By Ciaran Martin and Rick Ledgett, Managing Directors of Paladin Capital Group
Some years in cyber security are relatively quiet; in others, events wake us up to particular themes about the reality of digital insecurity in the modern world. 2021 has proved to be one of the most significant years in cyber security for some time. As we exit that year, we are at an inflection point. How we respond collectively – between the private and public sectors and among like-minded countries – will determine the future safety and resilience of our vital, shared digital homeland.
2021 was different. For most of the course of cyber security history, hacks have inflicted damage largely invisible to the general public. People may hear about strategically significant espionage against their own country, or their company might be harmed by the theft of valuable intellectual property. More directly, they may have been scammed out of some money, or received notification that their personal data was now in the unauthorised hands of persons unknown.
But 2021 changed that across the western world. Disruption of everyday life became a reality for many. Long lines formed outside east coast gas stations following the disruption of the Colonial Pipeline by hackers. Across the Atlantic, a charity running some 50 schools in London was disrupted; in one case the digitally controlled gates didn’t open. Swedish Coop grocery stores – one fifth of the country’s food retail and the sole provider in some isolated areas – gave away free food because the largely cashless economy couldn’t cope with a supply chain compromise of American software in its payments systems. As we write, 300 food stores in the north of England are experiencing the same thing. Most cruelly, especially during a pandemic, more than 100 American hospitals fell victim to disruptive cyber attack, Italy’s capital Rome suffered disruption to its vaccine booking system, and Ireland suffered the first-ever targeted attack on an entire national healthcare system. The common factor in all these attacks appears to have been ransomware, inflicted by organised cyber crime based out of Russia. Regardless of the source of the harm, however, it was a painful reminder of endemic cyber insecurity and national vulnerabilities of the highest order. Ransomware intensified the economic harm long associated with cyber crime: one proxy metric is the toughening of insurance requirements, the proliferation of exclusions, and the exit of some key players from the market. And as an already tumultuous year in cyber security drew to a close, the exposure of the vulnerability in one of the building blocks of the modern Internet, known as Log4j, drew attention once again to some of the intrinsically insecure ways our technology has evolved.
In the meantime, the higher end of the threat didn’t go away. The year started with the fallout of Russia’s sophisticated and damaging operation against SolarWinds’ many strategically important customers, and China’s reckless operation which left thousands of on-premises servers vulnerable and required a superb FBI operation to uninstall the malware. A ransomware attack on Kaseya (a key software supplier) which caused disruption from Scandinavia to New Zealand even indicated that criminals are picking up nation-state level techniques, a truly frightening prospect.
But if the incidents were forceful and sometimes unusually dramatic reminders of the threat, important positive developments occurred in the US and wider international community of like-minded countries. There has been an unprecedented policy focus to try to protect and strengthen our online security. President Biden was already in the process of assembling a hugely impressive cyber security team at the top of his administration when the Colonial hackers struck. His detailed Executive Order, with far-reaching implications for federal government cyber security and the vast industry supplying it, is a potential gamechanger.
Globally, leaders of the free world started to grapple collectively with the problem in a way hitherto unseen. Those of us who, like the authors, have worked with policymakers for years to improve cyber security watched in mild astonishment at the inclusion of a detailed paragraph in the G7 leaders’ communique pledging to work together to counter ransomware. That has been followed up with the meeting of a remarkable coalition of some thirty countries working together on issues like tightening up the flow of money to criminals via cryptocurrency. The US’s Cyber Command has intensified the tactical disruption of hackers who are often based beyond the reach of law enforcement, and statements from London and Ottawa suggest that the UK and Canada are joining this effort, with both countries expanding the institutional scope of their offensive capabilities to combat the criminals.
These are very welcome developments to tackle the most immediate problems, and must be continued and intensified in 2022. There also remains a pressing need to rethink how we protect critical infrastructure and improve its resilience, a discussion that’s only just beginning and one that needs accelerating. But other, less immediately noticeable initiatives could have just as much, if not an even greater and more beneficial, impact on our online security in the future.
Two issues stood out in 2021. One was the widespread introduction of regulatory standards for Internet of Things (IoT) products and services. When IoT first came along, it was tempting to see the explosion of internet connections it caused as an exponential increase in risk. But because IoT partly changes the online business model, from one where we give away personal data in return for access to web based services, to one where we pay for objects and services to run them, there is a security opportunity. IoT means security standards are easier to develop and implement. Singapore has led the way with IoT security legislation, followed by the EU, with new rules for the world’s biggest single consumer market. The UK now has a bill before Parliament to ensure that the sort of sloppy security that has polluted our digital infrastructure for too long – things like easy-to-guess default passwords that can’t be changed – will no longer be lawful. This is really welcome progress.
