Russia-based criminals are still the UK's number 1 cyber-foe, NSO Group's wares a 'red flag' says NCSC chief
Chatham House speech targets non-state baddies as well as grey zone and nation states
A new national cyber strategy will be launched by year-end, the National Cyber Security Centre's chief exec has promised – while calling out spyware vendor NSO Group as a "red flag" for the UK infosec community.
Lindy Cameron told the Chatham House international affairs think tank that NSO Group was "something we raised a red flag about before, that the commercial market for sophisticated cyber exploitation products is an issue."
The malware vendor, which claims its flagship Pegasus iPhone-hacking software is only supplied to nation states, was in the UK public eye only last week after it emerged Pegasus was used by the Sheikh of Dubai to spy on his ex-wife's lawyers and entourage during a UK court battle.
"Those with lower capabilities are now able to simply purchase techniques and tradecraft," said Cameron, referring to the presentation of nation-state-grade hacking capabilities by "cyber-exploitation" vendors to paying customers.
She continued: "And obviously, those unregulated products can easily be put to use by people who don't have a history of responsible use of these techniques. So we need to avoid a marketplace for vulnerabilities and exploits developing that makes us all less safe."
New infosec strategy – and defence co-operation
The wide-ranging speech saw Cameron setting out her vision and priorities for the NCSC, having formally taken up the CEO post a year ago. There's no doubt that her unashamedly interventionist approach to regulating British businesses (including the cybersecurity sector) will continue:
Central to keeping the UK at the forefront of cyber security will be a new National Cyber strategy due to be launched before the end of the year, and with that a refreshed NCSC mandate to scale the impact that my organization delivers to build the UK's cyber security.
The new strategy follows on the heels of similar UK policy documents delivered in the last couple of years, including the Defence Industrial Strategy – which included a number of infosec-focused pledges.
Plenty of clues have emerged from government suggesting that relatively heavy regulation is coming to the UK's information security sector. Whitehall launched a supply chain review in summer, targeting managed service providers (MSPs) and their security practices – a review directly inspired by the SolarWinds attack, as well as lower-profile incidents.
"In the future," vowed Cameron, the NCSC "will take a principles-based approach to security functionality, and put much more emphasis and proportionality on the engineering practices of the developer. Rather than just running through a checklist of criteria that need to be met."
This has already been seen in the Technical Annex to the Telecoms Security Bill, which sets 70 criteria that telcos and their suppliers must meet in order to continue in the UK market.
The new national cyber strategy may also include greater integration with the new National Cyber Force hacking unit, bearing in mind ministerial pledges from 2019 that committed Britain to hacking back at countries whose attack crews tampered with UK systems. While some commentators (most notably ex-NCSC CEO Ciaran Martin) have drawn a sharp line between cybersecurity and offensive cyber attacks, it seems that line isn't as deep as they would hope.
Russia number 1, China number 2
Cameron repeated earlier UK government findings stating that "cybercriminals based in Russia and neighbouring countries are responsible for most of the devastating ransomware attacks against UK targets," also alluding to other Russian activity that targets Britain and its allies.
"How China evolves in the next decade will probably be the biggest single driver of our future cyber security," she said. "And we must be clear-eyed about this and in particular, protect ourselves against Chinese practices that have an adverse effect on our own prosperity and security."
She also spoke about standards-setting bodies and how those could be infiltrated by those who would seek to use the West's rules against itself by baking in values and standards that conflict with traditional liberal democratic norms.
Echoing a previous speech, Cameron added today: "But it's really important to remember that the vast majority of hostile cyber activity that most people in organizations in the UK will experience will come from criminals, not from nation states, and therefore absolutely central to the UK."
Regulation, intervention, counter-criminalism. Whether you like it or not, that's the way British infosec's going for the next few years. ®