Ciaran Martin's speech to CBI

13 Sep 2017 10:34 AM

NCSC Chief Executive Officer, Ciaran Martin, delivers a speech to CBI on 13th September 2017.

Thanks Tom, and good morning – I’m enormously pleased to be here in the City but before I start I want to offer an apology: it’s my fault that you are sitting down so early instead of relaxing over coffee and cake.  I have to leave to fly to Estonia in two hours and even now I know there are at least two people who think I’ve already been talking for too long.

A huge thank you to the organisers for allowing me to come along anyway, and I wish I could stay to enjoy such a comprehensive agenda.  Every aspect of cyber security is covered and every aspect is important.

I am privileged to be the first head of the UK’s new National Cyber Security Centre, a part of GCHQ, based not far from here. We were opened formally by HM The Queen in February this year. We are bringing together, in a single place, the UK’s operational cyber security work.  It’s not easy.  But it’s essential.

That’s because we face a strategic challenge at global level – hence the summit in Estonia – but also at national level.  And that really means national – it means everyone with a role to play, whether that’s government, industry or the individual.  I am going to talk about each of those three in turn.

One thing that’s common to all three is the importance of asking questions. 

When I joined GCHQ three and a half years ago my learning curve was steep.  The organisation is jam packed full of bright, creative, intuitive people who had forgotten more than I knew about cyber security.  I asked questions, constantly.  Even now I am often puzzled, but mostly and regularly blown away by the brilliance of the people that work for me and the innovative solutions they find so effortlessly to the largest of problems.

Then we as a government started asking questions. Why do we care about cyber security at a national level? What is the role of government? Which part of our society is key to our cyber defences in what ways? Why haven’t normal market forces taken care of more of the problem? 

This was nothing less than questioning a Western consensus on cyber security that had been around for nearly a decade. It said, roughly:

  • Governments should look out for the high end national security risks;
  • Governments should form (rather vaguely described) partnerships with the private sector; 
  • Information sharing should be encouraged because it was the answer to most of the problem;
  • The market would take care of the rest. 

But a lot of this wasn’t happening. The partnerships were there but weren’t achieving much in some cases. Information sharing uptake beyond the finance sector was poor. Corporate defences were weaker than they should be.

So, the result of this questioning was the launch of the National Cyber Security Strategy last year. It said we cared about cyber security for two reasons:

First, high end national security, threats to our way of life or our critical services.

Second, the threat to prosperity from an aggregation of cyber attacks that would damage consumer confidence.

And it set up the NCSC to deliver the response to the first threat and to provide the infrastructure for addressing the second. 

I think the past year has shown that this is the right framework. 

First, and most obviously, the big state threat, traditional espionage with a modern twist that can now affect our democracy, our critical national infrastructure and the lens through which we view the world.  The age-old national security dangers: classic enemy tactics with brand new shiny tools.

Second, the threat to our economic prosperity.  According to the most recent Cyber Security Breaches Survey, just under half of UK businesses identified a breach, or attack, in the last twelve months.  That is file loss.  Systems, corrupted.  Accesses denied.  Personal data, stolen.  *Just under half*.  The UK is one of the most digitally advanced and digitally dependent economies in the world.  The government must manage public confidence in the digital economy.  If trust in online services is lost, or if hundreds of thousands of data breaches become commonplace, that confidence is undermined, permanently and fatally.

The WannaCry attack that affected the NHS in May was an example of the more severe end of the threat – the sheer scale of the attack globally even if, as an attack designed to gain money, it appears to have been unsuccessful – and the wider impact cumulative attacks can have (the damage to relatively small NHS bodies in various parts of the country).  

And we’ve seen the attack on Equifax in the US. With the Information Commissioner, we are examining its impact on the UK and will provide a full update as soon as we can. 

So, this brings me to the UK’s response to these two areas of risk.

What more should we – government, business, the user – now be doing to have the devastating return effect?
