Don’t let cyber security be driven by fear, warns NCSC chief (ZDNet)

As cyber attacks and hacking incidents increase in frequency and scope, it’s important that organisations and governments don’t revert to a fear-based approach to cyber security: it won’t help users and it doesn’t help to prevent attacks.

Reflecting on how cyber security guidance has changed since the UK’s National Cyber Security Centre started operating in 2016, NCSC chief executive Ciaran Martin said the cyber-arm of GCHQ began as if its job was scaring people into staying safe online. But now the approach is based around promoting a deeper understanding of threats, he said.

“Four years ago, as GCHQ and government, we were still reluctantly in the role of the ‘Monsters Inc’ Top Scarer. We still had to convince people about the threat and that it was all very scary and so forth,” said Martin, comparing the government’s approach to cyber security to that of the Pixar movie during a keynote address at Infosecurity Europe 2019 in London.

That created worry among organisations which, Martin said, outsourced cyber security for fear of cyber attacks because they were concerned they couldn’t get to grips with the problem, and that wasn’t necessarily the correct approach.

“That wasn’t the answer: the answer was people needing to own the problem for themselves,” said Martin.

“So in the last few years, we’ve been moving away from a fear-based approach to cyber security towards a pragmatic one where we’re trying to enable people to get on top of the problem,” he added.

A holistic approach to 5G security

The NCSC’s chief was speaking following several months of argument and debate over Chinese technology firm Huawei potentially building 5G network infrastructure for the UK, and what that could mean for national security.

The Trump administration in the US has already banned Huawei infrastructure from the country. In the UK, the cabinet has been split over the issue, while several national publications have run scare stories about worst-case scenarios with China controlling 5G services like autonomous vehicles, and the damage that could be done by suddenly turning 5G off.

Martin argued that the debate should be about 5G as a whole, rather than around one particular supplier.

“We have to get 5G network security right — and that’s a much bigger issue than the national identity of suppliers. We’ve had all sorts of debates about the globalisation and the role of China; there’s an absolutely legitimate debate to have, and we’ll talk about it more when the government has reached a final decision,” he said.

But for now, Martin said, cyber security experts need to analyse and discuss the security of 5G as a whole, to ensure that the networks — whoever builds them — are as secure as possible, and that the public can be reassured.

“For 5G security as a whole, we really need as experts to be talking about each bit and what we need to do to secure them — and we need to do that in as orderly and objective a way as possible,” he explained.

“Because it’d be a real shame if one of the consequences of this 5G debate would be if we allowed the fear back into cyber security, where we had people scared of technology again because they shouldn’t be.”