How to 'Demystify' CybersecurityCiaran Martin, Former UK Cybersecurity Chief, on Managing Cyber Risks
To defend against cyberattacks, it's important to "demystify" cybersecurity and break it into risks that can be managed by any organization, says Ciaran Martin, the former director of the U.K. National Cyber Security Center.
In a Thursday keynote speech at the AusCERT computer security conference in Australia, Martin, now a professor at Oxford University, said the notion that cyber incidents can't be stopped is false.
In the case of the Colonial Pipeline ransomware attack in the U.S., the picture emerging is one of criminals in over their heads, he said, adding that the DarkSide group and its affiliates consistently exploit basic weaknesses in corporate security (see: Colonial Pipeline Restarts Operations Following Attack).
"They've gone too far because what they didn't realize was that by hacking the IT system of a pipeline company, that would then cause the company - for whatever reason - to shut down the pipeline," Martin said.
It's a story that is being repeated over and over, leading to a series of events that can add up to big problems, Martin said. But cybersecurity should be addressed in way that doesn't inspire fear in either the public or corporate board rooms.
"It's very easy to be terrified of cybersecurity," Martin said. "It's very easy to be infantilized by cyber risks and the hype around cybersecurity."
Colonial Pipeline shut down its operations as a precaution after its corporate systems, which included crucial billing systems, were hit by ransomware. The pipeline supplies about 45% of the heating oil, gasoline and jet fuel used on the U.S. East Coast. While the pipeline was shut down, gas stations in the region began running out of fuel.
Martin said the incident exemplifies how structural weaknesses in the way cybersecurity is implemented can lead to a serious public impact. But the incident also points to how cybersecurity should be broken down into manageable risks, he added.
In his keynote speech, Martin showed a slide listing key cybersecurity steps, including ensuring software is up to date, making sure partners and suppliers protect data and reviewing authentication methods used to access systems.
An essential step, he said, is making sure an organization knows what data it holds and who may most likely try to target it so the right security controls can be deployed. Most organizations, for example, are not going to be targeted by nation-states, he said.
"Just manage risk well enough," Martin said. "You don't need to have nation-state defenses."
Even with ransomware, it's not all doom and gloom, Martin said. Some organizations have shown remarkable resiliency. Take Polish video game developer CD Projekt, which was hit by a ransomware group in February.
Martin says the company practiced good incident response after it was infected, and it had good backups. CD Projekt refused to pay the ransom, and it also published technical details of the attack that helped the security community, Martin told the audience.
No one is asking small organizations or universities, for example, to be able to withstand the most skilled state hacking group in China, Martin said. He said it is far more important that they methodically build resiliency. A good example of that is the work done in the U.S. ahead of the 2020 election to mitigate cyber risks, Martin said.
"So understand the harms, have a risk-bask based approach - a realistic approach, and work with partners," Martin said. "We can get on top of this problem."