National Cyber Security Centre Director Richard Browne: Managing resilience
Having been with the National Cyber Security Centre (NCSC) since 2014 and led each of the State’s two national cybersecurity strategies to date, Richard Browne was appointed as NCSC Director in January 2022. He speaks with Ciarán Galway about his current priorities and emerging trends in cyber risks and threats.
What are your reflections on your time as a Director of the National Cyber Security Centre?
While I was nominally appointed full time in January 2022, I had been in the role as Acting Director since July 2021, having previously held roles in the NCSC between the end of 2014 and late 2020.
Two or three things have changed in that time. First is the much more public character of the challenges, not least since the ransomware attack on the HSE, as well as other high-profile incidents in the UK and the US.
Second is that the cybersecurity industry in the State has grown significantly, both in terms of international and domestic companies. We have 7,500 cybersecurity employees in the private sector alone, which gives you an idea of the scale of the industry here.
Third is the geopolitical tension; we cannot overstate the implications of the Russian invasion of Ukraine and the widespread use of cyber-enabled tools in that conflict, which just goes to show how dramatic and kinetic a situation can get.
What are the main functions of the NCSC?
Typically, we describe the NCSC as having three primary functions:
The first function is that it undertakes full spectrum cybersecurity incident response, anything from relatively small-scale incidents to coordinating the response to major national cybersecurity incidents. This involves an amount of national security work along with cooperation with other entities in their jurisdictions, exercises in training and planning, and resourcing those activities.
The second function the NCSC performs is building resilience across the State’s public and private sectors through a variety of different actions. These include supporting skills development, supporting companies in their development, by sharing information on best practice, and by publishing guidance and supporting documentation on an ongoing basis.
The final function is enforcement and compliance. We have a very significant role in the regulation of critical infrastructure in the State with regard to cybersecurity. We have designated a substantial number of entities as critical infrastructure; as operators of an essential service. Through a series of assessments and audits, we ensure an ongoing programme of compliance with a designated standard for cybersecurity.
How has the NCSC led national cybersecurity policy, including coordinating the National Cyber Security Strategy 2019-2024, to date?
Until 2020, I held a dual policy and operation role, so the 2015 and 2019 strategies happened under my remit. Now, however, policy is dealt with by a separate part of the Department. Regardless, the NCSC still has an active role in contributing to the policy discussion, both within the Department and across government, not just within cybersecurity either, but also into defence, justice, foreign affairs, and related spheres.
What progress has been made on implementation of the 2019 strategy?
The 2019 strategy contains 20 deliverables. Under each of those is a series of individual stepping stones. The vast majority of those are either delivered or well underway. Some of them have been passed out by time in the sense that the EU legislation has leapfrogged them. This will be dealt with in the upcoming mid-term review.
I think that the NCSC itself has moved on beyond that which was explicitly identified in the strategy. The strategy pointed out that the NCSC would need to be substantially reinforced, and the Government’s decision last year, made on the foot of the capacity review of the organisation, suggested that the organisation needed to expand to 45 staff by the end of 2022 and to at least 70 by year-end 2024. That is well underway. We will surpass 45 in 2022 and hopefully grow to 62 in 2023.
On the mid-term review, that process is well underway now and the NCSC is fully participating in it. To an extent, this review will have to call out the things that we have achieved, that we need to do more on, and particularly call out the areas from the 2019 strategy that have been surpassed at the European level.
One of those obvious requirements is the need to expand our existing Network and Information Security [NIS] compliance regime. That regime is built upon the 2016 EU Network and Information Security Directive. We were seeking to expand our existing application of that directive. However, the EU has published and agreed a revised NIS2 Directive, so that supersedes our existing plans.
What do the Cyber Security Baseline Standards mean for public service bodies?
Last year, the 2019 strategy established the Cyber Security Baseline Standards to build cyber resilience across all public service bodies. This was undertaken by a group of ICT experts from across Government and led by the NCSC and the Department for Social Protection. In other words, it is a standard which everyone in the public sector should meet.
Following on from that we established an operational group of IT Security professionals – the Government Cyber Security Coordination and Response Network (Gov CORE). The Gov CORE is now tasked with implementation of that standard, alongside information-sharing, incident response, and capacity building across the public sector. In turn, the Gov CORE will develop that standard further, using its own certification tools which will receive a legislative basis in the next couple of years.
By the end of 2024, thanks to NIS2, the Civil Service will become legally obliged to meet those standards and there will be a compliance system in place for public administration bodies. In practical terms, that means we have a very tight timeline. This will be very challenging for many different types of organisations and structural changes will be required.
However, in many ways, the intervening period is a fantastic opportunity to reconfigure and reconsider the role of public sector ICT, assessing legacy systems, and preparing for what will be a significant challenge between now and 2025.
What are some of the emerging trends in cyber risks and threats that the NCSC is observing?
