As NCSC Head Ciaran Martin Steps Down, Other Countries are Emulating Model
Ciaran Martin, chief executive of Britain’s National Cyber Security Center, which is part of GCHQ (Photo: Mathew Schwartz)
Wanted: A new chief executive to take the helm of Britain’s National Cyber Security Center.
On Friday, the NCSC announced that its chief executive, Ciaran Martin, 45, will pursue longstanding plans to step down from his position by the end of summer 2020. A search is underway for his replacement to facilitate a smooth handover before his scheduled leaving date.
Martin’s upcoming departure serves as useful moment for reviewing the effectiveness of the NCSC model, which looks to have been highly successful at creating a one-stop-shop for private-sector organizations to interface with the government about cybersecurity matters, including investigating major incidents, defending against nation-state attacks and battling election interference. The model is now being emulated in other countries, although the U.S. remains a notable holdout.
The NCSC-style model is still very new. Martin, for example, was appointed to the board of GCHQ – Britain’s signals intelligence and cybersecurity agency – in December 2013, serving as head of cybersecurity. Following the 2015 elections, he recommended forming the NCSC as a branch of GCHQ. After the National Security Council agreed, NCSC formally launched in 2016 (see UK’s New Cybersecurity Strategy – No Strike-Back Required).
When NCSC launched, it was testing a new idea: Could a branch of a country’s intelligence agency effectively handle incident response at a national level, including running the country’s computer emergency response team?
To wit, NCSC included CESG – the information security arm of GCHQ – as well as the Center for Cyber Assessment, together with the U.K.’s computer emergency response team, CERT-UK, and the cyber-related responsibilities of the country’s Center for the Protection of National Infrastructure (see UK Stands Up GCHQ National Cyber Security Center in London).
National Incident Response
Three years later, the endeavor appears to have been a success, with NCSC continuing to liaise with the private sector to handle major security incidents. The organization is also working to put threat intelligence and other actionable information into organizations’ hands more quickly (see Intelligence Agencies Seek Fast Cyber Threat Dissemination).
“It has been the privilege of a lifetime to set up the NCSC and lead its brilliant people,” Martin says. “When we created the NCSC we set out to achieve something truly special, and I hope and believe we are leaving U.K. cybersecurity in much better shape. Challenges around securing technology are only going to get ever more complex so it’s right that after six and a half years that someone else takes this world-class organization to the next level.”
As a senior member of the civil service, Martin is restricted from announcing his post-government career plans until closer to his departure. But the Home Office said that he will take up a position as a visiting professor at King’s College, London, beginning in the fall of 2020.
On Friday, as part of Britain’s 2020 Honors List – honoring citizens who have made a notable impact on society – Martin was appointed “Companion of the Order of the Bath,” a ceremonial position that can be bestowed on members of the civil or diplomatic services, as well as the military.
The Cabinet Office declined to comment about whether Martin’s home address details were amongst the personal data that inadvertently leaked on Friday. Britain’s Information Commissioner’s Office, the country’s privacy watchdog, is investigating the data breach.
NCSC Has Seen 2,000 Security Incidents
NCSC employs about 1,000 people and has an annual budget in excess of £250 million ($330 million).
Speaking at the NCSC’s CyberUK conference in Glasgow, Scotland, in April, Jeremy Fleming, director of GCHQ, promised to more rapidly declassify attack data and feed it to the private sector. (Photo: Mathew Schwartz)
Since launching in 2016, the NCSC has handled more than 2,000 serious cybersecurity incidents that have targeted U.K. organizations (see 10 Cyberattacks Investigated Weekly by UK).
The NCSC also supported the British government’s first public attribution of online, state-sponsored attacks to Russia and three other countries (see Turla Teardown: Why Attribute Nation-State Attacks?).
NCSC has also led a drive to reduce criminals’ spoofing of U.K. government websites, including HMRC – the tax-collection agency – as well as marshalled a decline in the number of malicious websites hosted on U.K.-based servers.
“Ciaran Martin is leaving the UK state of cybersecurity measurably better than he found it,” says bug bounty and vulnerability disclosure expert Katie Moussouris, who helped the NCSC establish the British government’s vulnerability disclosure processes.
Ciaran Martin is leaving the UK state of cybersecurity measurably better than he found it.
Working w @NCSC helping to establish government-wide vuln disclosure process maturity with his teams was a highlight of my career.
Many thanks for Ciaran’s leadership in UK & global cyber. https://t.co/qklVjVELyx
— Katie Moussouris (@k8em0) December 28, 2019
The U.K. approach has now become a model for other countries, including Canada’s Center for Cyber Security, which is part of its Communications Security Establishment intelligence agency. Announcing the launch of the CCCS last year, the Canadian government said that it would be “a single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public.”
Speaking earlier this year at the at the NCSC’s CyberUK conference in Glasgow, Scotland, Scott Jones, who heads the CCCS, said Britain’s NCSC had been the model for Canada’s cybersecurity center.
“We’re doing the same thing, speaking publicly, with a public face, so for the first time, our senior [intelligence] officials are on our website, explaining what they do and what their roles are,” Jones told me.
With rising privacy awareness, as well as increasing attacks against Canadian organizations, he said the model had already found strong traction.
“The response has been overwhelming – very supportive from industry and Canadian companies wanting to work with us – both the smaller organizations that are wanting to work with us to solve certain cybersecurity challenges, up to the largest companies in Canada wanting to work with us to solve critical infrastructure challenges,” he said.
Other countries, including members of the Five Eyes intelligence-sharing alliance – formed in 1941 between Australia, Canada, New Zealand, the U.K. and U.S. – are taking a similar approach. In 2014, for example, the Australian government launched a Cyber Security Center – part of the Australian Signals Directorate and based at the Australian Security Intelligence Organization headquarters – to serve as the government’s lead agency for cybersecurity.
US Lacks Independent Cybersecurity Agency
One notable country that lacks a designated cybersecurity agency, however, is the United States.
Politically speaking, it’s not clear if many American businesses would feel comfortable allowing an incident response team from the National Security Agency – GCHQ’s sister agency in the U.S. – onto their premises to investigate a nation-state attack.
But some information security experts have been calling on the White House to create a one-stop-shop for national cybersecurity efforts, especially as a defense against information operations and election interference campaigns.
Last year, Alex Stamos, the former CISO of Facebook, said the U.S. desperately needed an independent U.S. cybersecurity agency devoted solely to defense and free from any military, law enforcement or intelligence responsibilities (see Election Security: FBI Combats Information Operations).
“In the run-up to the most recent French and German elections, the respective cybersecurity agencies of these countries had access to intelligence on likely adversaries, the legal authority to coordinate election protection and the technical chops to work directly with technology platforms,” Stamos said. “These organizations were independent enough to work directly with the relevant political campaigns, and their uncompromised mandates made them effective partners for multinational tech companies.”
With Britain and other countries now advancing the model of having a national cybersecurity center, is it time for the U.S. and other countries to catch up?