Ben Russell, head of cyber threat response at the National Crime Agency (NCA), wants to get one thing clear. “We’re not a regulator – we’re not here to dish out fines,” he says. “We’re here to support businesses, investigate the criminals and try and catch people in order to help.”
The agency is not here to judge, or enforce anything in particular, but to help businesses if they have fallen victim to a cyberattack or data breach. Make no mistake about it either – it’s a question of ‘when’ rather than ‘if.’
“People used to say ‘this is what you should do to make sure this doesn’t happen to you.’ Well, the reality is it’s going to happen,” says Russell (left). “If people are running digital businesses in big companies, and even small businesses, the message they’re trying to send is you’ve got to assume you’re going to get hit by a cyberattack.”
As a result, Russell wants to make businesses feel more comfortable in confiding to the NCA when things have gone wrong. “There are a range of reasons why businesses are nervous,” he explains. “Sometimes they don’t want the regulators to be informed, sometimes I don’t think they want breaches to become public, sometimes I think they’re just getting incomplete legal advice.
“In most circumstances we believe that working with us is the right thing to do,” Russell adds. “It actually helps businesses. We don’t go around shouting what’s been happening unless there’s a massive overwhelming public interest. We are very comfortable dealing with sensitive information so we understand that businesses are concerned about their security – and we’re here to help.”
One example of a story which naturally had overwhelming public interest was the WannaCry attack which crippled the NHS in 2017. According to a report from the Department of Health in October, it cost the health service £92 million.
It proves an interesting example of how the NCA solves the most challenging problems and collaborate with other bodies. The NCA, in Russell’s words, aims to ‘find out who did it’, while the National Cyber Security Centre (NCSC) focuses on ‘how it was done.’
“The thing about WannaCry was I think it was the first time we’d dealt with a cyberattack that had really significant consequences beyond the cyber realm,” explains Russell. “NHS England, NHS hospitals up and down the country were working really closely with the NCSC, and what we were able to do, due to the national nature of the incident, was deploying police officers to hospitals and NHS sites across the country.
“The incident showed that it was a complex and challenging attack, but it showed what you’ve got in the UK system – this whole government response where we’re deploying officers from the intelligence agencies and policing side by side,” Russell adds. “That’s a really novel, positive and exciting approach I think.”
This is not to say that the NCA does not look elsewhere for inspiration, however. In the US, for instance, the agency works with the National Cyber Forensics and Training Alliance (NCTFA), based in Pittsburgh. “The US is fantastic,” says Russell. “What I think is so fantastic about the [NCTFA] model is it’s industry-led. It’s about the sector working with academia, the government, ourselves, the FBI and others, but it’s come from industry themselves, recognising the importance of sharing information.
“People like me can bang on about sharing information and how important it is to do that, but actually when businesses recognise about how important that is themselves and then start doing it and invite us along, I think that’s always the best model.”
Increasingly, organisations are realising the need for disaster recovery and incident prevention alongside the good security hygiene already drummed into them – and while there is plenty of good work taking place, the journey is a never-ending one. “When I started out working on cybercrime the adversaries were focusing very much on trying to infiltrate networks and hide in the background, and take people’s card information,” says Russell. “Now it’s so much more in your face – so much is quite confrontational, ransomware, extortion, and so much more really nasty stuff.
“It’s about identifying when it’s happened as early as possible and making sure you know how to respond,” Russell adds. “How are you backing things up in the right way? Do you have well worked systems and processes in place for incident response? Do you have protocols? Who do you need to inform? What are you telling the public, your customers, the board?
“People have started to understand that they need to practice their incident response.”