The geopolitical environment is very fraught, as everyone understands, but we have not yet seen direct manifestations of the kinds of attacks experienced in the rest of Europe. We have seen some in parts of Europe that are not necessarily direct, rather they are accidental overflows of less aggressive emanations. At the same time, the likelihood and consequences of this kind of thing happening are high. It is something that we cannot ignore.
The risk of ransomware and cybercriminal activity remains extremely high. We have observed daily incidents of this type, not just here but across Europe. We are now starting to see the actors targeting smaller entities for several reasons. This is partially due to the fragmentation of the actor groups responsible for this activity, including because security forces, police, and intelligence services have had a lot of success against these groups recently and they have been disrupted. Others have gone underground for other reasons.
Primarily, larger entities have become better at protecting themselves and are much less likely to pay ransoms because they have backups. They can afford to turn around and rebuild from scratch. Smaller entities may not have that luxury and may be more likely to pay, which is what we are seeing.
Another trend we have noted is the rise, once again, of hacktivism whereby website defacement, small scale DDoS, and other low level, small-scale cyber activity is undertaken with political or personal motivation. In recent months, we have started to observe an increase again, sometimes in association with events in eastern Europe. Fundamentally, the consequences of these attacks are minimal; they are small scale nuisance attacks, but they tend to get press, which is the intention.
Can you discuss how your response to the HSE ransomware attack manifested? How did that materialise?
The initial incident response process lasted between 10 and 14 days, depending on your perspective, by which point the majority of HSE services were back up and running again. There is still some ongoing clean-up and rebuilding of networks one year on, but that is quite normal with a case like this.
In some ways, it was quite remarkable how quickly the HSE was able to get its network back up and functioning even though core elements of it had been damaged. The HSE itself, as well as people from several other private sector companies throughout the State, stepped in and helped us in rebuilding individual networks in the hospitals.
It was an entirely preventable incident. A significant number of similar incidents never got through the system. Either we were able to stop them, or the network operators managed to stop them themselves.
There were at least three occasions referenced in the independent report on the attack commissioned and published by the HSE. This is partially because the HSE was so badly stressed as a consequence of the Covid crisis. It is also down to the fact that they were reliant on private sector operators who missed obvious signs that there was something very badly amiss.
For example, the Department of Health had a very serious incident the day before and they spotted it immediately, called us and they never had the incident. So we were able to help them stop the incident before it ever came to anything. That is the model we try to pursue.
“It is fundamental to the corporate governance of any organisation in 2022 and you should not be treating safety as something distinct from cybersecurity because they are both on the same page.” Richard Browne, Director, National Cyber Security Centre
Cybersecurity, when it is done right, should be boring. It should be dealt with before there is any media coverage or flashing lights or drama. If you are in a large-scale incident response process, something has gone wrong somewhere.
What are the lessons of the single most significant cyberattack in the history of the State to date?
Ultimately, the lessons are very straightforward. Firstly, this was a preventable incident. As such, there is the need to proactively manage risks and manage networks. Having a coherent system of operations for monitoring threats is important, particularly for a large-scale network. Secondly, we need to have a proper incident response plan in place. In any network, a cyberattack must be treated as a ‘when’ rather than an ‘if’, and we must work on the basis that it will occur.
Finally, there is a serious question as to how we manage resilience more generally. We were very lucky with the HSE incident in many ways because most of our larger hospitals remained operational. Next time, that might not necessarily be the case. There is a real question as to how we build redundancy into systems and how we can fall back onto other older segregated systems, not just in healthcare, but across the State’s critical infrastructure.
What is your vision for the future of the NCSC?
The NCSC’s long-term strength has always been that it has led on a technical basis. We have led on our reverse engineering and our cybersecurity incident response capability. We need to continue to consolidate that.
In the first instance, we need to have a single pane of glass for end-to-end visibility of incidents in the State and an ability to respond quickly and proportionately. We have a significant capability already and we need to continue to develop that. There are many lessons we can learn from our colleagues throughout Europe and in the US. It will never stop; there will never be a point where we are finished or done.
To ensure this, we must have an evolving, best-in-class national strategy involving coherent, continually amended legislation, a skills base, and technology; this is an ongoing project. The short-term goal is that, when we move into our new facility next year, we will have that security operations centre that gives us that ability, backed by legislation that allows us access in a transparent, open, non-intrusive way. We need to be able to see what is happening in the world and to respond.
Furthermore, I think we have significant work ahead of us in terms of developing the cybersecurity sector in the State for public sector and national security goals, but also economic development. This is a slightly arcane point, but because of the State’s history and our relatively benign foreign policy context, we have not developed some of the technology that some other states have in terms of information security, and around cybersecurity more generally. We are having to develop those now ourselves, quite late in the day. This is an opportunity to do so in a best-in-class way by learning from other states.