Ciaran Martin is what is known in Whitehall as “a safe pair of hands”. In the 23 years he spent working there he held a number of senior roles within the Cabinet Office, which included negotiating the basis of the Scottish referendum with the Scottish government and being director of security and intelligence. He was also responsible for (and I am not making this up) “spearheading the equalising of the royal succession laws between males and females in the line”. Before that, he had been private secretary to the permanent secretary at the Treasury and then principal private secretary to the cabinet secretary. When the government set up the National Cyber Security Centre (NCSC) in 2016 he was appointed its first director. He now basks as a professor in the luxurious environs of the Blavatnik School of Government at Oxford University.
Folk with that kind of background generally don’t go in for hyperbole. And yet Martin has recently been all over the mainstream media warning that “nobody is safe from Russia’s digital pirates” (the Spectator), that the “sale of semiconductor factory to Chinese-owned firm presents a bigger UK risk than Huawei” (Daily Telegraph), that UK schools have been “held to ransom” by Russian hackers (BBC Radio 4) and so on. And now here he is in Prospect magazine under the headline “We have privatised our cyber security. The winners are the hackers”.
In the piece, he tells a revealing story about what happened when the Queen officially opened the NCSC in 2017. He writes: “A senior government minister confided to me, at the margins of the festivities, their concern that the launch of this new department in GCHQ to fight digital threats represented ‘the nationalisation of cybersecurity’. But the opposite problem is emerging: we are privatising national security risk.”
The case study he uses to make this point is (tactfully) drawn not from UK experience but from the US. It’s the ransomware attack on the Colonial Pipeline system that took place in May. The pipeline takes oil from Houston in Texas to the eastern US; about 45% of all fuel consumed on the east coast arrives through it. It is therefore a critical piece of the country’s infrastructure. The attack affected some of Colonial’s corporate systems, but not the computer systems that managed the pipeline. Nevertheless, Colonial halted all of the pipeline’s operations in an attempt to contain the attack. It also paid a $4.4m ransom, apparently with the assistance of the FBI.
It was the largest cyber-attack to date on an American oil infrastructure target. The government issued an emergency declaration for 17 US states and Washington DC to try to keep fuel supplies running. And the FBI managed to retrieve some of the ransom using methods of which the rest of us can only dream.
Martin’s point is that “it was the company, not the hackers, who shut down the pipeline, apparently because it could not run its services profitably because of the damage done to its business processes”. This was a decision it was perfectly entitled to take under current laws, but while the company did not consult the US government beforehand, it fell to the government to deal with the fallout. He writes: “Washington had to suspend safety regulations concerning the transport of fuel by road and issue guidance to citizens to prevent panic-buying and the storing of fuel in unsafe containers. It then sent the FBI after the hackers. Yet it had no involvement in any of the decisions that made such actions necessary; those were taken by the firm’s executives.”
Does that remind you of anything? What it brings to mind for me is the way, in the run-up to 2008, banks were able to gorge themselves on ultra-risky derivative products that eventually came unstuck and brought the world’s financial systems to their knees. The banks reaped the profits of that investment spree, but it was national governments – and their hapless citizens – who paid the price of bailing them out.
Something similar is going on in the cyber-security sphere. Virtually every company and organisation now has – indeed has to have – an online presence. But many still take only rudimentary cybersecurity precautions and are sitting ducks for hackers. For most of companies, that’s a matter for them and their boards of directors - it’s their lookout if a ransomware attack makes them insolvent.
But if what they do makes them a part of the country’s critical infrastructure – water, electricity, fuel supply, communications, logistics, food supply, healthcare, schools and so on – maintaining lax cybersecurity ought to be a criminal offence. If commercial organisations want to privatise commercial risk then that’s their business. But national security is our business, not theirs: that’s why GCHQ set up the NCSC. So, reading between the lines of Martin’s obvious concern, are we learning that British firms are still not taking security seriously?
What I’ve been reading
Credibility gap
How Does Britain Maintain Relevance in a Changing World? is a fascinating tour d’horizon by Tim Marshall. I’d say the answer is with difficulty.
Fear factors
A sobering Tweetstream by Michael Bang Petersen on the pandemic and the chronic erosion of trust
Fuel for thought
Shortage Nation: Why the UK Is Braced for a Grim Christmas is a nice explainer by Tim Harford on why economists still don’t understand why we run out of petrol at the pumps.