The Security Circle
An IFPOD production for IFPO, the very first security podcast, called Security Circle. IFPO is the International Foundation for Protection Officers, an international security membership body that supports front-line security professionals with learning and development, mental health and wellbeing initiatives.
EP 174 Ransomware Nation: Why Business Is Still Getting Punched in the Face with Jamie MacColl Senior Research Fellow in Cyber and Tech at Royal United Services Institute
Ransomware is no longer “just an IT problem.” It is a national security threat, an economic threat, and a direct threat to business survival.
In this explosive episode of The Security Circle, Yolanda interviews cybercrime expert Jamie MacColl, whose recent appearance on BBC Panorama put the UK’s ransomware crisis firmly in the spotlight.
Together they unpack the brutal reality facing organisations today: why businesses are still failing the basics, why boards are not listening until they get “punched in the face,” and how cyber criminals are exploiting weak fundamentals like poor patching, missing MFA, vulnerable suppliers and operational complacency.
From the chaos caused by attacks on UK retail, manufacturing and healthcare, to the rise of groups like Scattered Spider, Jamie explains why ransomware has become a business hostage crisis hiding in plain sight.
This episode dives into:
• Why ransomware should be treated like terrorism and organised crime
• The dangerous culture of silence stopping businesses learning from attacks
• Why “secure by design” and “secure by default” are still more slogan than reality
• How supply chain weakness is fuelling the next wave of attacks
• Why governments are struggling to legislate fast enough
• What businesses must do now to survive the next six months
If your organisation still thinks “it won’t happen to us,” this episode is your wake-up call.
Because in today’s world… complacency is expensive.
🔥 We love Thursdays.
https://www.linkedin.com/in/jamie-maccoll-b925a8127/
Jamie MacColl is a Senior Research Fellow at the Royal United Services Institute. His current research focuses on ransomware and other financially motivated cybercrimes, the UK’s national cyber strategy, and the role of private companies in global cyber governance. He is also currently a Senior Research Associate at Virtual Routes, a European think tank, and a Project Fellow at the Research Institute for Sociotechnical Cyber Security. Jamie holds an MPhil in International Relations and Politics from the University of Cambridge and BA in War Studies from King’s College London.
Security Circle ⭕️ is an IFPOD production for IFPO the International Foundation of Protection Officers
If you enjoy the Security Circle podcast, please like, share and comment, or even better, leave us a fab review. We can be found on all podcast platforms. Be sure to subscribe. The Security Circle, every Thursday. We love Thursdays.
Speaker 2: Hi, I'm Yolanda, and welcome to the Security Circle Podcast, produced in association with IFPO, the International Foundation for Protection Officers. This podcast is all about connection, bringing you closer to the greatest minds, boldest thinkers, trailblazers, and change makers across the security industry. Whether you are here to grow your network, spark new ideas, or simply feel more connected to the world of protection and risk, you are in the right place, wherever you are listening from. Thank you for being a part of the Security Circle journey.
Yoyo: Jamie MacColl, honestly, I am thrilled to have you on the Security Circle podcast. Thank you so much for joining us. How are you doing?
Jamie: I'm very well. Thank you.
Yoyo: Now we both know that I found you because I was just, I don't watch a lot of terrestrial TV. I've literally moved over to box sets and, you know, watching things one episode after the other. But for some reason, probably because I work in cybersecurity, this Panorama program caught my eye, around, you know, the threats around businesses in the UK and ransomware, and there you were giving a nice fine piece to camera on a couple of occasions. Literally, I was quite impressed with what you said. What was important to you when they engaged you in this program? In terms of what did you wanna get across?
Jamie: So, I've worked on ransomware, I guess, policy, for four or five years now, um, at RUSI, and, and before that was working in cyber threat intelligence in the kind of period where ransomware was starting to become a kind of more significant threat to organizations rather than just, you know, people's individual computers and endpoints getting, uh, encrypted. And I think the big thing for me to get across is that ransomware is a national security threat. It's an economic security threat. It's a threat to societal resilience. And that right now the UK system, let's say, like government system, is probably not prioritizing it to the degree that it should. And that was the big message for me.
Yoyo: Were you, uh, were you nervous at all?
Jamie: No, not particularly, just because ransomware as a topic is my sort of comfort zone. If they'd wanted to talk to me about anything else, it probably would've been. Um, so that's a, that's a warning for this podcast. Um, but, but you know, I've given evidence to parliamentary inquiries three or four times now on ransomware. Um, and that was, to be honest, that was probably a bit scarier than Panorama, because I think with Panorama, unless you're a kind of, you know, politician who they're trying to catch out with a lie, or like a CEO who's done something that they shouldn't, you are kind of, you're not like a, a hostile witness for them, if that makes sense.
