Wednesday 18 May 2022
Select a region
News

FOCUS: Who you gonna call?

FOCUS: Who you gonna call?

Thursday 19 August 2021

FOCUS: Who you gonna call?

Thursday 19 August 2021


From hackers based in their bedrooms to sophisticated multi-national organisations focused on bringing down critical infrastructure, or fixing a national election…cyber-crime is big business.

And it’s not just big business which needs to be afraid of being hacked – in the current connected world, it is a threat for every person and every organisation.

Enter CERT, or Cyber Emergency Response Team, which has just been created in Jersey by the government, under the leadership of Matt Palmer.

Matt_Palmer_2.jpg

Pictured: Matt Palmer is leading the Government's Cyber Emergency Response Team.

Currently it sits within the economy department, but in the future, it could be broken out into another ‘arms-length organisation.’

Its role is to help both the public, and private sectors, protect itself from cyber-crime…and to support those who are victims of an attack. 

Matt Palmer is a former KPMG auditor, who then led global security, IT and client-facing functions across most areas of financial services, with companies such as State Street bank and global broker Willis Towers Watson… as well as being a former Bradford district counsellor.

Matt_Palmer.jpg

Pictured: Mr Palmer has previously been a KPMG auditor and has also led global security, IT and client-facing functions across most areas of financial services, with companies such as State Street bank and global broker Willis Towers Watson.

Express asked him to describe the change in cyber threats in the last decade, from ‘bedroom hackers’ to carefully planned, targeted and sophisticated criminal activity…

Cyber has been used for advantage by nations since the days of Bletchley Park, but it’s easy to forget that most computer crimes weren’t even crimes in the UK until 1995. With a few exceptions, attacks were very unsophisticated.

Anyone could do it, and anyone did. In the last 20 years cybercrime has moved from being an amateur endeavour by disillusioned young people in basements looking to make a point, to a trillion-dollar global industry with a deep and complex market of illegal services and data. 

It’s worth putting a lot of time and effort into something for a million dollar payday just from a single compromise. Cyber criminals are now very capable, connected, and well-resourced. They are also often ruthless and willing to stop heart surgery, disrupt power grids, break businesses and poison water supplies to make money. 

Given the name, is CERT going to be focussed on ‘cure’ rather than ‘prevention?’

Much like a fire service, whilst major incidents are the highly visible bit, much of the day-to-day work is preparation and prevention. It’s not very glamorous, and not at all like a Hollywood hacker movie.

The CERT will work to understand the most critical cyber risks to the island, liaise with international partners to monitor global cyber threats, work across the community to help prevent attacks through advice and assistance, and help respond in an emergency.

Matt_Palmer_3.jpg

Pictured: "Much like a fire service, whilst major incidents are the highly visible bit, much of the day-to-day work is preparation and prevention. It’s not very glamorous, and not at all like a Hollywood hacker movie."

The CERT brand is internationally recognised and reflects a deep global history of response to computer-based attacks. It is easily understood by our international stakeholders and will help build trust in Jersey. It doesn’t fully reflect the preventative and advisory activity, but that doesn’t matter as long as everyone knows how we can help. I’m going to focus on communicating that and getting the job done well.

Is your focus going to be on dealing with low-level, high volume attacks like persuading individuals to part with some money; or high-level, low-volume attacks like attempts to undermine critical infrastructure, or influence national elections?

It’s not really a choice, if you ignore one you fail on the other. So called ‘advanced’ attacks, or ‘advanced persistent threats’ (APTs) are often just a series of simple attacks that have been carefully researched and prepared by an attacker with plenty of time and resources – organised crime or nation states.

This means basic controls such as good access management, encryption and two-factor-authentication help protect against both types.

Even minor attacks can have a huge impact on individuals and organisations so we will work to improve controls to protect against those, whilst keeping an eye out for the major attacks around the corner. We’ll focus on the actions that have the biggest impact for the island.

Given the sophistication of the latter group, which may involve some of the ‘best’ and well-resourced hackers in the world, how can Jersey realistically hope to protect itself? 

There’s no guarantee that incidents won’t happen, or that they won’t be severe – accepting that is hard.

Computer_Keyboard.jpg

Pictured: "Even minor attacks can have a huge impact on individuals and organisations so we will work to improve controls to protect against those, whilst keeping an eye out for the major attacks around the corner."

Major incidents are a lot less frequent or severe if you have good controls. The key is to take sensible precautions. At the end of the day cyber is just another risk, and it’s something we can do really well, if we put our minds to it.

