Protecting national interests: Balancing cybersecurity and operational realities
With cyber threats becoming increasingly sophisticated and targeting critical infrastructure, in this Help Net Security interview, David Ferbrache, managing director of Beyond Blue, discusses the current state of cybersecurity readiness and resilience.
Ferbrache talks about the complexities of managing both traditional and digital infrastructures, the critical role of regulatory bodies, the urgent need for public and private sector collaboration to counteract these threats, and much more.
With the increasing sophistication of cyber threats targeting national infrastructures, how do you assess the current state of national cybersecurity regarding readiness and resilience?
Cybersecurity is one of the most evolving aspects of national security, with a changing threat landscape, new attack tactics, and an increasingly complex and interdependent critical national infrastructure.
While we still depend on traditional national infrastructure providers like water, oil, gas, and electricity, we increasingly rely on the digital ecosystem. This means the key questions are: how do we identify these new critical infrastructure providers, and how can we encourage the right behaviors regarding security and resilience?
Legacy technology still presents the greatest challenge for traditional infrastructure. Many systems can be decades old and run outdated architecture. Retrofitting their environments and safely embedding security is expensive and demands difficult conversations between providers and regulators over where those costs should fall.
When it comes to digital infrastructure providers, we face very different challenges. We need to understand which of these providers are critical, recognize that they are often global in extent, and choose the right regulatory model, ideally cooperating with other nations as we do so.
Ultimately, the UK needs to defend its national interests against cyber attacks, and GCHQ and the NCSC will always have a key role in monitoring and disrupting cyber attacks. The NCSC’s Active Defence initiative is an excellent example of what can be achieved, particularly if the government and industry work in partnership.
Given the recent reports of intensifying cyber warfare tactics, what are the most critical areas where national cybersecurity measures are currently lacking?
A significant challenge we face today is safeguarding the information space against misinformation, disinformation, manipulation and deceptive content. Whether this is at the behest of nation-states, or their supporters, it can be immensely destabilising and disruptive.
We must find a way to tackle this challenge, but this should not just focus on the responsibilities held by social media platforms, but also on how we can detect targeted misinformation, counter those narratives and block the sources. Technology companies have a key role in taking down content that is obviously malicious, but we need the processes to respond in hours, rather than days and weeks.
More generally, infrastructure used to launch attacks can be spun up more quickly than ever and attacks manifest at speed. This requires the government to work more closely with major technology and telecommunication providers so we can block and counter these threats – and that demands information sharing mechanisms and legal frameworks which enable this.
Investigating and countering modern transnational cybercrime demands very different approaches, and of course AI will undoubtedly play a big part in this, but sadly both in attack and defence.
In light of the guiding principles for ICT regulators, what role do you believe regulatory bodies should play in shaping national cybersecurity strategies?
One of the key issues we face when developing new regulations and policies is designing them to suit the needs of different sectors and the broader regulatory frameworks they operate under.
There are ways we can encourage better cyber behaviour using market forces, such as promoting standards such as Cyber Essentials, enabling the Cyber Insurance market or requiring greater transparency in corporate reporting.
But when it comes to introducing new regulations at a national level we need to recognize that cybersecurity regulations work best when aligned to well established regulatory models and structures. So, how does cybersecurity link to operational resilience or safety regulation? What role should the regulator play in encouraging cybersecurity investment by regulated bodies? How do existing supervisory models and sanctions apply?
Regulations certainly play a role in improving security, but they must be aligned to specific markets so they are achievable and fit for purpose.
What are the challenges and potential limitations of implementing zero-trust architecture at a national level, particularly within critical infrastructure sectors?
The biggest challenge critical organizations face when adopting zero trust is legacy infrastructure. Zero trust often conceptually sounds very attractive to these organizations but when they start to map it against their IT estate they realise it’s a long process that could take years to implement. They need to be able to sell that to senior executives, and also show progress and business benefit along the way.
Another hurdle is around Operational Technology and Industrial Control Systems. Safety is often the number one priority within industrial environments, and that can demand that in emergencies people have to act rapidly and decisively. “Break Glass” access can be vital and zero-trust models need to allow for those contingencies.
How crucial is the collaboration between the public and private sectors in enhancing national cybersecurity? Can you provide examples of successful collaborations and their impact?
“Today there is very little, if any, distinction between the public and private sectors. The majority of our infrastructure lies in the hands of the private sector and society is heavily dependent on these services.
Cybersecurity around critical infrastructure is a joint team endeavour between public and private sector organizations.
Done well it brings public and private sector organizations into a dialogue, and understanding of the dynamics in both sectors, and an alignment of incentives. For example, we have seen the establishment of the Financial Sector Cyber Collaboration Centre bringing the NCSC together with financial firms to protect the sector.
We have also seen the benefits it brings in tackling cybercrime more generally, including taking down the infrastructure used by organized crime groups and disrupting their operations. Most recently we saw the takedown of LockBit 3.0, an operation led by the NCSC and NCA, but also involving many organizations from the cybersecurity industry. It’s only by working together more collaboratively that we can share data on patterns of attacks or coordinate the takedowns of criminal operations.
Overall, for me, there is no real distinction between the public and private sector, because they both form part of the community action we need to understand cyber threats and counter them.