Yoyo: I think there's always a worry, isn't there? That, that, uh, especially in cyber, we tend to get quite passionate about what we're doing, and we can almost kind of take ourselves down a rabbit hole. What's important to you when it comes to really communicating the clear message? Because even techies, you know, they can, they can almost wrap themselves up with, with their own language, but boards of directors, courts in particular, they need to hear it really clearly, don't they?
Jamie: I think so. I think, to be honest, what I tend to find effective is analogizing it with kind of crimes that people are more familiar with. Um, and obviously for ransomware, something like kind of kidnap for ransom extortion is an obvious, um, version of that. And certainly there's a lot of boards that will be more kind of familiar with that as a threat. I think the other, the kind of point that I always try to land with ransomware in particular is that it is an opportunistic crime. Um, and that anyone can be a victim of it. It doesn't matter if you are a local coffee shop or you are a FTSE 100 company, anyone is vulnerable to it, and the criminals are very agnostic about who they compromise and extort.
Yoyo: And, and it's a bit like, um, I liken that to a lot of other types of criminals around fraud as well. They're also agnostic. They don't care about the impact, they don't care about the destructive element and the emotional impact on, on individuals when, when they perform what they do. Okay. Look, so, what's the focus right now? We've got a lot of security professionals engaged with listening to our guests, and they're always up for a bit of learning, a bit of a security vitamin shot for the brain. What should we be encouraging them to focus on right now, in terms of if they're gonna do any three things in the next six months, what should they be looking at?
Jamie: Well, to be honest, I think the depressing thing with cybersecurity and cyber threats is that really the fundamentals have not changed that much in the time that I've been working on this over the last, I dunno, 10 years. Um, people are still mostly getting in through the same initial access vectors. The types of crimes that they're doing have not had to change much because they have continued to be effective, whether it's ransomware or business email compromise. Um, it is still unpatched vulnerabilities of, you know, internet-facing remote access services. It's still MFA not being enabled on the right things. It's still phishing and spear phishing, and that is quite depressing from my perspective, that as an industry we, I think basically we have kind of failed, by a lot of metrics. Um, so if I'm a practitioner in this, I think that's probably the message I'm hammering to my board, which is we, we need to be doing the basics better than we currently are. But that does often require unlocking kind of senior support, whether for money or for people to say, okay, we may be a bit more prepared to compromise on usability or delivery because we're gonna take security more seriously. In the, in the current climate where, you know, you, you only need to open the newspaper and in the UK there's a major kind of car manufacturer who's been unable to manufacture cars, like that, that tends to land the message more, I think.
Yoyo: My former, uh, SecOps team, uh, leadership went, went there. Oh, really? I'll edit that bit out. But yeah, I've, I've even tried to reach out to a couple of them and I said, guys, you know what's going on? And of course, radio silence, massive radio silence. Um, but you mentioned a car manufacturer. Look, this happens to be a very prominent car manufacturer. Most people probably know who we're talking about. In fact, Jamie, I've been quite, uh, vocal in putting posts out on LinkedIn to explain, more importantly, not just the disruption, uh, ground zero, but the disruption to the supply chain, which is now having a very significant financial and livelihood impact. Because we all know, uh, the supply chain in the car industry in particular is incredibly tight. It's precision tight, and it doesn't have any flexibility for, for disruption. So I think a lot of people will be looking at this model. Is it sustainable? But what would every other car manufacturer be doing right now, looking at, crikey, what? What would we do if this happened to us?
Jamie: Well, I think it depends if they're treating it as a, as potential for kind of sectoral targeting, as with retail earlier this spring in the UK and the US. Mm-hmm. Um, and I think that was, to use a cliche, a bit of a wake-up call for that sector. Um, and certainly I think I had conversations with CISOs in that sector in, in the spring where they were just saying, you know, it was kind of luck who ended up getting compromised in a way, and who didn't. So I think, um,
Yoyo: Explain that rationale for me, Jamie, 'cause that raised my eyebrow. I'd love to know where that line of thought is coming from.
Jamie: I think basically that no one's security is that great. Um, is, is the rub of it. And there may have been some, I dunno, there may have been some other, I don't, I've got nothing to back this up, but there may have been some other retailers that were using some of the same third-party suppliers that the retailers that were compromised were, which may or may not have been the way in, depending on who you ask. Um, so I, I think for Jet, for, for the car manufacturing, given that the alleged threat actor behind this does have a history of targeting sectors in this sort of short period of time, I would hope that other manufacturers are thinking very hard about what should we be doing to not just harden our security, but be really focusing on kind of operational resilience and how they continue operations without access to kind of key digital systems.
