Cyber security ‘not taken as seriously as it should be’, warns NCSC’s new chief
The new National Cyber Security Centre (NCSC) head will warn in an inaugural speech that leaders of organisations are not taking cyber security within their practices seriously enough.
Despite “huge progress”, the UK must not be complacent in the face of developing threats and new challenges, people at Queen’s University Belfast expect new chief Lindy Cameron to say in a virtual speech today (26 March).
Cameron also intends to highlight the recent SolarWinds attack, which targeted several US government agencies, and a Microsoft Exchange mail server vulnerability as examples of the real dangers still lurking.
Cameron took over as chief executive of the agency last October, succeeding Ciaran Martin who led its creation back in 2016.
“As our reliance on technology grows, it sadly also presents opportunities for those who want to do us harm online,” she will say in her speech. “Ransomware remains a serious and growing threat, both in terms of scale and severity.”
She will also say: “You will have seen that earlier this week we published further practical guidance to the education sector after seeing a growth in ransomware attacks against schools, colleges, and universities. Ransomware is not just about fraud and theft of money or data, serious as both are. It’s about the loss of key services and unenviable choices for unprepared businesses.”
In her speech, Cameron will also suggest that basic cyber-hygiene is as important a life skill as knowing how to wire a plug, saying “we’re all too aware that cyber skills are not yet fundamental to our education”.
Setting out her vision for the NCSC – which is part of GCHQ – she will say: “The cyber-security landscape we see now in the UK reflects tremendous progress and relative strength, but it is not a position we can be complacent about.”
Cameron will also stress that cyber security is still not taken as seriously as it should be and that the UK’s “boardroom thinking” simply does not embed such practices into business models. “The pace of change is no excuse – in boardrooms, digital literacy is as non-negotiable as financial or legal literacy. Our CEOs should be as close to their CISO [chief information security officer] as their finance director and general counsel.”
The new CEO will also highlight how organisations need to protect the “fantastic” science and technology envisioned in the Integrated Review from theft or acquisition by hostile states, and that organisations’ critical infrastructures are a hard target for those that would seek to disrupt them.
“We need to ensure that the ever-increasing amounts of data generated and processed by the internet services we use every day are properly protected and our privacy appropriately managed,” she will add. “We need to ensure that the next generation of commodity technologies don’t repeat the security mistakes of the past.”
Cameron will also demand that organisations “needs to ensure that its adversaries – be they state or criminal, traditional, or new – think twice before attacking UK targets”, and that future generations are better equipped to deal with this complexity than any of their predecessors.
The NCSC is the UK’s lead authority on cyber security, overseeing the response to cyber attacks and improving the cyber resilience of the UK’s national infrastructure.
Cameron previously served as director-general of the Northern Ireland Office, and has worked at the Department for International Development (DfID), responsible for programmes in Africa, Asia and the Middle East, which included work in Iraq and Afghanistan.