Don’t let cybersecurity be driven by fear, warns NCSC chief

Scaring people about cybersecurity doesn’t work, says Ciaran Martin - particularly when it comes to 5G, Huawei and China.
Written by Danny Palmer, Senior Writer

As cyberattacks and hacking incidents increase in frequency and scope, it's important that organisations and governments don't revert to a fear-based approach to cybersecurity: it won't help users and it doesn't help to prevent attacks.

Reflecting on how cybersecurity guidance has changed since the UK's National Cyber Security Centre started operating in 2016, NCSC chief executive Ciaran Martin said the cyber-arm of GCHQ began as if its job was scaring people into staying safe online. But now the approach is based around promoting a deeper understanding of threats, he said.

"Four years ago, as GCHQ and government, we were still reluctantly in the role of the 'Monsters Inc' Top Scarer. We still had to convince people about the threat and that it was all very scary and so forth," said Martin, comparing the government's approach to cybersecurity to that of the Pixar movie during a keynote address at Infosecurity Europe 2019 in London.


That created worry for organisations, Martin said: fearing cyberattacks and concerned they couldn't get to grips with the problem, they outsourced cybersecurity, and that wasn't necessarily the correct approach.

"That wasn't the answer: the answer was people needing to own the problem for themselves," said Martin.

"So in the last few years, we've been moving away from a fear-based approach to cybersecurity towards a pragmatic one where we're trying to enable people to get on top of the problem," he added.

A holistic approach to 5G security

The NCSC's chief was speaking following several months of argument and debate over Chinese technology firm Huawei potentially building 5G network infrastructure for the UK, and what that could mean for national security.

The Trump administration in the US has already banned Huawei infrastructure from the country. In the UK, the cabinet has been split over the issue, while several national publications have run scare stories about worst-case scenarios with China controlling 5G services like autonomous vehicles, and the damage that could be done by suddenly turning 5G off.

Martin argued that the debate should be about 5G as a whole, rather than around one particular supplier.

"We have to get 5G network security right – and that's a much bigger issue than the national identity of suppliers. We've had all sorts of debates about the globalisation and the role of China; there's an absolutely legitimate debate to have, and we'll talk about it more when the government has reached a final decision," he said.


But for now, Martin said, cybersecurity experts need to analyse and discuss the security of 5G as a whole, to ensure that the networks – whoever builds them – are as secure as possible, and that the public can be reassured.

"For 5G security as a whole, we really need as experts to be talking about each bit and what we need to do to secure them – and we need to do that in as orderly and objective a way as possible," he explained.

"Because it'd be a real shame if one of the consequences of this 5G debate would be if we allowed the fear back into cybersecurity, where we had people scared of technology again because they shouldn't be."