A harder problem is securing a trustworthy industrial base for free and open technology. The G7 reaffirmed their commitment to this, and the US and the EU have opened discussions on a Transatlantic Tech Partnership. This is primarily because, for the first time in the history of modern communications technology, the western model faces a sustained challenge not just from state sponsored hackers, but real competition from the more authoritarian model of technology coming out of China. Staying ahead through innovation in secure, usable and free and open technology is now recognised as one of the most important strategic objectives of democratic societies.
None of these three hugely important issues – fixing the vulnerabilities of our existing legacy infrastructure; securing the technology coming onstream now like IoT; or building a sustainable base of innovation to keep technology free and open – can be solved without the private sector and the innovators and inventors who sustain it. That is why, after the pivotal year of 2021 passes, the years to come need to see sustained focus on how our societies nurture and foster secure innovation in technology. The job of policymakers is to create the right conditions for this to happen, and the job of the private sector is to step up and deliver.
2022 therefore represents a golden opportunity for those of us seeking to build better, safer technology. The issue is higher up the policy agenda than ever before, and policy changes should stimulate the market in a variety of ways. Political leadership focus is there. The requirements are increasingly obvious, important and urgent. The innovation and ingenuity can be further unleashed. This is a moment of opportunity that must not be passed up.
About Ciaran Martin
Professor Ciaran Martin, CB, is a Managing Director at Paladin Capital Group and Professor of Practice in Public Management at the University of Oxford’s Blavatnik School of Government. He was the founding Chief Executive of the UK’s National Cyber Security Centre, a part of GCHQ, on which he served at Executive Board level for six and a half years from late 2013 until August 2020. He led a radical overhaul of the UK’s approach to cyber security and the organisations running it, pioneering much greater Government engagement with industry, more transparency and sharing around threat data, a collaborative approach to international security partnerships with the United States, the other Five Eyes countries, and allies in Europe and elsewhere. Under his leadership, the UK rose from joint eighth to first in the International Telecommunications Union’s Global Cybersecurity Index. The NCSC model has been replicated in Canada and Australia and much studied in the United States. Professor Martin has received awards and recognition for his work in the United Kingdom – including being appointed Companion of the Order of the Bath by HM The Queen in December 2020 – and abroad in the US, Israel, Singapore and elsewhere. Prior to joining GCHQ, Martin was a senior civil servant in the Cabinet Office and HM Treasury, specialising in national security and intelligence, constitutional affairs (including negotiating the framework for the referendum for independence for Scotland in 2014) and public expenditure. Originally from Northern Ireland, he holds a first class degree from the University of Oxford.
About Rick Ledgett
Richard H. Ledgett Jr. is a Managing Director at Paladin. He is a recognized expert in cyber threats, spent nearly 30 years with the National Security Agency (NSA). He was its deputy director and acting chief operating officer from 2014 until his retirement in 2017. Ledgett began his NSA career in 1988. From 2012 to 2013 he directed the NSA/Central Security Service National Threat Operations Center (NTOC), responsible for round-the-clock cryptologic activities to discover and counter adversary cyber efforts. Prior to NTOC he served in the Office of the Director of National Intelligence in both the collection and cyber mission areas. Ledgett was the first national intelligence manager for cyber at the Office of the Director of National Intelligence. He was principal adviser to the Director of National Intelligence on cyber matters, overseeing the creation of the Unified Intelligence Strategy for Cyber, and leading cybersecurity work across the intelligence community. He served in a joint intelligence community operational activity, and as an instructor and course developer at the National Cryptologic School. Ledgett also spent nearly 11 years in the U.S. Army working in signal intelligence. Between the Army and NSA, he completed six field tours. Ledgett was awarded the National Security Medal in January 2018. He has also received the Distinguished and Meritorious Executive Presidential Rank Awards, the NSA Exceptional Civilian Service and Meritorious Civilian Service Award, as well as the National Intelligence Superior Service Medal. He holds a bachelor’s degree in psychology and a master’s degree in strategic intelligence. In addition to the National Cryptologic School, he has been an adjunct instructor at the Joint Military Intelligence College.