Brian Lord OBE, ex-GCHQ Deputy Director, sat down with CBR’s Ellie Burns to talk about how the industry is creating a cyber mythology, perpetuating fear and ignorance in order to make money.
Cyber security in the 21st Century has captured the imagination of the masses, with experts and headlines rallying action against criminal masterminds who are hacking cars, pacemakers, governments, banks and businesses.
A picture is being painted by the cyber security industry, one that boasts spooks and technically gifted criminals as the main protagonists in a landscape dominated by warfare and cyber weapons – a picture that has created a ‘cyber mythology’ designed to “sell unnecessarily expensive solutions through fear,” according to Brian Lord OBE, former GCHQ Deputy Director for Intelligence and Cyber Operations.
Many would be quick to state that cyber fear is well founded, with recent revelations concerning the CIA coupled with attacks on the US election and businesses like Yahoo proving that the threat is very much real. However, Mr Lord, who is now Managing Director at PGI Cyber, argues that it is the exaggeration of what does exist that is to blame for fuelling false perceptions and the larger cyber mythology.
“This is particularly true at the higher end of the spectrum: for example, destructive cyber capability and cyber warfare; especially around the likelihood of occurrence and/or current levels of adversary capability. Concepts of what is “technically” possible are taken out of context and presented as likely and imminent, thus creating a distorted sense of risk,” Mr Lord told CBR.
“For example, it is “technically” possible to interfere with, say, a maritime vessel in a controlled, and semi-controlled testing environment. BUT the picture is much different when placed in the reality of conducting an attack that delivers: actual specific, useful, sustainable effect and doing so undetected and by-passing all other detection and indicators (including built in automated disaster and business continuity capability) and accounting for the technical idiosyncrasies of each and every vessel. To do the latter involves a level of capability, skill, time, money and most specifically intent that creates a very different perception of the real risk.”
Of course, many will argue that government and nation state-backed hackers do have the capability and resources to carry out such attacks. Still, Mr Lord argues that even such attacks fail to deliver the destruction feared by the industry. Pointing to the Russian attack on Ukrainian power systems in 2015, Mr Lord said that an effect was certainly achieved, but the downtime was short: the systems were recovered and back up and running quickly.
“If one looks at the case of Junaid Hussain – the “terrorist hacker” and certainly at the very top end of IS’s “Cyber skillset”; he spent most of his time supporting the IS propaganda campaign rather than planning the destructive cyber terrorist acts that are reported as being likely, imminent and destructive,” said Mr Lord.
Mr Lord is better placed than most in regard to knowing the reach of nation-state hackers, as well as the possible destruction they could wreak on infrastructure and national security. He spent 21 years with GCHQ, serving in a wide range of roles at home and abroad.
“There is huge confusion about the relevance of stories of attacks on the National Infrastructure and Cyber terrorism and state theft of intellectual property, and so the basic and more boring, but by far more voluminous, low level criminal activity goes untreated,” Mr Lord told CBR.
That low level criminal activity is not immune from exaggeration, being yet another pawn in the cyber mythology. Much has been written about the cost of cybercrime, as well as the impending threat from the IoT – both of which are bolstered by weak arguments, according to the ex-GCHQ deputy director.
“The figures quoted for the alleged and predicted “loss” from criminal activity have now breached the magic “trillion dollar mark” although the basis for this calculation is weak and unjustified.
“And the less said the better about “white goods warfare” where hackers use your TV to hack your fridge; simply because both are linked through a single internet connection.”
Although Mr Lord admits that cybercrime is on the rise and that destructive capability is gradually being developed, he argues that the cyber hysteria generated by the industry’s fear-mongering has some worrying, and possibly more dangerous, side-effects.
“This early exaggeration of the threat, and one where something imminent and dramatic never actually occurs in the form envisaged, simply creates complacency and inaction in areas that should be reacting to the more measured and proportionate reality.
“As a consequence, we allow the real threat to evolve and we fall further behind, rather than tracking and gaining ground and systemically reducing the risk and threat.”
So a culture of fear is being created, and that fear is easy to sustain. It is also lucrative: security vendors can make a lot of money from the uneducated and the scared.
