmer, the service provider and the attacker. “This is a highly structured and organised machine that operates much like many other legitimate organisations,” he adds.

The earliest reference to RaaS can be traced back to 2016. But, as Jen Ellis, vice-president of community and public affairs at Rapid7 and co-chair of the Ransomware Task Force, notes: “There are indications that it’s on the rise as more criminals take the chance to make a quick, easy and relatively risk-free profit by entering the ransomware market.”

This collaborative approach to ransomware attacks is terrible news for businesses, warns Ian Pratt, global head of security for personal systems at Hewlett-Packard. “Once, it was the preserve of opportunistic individuals who targeted consumers with demands of a few hundred pounds. Today, criminal gangs operating ransomware make millions from corporate victims in so-called big-game hunts,” he says. “This should have the alarm bells ringing in boardrooms.”

By educating themselves and their employees, business leaders can improve company-wide security protocols and so minimise the risk of ransomware attacks. Pratt explains that “users are the point of entry for most attacks”, accounting for 70% of successful network breaches. Malware is “almost always delivered via email attachments, web links and downloadable files”.

Prevention better than cure

Michiel Prins, co-founder of HackerOne, a vulnerability-disclosure platform connecting businesses with penetration testers, agrees. “Difficult as it may seem to prevent these attacks, prevention is always better than cure when it comes to ransomware,” he says. “This means maintaining a nimble and adversarial approach to cybersecurity that takes into account the perspective of an attacker, getting beyond traditional solutions that miss more elusive vulnerabilities.”

Prins argues that working with ethical hackers will “strengthen an organisation’s overall security posture”, as potential weak spots are reported and fixed “before serious damage is done”. Additionally, establishing a so-called bug-bounty programme, which rewards people for highlighting faults in the coding, “signals a high level of security maturity,” meaning that the criminals might look for easier prey.

If they do fall victim to an attack, should organisations accede to ransomware demands? CrowdStrike estimates that just over a quarter of victims end up paying the hackers to unlock their systems. Nearly 60% of UK businesses would enter negotiations, according to Sam Curry, chief security officer at Cybereason. 

“We’d advise against paying ransoms. But in extreme situations, where lives are at risk or a national emergency is likely, it could be better to pay,” he says. “Before making that decision, it’s essential to notify your legal counsel, your insurer and the relevant law-enforcement agencies.”

Even when a business does cough up, there’s no guarantee that this will put an end to its problems. Peter Yapp, former deputy director at the UK’s National Cyber Security Centre and now a partner at law firm Schillings, cites the Travelex attack in December 2019 as an example. Many of the company’s web pages were still out of action two months later and a $2.3m ransom was eventually paid to the hackers. Later in 2020, Travelex sank into administration, “partly due to the losses and reputational damage caused by the attack”, he says.

Charles Brook, threat intelligence specialist at cybersecurity company Tessian, acknowledges that it’s a tough decision. “Ethically speaking, you have to consider that you are enabling cybercrime by paying a ransom,” he says. “But I can sympathise with organisations that may have no other option.”

There are other considerations, Brook adds. “If you pay, you could put a target on your back for further attacks. And, even after your files are decrypted, there may still be something malicious left behind.”

With the hackers in the ascendancy, Yapp believes that the government needs to step up its efforts to combat ransomware. “This has become such a serious problem that perhaps it’s time to lobby for the UK’s new National Cyber Force to fight back against these criminals in a different, military, way,” he suggests.

Perhaps the hackers won’t have the last laugh, after all.

This article was originally written for Raconteur’s Connected Business report, published as a supplement in The Times in June 2021