Last week, major UK companies including British Airways, Boots and the BBC were hit by a ransomware attack. A Russia-linked criminal gang called Lace Tempest is thought to have been responsible, stealing the personal data of staff via a third-party payroll platform. The group has demanded a ransom, otherwise it will publish sensitive information online – potentially including names, addresses, National Insurance numbers and bank details – by the end of the month.
This high-profile case is no outlier, however. Also this month, the University of Manchester and Leytonstone School in London have faced as-yet unidentified attacks.
The Covid-era rush to remote working and Russia’s invasion of Ukraine have exacerbated the risk of cyberattacks. The threat from criminals and hostile nation-states is growing. Since the start of the war, Russian-based phishing attacks against email addresses of European and US-based businesses have increased eight-fold, according to the IT firm AAG. In the UK, the crime of “computer misuse” increased by 89 per cent to 1.6 million offences in the year ending March 2022, compared with the year ending March 2020, according to data from the Office for National Statistics.
Lindy Cameron, CEO at the UK’s National Cyber Security Centre (NCSC), the UK government’s cybersecurity arm, tells Spotlight that dealing with both cybercrime and state-affiliated attacks is a gargantuan task. Sometimes the tricky thing is deciphering between the two.
“The challenge in cyberspace is that it’s much harder to be clear… where actors may be enabled or permitted by states but not necessarily directly tasked by them,” she says. “It’s complex and difficult.”
Hailing from Belfast, Cameron became Britain’s most senior cybersecurity official in October 2020, at the peak of the pandemic and shortly before the levels of online crime escalated. The civil servant had previously held senior roles at the Department for International Development and the Northern Ireland office.
[See also: Cybersecurity in the quantum age]
The Ukraine war has highlighted the growing threat of hostile states, she says. “Cyberspace has been one of the battlefields in which [Russia] is contesting this war. Although the biggest threat we see to the UK in terms of cybersecurity day-to-day is cybercrime, in particular ransomware, it’s reminded people that we should be mindful of what states are capable of.”
The war has also served as a reminder that the “defender has a vote”, she says – by being prepared and building resilience, countries can actively protect themselves. A recent report from the European Cyber Conflict Research Initiative has highlighted the “incredible resilience and determination” of Ukrainian cybersecurity forces in the face of an “unprecedented operational tempo” of attacks from Russia, including distributed denial-of-service attacks (DDoS), disinformation and data weaponisation – where information is manipulated to mislead, harm or gain a competitive advantage.
Ukraine’s defences have also been bolstered through collaboration with international partners, another key tenet of Cameron’s role. Earlier this year, Ukraine’s cybersecurity team visited the NCSC to share knowledge on their response to Russian attacks so far. The UK has also provided support to Ukraine through a £6.4m cyber-defence programme, which has helped to protect the country’s national infrastructure.
Ukraine has been at the forefront of a “constant barrage”, says Cameron. “These are our colleagues who are facing something quite extraordinary,” she continues. “Many cyber defenders think of themselves as experiencing hand-to-hand combat but the only hand-to-hand combat we’ve actually seen in the last year has been in Ukraine. I’m very conscious that they really are on the front line of this.”
[See also: Small businesses urged to improve cybersecurity]
Geopolitical relations around cybercrime have vastly improved in recent years, says Cameron. This includes cross-border counter-ransomware initiatives. Just this week, the NCSC released a joint advisory document with multiple international cybersecurity partners warning against Lockbit, the most deployed ransomware “variant” across the world in 2022, which has infiltrated organisations across critical sectors including financial services, food and agriculture, education and healthcare.
“There is a much wider exchange of views and understanding of what the criminal ecosystem looks like in different countries,” she explains. “I’m much more confident that I understand the different organisations that pose a threat to the UK.”
But while intelligence-sharing may have increased, individual businesses and organisations are still catching up. Last week’s attack on British Airways, Boots and the BBC affected a third-party payroll services provider called Zellis, which all the companies used. Zellis uses a file transfer software called MOVEit, which was the target of the attack.
