GCHQ Warns of a Massive Cyberattack – Demands Companies to “Stop Blaming Users and Make Systems Usable”
GCHQ's National Cyber Security Centre has warned that the UK should be prepared for a major "category one" cyberattack. In comparison, the WannaCry ransomware that had hit the British government badly was considered as "category two".
NCSC is the division of GCHQ that is responsible for "protection of critical services from cyber attacks, managing major incidents and improve the underlying security of the UK Internet". The agency's technical director, Dr Ian Levy, said at the Symantec Crystal Ball event that while predicting cyberattacks is difficult, he was "reasonably confident" about one.
"Sometime in the next few years we're going to have out first 'category one' cyber incident," he said. "Category one is where you need a national response."
"Because it'll be our first ever category one there'll be an independent investigation and what will really come out is that it was entirely preventable. Those two people who did something to subvert the 'awesome technical cyber security thing' were just doing their job. The thing they were being asked to do from a security point of view was basically impossible and they made a mistake." - Levy.
"Stop blaming users, stop making infosec talk so difficult and just make systems usable"
He added that this category one incident would probably not even be a result of some "unprecedented, sophisticated attack that couldn't possibly be defended against," but a simple error made by someone "who was just doing their job". This actually doesn't sound very surprising as many of the past major cyberattacks have been successful not because some sophisticated, state sponsored cybercriminals used leaked NSA exploits but because a major company's security team neglected to install patches for widely known vulnerabilities.
"My concern is unless we start to put some science and some data into cyber security to demystify it, that's really going to happen," Levy warned. "I think we could stop it happening."
"With the trajectory I see at the moment around how cybersecurity is talked about, how people put militaristic analogies around it and make people feel like they cannot defend themselves – it is actually really dangerous, and that is what we want to try and fix."
He also made a strong point that the companies haven't built these systems for people. "Techies build systems for techies, they don't build systems for people," Levy said.
"People are the strongest link; if you can leverage your people better they can be the first and last line of defence for an organisation," Levy added possibly referring to the growing number of phishing and malware attacks targeting different industries (including tech titans if the latest CCleaner malware is any indication).
The NCSC director urged companies to "stop blaming the users and make the systems usable."