Lessons learned, presented by the UK's NCSC.
NCSC head Martin offers lessons from the British experience in cyberspace. Nathan MItchell
the cyberwire logoSep 9, 2019

Lessons learned, presented by the UK's NCSC.

Cyberspace is an artificial global commons with significant similarities to the other two natural commons: the oceans and outer space. And there's at least one significant asymmetry in cyber conflict that recalls piracy on the high seas: the asymmetry that obtains between the aggressors and their targets. The former has no real stake in a stable, peaceful cyberspace.

The final keynote speaker at the Billington CyberSecurity Summit was Ciaran Martin, CEO of the UK's National Cyber Security Centre. He began with a description of the realities of the environment in which we live. We find ourselves, Martin argued, defending open, digital societies. Prosperity is a social concern, and critical infrastructure presents a serious national risk. Cyber security is at base about defending a way of life. We face a formidable set of adversaries. Russia is a determined, aggressive, disruptive opponent. Our commercial environment today is one in which our businesses are under routine, continuous Chinese assault. North Korea and Iran are active and implacably hostile. Transnational cybercrime has become, cumulatively, a grave threat to the digital economy. And state actions have come to have serious collateral effects quite apart from the effects they're designed to have on their intended targets. Both WannaCry and NotPetya illustrate this. (Martin didn't name these, referring to them respectively as North Korean and Russian operations that apparently outran their intended targets.) And it’s worth noting, again, that none of the four state bad actors or the many criminal gangs have any particular stake in an open, reliably useful Internet.

Operating in this world has led Martin to three conclusions. First, "Government matters." The Internet is a public good, but well-intentioned calls for public-private partnership have proven, he argued, “a recipe for inaction.” Instead, governments should take responsibility for detection, resilience, and making technology safer. That third responsibility he particularly emphasized. It’s too easy, Martin said, to succumb to what he called “producer capture,” the sort of Hobson’s choice of security design big companies in his view too often offer their customers: use my approach or nothing. Second, we must "think carefully about our own footprints." Cyberspace may be an operational domain, but fundamentally it's a peaceful domain, and we must act in cyberspace with this in mind. Finally, governments need to look to the future, and that means looking for effective deterrence.