| Huewire

Computer Weekly talks to GCHQ’s National Cyber Security Centre operations director Paul Chichester and former NCSC chief executive Ciaran Martin on Russia, China and Salt Typhoon

Bill Goodwin

Bill Goodwin,
Computer Weekly

Published: 11 Dec 2024 17:00

Russia is focusing its cyber attacks against Ukraine, rather than stepping up its attacks against the West in response to decisions by the US and the UK to allow Ukraine to use long-range missiles on Russian territory.

In an interview with Computer Weekly, Paul Chichester, the director of operations of the National Cyber Security Centre (NCSC), part of the Government Communications Headquarters (GCHQ), said that Russia had not used cyber attacks to respond tactically against increasing military support for Ukraine.

Russian cyber operations have been at a high level since the start of the Ukraine conflict, but Russia’s primary purpose remains to support military operations on the Ukraine battlefield, he said.

Former NCSC CEO and founder Ciaran Martin, now a director of security skills and training body the SANS Institute, said initial predictions that the Ukraine war would lead to a concerted cyber campaign against the West had not materialised.

“Going into the war, there were two big predictions,” he told Computer Weekly. “One was that Russia would use heavy cyber effects against Ukraine. They have tried that, but the impact can be debated.

“But the other assumption was they would try much more aggressive cyber blips, if you like, against Western allies of Ukraine,” added Martin.

“But no serious scholar of cyber security thinks they’ve done [that]. It’s observably untrue.”

Salt Typhoon

The NCSC said it’s keeping a watching brief on attacks by Chinese hacking operation Salt Typhoon, which has hit US telecoms networks, including AT&T, Verizon and Lumen Technologies, placing the personal information of millions of people at risk.

The attack, which has reportedly been underway for at least two years, has given Chinese hackers access to unencrypted messages and voice calls, and has enabled them to target the personal information of senior political figures in the US.

Chichester said the British intelligence services were trying to assess the impact of the threat on the UK.

“We’re still learning what that threat is,” he said. “It appears to be very focused on the US at the moment, but that doesn’t mean we’re complacent. We will continue to look at the UK angles to that and respond to them as and when they occur.”

The UK’s introduction of the Product Security and Telecoms Infrastructure Act 2012, which came into force this year, placed legal duties on manufacturers of electronic and home devices to protect consumers and businesses from cyber attacks.

Chichester said that the act, together with telecoms security regulations that are being phased in over the next couple of years, aim to design-out vulnerabilities that could be exploited by attacks like Salt Typhoon.

“I think that the UK has been considering these kinds of vulnerabilities for some significant time, and has brought forward legislation and regulations with [telecoms regulator] Ofcom and others to absolutely try and increase resilience against those kinds of attacks,” he said. “We all know that defenders make mistakes, and that’s all an attacker sometimes needs. But genuinely a lot of the things that are being required of operators in the UK are things that I know the US are looking at, and other countries are as well.”

Martin said that UK telecoms companies and the NCSC were aware of weaknesses and vulnerabilities in the telecoms network, and it was a question of how quickly they can be rectified before they can be exploited by threat actors.

“I think there are certain advantages that allow the UK to try to manage Salt Typhoon-style operations which aren’t available to allied countries,” he said.

Chichester said that much of the “tradecraft” used by cyber security attackers in Salt Typhoon and other attacks had been anticipated by government and industry ahead of time.

Although it’s not possible to know every attack plan, simple strategies such as telcos separating operational and management infrastructure will reduce the risks.

“Just putting certain requirements and security around the administration of those networks cuts off a lot of vectors,” he said. “You might not know how the adversary is going to do it, but if you architect it in a certain way, then that’s what gives you resilience.”

The UK government is working with telcos collaboratively to develop security regulations and technologies to block a variety of potential attacks, said Chichester.

This has led to a “back and forth” between the NCSC and telcos, to see what might work, and what security measures are possible.

Attribution of attacks

One long-running debate is whether governments are right to attribute hacking attacks to the nation state responsible. Former NCSC CEO Martin said that where the identity of a nation-state hacker was known, it should be disclosed unless there were good reasons not to do so.

Chichester said that identifying an attacker publicly can make it easier to get the message across to companies that they need to take action.

“At the end of the day, if you want to communicate to people, we’ve got to make it about people, either the adversary or the victim,” he said. “You’ve got to tell a story. I think [naming an attacker] is a really powerful communications tool that we would like to use where we can. And so I think it helps defenders.

“It helps you kind of think and visualise, because, you know, as an organisation, OK, do I care about Russia, China or Iran?” added Chichester.

The cyber security director said the NCSC and the UK government publicly attributed cyber attacks for a variety of reasons, including to build coalitions and increase the political cost of cyber attacks.

“I don’t think anybody genuinely thinks that attributions or public indictments or sanctions will ever prevent a state from doing this, but that is not what it’s about,” he said.

But when an attribution is accompanied by a court indictment naming individuals responsible for a hacking operation, that can be a powerful tool, said Martin. “That does give you credibility,” he added. “It really does.”