NCSC CEO: Why we should run towards crises to elevate cyber security
National Cyber Security Centre CEO Lindy Cameron, the 2022 Computer Weekly UKtech50 Most Influential Person in UK IT, reflects on a career immersed in crisis management, and how she is using this to elevate cyber security standards across the country
National Cyber Security Centre (NCSC) CEO Lindy Cameron has spent her life running towards crisis after crisis. Growing up in Northern Ireland during the Troubles has, she says, “probably given me a slightly unhealthy interest in conflict and crisis”.
Healthy or not, this interest has served her well as a foundation for a career that has spanned the world of national security. In stints spent at what was then the Department for International Development, the Foreign Office and the Cabinet Office, Cameron worked both in Iraq and in Afghanistan, where she ran the Helmand Provincial Reconstruction Team.
“The unifying theme above all has been crisis leadership,” she says. “A lot of my international development career was focused on understanding conflicts and crises and leading through them.
“The other theme I suppose has been systems leadership. I’ve often been in a part of the system where you don’t get to just assert your leadership and tell people what to do, but you have to bring people with you.
“[In Helmand] I had a wide international team, so there’s been a theme of being able to pull people together across the system and get them to work as a team for the greater good of the organisation.
“Then the third bit has been the international perspective. Although this is a job which is very much focused on keeping the UK the safest place to live and work online, it is understanding that international context of how geopolitics changes that.”
Any cyber security leader will recognise this wealth of experience as highly relevant to their work, and it is fair to say it stood Cameron in good stead when she arrived at the NCSC in 2020, right in the thick of the biggest public health crisis to hit the UK in living memory.
The wake-up call
Covid was indeed a unique challenge to face when taking up a new role, but perhaps not in the ways you might expect. Cameron explains: “I am a crisis veteran. I have always tended to run towards crises rather than away from them. Not much keeps me awake at night, and it’s not as if I was worried about Covid in terms of a professional challenge.”
The challenge was more of a personal one. Getting to know a new organisation during Covid required her to flex different muscles and adapt to a new style of learning.
“It’s been a real lesson in actually probably personal learning style,” says Cameron. “I’ve really reflected, looking back, on how much I learned by just watching the context and understanding the conversations that were going on around me.”
In December 2020, shortly after taking charge of the NCSC, Cameron was faced with the ultimate on-the-job lesson when a Russian state-backed cyber attack exploiting SolarWinds’ network management technology compromised the systems of multiple organisations around the world.
It has become a cliché in the security world to talk of “wake-up calls”, but in a very real sense, this was exactly what SolarWinds provided.
Cameron describes the attack as a very powerful reminder, both to governments and private sector organisations, that although we rightly treat ransomware as the most pressing threat, the role of state advanced persistent threat (APT) groups in large-scale cyber attacks is often overlooked.
But because SolarWinds gave people cause to think about the wider threat landscape, their own exposure to it, and the nature of the risks they faced, in effect it elevated the cyber conversation, says Cameron.
“It wasn’t so much a lightbulb moment, it was more a moment of realising it was an opportunity to really move this onto the mainstream agenda,” she says.
“That was followed quite closely by Colonial Pipeline about six months later in a way that reminded governments that a major incident – in theory to a private sector company – in the critical national infrastructure [CNI] space, actually didn’t remain private sector for long – it suddenly became an incident of national significance.
“For me, that connected the cyber security world with the world I’m very comfortable in, which is the world of understanding threats to the UK and understanding how we then respond and what we do about it.”
Cyber goes pop
Since Cameron took over at the NCSC, a series of incidents has elevated cyber in the minds not just of organisational leadership and security professionals, who have been tested in their approaches to risk and crisis management, but of the wider public, too: the continuing Covid pandemic, SolarWinds, Colonial Pipeline and Kaseya during the spring and summer of 2021, Log4Shell last Christmas and, since February 2022, Russia’s war on Ukraine.
Indeed, just hours after our conversation, Channel Four premiered the first episode of a new prime-time cyber drama, The Undeclared War, which portrays a fictionalised version of an NCSC-like unit operating within GCHQ.
However, Cameron says she is not particularly surprised to see security entering the public discourse. “I suppose partly because, with the wider experience I’ve got, I’ve seen people get really interested in the security world, in different aspects, whether it’s a humanitarian crisis or whether it’s counter-terrorism and organised crime,” she says.