How well-resourced is CERT, and what will it do, on a day-to-day basis?

Government had the foresight to include provision in the Government Plan so we have some setup funds and an annual budget for two to three staff. Day-to-day, our team will be working directly with organisations across the island to support them to manage their cyber risks and help them when things go wrong. It’s a big mandate for a small team, but it’s a huge step forwards and the first in the crown dependencies.

The original plan was a pan-island approach which could deliver enhanced capabilities for both islands in the future, but Jersey’s government recognised the risk we were taking in cyber and opted to move ahead fast despite the pandemic. We’ll be looking at how we work in partnership with others to maximise value for money and we’re open to delivering jointly with Guernsey or the Isle of Man if that’s something they would like to consider.

What authority/power will CERT have - is it there to advise, or can it instruct as well?

Sitting in an ivory tower and shouting at people to do things never works. 

Internet.jpg

Pictured: "We’re here for everyone, there are no exceptions, and our remit is island-wide."

We want to be a ‘critical friend’ – someone you can rely on to help, but also to tell you the truth when you need to hear it. There are many different models for doing this and we’ll be working with the Law Officers, Ministers and others to make sure we have the right remit and authority to be effective in Jersey.

Will its support be aimed at Government entities, and the ‘arms length organisations’, or supporting private sector companies?

We’re here for everyone, there are no exceptions, and our remit is island-wide. We will be looking to prioritise work with sectors where we know from the island-wide risk assessment there are concerns, but whether you are a charity, business, or governmental organisation we’ll do our best to be here for you in the way you need. Government are actively developing their internal cyber capabilities so they can handle that - we expect to look outwards, not inwards.

Companies often pay hackers rather than risk the experience becoming public knowledge - what would you say to them, and could that be a barrier to them engaging with you?

Whether you pay or not, we’re here to help and will make no judgements. However, whilst paying may feel like a way out at the time, it’s usually a terrible idea.

Paying a ransom is paying a criminal to hurt you and others. The police don’t pay muggers to go away, they arrest them. The fire service don’t pay arsonists and the ambulance service don’t pay people to speed down a green lane, drunk and in the dark. Why would you?

Matt_Palmer_5.jpg

Pictured: "We want to be a ‘critical friend’ – someone you can rely on to help, but also to tell you the truth when you need to hear it."

Criminals don’t submit to KYC checks, so it may also be a breach of law and anti-money laundering (AML) regulations and potentially international sanctions. North Korea and Al Qaeda are both known recipients of ransom funds.

Companies pay because they don’t have confidence in their abilities to recover. Colonial Pipeline in the US a few weeks ago is great example of this. They could restore, but felt it would be too slow so chose to pay anyway. On the other hand, Ireland’s health service held firm and refused to pay; the hackers eventually let them decrypt the data for free.

Sometimes hacker groups just disappear with the money. Don’t rely on them to get you out of a fix. The Russian hacker group Darkside that was behind the Colonial attack has made $90m from ransoms because half of victims pay.

Once you’re on the list of known payers you can be targeted by others, like a bank account for the bad guys. The same is true with cyber cover – hackers are known to target people with cover, so if you tell people you’ve got it you are painting a target on your back. Cyber cover is a great idea, but letting the hackers find out you can pay, is not.

Instead of paying, test out a ransomware scenario in advance to make sure you can recover. Agree a board policy on ransomware payments so everyone is clear what is expected, and either keep your insurance cover secret or even better negotiate with your cyber insurer to include business recovery costs but exclude ransom payments. Make yourself an unattractive target.

LISTEN...

Matt Palmer spoke to Express in more depth about how CERT will work on a recent Bailiwick Pod...

Cyberfighting - the new emergency service

Subscribe to Bailiwick Podcasts on Spotify, Apple Podcasts, Deezer or Whooshkaa.

Sign up to newsletter

 

Comments

Comments on this story express the views of the commentator only, not Bailiwick Publishing. We are unable to guarantee the accuracy of any of those comments.

Once your comment has been submitted, it won’t appear immediately. There is no need to submit it more than once. Comments are published at the discretion of Bailiwick Publishing, and will include your username.

Posted by Scott Mills on
They are not hackers, they are crackers. Hacker are ethical crackers, used to attack system with the companies say so. Crackers are exactly that, just like safe crackers/cracking. You wouldn't hack into a safe. Lovely beaches
To place a comment please login

You have landed on the Bailiwick Express website, however it appears you are based in . Would you like to stay on the site, or visit the site?