From hackers based in their bedrooms to sophisticated multi-national organisations focused on bringing down critical infrastructure, or fixing a national election… cyber-crime is big business.
And it’s not just big business which needs to be afraid of being hacked – in the current connected world, it is a threat for every person and every organisation.
Enter CERT, or Cyber Emergency Response Team, which has just been created in Jersey by the government, under the leadership of Matt Palmer.
Currently it sits within the economy department, but in the future, it could be broken out into another ‘arms-length organisation.’
Its role is to help both the public and private sectors protect themselves from cyber-crime… and to support those who are victims of an attack.
Matt Palmer is a former KPMG auditor, who then led global security, IT and client-facing functions across most areas of financial services, with companies such as State Street bank and global broker Willis Towers Watson… as well as being a former Bradford district councillor.
Express asked him to describe the change in cyber threats in the last decade, from ‘bedroom hackers’ to carefully planned, targeted and sophisticated criminal activity…
Cyber has been used for advantage by nations since the days of Bletchley Park, but it’s easy to forget that most computer crimes weren’t even crimes in the UK until 1995. With a few exceptions, attacks were very unsophisticated.
Anyone could do it, and anyone did. In the last 20 years cybercrime has moved from being an amateur endeavour by disillusioned young people in basements looking to make a point, to a trillion-dollar global industry with a deep and complex market of illegal services and data.
It’s worth putting a lot of time and effort into something for a million-dollar payday just from a single compromise. Cyber criminals are now very capable, connected, and well-resourced. They are also often ruthless and willing to stop heart surgery, disrupt power grids, break businesses and poison water supplies to make money.
Much like a fire service, whilst major incidents are the highly visible bit, much of the day-to-day work is preparation and prevention. It’s not very glamorous, and not at all like a Hollywood hacker movie.
The CERT will work to understand the most critical cyber risks to the island, liaise with international partners to monitor global cyber threats, work across the community to help prevent attacks through advice and assistance, and help respond in an emergency.
The CERT brand is internationally recognised and reflects a deep global history of response to computer-based attacks. It is easily understood by our international stakeholders and will help build trust in Jersey. It doesn’t fully reflect the preventative and advisory activity, but that doesn’t matter as long as everyone knows how we can help. I’m going to focus on communicating that and getting the job done well.
It’s not really a choice: if you ignore one, you fail on the other. So-called ‘advanced’ attacks, or ‘advanced persistent threats’ (APTs), are often just a series of simple attacks that have been carefully researched and prepared by an attacker with plenty of time and resources – organised crime or nation states.
This means basic controls such as good access management, encryption and two-factor authentication help protect against both types.
Even minor attacks can have a huge impact on individuals and organisations so we will work to improve controls to protect against those, whilst keeping an eye out for the major attacks around the corner. We’ll focus on the actions that have the biggest impact for the island.
There’s no guarantee that incidents won’t happen, or that they won’t be severe – accepting that is hard.
Major incidents are a lot less frequent or severe if you have good controls. The key is to take sensible precautions. At the end of the day cyber is just another risk, and it’s something we can do really well, if we put our minds to it.
Government had the foresight to include provision in the Government Plan so we have some setup funds and an annual budget for two to three staff. Day-to-day, our team will be working directly with organisations across the island to support them to manage their cyber risks and help them when things go wrong. It’s a big mandate for a small team, but it’s a huge step forwards and the first in the crown dependencies.
The original plan was a pan-island approach which could deliver enhanced capabilities for both islands in the future, but Jersey’s government recognised the risk we were taking in cyber and opted to move ahead fast despite the pandemic. We’ll be looking at how we work in partnership with others to maximise value for money and we’re open to delivering jointly with Guernsey or the Isle of Man if that’s something they would like to consider.
Sitting in an ivory tower and shouting at people to do things never works.
We want to be a ‘critical friend’ – someone you can rely on to help, but also to tell you the truth when you need to hear it. There are many different models for doing this and we’ll be working with the Law Officers, Ministers and others to make sure we have the right remit and authority to be effective in Jersey.
We’re here for everyone, there are no exceptions, and our remit is island-wide. We will be looking to prioritise work with sectors where we know from the island-wide risk assessment there are concerns, but whether you are a charity, business, or governmental organisation we’ll do our best to be here for you in the way you need. Government are actively developing their internal cyber capabilities so they can handle that - we expect to look outwards, not inwards.
Whether you pay or not, we’re here to help and will make no judgements. However, whilst paying may feel like a way out at the time, it’s usually a terrible idea.
Paying a ransom is paying a criminal to hurt you and others. The police don’t pay muggers to go away, they arrest them. The fire service don’t pay arsonists and the ambulance service don’t pay people to speed down a green lane, drunk and in the dark. Why would you?
Criminals don’t submit to KYC checks, so it may also be a breach of law and anti-money laundering (AML) regulations and potentially international sanctions. North Korea and Al Qaeda are both known recipients of ransom funds.
Companies pay because they don’t have confidence in their abilities to recover. Colonial Pipeline in the US a few weeks ago is a great example of this. They could restore, but felt it would be too slow so chose to pay anyway. On the other hand, Ireland’s health service held firm and refused to pay; the hackers eventually let them decrypt the data for free.
Sometimes hacker groups just disappear with the money. Don’t rely on them to get you out of a fix. The Russian hacker group Darkside that was behind the Colonial attack has made $90m from ransoms because half of victims pay.
Once you’re on the list of known payers you can be targeted by others, like a bank account for the bad guys. The same is true with cyber cover – hackers are known to target people with cover, so if you tell people you’ve got it you are painting a target on your back. Cyber cover is a great idea, but letting the hackers find out you can pay is not.
Instead of paying, test out a ransomware scenario in advance to make sure you can recover. Agree a board policy on ransomware payments so everyone is clear what is expected, and either keep your insurance cover secret or even better negotiate with your cyber insurer to include business recovery costs but exclude ransom payments. Make yourself an unattractive target.
Matt Palmer spoke to Express in more depth about how CERT will work on a recent Bailiwick Pod...