The winged ninja cyber monkeys narrative is absolutely wrong: Former NCSC chief

"Look where we are now in the United States," says Ciaran Martin, formerly the founding CEO of the UK's National Cyber Security Centre (NCSC), now a professor at the University of Oxford.

"We have official government advice in force today asking people not to panic buy gasoline, or petrol as we call it over here, and put it in plastic bags," he told the AusCERT cybersecurity conference on Thursday.

"If you wanted an illustration of the impact of cyber harms, it will be hard to think of a better one."

Martin is of course referring to the Colonial Pipelines ransomware attack and subsequent shutdown of their operations. The company paid the almost $5 million ransom, but it wasn't enough to stop the disruption.

"In a sense, this feeds all those warnings over years, over decades, about really difficult cyber impacts -- cyberwar, cybergeddon, and all the rest of it," Martin said.

It feeds the narrative that NCSC technical director Dr Ian Levy has called the winged ninja cyber monkeys.

"[They're] just sitting there in bedrooms in suburban England, suburban Australia. Teenagers, unstoppable, hacking everything, and there was nothing we could do to stop them," Martin said.

"The panic on the east coast of the US at the moment seems to be fuelling that narrative. Except it's wrong. It's absolutely wrong."

In Martin's view, what's happening is something much more prosaic.

"We have a bunch of criminals, they're in over their heads, operating out of Russia. They've even issued a partial apology for what they've done, because what they were trying to do, yet again, is exploit basic weaknesses in corporate security all over the world to make money. And they've gone too far," he said.

This ransomware crew didn't realise they were hacking the IT systems of a pipeline company. They didn't realise that would cause the company "for whatever reason" to shut down the pipeline.

According to Martin, this has been just another "accidental spiralling out of control", where a series of structural weaknesses in the way we do cybersecurity and the way organisations are incentivised has led to "a public impact which is very, very serious".

Four years ago this week, for example, malware that was being used as part of North Korea's continuing attempts to steal or otherwise gain hard currency went viral. That resulted in ransomware problems for the UK's National Heath Service, but it also took out the passenger information screens at German railway stations.

The following month, Russia's NotPetya attack on a Ukrainian software company caused global disruptions. It forced shipping giant Maersk to reinstall 4,000 servers and 45,000 PCs, and cost them hundreds of millions of dollars.

It even shut down production at Cadbury's chocolate factory in Tasmania, Australia.

"I'm sure it was not central to the Russia-Ukraine tensions," Martin said.

We need absolutely to demystify cybersecurity

"Cyber threats, cyber risks, they're not catastrophes. Cyber harms are the aggregation of small harms. Hype, fear, uncertainty, doubt, that is our enemy," he said.

When he left the NCSC in August 2020, Martin produced a simple taxonomy of cyber harms, based on what he'd actually seen during his six and a half years with the organisation.

It boiled down to three simple categories: Getting robbed for cash, intellectual property, or other data; getting weakened by espionage, political interference, or pre-positioning for a later attack; and getting hurt.

The last category included cyber attacks that destroyed data, ransomware, and what he called "catastrophic cyber attacks" -- and that final category had an asterisk against it.

"That's because that is the one thing that has not happened," Martin said.

"There have been all sorts of cyber attacks. There have been many, many of them, and the one thing that we can still say, thankfully, is that the official death toll caused by cyber harms is zero."

In Germany last year a patient died following a ransomware attack on a hospital in Duesseldorf, which caused her to be re-routed to a hospital more than 30 kilometres away. However, a police investigation found that she probably would have died anyway.

Martin pointed to the large number of examples of "very, very basic security lapses, leading to quite high impact, including "a very controversial election leak".

During the lead-up to the UK's general election in 2019, someone working for former trade minister Liam Fox had used a personal Gmail account to bypass restrictions on working from home.

Fox's personal email was hacked by Russia. Eventually, a 451-page dossier of emails, including classified documents relating to US-UK trade talks, ended up in the hands of opposition leader Jeremy Corbyn.

"We need absolutely to demystify cybersecurity. We have to treat it as an ordinary business risk," Martin said.

"This is the reality of cyber harms. It's not glamorous. It's not individual catastrophes. It's all sorts of nebulous, pernicious, nasty little incidents, exploiting basic weaknesses to add up to a big, big social problem."

Related Coverage

• Colonial Pipeline cyberattack shuts down pipeline that supplies 45% of East Coast's fuel
• Ransomware is growing at an alarming rate, warns GCHQ chief
• Ransomware is now a national security risk. This group thinks it knows how to defeat it
• Time to patch against FragAttacks but good luck with home routers and IoT devices
• Ransomware just got very real. And it's likely to get worse
• Microsoft warns: Watch out for this new malware that steals passwords, webcam and browser data