NCSC Technical Director: Imminent ‘category one’ cyberattack will be called undefendable
Dr Levy believes that cybersecurity fearmongering is seriously endangering organisations, because it leads people to believe that they are completely helpless.
Peering into the cybersecurity future at the Symantec Crystal Ball event, a panel of industry experts presented their predictions for the next five years. Among them was Dr Ian Levy, Technical Director of the National Cyber Security Centre (NCSC).
Levy foresees a cyber incident on a never-before-seen scale, one that he expects will ultimately drive vital and positive change in how organisations approach security and risk.
Dr Levy said: “I think predictions in cybersecurity are quite difficult because it is such a fast-moving thing, but I am going to make one that I am reasonably confident about. Sometime in the next few years we are going to have our first category one cyber incident; this is when you need a national response to it.”
Five years is a lifetime in cybersecurity, an industry arguably unparalleled in the speed of its evolution. In light of recent attacks such as the devastating WannaCry ransomware outbreak, itself classed as a category two incident, it is not hard to imagine something worse lying ahead.
“When we have had that category one incident, the first thing that will come out is that it is an unprecedented sophisticated attack that couldn’t possibly be defended against. There will be a bit more investigation, and then it will come out that there were a couple of people in that organisation who did something that subverted the otherwise perfect technical cybersecurity stuff,” said Dr Levy.
The typical reaction when a crippling cyberattack hits its mark and causes major damage is to assume that it was a deeply sophisticated, cutting-edge attack. Dr Levy does not believe this will be the case when the first category one attack strikes.
“Because it will be our first-ever category one, there will be an independent investigation. I think what will really come out is that it was entirely preventable. Those two people, who did something to subvert the awesome technical cybersecurity thing, were just doing their job. The things they were being asked to do from a cybersecurity standpoint were basically impossible, and they made a mistake.”
Here Levy points to how little organisations understand the weight of the burden placed on the people who operate their security, and to boards that still believe a security purchase and a tick on a checklist amount to impenetrable security.
“It turns out that the organisation that was breached did not really understand what data they had, what value it had, or what impact it could have outside of the organisation. You will then get to the board and the board will say: ‘we bought best-in-breed, we went to the market, and the market said we can protect you from anything with our magic box, and we bought the magic box, so it’s not our fault.’ Then they will work out that you cannot outsource risk.”
Dr Ian Levy has previously stood steadfast against firms capitalising on the chaos of the threat landscape, decrying those that are “peddling medieval witchcraft”. Here he outlines the vulnerabilities sown by vendors who claim to offer watertight protection at a time when nobody can realistically guarantee it.
Instead of throwing money at the shiniest new security package to integrate or bolt on to your organisation, Levy argues that proper cybersecurity risk management is essential.
Levy said: “With the trajectory I see at the moment around how cybersecurity is talked about, how people put militaristic analogies around it and make people feel like they cannot defend themselves – it is actually really dangerous, and that is what we want to try and fix.
“We want to publish data, we want to publish evidence, and make sure that people really understand risk management properly, because in the end cybersecurity is just risk management. You do legal risk management, you do HR risk management, you do finance risk management. Why is cybersecurity so fundamentally different? I don’t think it is.”