As someone who used to do a lot of long-distance running, Ciaran Martin says he “knows a bit about pacing himself”.
But the former boss of the National Cyber Security Centre (NCSC) doesn’t appear to be stepping out of the fast lane any time soon, despite leaving his role heading up the UK government’s cybercrime agency at the end of August – ending a 23-year stint in the civil service.
He has taken over as managing director of VC firm Paladin Capital, which invests into innovative cyber companies, combining this with his role as professor of practice in public management at the University of Oxford’s Blavatnik School of Government.
We sat down with Ciaran to chat about his new role, reflect on his time at the NCSC, and discuss the big cyber threats facing businesses.
Hi Ciaran and congratulations on your new job. Why did you decide to join Paladin Capital?
Paladin has got a good record in the UK and US investment circles, it’s been around for 20 years and works very well with, but is by no means beholden to, the security services.
The way Paladin operates is to look for propositions from proven technologies which can potentially fix a particular cybersecurity problem, whether that’s anomaly detection and AI, or how to train ethical hackers and defenders, things like that. We then look at whether these are commercially viable.
When I was at the NCSC I always asked industry to come up with ideas for the problems it could solve without Government intervention, rather making vague calls for partnerships. In a sense for me, Paladin is a continuation of that philosophy so I really enjoy it.
Was it a difficult decision to leave the NCSC?
I miss the NCSC, the people there were just absolutely amazing, it’s the best team I’ve ever worked in. Having sort of slightly stumbled into cybersecurity seven years ago, I love it, and there’s no better job in Government and cybersecurity than the one I just vacated.
But you can only do these things for so long and six and a half years is a long time. So for that reason it was the right time to go – we had a good handover and I think [new NCSC CEO] Lindy Cameron is superb and will be superb in the job. I have no regrets or rancour, it was the right thing to do because you throw yourself into these jobs and give it everything and you can only do that for so long.
Are you happy with what you achieved in six and a half years at the organisation?
We wanted to make a difference in cybersecurity – it sounds a bit corny but it’s true. The founding leaders of the NCSC all thought that there was huge potential in the UK, both in government within GCHQ, and the wider country, to make a difference in cybersecurity but that the structures to turn to good ideas and good outcomes weren’t there – it was all slightly hazy, talking about doing more private/public partnerships and sharing information.
We said no, let’s fix spoofing government brands, let’s take down bad websites, let’s organise our defences so we can go upstream, let’s build resilience into critical infrastructure. And of course, we didn’t achieve everything we wanted to, but we achieved quite a lot.
How does the role of the public sector differ to that of the private sector when it comes to cybersecurity?
It’s always been my view that there’s only so much of the problem that the government can and should be solving. I hope the NCSC gets well-funded in the forthcoming spending review and grows a bit, but I don’t think anyone at the NCSC wants it to grow exponentially and become a national IT helpdesk.
The only sustainable way forward for security is for the private sector to take care of it. It has a significant role to play and is at its best when it’s focused on solving specific problems. That’s what Paladin is looking for and I’m excited to do my bit to help.
Ransomware is one of the biggest cyber threats businesses face. Do you think more needs to be done to combat these attacks?
There’s a growing community of cybersecurity leaders and governments across the world that want to talk about ransomware more. The last year or so was dominated by policy and political debates about 5G, which is right and proper. But the here and now is ransomware and there’s so much more we can do by promoting backups and things like that.
Some ransomware attackers are trying to blackmail people by threatening to release the data, but essentially ransomware still mostly works by restricting availability, not by threatening confidentiality, and I think it’s a different calculation about payment if you can’t get the data rather than if you’re worried about it being published.
So I just think there’s more to do, and I think one area that is ripe for exploration is the de-facto self-regulation of market economics, particularly insurance. Insurers are becoming a bit queasy about the routine way in which corporate victims are paying ransoms. I would like to see a dialogue between government, business and the insurance industry about how to incentivise people to prioritise back-ups rather than the routine facilitation of payments.
You’ve publicly called for a ban on ransomware payments. Why do you think this would be a step in the right direction?
There’s been pushback from genuine experts saying a ban would drive ransomware payments further underground and so on. And maybe it would, but we need a serious policy examination.
What I do think is a little strange, is where our current UK and US law is on this issue; it’s nobody’s fault, it’s just a product of history. So for the UK, because extortion is based on trying to prevent terrorist kidnappings in the Middle East and North Africa in the early 2000s, it’s illegal to pay ransom if it’s to a recognised and proscribed terrorist group, but it’s legal to pay ransoms to, as I put it coming from Northern Ireland, ordinary, decent criminals.
I can see the logic of the recent US Treasury notice (which suggested sanctions could be brought against those who pay ransoms) and welcome the direction of travel, but I would sympathise with the view that says how are you supposed to know if the extortionist is on the US sanctions list?
And why is it okay to pay a criminal who happens not to be on the US sanctions list? So I do think we’re in a slightly odd legal position on both sides of the Atlantic.
As a 23-year civil servant, I’m acutely aware of the law of unintended consequences, and I think it needs to be looked at carefully. We need to promote backups, we need to look at the way insurance functions, and we do need to look at the almost casual way in which paying ransom has become routine.
Returning to your current role, are there any big opportunities around cybersecurity you think entrepreneurs should be focusing on to attract investors?
I think anyone who can crack ransomware would be great. AI security and protecting the computations and the outcomes is also really important, and I’ve been surprised how much focus there has been on the human dimension; how you make cybersecurity services and products available and get people using them wisely.