Why you and I will pay the price for the next big cybersecurity crisis – The Guardian

Ciaran Martin is what is known in Whitehall as “a safe pair of hands”. In the 23 years he spent working there he held a number of senior roles within the Cabinet Office, which included negotiating the basis of the Scottish referendum with the Scottish government and being director of security and intelligence. He was also responsible for (and I am not making this up) “spearheading the equalising of the royal succession laws between males and females in the line”. Before that, he had been private secretary to the permanent secretary at the Treasury and then principal private secretary to the cabinet secretary. When the government set up the National Cyber Security Centre (NCSC) in 2016 he was appointed its first director. He now basks as a professor in the luxurious environs of the Blavatnik School of Government at Oxford University.

Folk with that kind of background generally don’t go in for hyperbole. And yet Martin has recently been all over the mainstream media warning that “nobody is safe from Russia’s digital pirates” (the Spectator), that the “sale of semiconductor factory to Chinese-owned firm presents a bigger UK risk than Huawei” (Daily Telegraph), that UK schools have been “held to ransom” by Russian hackers (BBC Radio 4) and so on. And now here he is in Prospect magazine under the headline “We have privatised our cyber security. The winners are the hackers”.

In the piece, he tells a revealing story about what happened when the Queen officially opened the NCSC in 2017. He writes: “A senior government minister confided to me, at the margins of the festivities, their concern that the launch of this new department in GCHQ to fight digital threats represented ‘the nationalisation of cybersecurity’. But the opposite problem is emerging: we are privatising national security risk.”

The case study he uses to make this point is (tactfully) drawn not from UK experience but from the US. It’s the ransomware attack on the Colonial Pipeline system that took place in May. The pipeline takes oil from Houston in Texas to the eastern US; about 45% of all fuel consumed on the east coast arrives through it. It is therefore a critical piece of the country’s infrastructure. The attack affected some of Colonial’s corporate systems, but not the computer systems that managed the pipeline. Nevertheless, Colonial halted all of the pipeline’s operations in an attempt to contain the attack. It also paid a $4.4m ransom, apparently with the assistance of the FBI.

Source: https://www.theguardian.com/commentisfree/2021/nov/21/why-you-and-i-will-pay-the-price-for-the-next-big-cybersecurity-crisis