UK Intelligence Chief Details Cybercrime Disruption EffortsGCHQ's Jeremy Fleming Also Traces Impact of Russia-Ukraine War on Cybersecurity
Britain is taking the fight to cybercriminals by helping to directly disrupt their networks as well as block their access to tools, including malware.
So said Jeremy Fleming, director of Britain's security, intelligence and cyber agency, GCHQ, in an opening keynote speech Tuesday at the annual National Cyber Security Center's CyberUK conference in Newport, Wales.
The last CyberUK to be held in person was in Glasgow in 2019. "It's great to have you all here in person," Lindy Cameron, CEO of NCSC, told conference attendees on Tuesday.
On the cybersecurity front, of course, much has changed since 2019, not just due to the COVID-19 pandemic, but also the Russia-Ukraine war that began in February.
In March, NCSC - the public-facing arm of GCHQ - issued an alert to individuals and organizations alike, urging them to immediately review any use of Russian security products or services, given the security and availability risks doing so might pose (see: Using Russian Security Software? UK Says Risks Have Changed).
In his speech, Fleming further touched on what's new and different about the war on both the intelligence and cyber fronts. For example, for the first time in history, so many of the strategies and activities of the Russian military have been publicly disseminated for all to follow, he said. But at the same time, Western governments have also been aggressively releasing information, not least to try and counter Russia's disinformation strategies.
"This is modern warfare influenced and shaped by the democratization of information," he said. "And thankfully, the Ukrainians are excelling at it - we're proud to be playing our part in supporting their efforts."
Beyond 'Cyber War'
In the cybersecurity realm, meanwhile, while many pundits had predicted that Russia would cripple Ukraine's infrastructure via a cyberattack blitzkrieg, that has not come to pass.
"Perhaps the concept of a 'cyber war' was over-hyped," Fleming said. "But there's plenty of cyber about, including a range of activity we and partners have attributed to Russia. We've seen what looks like some spillover of activity affecting other countries. And we've seen indications that Russia's cyber operatives continue to look for targets in countries that oppose their actions."
Given that Britain is one of the countries working to counter Russia's invasion of Ukraine, "we have increased our efforts to ensure U.K. businesses and government urgently improve levels of cyber resilience, and ... with our allies, we will continue to support Ukraine in shoring up their cyber defenses," he said (see: Five Eyes Warns of Russian Hacks on Critical Infrastructure).
Speaking on a Tuesday CyberUK panel session featuring high-level British, American, Australian and EU cybersecurity officials, Rob Joyce, director of the U.S. National Security Agency's Cybersecurity Directorate, said the U.S. government is also seeing "spillover" from nation-state activity tied to the Russia-Ukraine war, which remains cause for concern.
So too does hacktivism in service of both Ukraine and Russia, said co-panelist Abigail Bradshaw, head of Australia's Cyber Security Center, which is part of the country's Signals Directorate.
Bradshaw said that actions by such "cyber civil vigilantes" can "introduce extreme unpredictability" by increasing "the opportunities for spillover and actually for wrongful attribution, and retribution and escalation, which in our world is highly problematic."
Beyond the war, Fleming in his keynote speech said overall "cyber risk" levels continue to increase due to other factors, including the Chinese government's push to "go further and faster, imbuing standards and technologies with their authoritarian, government-led values." While many of these activities have been publicly detailed, he said that others have not.
Other major concerns are that "cybercriminals are constantly evolving their tactics; the lines are blurring with hostile state activity," he said. In addition, "ransomware remains a real threat."
To help counter that threat, he said, GCHQ, together with the NCSC and the Ministry of Defense, stood up the National Cyber Force in 2020. "The NCF is already making a big impact. From countering disinformation to supporting the activities of the military overseas and to helping law enforcement to go after criminal gangs, it is improving the UK's defenses and imposing a cost on our adversaries."
For example, he said, the NCF, together with the NCSC and British law enforcement agencies, has continued to actively target criminal syndicates behind online crime.
"Alongside our partners, we have mounted operations to undermine their networks and prevent them from profiting from their crimes as well as denying them access to their cyber tools and malware," he said. "We are actively undermining the cybercriminals' assumption that they can act with impunity on the internet. We have disrupted criminals, making it clear that they are being observed and going after their ability to profit from illegal activities."
War's Impact on Ransomware
On the ransomware front, one notable trend is a reduction in the quantity of such attacks in the last month or two, the NSA's Joyce said during the CyberUK panel.
"There's probably a lot of different reasons why that is," he said, but noted that "knock-on effects" of the Russia-Ukraine war might be a significant factor. "As we do sanctions, it's harder to move money, and it's harder to buy infrastructure in the West," which makes for "less effective" attacks, he said.
Other cybersecurity trends detailed by Joyce included the recent sharp increase in the quantity of zero-day vulnerabilities coming to light. "The number in the last year that were uncovered and commercially exposed is off the charts. It's been exponentially increasing, how much we've detected."
Joyce also highlighted the "exploding prevalence" of proof-of-concept exploits for publicly detailed vulnerabilities and urged network defenders to watch closely for when such exploits appear.
"So, those of you who have to do defensive activities, you know that when the vulnerability is announced, that's a time to get ready," he said. "But if there's a proof of concept out there, that's the time to really be digging in … and be ready to explore and execute your defenses."
Panelists said there only ever seems to be an increasing set of challenges in the cybersecurity realm.
"'In terms of our region, well, it's all been blissful and very quiet' - said no one in cyber ever," Australia's Bradshaw said. "I love people who come and tell you how quiet it's been in cyber lately. It's, like, I've never experienced that, really."