Following today’s Guardian interview with NCSC’s Ciaran Martin on cyberattacks against the UK, security experts have offered the following responses:
Chris Day, Chief Cybersecurity Officer at Cyxtera:
“Mr. Martin’s assertion that a major cyber-attack on the UK is a matter of ‘when, not if,’ is spot on. Everyone in the public and private sectors should adopt that mindset because adversaries don’t discriminate. We’re seeing increasingly bold steps by nation state actors to disrupt everything from the electric grid to elections. Category one (C1) attacks on critical infrastructure have already occurred in places like the Ukraine, and the US has fallen victim to tampering in its democratic processes.
“Governments must shore up security programs to cover both defensive and offensive strategies. Most have done a reasonably good job on the defensive side yet many rely too heavily on outdated security tools. New technologies, like those employing a software defined perimeter (SDP), protect today’s complex, distributed IT environments in ways that traditional methods simply cannot. SDP establishes a secure, one-to-one connection between the user and network only after authenticating what they are entitled to see. Everything else on the network is hidden, which dramatically reduces the attack surface by preventing lateral movement by illegitimate users. From an offensive perspective, there is much work to be done. Most organisations don’t have the internal resources to simulate and assess how far an attacker can go by exploiting even a single vulnerability. My advice is to engage with an offensive-oriented cybersecurity firm that specialises in offensive-based services. Only then can you get a complete picture of risk and work to prevent something as catastrophic as a C1 attack.”
Stephanie Weagle, VP at Corero Network Security:
“The UK National Cyber Security Centre is right to be concerned with their preparation and ability to handle a Category One attack aimed at their critical infrastructure. Distributed Denial of Service attacks come in various forms, all of which are highly disruptive to the victim organization, impacting revenues, brand reputation and the ability to deliver critical services. The ability to take a critical website or system offline has never been easier with the proliferation of inexpensive, widely accessible DDoS attack tools, and the IoT fueling the capability for sophisticated and damaging attacks. As an organization becomes more reliant on Internet accessibility, it needs to ensure it has sufficient preventative controls in place to eliminate the cyber-threat should it become a target.
“Corero welcomes the priority that Government is placing on the issue of cyber security, and the resilience of operators of essential services is a crucial part of this. We are highly supportive of the broad approach and high-level principles outlined in the NIS Directive, but as our research shows, there is still some way to go. It is therefore critical that the forthcoming guidance, incident reporting and enforcement help encourage and deliver higher levels of cyber security. While we understand the Government’s current preference for a light-touch approach in the early stages of implementation, it is critical that the enforcement regime has teeth and results in the deployment of more sophisticated cyber defences.”