Good morning everybody. Big crowd. You are all very welcome. Our speaker is here to my left and I'll introduce him in a moment. Fokker Murphy is my name. Let's put this right back down in law enforcement. Just a few housekeeping issues: mobile phones to silent please. The Institute encourages tweeting, but the mobiles have to be on silent. We're very lucky to have Ciaran Martin. Ciaran is the current Chief Executive Officer of the National Cyber Security Centre in GCHQ in the UK. In his address today he'll talk about the pioneering work of the National Cyber Security Centre and the role it plays in developing government policy. Mr Martin will discuss how the Centre protects both national and business interests from major cyber attacks and helps people understand the risks around cyber security. Our event will be as normal: it'll last about an hour. The first 30 minutes or so will be Ciaran's presentation, which will be on the record, and in the second half we will have an opportunity for questions and answers, which will be under the Chatham House rule. As you know, you can refer to the comments, but you can't attribute them to any speaker or to any other person who is present at that stage. Ciaran Martin was appointed Chief Executive Officer of the National Cyber Security Centre on the 15th of March 2016, having previously held the role of GCHQ's Director General for Cyber Security since February 2014. As CEO he leads the public-facing Centre in London, the UK's technical authority on cyber security, aiming to make the UK the safest place to live and do business online. Previously he held further positions as the Cabinet Office's Constitution Director, Director of Security and Intelligence, and Principal Private Secretary to the Cabinet Secretary. The whole area of cyber security is very complex to a lot of us. I hope that Ciaran will demystify some of that this morning
and give us some ideas about what we can do to defend against the threat going forward. So, Ciaran, you're very welcome. We're delighted to have you. The floor is yours.

Thanks for asking. It's very generous of you, and very generous of the round of applause given I haven't actually done anything yet. Just leave these here; they're dangerous, dangerous objects. Very nice to be back in Dublin. Hope it's more successful than my last visit, because I'm from Tyrone and I was here in September for the All-Ireland Final, so I'll just get out of the way of any Dubs in the room. Thank you. I was just talking downstairs to the former Justice Minister, Nora Owen, whom it was a pleasure to see, who was observing the way in which this subject of cyber security is shrouded in mystique and glamour. Indeed, there's a Hollywood dimension to it. We have attackers who seem to hover somewhere, working from Russia and North Korea and so forth. They are expert. In the words of the President of the United States, they weigh 400 pounds. They cannot be stopped. They are undefeatable. And there is nothing we can do. And I was asked to perhaps shed some light on this mystique, and I'm going to start by saying that my objective today, sadly from your point of view, for the next few minutes is to bore you and get you thinking about everything else other than that, to de-glamourise this subject, because, as I will go on to argue, fear and mystique have been the enemy of sound public policy, good human behaviour, good corporate risk management, good cyber security and so on. And if you remember nothing else from what we're trying to evangelise around the National Cyber Security Centre in London, it is that there's a handful of us in any society who will obsess about cyber security. It's our job. It's our business. For everybody else, just be good enough and safe enough to get by on a reasonable risk management basis in your daily lives. We're all going to depend on digital services.
We're going to depend on them for critical public services. We're going to depend on them for corporate prosperity. We're going to depend on them for individual convenience and the general happiness and wellbeing in our lives. To do that in a way that's safe enough doesn't involve you being a cyber security expert. It involves understanding risk, understanding what's most likely to happen to you and taking sensible steps accordingly.

So I'm going to start by splitting the threat into three. What's common to all aspects of the threat is that it springs from the way in which the internet evolved. Nobody really designed the internet, and it sprang from the sort of liberal democratic, open society values of the European Enlightenment as transported into the western parts of the US. And it evolved in a way in which the price of entry into digital services, by and large for the last 20 years of the mass internet, has been to tell a company or a government lots of information about yourself for free and get a service for free. And funnily enough, that's not the best way to keep information safe. And we've suffered from that. It's nobody's fault. Let's accept the world as it is, not as we'd like it to be. And that means that at national level we need to worry about three quite different but overlapping sets of threats.

There are the critical services on which we all depend. Now in terms of people who might attack those, it will often be hostile states. More often than not it will be hostile states. So in the UK we've had one significant experience of this, which was last May in English and Scottish hospitals: a North Korean ransomware attack. What was interesting about that, apart from the fact that it was extremely challenging to deal with and illustrated the disruption to public services that could happen from a cyber attack, was that it was unintentional. It was an attempt by the North Korean state to raise money by blackmailing people.
It was a really badly executed attack, which meant it spread into all sorts of areas that the attackers didn't want it to, because if you're trying to blackmail people for money then the English and Scottish National Health Service is a pretty silly place to go. More seriously, in terms of de-glamourising the threat but trying to understand it, it remains the case that, whilst, as the new Commissioner Drew Harris was reminding me last night, there has been lots of cyber-enabled harm, it's still the case that, as strictly defined, no one on the planet as far as we know has yet been physically hurt as a result of a cyber attack. That's not to say it can't happen, and in the very recent past we very strongly believe, and have publicly said, that the Russian state set a Ukrainian power station on fire, which by definition could have hurt somebody. Thankfully it did not, but it shows you the extent of what might happen. But let's also be realistic about this: it has not yet happened, so we need to guard against that sort of disruption, including disruption that imperils physical safety, to critical services. So that's the first set of threats, and you can see where I'm going with this: that is obviously something that national governments will want to worry about.

The second set of threats is around the corporate sector. Every year the digital department in the UK does a survey of businesses around cyber breaches, and it has concluded that 43% of respondents, which we believe to be a fairly accurate response sample, have experienced a significant cyber breach in terms of personal data and so forth, with an average cost ranging from a small number of thousands of pounds for small businesses to much higher figures for larger businesses. And that sort of corporate health issue is around intellectual property, it's around customer data and so on. I will come back to that.

And then the third set of issues is around the safety of individuals, small organisations, charities and so on.
The devices in our pockets and all of that. Those demands for money that people are seeing and so on. And here I'll give you an example. We know of one small business near to one of our major sites. We've become familiar with the case of a small hairdressing salon of four staff receiving a ransomware notice for £1,600 and paying it because they believed they had no choice, but suffering four days of disruption where they couldn't get any appointments because the system for appointment booking had gone down, and having to notify all their customers under law that their data had gone. Thankfully the small business remained afloat and has recovered from it, but it was a near-death experience for the company. When we look at that issue from the national policy and national security point of view, it's of zero strategic significance. But how many of those are of national significance? What's the aggregate number at which it becomes a national issue? And certainly I would assert that our strategy and work is based on assuming that, whilst at the one end you can worry about power station security and the security of elections, something we might come on to in discussion, the worry is about protecting things that are fundamental to our way of life, to values, to our ability to go out and run an organised society successfully at a national level. But if you have too many of those ransomware attacks on small businesses, on hair salons, on small shops, on people's individual phones, then, at a time when everyone across the West is betting on the digital future, that is a serious threat to public confidence in the digital economy and a first-order public policy problem.
So when, in the UK after the 2015 election, the government decided it was going to have a proper and serious look at cyber security, it fundamentally decided, and this wasn't an easy thing to do, it sounds very simple now, but it fundamentally decided that the national strategy was going to look out for two things: high-end national security, but also the digital wellbeing of the citizen, with a security centre within the intelligence and security community but with a much more public and outward-facing function to lead on that. And that's the organisation I've got the privilege to lead.

What sort of things are we doing? I'm going to presage that by talking about some of the reasons why we've evolved and stopped doing things that we believed in as a government, like other western governments, in the past. One is that western societies, I think, hampered themselves from doing cyber security well by spreading that fear, by not explaining very clearly what the risks are and how they're likely to materialise. Everyone in this room is more likely, certainly in terms of the devices in your pocket, to experience serious transnational organised cyber crime than you are to experience the Russians, and defending yourself against that requires different approaches to some of the things you might see in terms of combating the most aggressive state actor. The way I illustrate this is that good defences start with understanding the threat, and one of our primary customers, if you like, is UK government departments.
So we can give the big threat picture, here's how the digital attack map of the world works, but frankly if I'm talking to the Secretary of State or the Permanent Secretary, the head civil servant, of the Department for Work and Pensions, which is the social security department, they don't really give a monkey's about the Russians, and nor should they, because they pay over 100 billion pounds in social security benefits, so the big risk in that department is money, and the people who target money are organised criminals. If you're talking about the Foreign Office, diplomatic communications and all the rest of it, then you worry about hostile states. Those are two completely different defensive approaches, but if you don't explain that rationally, calmly, with some evidence, then you're not going to arrange your defences correctly. And it's the same here, whether you're talking about law firms, whether you're talking about pharmaceuticals and so forth: understand the sort of risk that you're running. So to give you another example from the private sector, the police have worked at the request of the Law Society on assessing the risk to the legal sector, and when I give presentations to the legal community in London about the contents of that report, the only thing anybody remembers is that, when they talk about the Russians, those who deal substantially with clients who have interests in that part of the world have got a very specific thing to worry about; those who don't do not, and have a more generic threat. End of story, and you can go away and organise your defences accordingly. So that's replacing fear-mongering with good, evidence-based, publicly disclosed risk assessment.

The second is correcting advice which is so impractical to the point that it's actively damaging. So we will all, I'm sure, have had access to, and been told about, what are in our view spectacularly bad pieces of cyber security advice. One is to organisations: that the most important thing you can do is to educate
your staff how to spot a dodgy email being sent to your corporate network and make sure that they don't click on that link, that's the really important thing you can do. Now if you can do that as an organisation, that's brilliant, but it's next to impossible to do, and certainly not a sensible way to base your entire organisational cyber security. There's a world-class cyber security expert, constantly sought after across the world for his expertise, who has published a blog, which I recommend to you, on the NCSC website called The Serious Side of Pranking. It's about how he almost fell for a spoof email, a link sent to him by a prankster who had fooled senior figures in the White House and the UK Home Office, and almost, almost got him, because it was that good. If that's somebody with a PhD in maths and 20 years of experience in top-level cyber security, and he almost got done, what hope is there for the rest of us with 300 emails a day? So you should assume that people are going to click on these links, and instead you should worry about what happens when the compromise happens, and that is how defences should be organised.

The other spectacularly bad piece of advice I'll mention is password guidance. Last year, in one of our proudest moments, the US thought leader who had devised most western password guidance, the basis of most western password guidance this century, more or less recanted his views and said that his thinking had evolved based on some of the work that we published through a German academic. Because what we'd done was we had commissioned this German academic to research what was the cumulative impact on the average human being of modern-day password guidance. So given the number of digital services most people used, if you followed the following advice, which we've all heard, use long, complex passwords, change them every 30 days and use a different one for each service, which used to be what the advice was, if you actually followed that it was, in psychological and
mathematical terms, the equivalent of being asked to memorise a new 600-digit number every month. In other words it is physically impossible to do. I talked to a former member of the UK Cabinet the other day; it may be identifiable, but it was in public so it's fine. This is a person who argued an impossible case in front of the European Court of Human Rights in Strasbourg for the UK government on prisoner voting, in French, so he's not a stupid man, he's an extremely clever man. And he talked about when he was appointed to the Cabinet, we gave him a device that he could not use; he could not follow our security procedures. That is our fault, not his. We were making technology far too hard for people to use. So now we've changed password guidance and we're saying things like use password managers, and if you have a couple of things that you really care about then you use the top, state-of-the-art security for those, because you want higher protections for the things you care about.

We weren't building resilience into our systems. You look at some of the compromises: people just walked off with everything. You look at what happened in the United States, where the Office of Personnel Management, in effect the database of all US civil servants, was hacked, and the attacker spent hours and hours just copying the entire database before anyone noticed. We've learned from that. It doesn't mean that the equivalent databases in the UK could never be hacked, but there are trigger mechanisms to say look, there's been two hours of anomalous activity, rather than the 24 hours that that sort of attack took.

And then finally, and most powerfully, there was a sense of unnecessary secrecy about this. There are elements of what we do which are deeply classified; there are accesses to attackers that we can never talk about. But frankly, and this is a real cultural challenge for security and intelligence agencies, understanding the threat is not enough. One of the drivers for changing the system was deep and, in my view,
entirely justified frustration among senior political decision-takers that they felt brilliantly informed about the threat but were powerless to do anything about it, because we told them that it was all very secret and gave ourselves a pat on the back that we had such a deep understanding of the threat, but of course from their point of view it was a source of frustration. In the last two years we have probably declassified more threat information than ever before, and I think we lead the world in declassifying threat information, and we have managed to do that more safely than I would have hoped. Cyber security does lend itself to disguising the ultimate source of a data set, and that means if you look at three weeks ago, when the joint UK, US, Dutch action against the Russians followed the antics of Russian personnel in The Hague, one lesser-noticed part of that is that there is an eight-page technical document on our website saying this is what these GRU intrusions look like at a technical level. And anybody in the world can go on the website, download those eight pages of indicators, run them through their system, look at the URLs, look at the destinations, see if they're connected to any of them and, if so, take some action. And that is gold dust. That is mitigating the actual threat. That is making the job of the Russian attackers harder. So it's those sorts of practical steps that we're taking.

So where does all this lead to? I think it leads to a more activist approach in pursuit of a safer internet, in both the realms of national security and the digital security of the citizen. So at the sort of national security end, we do need high-end capabilities; we do need a full suite of tools such as diplomatic calling out of unacceptable behaviour, such as declassifying the information, as I've just talked about, to give people access to the sort of information they need to get rid of threats; and we need to do things like building resilience into critical systems. On the
latter point, we are trying to do a programme of work over many years where, at the point at which legacy systems which are inherently insecure are phased out, we get in there in the new system and make it automatically safer. So if you take, for example, something we're doing right now, which is the Bank of England developing a new system for interbank payments clearance, so trillions of pounds a year going through that system: how do we make it resilient to attack? We can't make it immune from attack, but how do you make it so that you cannot take out the entirety of this system? That is something we're working on right now. How do you configure the social security system, the new Universal Credit, in a way that, of course no 100-billion-pound system is going to be safe from fraud and theft, but how do you make sure that it's impossible to defraud the entire system? And we believe we've built that in and published details of how we've done that. So that's the national security sort of end of the threat, the first of the triplet that I started off with.

Before I finish, the second one is business. As well as giving business some of this information, I think there is something about the cultural aspect of this, and so in September we published guidance to corporate boards with five questions on what sort of issues executives and non-executives and boards should worry about. Why did we do that? Well, again, in the past we got this wrong. We used to advise corporate leaders that the solution to cyber security was to run their business well, and for those of you in the room who are corporate leaders, I'm sure you could have worked that out all by yourselves without any need of government help. What we didn't have was: what do we as the national security people think actually matters in the technical sense? If you take an analogy with something like pension liabilities or health and safety, you would not just leave that to generic questions about risk management and good
governance. You would actually have some people, and the whole board, being equipped to understand a little bit about how these things work. So the five questions, I won't go through them, but they're designed to say: look, do you have somebody who understands the protection of the network, or a team who own the security of the network? Do you understand, and how do you manage, the risk of your supply chain and your contractors? Do you actually understand how your approach to countering those phishing emails that I talked about works? So as well as giving businesses the sort of information that they need, we give them the sort of tools to get a little bit more technical, to manage that risk effectively.

And one of the most exciting things is at the consumer end, the personal end of it. As well as overturning frankly mad previous guidance, we're trying to reduce the number of incidents in which we have to rely on individual decisions. It goes back to that point: no one here in this room needs to be world-class at cyber security, just good enough to manage your own lives, and certainly we don't want people to have to take hundreds of individual security decisions every day, every time they open an email. We're doing some quite frankly cool stuff on reducing the incidence and the impact of those types of emails. We did a pioneering study with our tax authority, HM Revenue and Customs, which was the most spoofed brand in the United Kingdom. If you'd been in an audience like this in London three years ago and done a show of hands, who has had an email offering them a tax refund from a fake HMRC website, virtually every hand would have gone up. That's no longer the case, because we've worked with them to adapt a long-standing internet protocol about how you authenticate your identity online, and the way it works is it says: don't deliver the email, send it to us instead. In the first full year of the operation of that programme we stopped half a billion spoofed emails from people pretending to be HM Revenue
and Customs, as well as stopping half a billion attacks and giving us half a billion data points on who was doing the attacking. The beauty for me in that is that's half a billion fewer instances where somebody had to take a judgement as to whether or not that email was trustworthy. That's the sort of thing.

Another thing, briefly, before I finish: what we've done is, even when those emails do get through, if we know the destination is bad and someone clicks on the link, we've made it impossible from a government network to reach that destination. We've just blocked it. It's a consensual thing; it hasn't needed any new legal powers, but it now means that even if all else fails and somebody working in a government organisation clicks on that dodgy link, it just says sorry, you can't go here, because we know it to be bad. And again we capture the data on that. So we're trying to do these things rather than just wallowing in fear, rather than just wallowing in despair and throwing our hands up in the air. We're trying to do these incremental things to make the internet automatically safer. And why does that matter?
Because it matters to the attackers. Even the Russians, even the best of the hostile states, rely on these basic weaknesses. They're only as good as they need to be. Let's make them work harder; we want their A-teams to need to be deployed. At the minute it's too easy.

And to conclude, I just want to mention a little bit about where all this fits in in terms of cooperation. So I've had a series of excellent discussions yesterday with Irish Government counterparts, and I'll be doing that later on today. I think we're looking at greater, enhanced bilateral cooperation across threat sharing, across critical national infrastructure protection and across technological innovation. For those interested in the impact of Brexit on that: there isn't any, and I say that as a matter of objective fact, because the sorts of things we're doing do not depend on legal powers or agreements that are dependent on European Union membership. So the sorts of things we're agreeing now, I can come back next year, and have the Dublin NCSC over to London, to review progress, whatever happens in the negotiations on the future relationship.

But to conclude on a more philosophical point, this is the ultimate global issue, and there are competing visions of the internet out there now in a way that there weren't in the past. There's the free internet that we want to make safer, and there's the controlled, less free, totalitarian-state, balkanised internet which is gaining traction elsewhere. And I would say, whatever else happens in terms of geopolitics, that I would hope that we in Europe, in North America and across the western world are on the same side on that, and we should rally behind these improvements to keep the internet free and make it safer. Thank you very much for listening.
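Editor's note on the anti-spoofing programme described in the speech ("don't deliver the email, send it to us instead"). The speaker does not name the protocol; the mechanism he describes matches a DMARC policy with a reject disposition and aggregate reporting, and that identification is an assumption, as are every domain, address and message below. The following Python is an added example, not code from the talk or from the NCSC, showing how a receiving mail server applies such a policy mechanically: parse the published record, test SPF/DKIM alignment against the visible From domain, reject what fails, and count what it saw for the report address, so that no human has to judge whether the email is trustworthy.

```python
"""Added example, not part of the speech: a DMARC 'reject + report' policy as a
receiving mail server would apply it. Protocol identification, domains, addresses
and messages are all assumptions constructed for illustration."""
from collections import Counter

# Constructed DMARC record as it would appear in a _dmarc.<domain> TXT entry.
# p=reject: do not deliver failing mail; rua=: send aggregate reports here.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; pct=100; "
                  "rua=mailto:dmarc-reports@example.gov.uk")


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")   # apply policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= given
    return tags


def org_domain(domain: str) -> str:
    """Crude organisational-domain reduction (assumption for the example: real
    implementations consult the Public Suffix List). Keeps three labels for
    *.gov.uk / *.co.uk style names, otherwise the last two."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("gov", "co", "ac", "org"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed allows the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(policy: dict, msg: dict, sample_index: int = 0) -> str:
    """Return 'pass', 'reject', 'quarantine' or 'none' for one message.
    msg carries the RFC5322.From domain plus the SPF and DKIM results the
    receiver already computed (authenticated domain and pass/fail)."""
    spf_ok = msg.get("spf_pass") and aligned(msg["from_domain"], msg.get("spf_domain"), policy["aspf"])
    dkim_ok = msg.get("dkim_pass") and aligned(msg["from_domain"], msg.get("dkim_domain"), policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # The policy domain itself uses p=; a subdomain uses sp=.
    is_subdomain = msg["from_domain"].lower() != msg["policy_domain"].lower()
    requested = policy["sp"] if is_subdomain else policy["p"]
    # pct= applies the requested action to that percentage of failing mail only;
    # the remainder is stepped down one level (reject -> quarantine -> none).
    if sample_index % 100 >= int(policy["pct"]):
        requested = {"reject": "quarantine", "quarantine": "none"}.get(requested, "none")
    return requested


def process_mail(record: str, messages: list) -> tuple:
    """Apply the policy to a batch; return (dispositions, aggregate report counts).
    The report is what the rua= address receives: counts by source and outcome."""
    policy = parse_dmarc(record)
    dispositions = [dmarc_disposition(policy, m, i) for i, m in enumerate(messages)]
    report = Counter((m["source_ip"], d) for m, d in zip(messages, dispositions))
    return dispositions, report


# Constructed traffic: one legitimate message, two spoofs from the same source.
SAMPLE_MESSAGES = [
    {"policy_domain": "example.gov.uk", "from_domain": "example.gov.uk", "source_ip": "198.51.100.7",
     "spf_domain": "example.gov.uk", "spf_pass": True, "dkim_domain": "example.gov.uk", "dkim_pass": True},
    {"policy_domain": "example.gov.uk", "from_domain": "example.gov.uk", "source_ip": "203.0.113.9",
     "spf_domain": "refund-alerts.example", "spf_pass": True, "dkim_domain": None, "dkim_pass": False},
    {"policy_domain": "example.gov.uk", "from_domain": "refunds.example.gov.uk", "source_ip": "203.0.113.9",
     "spf_domain": None, "spf_pass": False, "dkim_domain": "refund-alerts.example", "dkim_pass": True},
]

if __name__ == "__main__":
    results, report = process_mail(EXAMPLE_RECORD, SAMPLE_MESSAGES)
    for m, d in zip(SAMPLE_MESSAGES, results):
        print(f"{m['source_ip']:>14}  From: {m['from_domain']:<26} -> {d}")
    print("aggregate report rows:", dict(report))
```

The second spoof passes SPF for the attacker's own domain, which is why SPF alone never stopped this kind of mail: the check that matters is that the authenticated domain aligns with the domain the recipient sees in the From header. The report rows are the "data points on who was doing the attacking" the speaker mentions; they identify sending sources without anyone reading the individual emails.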