So-called cyber-attack insurance “cannot be a substitute for better basic cybersecurity,” the National Cyber Security Centre’s chief exec has said in her first major speech since taking office.
Lindy Cameron took over from founding CEO Ciaran Martin last summer and on Friday made her first major public appearance in the role. She used the speech to emphasise that infosec “is a team sport” that the UK plays “really well, both at home and beyond.”
Addressing recent fears over ransomware attacks on online systems and networks, a threat that is never out of the news for long these days, Cameron said: “Insurance can really help to cover costs, but it cannot be a substitute for better basic cybersecurity, making ransomware attacks as hard as possible.”
Marking the importance that the government security establishment places on the event, former MI6 chief John Scarlett and ex-GCHQ boss Iain Lobban were both watching the online stream of the speech.
Cameron’s line here made an interesting contrast to the NCSC’s position in August last year, when it said that paying off ransomware crooks through the medium of insurance could be considered OK in some cases.
“Cybersecurity is still not taken as seriously as it should be, and is simply not embedded into the UK’s boardroom thinking,” she continued, lamenting how many British companies see proper infosec hygiene as an optional bolt-on or something for the insurance company to sort out after the disaster, believing everything will be all right on the night.
As the experience of various schools and colleges has shown over the past few weeks, that belief can be actively harmful.
The new NCSC chief was also quite blunt about continuing the GCHQ offshoot’s “interventionist approach” to security standards and also the wider market.
She said in response to The Register‘s questions: “I think it is an area where we need to help the market think about how to factor security in; whether, for example, there is a market for more secure products or volume – would you pay more to get a safer product of a certain kind – and actually, therefore, is that something that private sector organisations will be interested in supplying?”
That kind of interventionism is now central to how government intends to approach the UK infosec industry over the next few years, taking a much firmer stance on growing the industry itself as well as talking to makers of Internet-of-Things tat and making them pull their socks up.
It’s also a stance being echoed by US attitudes towards the wider tech industry. Last week it was reported that US president Joe Biden’s administration plans to force software vendors supplying the government into a mandatory vulnerability disclosure policy. ®