In the second of our series of interviews with prominent cyber security figures, our Managing Director, Paul Harris, spoke with Martin Clements CMG OBE about the cyber threats facing organisations today and how they can prepare themselves to defend against them.
For those who may not be aware, Martin originally trained in computer and natural sciences and after twenty years in front-line operations, in Europe, South Asia and the Middle East, he took on a series of prominent leadership positions building offensive and defensive capabilities for Her Majesty’s Government (HMG), combining traditional techniques and skills with emerging innovations, especially in the fields of mobile, cyber and data. He went on to become an experienced executive and non-executive member of the top governance in his field, leaving the Foreign and Commonwealth Office from his final position of Director General for Technology and Transformation.
Martin retired from HMG in 2016 and is now a Senior Advisor to the Chairman and CEO of Credit Suisse Group as well as non-executive Chairman and Director at several other businesses. He is a partner at Vega Cyber Associates, where he has joined up with prominent figures from national security, academia and business to support top business leaders as their roles evolve in the digital age.
PH: Many thanks for taking the time to speak with me today, Martin. I know you’re extremely busy, so we’ll jump straight in.
We regularly hear about ‘sophisticated’ cyber-attacks on organisations, suggesting that they are conducted by Advanced Persistent Threats (APTs), or by those with APT-like capabilities. But are APTs really such a threat to the average organisation and, if not, what threats should they be concerned about?
MC: How many times have we heard of a ‘sophisticated’ breach only to learn that it was a failure to patch, or something similarly simple, that let the attackers in? It’s the basic mantra of cyber professionals: you need to get the basics right.
In my own view, organisations need to concern themselves first with threats deriving from criminal use of cyber, especially when associated with fraud. This is where the major losses occur and is where the real threat to most organisations lies. It is possible to be a direct target of a nation state, but generally a business will know if this is likely to be the case and should be taking special measures to protect its crown jewels, i.e. what that nation state might be after.
For the average organisation though, the threat from nation state operations is indirect: tolerating safe havens for some groups to conduct wholesale cyber criminality; and the escape of techniques and expertise (or experts) from the nation-state domain to the criminal domain.
Understanding your real-world threats is vital and organisations need to have proper intelligence about the attacks that are occurring against them, so you first need to have a good provider of cyber intelligence. Second, you need to draw from this knowledge, assessing the motivations of the actors looking to attack you. And finally, keep coming back to this. Threats are dynamic, constantly evolving to take advantage of external factors (e.g. new techniques), as well as specific ones, such as a company moving into a new market or making a change to its business strategy that leads it into new risks.
Whatever the threat uncovered, all organisations should be putting in the effort to adapt to these evolving dynamics and should also be assessing their security in all its variety. Security needs to become part of the backdrop to life for the entire organisation and not a special interest of specialists.
For the network defender, this also means that any defence must be assumed fallible, especially if the threat is a nation state with the luxury of time and/or expertise. This is one of the reasons why we all should talk of cyber resilience as much or more than we talk about cyber security: we all need to be ready for ‘a bad day in the office’, i.e. an intrusion.
PH: Criminals will use any means possible to achieve their goals. Organisations, on the other hand, must operate within the law and acceptable ethical practices, potentially creating a security gap in which criminals can profit. How can organisations ensure this security gap is filled?
MC: Organisations must try harder and attempt to recreate faithfully a full spectrum attacker’s modus operandi. As a young soldier in the Cold War, I was in a unit that had the responsibility to play the Soviet enemy in annual NATO exercises. In my view, the same is at least as possible in the cyber age and I would challenge all businesses to make this true.
Scenario planning or adversary simulation is a valuable tool for any organisation, whether they’re in denial (and need a shake-up) or pretty good at security already (and can benefit from a new challenge). But to be effective they need to be as realistic as possible and sponsored from the very top, giving it real patronage, assertiveness, and knowledge. Some will say this is unrealistic. Personally, I am unpersuaded that this is really that hard; it’s just uncomfortable and difficult to fit within a business culture.
PH: You mention the importance of gaining sponsorship from senior management. What is the current role of C-suite and senior leadership in security and how does this need to evolve? How should organisations engage their leadership in tackling their security threats?
MC: The current roles are, I am afraid, mostly still not engaged enough when it comes to cyber security. It should be an intimate engagement: leading security culture; understanding the threat personally and acting on that understanding; seeking independent assurance; sponsoring red teaming; leading by example in their own lives and behaviours; making sure the budgets match the threat (and the benefits of digitisation, which is what the cost should be measured against); carrying out exercises to prepare for when the worst does happen; developing the leadership—individuals, roles, governance—for the digital age.
PH: Just like the threats, the goal for network defenders has evolved; it is no longer realistic to expect a perfectly clean sheet from the blue team. What should senior leaders now expect from their security teams?
MC: They should expect them to keep probing their own defences until something breaks. There will be weaknesses and it’s important to find them before the bad actor does. But it’s not just about identifying weakness; whatever is revealed needs to be fixed, preferably first time. Of course, everyone deserves a second chance, or at least it is a sensible policy in my view to give them one, but do they really deserve a third chance?
PH: You mentioned earlier the threat posed by criminal organisations. Do you think recent public naming and shaming of nation state activity could result in nations turning towards these criminal groups to expand operations, whilst providing the cover of plausible deniability?
MC: There has been a revolution not only in the ability of a nation state to gather intelligence through cyber operations, but also to use these same operations as more or less deniable means of covert action, at a vastly cheaper price than anything that came before. It’s important to understand how basic this change is, transforming as it does the relationship between what were previously thought of as rather separate domains: the military and intelligence.
In terms of turning towards criminal groups as a cover, they might. But you must bear in mind that there are risks for states using groups in this way. They do not control them quite so directly and these are after all people who are motivated financially. In short, there is a risk of creating a monster and of your own state sector being corrupted. It’s not a panacea for nation states seeking deniability for their offensive cyber operations.
PH: One of the biggest stories of the last few years was in relation to Huawei and the dangers of Chinese technology within the technology ecosystem. How serious is the threat associated with adopting Chinese controlled technologies, such as Huawei, by Western corporations?
MC: The West has always had a near monopoly of the technology used as the internet developed. But it is losing that.
Clearly this matters, because there must be an advantage to having most of the technical ecosystem created in your own countries. I suspect in the long run that this less secret and more strategic aspect of the shift towards China will matter a great deal more than anything as simple as back doors and the like.