Such cases show the security risks that come with having a supply chain. Cameron is keen to encourage businesses to choose their hardware and software providers carefully and ensure they are using up-to-date software. The NCSC is also working with the newly formed Department for Science, Innovation and Technology on guidelines that automatically factor security into products bought in the UK – for example, ensuring that connected devices can only be purchased if you can change the default password.
“The last year and a half have taught us the need to understand your supply chain and think about how it might be affected by future conflict,” she says. “We want people to stand back and understand the hardware and software they use, but we’ll also challenge the industry to think about how you build security into that technology from the start.”
Indeed, Cameron stressed the importance of adopting a “secure by design” approach at Chatham House Cyber 2023 conference earlier this week. Cybercriminals could exploit artificial intelligence for nefarious purposes, for instance, such as drafting convincing phishing emails or infiltrating sensitive information. “We cannot rely on our ability to retrofit security into the technology in the years to come,” she said. “We have to build in security as a core requirement as we develop [it].”
The MOVEit case also demonstrates the “concentration risk” of cyberattacks, with so many high-profile organisations using the same third-party providers. “That’s why we encourage people to map their supply chain and understand key dependencies,” says Cameron. The NCSC has free online tools to help businesses do this, such as its “exercise in a box”, which helps organisations find out how resilient they are to cyberattacks and practise their response in a safe environment.
Understanding your supply chain is particularly important for critical national infrastructure (CNI) sectors, which span the public and private sector and have varying levels of cybersecurity competence. Some CNI sectors demonstrate best practice, says Cameron, such as telecoms and financial services, while others, such as government, need improvement.
Last year, the Central Digital and Data Office – the UK government’s digital, data and technology function that sits within the Cabinet Office – published its 2022-25 roadmap for digital and data. This aims to join up the government’s digital systems, deliver better public services, and update all legacy hardware and software. In its roadmap, the government describes its own digital services as “slow, difficult to use and expensive to deliver”. It acknowledges the civil service’s “skills gap” and “varying levels of digital maturity”, and recognises that “the costly issue of legacy IT” is “a barrier to the delivery of great policy and services”. Cameron says she is “hugely supportive” of efforts to overhaul legacy systems “appropriately and sensitively”.
All organisations must take steps to protect themselves, says Cameron, because as threats increase, protection for businesses appears to be diminishing. Earlier this year, the insurance company Lloyd’s of London enshrined a new “cyberwar exclusion clause” into its cyber-insurance policies, meaning that attacks carried out by hostile states would not be covered. But the anonymous nature of cybercrime makes it difficult to tell whether an attack is an act of war or not. The NCSC is rethinking policy in this area and whether such events should be covered by general business insurance or specific cybersecurity policies.
However, the insurance market could also be a “potentially transformative part of building our resilience”, says Cameron. It could encourage businesses to adopt better practice. “Car insurance has played a huge role in ensuring people only drive cars they can get insured, when they have a licence and a decent safety record themselves, or they end up paying a high premium,” she says. “It helps to incentivise sensible preparation.”
Better preparation for cyberattacks might include limiting employees’ access to certain devices, apps or software that are deemed risky. For instance, the government recently banned TikTok – the Chinese-owned social media app – from all government devices over concerns around the sharing of sensitive information. It is still permitted for use on personal devices, although the app is blocked if used on parliament wi-fi on any device.
Given the security risks, should anyone in the UK be using TikTok? Cameron says it would be sensible for businesses to take a similar approach to government with their enterprise devices. While she doesn’t comment on individual liberties, she does say that everyone should be wary of hitting download too quickly. “For everybody, we would say, be mindful of what data you want to share and with whom. Every app you download is asking permission to have access to a wide range of information on your device. It’s important to think through – are you OK with that? Do you understand what’s being done with that? And what would happen if that was used for the wrong purpose?”
[Read more: “World leaders now understand that cyber is a big issue”: Lindy Cameron on her first year as NCSC CEO]