‘Yes, you’ve scared us. Now what do we do?’ That’s the question GCHQ’s director general of cybersecurity, Ciaran Martin, has found himself facing a lot, as the agency expands from protecting government and military assets to advising British businesses on how to protect themselves.
Accept the inevitable
The first thing to accept is that you can never stop all attacks. “The sheer scale of hostile activity on many organisations means that, eventually, some will get through,” Martin says. “What’s important is how you manage those.” That goes even for the most security-sensitive of institutions: between 2010 and 2013 the Ministry of Defence suffered 3,892 security breaches, both physical and cyber-related.
GCHQ’s own website, which suffers frequent DDoS attacks, was on one occasion taken down for several hours. “You need a playbook ready for how you will react when an incident occurs,” says Martin. “You may not be able to hold off a breach but, by having procedures in place, you can quarantine them, isolate the damage and keep the organisation running.”
Protect what’s really important
Bearing in mind that breaches are inevitable, it’s important to decide what can be sacrificed. “I’ve been a government official for 20 years and when I started the culture was about protecting absolutely all information,” Martin says. “Now we have to take a much more risk-based approach, figuring out what is important and why.” He points to the takedown of GCHQ’s website as an example. “Although I’d prefer that hadn’t happened, it is not business critical to this organisation,” he says. “That was very far from a disaster. There are risks in my organisation that could have much more impact, so I spend much more attention, much more money and employ far more people on those.”
Guard your interior
The fundamental weakness of any wall, whether physical or digital, is that it still has to let legitimate traffic in and out. “Perimeter defence is just about raising the barrier for entry into your system so that you’re not an easy target,” Martin says. But since any wall can be breached, relying on perimeter defence alone is not enough. “You need both perimeter defence and active internal monitoring to look for spikes, or unusual patterns of activity,” he continues. “In some of the most well-known compromises, something as simple as monitoring the use of power on a network could have caught them.”
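The kind of internal monitoring Martin describes, as an added example that is not from the article or from GCHQ: each host is compared against its own recent history rather than a fixed threshold, so a file server that always pushes 50 MB an hour is flagged when it suddenly pushes 900 MB, and a workstation whose volume is normal is still flagged when it starts talking to a port it has never used. Outbound bytes stand in here for whatever resource counter is available (the quote mentions power draw). The hostnames, hours, byte counts and ports are constructed sample data, and the thresholds are assumptions to tune per environment.

```python
"""Toy internal-monitoring pass: per-host volume spikes and never-seen ports.

Added example, not code from the article. All data below is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries (not real traffic): (host, hour, outbound_bytes, dst_port).
# Hours 0-8 are the quiet baseline; hour 9 contains the two events to catch.
SAMPLE_FLOWS = [
    # fileserver: steady ~50 MB/hour of SMB (port 445), small jitter
    *[("fileserver", h, 50_000_000 + (h % 3) * 1_000_000, 445) for h in range(9)],
    # workstation-7: ~2 MB/hour of HTTPS (port 443)
    *[("workstation-7", h, 2_000_000 + (h % 2) * 200_000, 443) for h in range(9)],
    ("fileserver", 9, 900_000_000, 443),   # volume spike, and to a port it never used
    ("workstation-7", 9, 2_100_000, 4444), # normal volume, never-before-seen port
]


def hourly_bytes(flows):
    """Sum outbound bytes per host per hour -> {host: {hour: bytes}}."""
    per_host = defaultdict(lambda: defaultdict(int))
    for host, hour, nbytes, _port in flows:
        per_host[host][hour] += nbytes
    return per_host


def robust_baseline(values):
    """Median and median absolute deviation: one earlier spike in the history
    barely moves either, unlike mean and standard deviation."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def detect_volume_spikes(flows, history_hours=8, k=10.0, floor_ratio=3.0):
    """Flag an hour whose outbound volume is far above the host's own prior hours.

    Both conditions must hold: value > median + k*MAD (robust z-score), and
    value > floor_ratio * median, so a very flat baseline (MAD near zero)
    does not turn a trivial increase into an alert.  k and floor_ratio are
    assumed values; tune them against real history.
    """
    alerts = []
    for host, by_hour in hourly_bytes(flows).items():
        ordered = sorted(by_hour)
        for i, hour in enumerate(ordered):
            history = [by_hour[h] for h in ordered[max(0, i - history_hours):i]]
            if len(history) < 4:
                continue  # too little of this host's own history to judge against
            med, mad = robust_baseline(history)
            value = by_hour[hour]
            if value > med + k * mad and value > floor_ratio * med:
                alerts.append({"host": host, "hour": hour, "kind": "volume_spike",
                               "bytes": value, "baseline": med})
    return alerts


def detect_new_ports(flows, training_end):
    """Flag a host contacting a destination port it never used before training_end.

    Catches the 'unusual pattern' case where the volume looks ordinary.
    """
    seen = defaultdict(set)
    for host, hour, _n, port in flows:
        if hour < training_end:
            seen[host].add(port)
    alerts = []
    for host, hour, _n, port in flows:
        if hour >= training_end and port not in seen[host]:
            alerts.append({"host": host, "hour": hour, "kind": "new_dst_port",
                           "port": port})
    return alerts


def run_monitor(flows, training_end=9):
    """Run both detectors and return the combined alert list."""
    return detect_volume_spikes(flows) + detect_new_ports(flows, training_end)


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_FLOWS):
        print(alert)
```

On the constructed data the spike detector fires only for fileserver at hour 9 (900 MB against a 51 MB baseline), and the port detector fires for both hosts at hour 9: the file server's burst went out over 443 rather than its usual 445, and the workstation's modest 2.1 MB went to 4444. Neither of these would be visible to a perimeter rule that only asks whether outbound HTTPS is allowed.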
A tactic private companies are increasingly adopting from intelligence agencies is to use data collection and analysis to predict attacks before they occur. But to access the data needed for real, useful insight, collaboration will be essential. “There needs to be information sharing between companies who are normally competitors,” Martin says. “The financial sector has made great strides because they face a measurable financial threat every day, so they’ve set aside commercial rivalries to pool their data. And because they’re of a sufficient size they’ve been able to build systems that can process all this. Once you have access to this data, having systems actually able to make use of it is a key constraint.”
An organisation’s greatest weakness is increasingly not technological but human. “System administrators are your key vulnerability,” Martin points out. “If they’re compromised then systems like encryption offer no further protection.” Yet malicious insider activity is less of a threat than accidental breaches. “People need to upskill significantly in cyber security, so being punitive isn’t always the best response,” Martin says. “It’s more important to focus on making procedures simple and accessible. We estimated that if you took all the advice about complex passwords, for the average number of systems that a person needs access to, it’s the equivalent of asking them to remember 660 digits every month. It’s better to design systems that may be mathematically less secure in the abstract, but are a lot more likely to actually be implemented to a decent standard.”