“Fear is created by maintaining ignorance. Many people are not deeply technical. So by maintaining discussion at a high technical level, with technical language, the perception is being preserved that only a small number of individuals can understand it. “Cyber” is perceived by most as a technical word to describe technical things.
“So, a threat is presented as unintelligible, and associated with a high level of danger and risk. Therefore a disproportionate sense of fear is created. Those who control that equation control the market. The technique has been around for years – there were many self-serving reasons why priests in the Middle Ages ensured the Bible was only available in Latin. This is simply the 21st Century version.”
Ignorance and fear are great business for cyber security vendors, argues Mr Lord, because an informed purchaser can decide for themselves how to manage and mitigate the risks they face. With the cyber security market so fragmented, and so many solutions available, a knowledgeable customer could potentially be bad for business.
“A cyber security vendor would always prefer to have a client who will buy what they are told, not what the client chooses,” Mr Lord said.
Not only is an ignorant customer an easy sell, but vendors can hike prices and make more money – capitalising to the full extent on the fear they are helping to perpetuate.
“If they can keep the price and margins high and sell into an increasingly bewildered and confused market then they will do so. Indeed some have built their business model (and thus profit projection) around such pricing models.
“And remember “Cyber security vendors” is an unhelpful catch-all that covers the spectrum of technology providers (bits of IT kit); consultants and service deliverers (people who tell you what to do and why) and training (education of others in the knowledge and skills needed to counter the problem). So it is inevitable that whichever type of vendor you talk to will give you a different solution.”
Following this business model, security vendors may actually be doing more harm than good with regard to cyber security. The perception that cyber security is very difficult to understand, and therefore that the people who can do it are scarce and very expensive, could actually be aiding the attackers and hampering the defenders.
“As opposed to Y2K, where the tactic worked, in today’s reality, these behaviours are causing purchasing inaction rather than action due to lack of knowledge and/or the size of the bill. Or rather purchasing happens after the breach rather than preventing one. And so the gap between the capabilities of the hostile actors and the victims grows yet further – because unlike Y2K, the endemic risk is actually real, and growing.”
The vendors do not stand alone as the only perpetrators of Mr Lord’s cyber mythology, with the PGI Cyber MD recognising that there is a “bit of Governmental unconscious complicity in this, primarily in how the Government attempts to set standards.”
“Standards are necessary to help a purchaser differentiate between what is good and not good. But when the standards themselves create or influence a market to an extent where the cost of delivery (and thus purchase) is disproportionately raised (for example the Cyber Essentials or CCP certification) then the market can become warped.
“Worse, there are cases where the Cyber Security vendors “persuade” government through “consultation”, to set standards that immediately limit the number of companies or people who can deliver it (for example, CBEST, CTL Assessments). This of course affects the price. And I’m not sure Government’s past stance of simply absolving themselves of responsibility for how their standards are monetised in the private sector can work much longer. It is an area where I am hoping the new NCSC will take more ownership and develop more commercial awareness.”
So how can we stop the spread of this cyber mythology? As Mr Lord has pointed out, it is only causing inaction and hampering the efforts of the good guys. Pointing the finger at me too, as the media has a role to play, Mr Lord advocates clarity and transparency, urging the industry to be balanced about how the threat is messaged.
“In no other aspect of risk do we try to encapsulate the full range from State activity to petty criminal/anti-social activity in the same narrative. Explain what the difference is and where it is and equally isn’t a risk.”
The industry, argues Mr Lord, also has to be honest that “most businesses only face a threat from a very small spectrum of the threat landscape and so their solutions should be scoped accordingly.” According to the ex-GCHQ man, a year’s protection should cost no more than what most cyber security consultancies would currently charge for two or three days of work.
Finally, businesses should ask themselves the following questions:
- What does cyber risk actually mean for them?
- Who are they under threat from, and why?
- What measures seem proportionate to treat the risk their organisation faces?
- What is a reasonable price to pay for that mitigation?
“If an organisation can answer these questions, then the risk is placed where it needs to be; treated like any other 21st Century Business Risk – no more and no less,” concluded Mr Lord.
“An informed demandeur of services puts any market back into balanced equilibrium. And if we want to close the gap on those who are taking advantage of the lack of preparedness and protection that we have allowed to occur, then the quicker we can get to that position the better.”