“I think in some ways you have to take advantage of the fact that people want to have that conversation and use it to try to shape the debate. One of the great things about that drama is that people will be sitting there thinking: what would I do if that happened to me? Of course it’s a drama, so it will be dramatised, but I think getting that conversation going really matters.”
The challenge now, says Cameron, is to break that conversation out of a technical space and make it accessible to everyone, from organisational leadership to the average consumer.
“This should be no more challenging for CEOs than talking to their general counsel about the legal challenges the organisation faces or talking to their CFO about the financial risks the organisation faces,” she says. “We would expect CEOs to have a general understanding of the kinds of risk, but not for this to be shrouded in a level of technical language that means they feel disconnected.”
There is some responsibility on both sides: on CEOs to run towards the problem and ask the right questions, so that they understand what a cyber attack will feel like and what the worst day they could possibly have looks like, but also on the security community not to answer those questions with an inaccessible lecture.
“I think we could do with doing a bit more of that,” says Cameron. “Some of these crises are teachable moments, but the onus is on us to try to communicate effectively and one of the things I am incredibly proud about the NCSC having done is actually trying to have that conversation with every sector.
“For example, some of the best advice we’ve given has been to farmers worrying what to do when their Single Farm Payment comes through, making sure they are not vulnerable to cyber criminals who see them as a risk in that moment.
“We target the guidance to people when they need it, in a way that they can understand, and that is partly why we work with sectors to try to understand what it looks like from the sector’s perspective, as well as what it looks like from the expert’s perspective. Our advice is informed by deep understanding of the threat, brilliant technical guidance and what to do about it, but then actually understanding what the customer wants and needs that helps them fix it or respond to it.”
When it comes to threats to consumers, one of the things that sets the NCSC apart from many of its international peers is that it takes these just as seriously as high-end national security systems.
This is partly because a thousand small cuts can be as harmful to the body of the country as one big one, but also because it is in the UK’s best interests to make sure everyone can confidently engage with technology and get the best out of it. Not for nothing is the NCSC very keen on the government line “making the UK the safest place in the world to live and work online”.
Getting this right is very important because the things that we do and learn in our personal lives can have a very meaningful effect on our professional ones, something that is not lost on Cameron. “My dad was a personnel manager,” she says, “and so I was subjected to quite a lot of excellent health and safety advice as a child on wearing my seatbelt in the car, because all the evidence showed you that you were safer at work if you also behaved sensibly in your car.
“The way we behave with our own personal tech affects the way we behave at work. Better-educated employees, frankly, look after their own personal tech vulnerabilities better, and similarly, if you are nudged to do the right thing in your Gmail account or your bank account, then you’ll be a more responsible employee who is less likely to click on a dubious link.”
The good news is that the public does respond to the kind of outreach the NCSC engages in. Indeed, one of the more exciting parts of the job, says Cameron, has been watching how they do so, such as by using the Suspicious Email Reporting Service (SERS), launched at the height of the pandemic, which allows people to pass on phishing, scam and spam emails to the NCSC for analysis and action.
SERS has been a huge success, with millions of emails received, and the NCSC is now considering how to do similar initiatives to tackle other online harms, such as fraud, with its government partners.
Running up that hill
With a constantly evolving threat landscape amid the most challenging geopolitical upheaval the UK has faced since the Second World War, any cyber professional worth their salt will always have an eye on the future.
“This is definitely one of those big generational challenges,” says Cameron. “If I was to think about things that kept me up at night, it’s not so much the immediate nightmares, but more the long-term ones.”
Acknowledging that, ultimately, cyber is as much a human issue as a technological one, Cameron says one of her biggest priorities right now is to leave the security skills landscape in better condition than she found it. In 10 years’ time, she wants her successor to look back and be able to say that the NCSC did the right thing today, not just to make sure it has the talent it needs within its ranks, but more widely, that the UK’s burgeoning cyber industry has the talent it needs, and that its citizens know how to keep themselves safe online.
In terms of addressing the security skills gap, the NCSC has been at the forefront of investing in building careers in cyber today, through its support of startups such as retraining specialist Capslock, or the work of organisations such as the UK Cyber Security Council, which seeks to raise standards across the security profession.
Meanwhile, for the cyber pros of tomorrow, the NCSC’s work with young people, its support of cyber security degrees, bursaries, summer holiday code camp programmes, and in particular the annual CyberFirst Girls contest, has set a gold standard that other tech sectors can learn from.
