UK’s ‘next cyber crisis’ likely to come from mistake or misfortune – outgoing NCSC head
Ciaran Martin believes major security incident is still more likely to come from ‘unintentional consequence’, rather than attackers’ expertise
Outgoing National Cyber Security Centre chief executive Ciaran Martin has said he believes the next cyber crisis the UK faces is likely to be a chance collision of staff error and lack of insight on the part of the attackers.
Martin, who stepped down from the helm of NCSC last week, said just as 2017’s WannaCry ransomware attack had not deliberately targeted the NHS – despite going on to create chaos for health-service systems running on outdated Microsoft software – a similar situation could happen again.
"My guess would be the next cyber crisis will probably be, at least in part, an unintentional consequence of an attacker not really understanding what they're doing," Martin told the BBC in an exit interview.
His fear, he said, was that someone working in a company or government department would make a small mistake that left an important system open to ransomware. He did not specify departments that may be particularly vulnerable.
Martin became GCHQ’s director general responsible for cybersecurity in 2013 and oversaw the creation of the National Cyber Security Centre – an executive agency of GCHQ – after the 2015 general election. He left the role last week to become a professor of practice in public management at Oxford University’s Blavatnik School of Government.
His successor at NCSC is Lindy Cameron, the former second-in-command at the Northern Ireland Office.
In the BBC interview, Martin also broached security concerns related to reliance on Chinese technology – after the government U-turn over Huawei's role in 5G telecommunications.
"We have never been in any way naive about risks associated with Chinese technology," Martin said, suggesting the UK needed to do some hard thinking about how to position itself.
Martin was more sanguine on the level of danger posed by Chinese-owned social-media firm TikTok, despite US president Donald Trump declaring the firm a threat to domestic security.
"The amount of personal data it collects, people need to be aware of," Martin said, but "it is slightly less than some of the others".
Martin is more concerned about Russia’s position in the cyberthreat rankings, but insists activity – such as accusations of interference in 2019’s general election – has not yet had a demonstrable impact on UK politics.
"We are talking a lot more about political interference in 2020 than we were in 2014," he said. "It shows that there is an ongoing threat to democratic processes."
But he added: "It is not the case in my judgement that there has been sustained high-quality effective disruption of UK politics by the Russians."
Martin said it should not be the job of UK intelligence agencies to regulate political debate.
"No-one wants to live in a country where the likes of parts of GCHQ or MI5 are in charge of verifying political information in the midst of an election," he said.