Here’s a question for security professionals to ponder: why are we only ever a few clicks away from disaster? It’s inspired by a recent presentation in Dublin by Ciaran Martin, CEO of the UK National Cyber Security Centre. On a visit to Dublin earlier this month, the UK’s cybersecurity chief stressed the importance of building resilience into critical systems, and into security planning more generally.
Martin pointed out that the internet is fundamentally not designed to be secure. So, asking someone who isn’t a security expert to follow complicated advice, about using passwords for instance, is an unfair burden. “We rely on millions of citizens to do impossible things to ensure cybersecurity,” he argued.
“You have to assume that people are going to click on things; worry instead about what happens when the compromise happens,” he said. Part of this effort involves fixing things the user has very little control over, Martin said. “Whilst education and training are important, what we want to do – and this is open to debate – is to make sure the interventions are as far up the food chain as possible.”
In other words, those in charge of the Government’s social welfare payments system need to make sure it’s near-impossible for a criminal to defraud it for millions with a simple phishing email. Nor should it be possible for a single rogue individual to steal sensitive information without raising an alarm.
Another part of a resilience strategy involves thinking about how much damage an attacker could do if they got into a system. That leads to building systems that don’t have an ‘off’ button. “Make it hard for an attacker to do systemic damage,” Martin said.
It also involves developing safe backup plans for when some part of the system isn’t available. Martin made an analogy with an air traffic control tower whose technical systems go offline. “The emphasis is not on recovering the system but [to prioritise] landing the planes in the old fashioned way,” Martin said.
The UK is already putting this approach into practice. The NCSC is working with the Bank of England while it phases out its legacy interbank payments clearance system. Part of the upgrade programme includes building in resilience, so a basic attack can’t bring down the entire system.
It’s encouraging to hear such a senior cybersecurity figure talk about the issue in these terms. Regular readers of this blog may remember Brian Honan talking about the need for resilience when developing cyber security strategies.