“I was very pleased to see that almost half the UKtech50 shortlist was female this year,” says Cameron. “And I think there is something about not missing the amazing female talent out there, making sure that talent also reflects the society we live in.
“But as technology shapes the world we live in, we need the workforce working on that to be a diverse workforce that understands how that affects everybody. Because, as we said, this is about how humans interact with it as well. So if we are narrow-minded about the workforce, we are narrow-minded about the opportunity.”
She adds: “One of the nicest things I did this year was I was going to hand out the prizes at the CyberFirst Girls competition. It was kind of the first out-of-school activity they’d had in two years of secondary school through Covid and so they were all disproportionately excited. But one of the really lovely things for me, a quite humbling thing, was there were a couple who were physically excited to see some senior women in the industry and there was a sense that they could imagine themselves there in the future in a way that, if they just look at an industry and see people who don’t look like them, they won’t have a chance to do.”
The second generational challenge, says Cameron, is how we still “do” cyber security in the long run, particularly in the face of the changing geopolitical situation.
One of the NCSC’s clearly defined roles is to think about the problems that others do not, marrying its technical expertise with the intelligence expertise that being part of GCHQ brings, as well as drawing on the security community itself.
“I don’t think I’ve ever seen government and the private sector working so well together as I’ve seen in this organisation – it is absolutely world-leading,” says Cameron. “But the question is, will that be enough to then understand the technology of the future and how that will shape cyber security and particularly the changing geopolitical context?
“A lot of the technology of the past has been developed on the West Coast of the US – that won’t be the case as much in the future. The question is, will we understand it as well? Are we setting up the standards bodies? The governance? Are we helping to shape it in a way that means we will be able to give the UK public confidence?
“That requires not only carrying on running towards the problems we understand now, but we also need to think about how the world will change in the next decade and what that will mean for cyber security.”
Happily, Cameron reckons the UK is in a good place here. With the NCSC acting as team captain, we started running up that hill much earlier and more effectively than others, she says, and this is evidenced by the emergence of more bodies that are running in the same direction – bodies such as the Government Security Group, spearheaded by national security adviser Stephen Lovegrove and Civil Service COO Alex Chisholm.
“We need to make sure we are not just responding to the huge demand we get from everybody else – different sectors, telecoms, etc,” she concludes. “We all need to be thinking about the issues that nobody else has thought about yet, and that, I think, is the big challenge going forward – but it’s a really fascinating one. I wouldn’t miss it for anything.”
NCSC CEO’s advice for CISOs
There is no disputing Cameron’s assertion that ransomware is the most clear and present danger facing UK plc, both in terms of its cost to the economy, but also in a human sense because it has the potential to deter people from engaging in the online world.
But security is about more than fending off snappily-named ransomware crews, so what advice does she have for CISOs?
“The big things for me are really making sure the whole organisation is resilient,” she says. “It’s using things like the Board Toolkit we’ve got to really make sure that you haven’t just got a well-prepared IT team, you’ve got a well-prepared organisation that understands where their critical data is, what they would do, where their critical systems are, and how they would respond in the first hours.
“Some of the scariest conversations I have are with people who are in shock when something has happened. They are trying to work out what they say to their workforce, what they say to their customers, what they say to the press. But when you’ve been through that scenario and gamed it, then actually you understand it is much less scary.
“Obviously, we are doing a huge amount to try to dial down that harm, but I think the better prepared that organisations are, the less scary it is and the better they are able to recover. We have seen this with Ukraine. One of the reasons that Ukraine has survived a significant onslaught has been that they knew what to expect and they were prepared for it.”
Cameron adds: “Ransomware is evolving. Criminals don’t sit and wait for us to put them out of business. They work out how they are going to evolve their money-making enterprises as the game changes. So I think it’s about being prepared for the evolution of the future, and if you’ve driven the basics through, that’s really important. And we’ve got lots of tools that really help people do that.”
She urges CISOs to take advantage of a crisis that may not affect their own organisation to create conversations that shift the dial towards security. The war on Ukraine is, again, a good example, because the conversations it created helped people understand that there was potential for cyber warfare to spill over in another WannaCry moment. This didn’t happen; there has been no specific uptick in threat to the UK, but critically, people talked about security – and that, says Cameron, is a positive step.