NCSC founder: 'There's always going to be an arms race, but I remain an optimist'

An interview with former GCHQ chief Robert Hannigan


Founder of the NCSC, now back in the private sector, discusses the likely impact of regulation, the challenges facing CISOs and why despite the darkening of the cybersecurity landscape, he remains optimistic about our collective resilience.

Robert Hannigan is Head of International Business for BlueVoyant International and was part of the founding team. Until 2017, Hannigan was the Director of GCHQ, led the creation of the UK's National Cyber Security Centre (NCSC) and oversaw the UK's pioneering Active Cyber Defence Program. During his 20 years of public service, Hannigan was the Prime Minister's Security Adviser and created the UK's first cyber security strategy.

Hannigan's public sector service and deep cybersecurity expertise put him in an excellent position to judge the likely effectiveness of the vast quantity of regulation now coming at us thick and fast. How effective will regulation like the EU NIS2 directive, and the activities of CISA in the US, be in genuinely improving cybersecurity posture in private industry and also in the public sector?

"This is a big year for regulation in Europe, the US, and to some extent in the UK," says Hannigan. "Regulation matters. There has to be some carrot and some stick. Regulation is making boards look at cyber risk in a way they haven't done before. The good ones already have, but this is going to force the rest to."

[Photo: Robert Hannigan, BlueVoyant]

Regulations and legislation aren't the only things concentrating executive minds on the importance of cybersecurity. The constant drumbeat of attacks is taking its toll, and it's interesting to see that in the US, intelligence agencies are sharing more information about the changing nature of attacks.

Hannigan references an article carried by The Financial Times last month about how the attack landscape, and particularly the changing nature of attacks coming from China, is forcing investors and shareholders to rethink the nature of their responsibilities and of their relationship with governments.

"I think the more companies and executive boards get hit, and the more they read about others getting hit, the more boards get focused on it," he says. "I think all the pressure is beginning to change things."

Is it as bad as it looks?

At first glance, the cybersecurity posture of the UK looks lamentably poor. A recent DSIT report found that 78% of UK businesses lacked any kind of formal incident response plan. One of the many worrying aspects of the hack on the Electoral Commission last year was the fact that the organisation had failed a Cyber Essentials audit around the time it was compromised, and in terms of cybersecurity that's one of the lower baselines available.

"Overall things have improved," Hannigan says. "But we are still making very basic errors. Some of the attacks that make the national press are quite sophisticated nation state attacks, but they often get in through basic poor IT hygiene. Things like phishing, poor password management, failure to patch, these are as old as the hills and people still aren't doing them!"

Basics aside, CISOs face a multitude of challenges.

"It's often a constant struggle for a CISO with the CFO to get the right budget," he says. "From a CFO perspective they'll say 'well, we could spend a limitless amount on this, and how do we know it's well spent? How do we know what's going to reduce risk?'

"Skills are another problem and smaller companies in particular can't afford them, so the answer has to be outsourcing and automation for most companies as well as seeding more skills and getting that pipeline growing. We certainly need to be reaching the half of the population – women – who aren't fully engaged in the cybersecurity industry. The more we can do to tap that talent the better."

Another barrier Hannigan identifies is partly the fault of the cybersecurity industry and the sales strategies of 10 – 15 years ago.

"Proliferation of products and services is an issue. The trend I've seen the last few years is consolidation. That's partly about cost, but it's also about simplicity. I think we went through a period 10 years or so ago where there were just tonnes of products and the temptation was to buy a load of brilliant stuff, bung it in and hope for the best.

"I think you do need layered defences, but it needs to be carefully thought through. It's not just a question of buying the latest shiny thing, plugging it in and hoping it all works. I think most mature CISOs have got that now. So, there is consolidation going on and that's helped by cloud."

Indeed, in Hannigan's view cloud has been the big game changer in cybersecurity, which is ironic given that concerns about security slowed cloud adoption for a long time, particularly in heavily regulated industries.

"Microsoft has dedicated a lot of money and developers and expertise to security and it's paid off. I think GCP and AWS are doing the same. And that can be a real game changer as everybody moves to cloud."

Of course, the attackers are moving there too.

"We've seen a massive increase in attacks on the cloud environment, cloud-to-cloud and multi-cloud attacks," confirms Hannigan. "Nonetheless, I still think that what cloud offers in consolidation, visibility and capability will be a game changer for cybersecurity."

Where are the risks?

Hannigan points to the supply chain for the biggest source of risk facing organisations right now.

"I think supply chain is huge, for the obvious reason that if you're a cyber attacker you're not going to give up just because someone's security gets better. Attackers know where the soft underbelly is. And it gives them a fantastic array of targets."

And GenAI?

"I think it will be a game changer, but there's a lot of hype. I think on the defence side AI is really going to help SOCs and busy teams to do what are now manual processes really quickly. It will help us do detection and 'big' processing. That's really worth having.

"On the attack side, it's obviously making it easier to code and it's just making it easier to do social engineering better, phishing, deepfakes – it's just easier to do fraud and to do it fast and cheaply."

Hope springs eternal

Hannigan remains optimistic about the resilience of our companies and infrastructure in the face of cyberattacks.

"I am an optimist because I think we're putting right some of the basic stuff," he says.

"Secure By Design is quite big in the UK already, but it's really cutting through via the Digital Markets Act in Europe and CISA in the US. It will improve the quality of hardware, software, development and security. Those things will really help over time and it helps other people to do the right thing. That raises the baseline."

"There's always going to be an arms race," he says. "Cyber attackers will always keep moving ahead, but I think the baseline is rising. Overall security is better, but it's going to take a few years. I remain an optimist."