Yoyo: I'd like to talk about complacency, 'cause I think you touched on it a little bit there, and I kind of wanna wrap that sentence up with complacency. I remember, you know, after 7/7, uh, in London and we had a few other terrorist attacks, the Met came out with a phrase of, you know, complacency is our worst enemy, and I've never forgotten that. I thought it was very, very apt for the time. But I can't help but think that even in the cyber space, the data protection space, we haven't really grasped that. We have an awful lot of very conscientious people, very focused on their segments within the cybersecurity space, protecting data and infrastructure, for example, but for some reason there seems to be a lack of real protectiveness. And I'm wondering if it's because we've got incredibly trained professionals, but they're not necessarily trained in a risk mindset. My role is a risk mindset role, so I'm like one of those harbingers of doom, or I can't do that 'cause that could happen, or it can't do that. But it's true. You know, we are trained to see that risk. Do we need to have more risk-oriented focus? To make sure that the focus is in the right direction and for the right reasons, rather than just simply creating apps, creating APIs, creating infrastructure that isn't designed with my new phrase, which is secure by default.
Jamie: Yeah, I agree with that. I think unfortunately, a lot of that though is not down to organizations that are buying software, but I guess particularly software as a service, or even a lot of hardware, because they are at the mercy of large technology vendors and their engineering practices. Um, and there is, there is definitely a push, or there has been a push over the last several years, to try and encourage, um, suppliers and software vendors to, um, adopt kind of secure by design and secure by default principles, which I think generally the sort of software industry has accepted the kind of idea of. But at the moment, there are no real sticks to actually force vendors to go down that route. The, the, the EU has introduced some legislation, um, the Cyber Resilience Act, which does create some liability for software vendors, but it sort of remains to be seen what effect that will actually have.
Yoyo: Yeah, because it's like, you know, doing the right thing, putting a burglar alarm system in your house, but the burglar alarm company not saying, oh, by the way, it doesn't work between 2:00 AM and 4:00 AM, and not telling you that. And, and the risk, is that clear? Uh, what, what about the challenge that businesses have right now, 'cause they're really mine, uh, where you've got third-party vendors, loyal vendors, good vendors, vendors that are delivering a good service, but they're not willing to support with third-party cybersecurity risk assessments. It's like, this isn't sector focused. This is really broad across industry and commerce. They're just waking up because it's become part of an audit process to have third-party, uh, uh, management processes in place, certainly with banking, right? But it's like everyone's so slow to wake up to why this is such a good idea and why it can expose significant flaws in those partnerships.
Jamie: Yeah, I think to be honest, the only thing that is likely to change that is probably like regulatory requirements around supply chains, because I, people often talk about kind of, you know, market incentives with supply chains and, you know, the vendors that are prepared to do those third-party risk assessments or do meet the better standards are the ones that will ultimately like win out from a market perspective. But I, I just don't think the last 25 years of, sort of, I guess particularly software development has shown that to be true. Um, there are, there are kind of bits of, um, legislation coming down the line in the UK, so like the Cyber Security and Resilience Bill, which, which is unfortunately only limited to a very small number of critical national infrastructure sectors. But that will create a lot more, um, onus on, uh, CNI, so critical national infrastructure, um, providers to, uh, understand their supply chain and hold their suppliers to a higher standard. I think even to the extent where kind of a, a designated like government minister in the UK will be able to kind of intervene if they don't feel like suppliers are meeting a kind of requisite standard of cybersecurity and resilience.
Yoyo: Look, this is a long time coming and many of us, certainly in the sort of GRC, the governance, risk and compliance space, will be absolutely praying for this to come in, 'cause it's got nothing but good intention and will ultimately spread the better good. But if we look at PCI, for example, it was only 2018 where only 52% of the organizations that needed to have those regulations in place to protect credit card data information actually had the compliance standard. That meant an awful lot of people handling our credit card data as consumers and not taking proper precautions. So, you know, what, what more does a business need than a big shakeup? Like what we're seeing in the retail sector, like what we're seeing in the car manufacturing sector, is everybody just sitting back just thinking, okay, so it's not us for now. Uh, it's like every single house in the neighborhood getting burgled and yours isn't. There's gonna come a point where you think, um, alright, let's get ready.
Jamie: Yeah, I mean a co, I mean, um, a couple of years ago I did a big research project funded by the UK National Cyber Security Centre, um, which was on the impact of ransomware on UK organizations. And there's a couple of reports on the RUSI website that people can look at, and I think one of my biggest takeaways from that was that, until you get punched in the face, you are just, that is the only thing, that's the, the most meaningful thing that will drive investment in IT and cybersecurity: getting compromised. As, as a like a CIO or a CISO, that seems to be the most effective thing that can happen for you to be able to go to the board and say, this, this has happened because we don't have this, this, and this. And then suddenly that opens up the kind of budget and prioritization that wasn't there before. So maybe you're right. Maybe you have to, maybe everyone just needs to be burgled before they're gonna buy an alarm and get better locks.
Yoyo: Well, I like your phrase about getting punched in the face metaphorically, because what we're basically saying is, as an organization, unless you get punched in the face, your situational awareness is never gonna be as effective as it needs to be. You know, if your situational awareness is great from the outset, 'cause you've had the training, because you've had the understanding and you've had the, you know, the causes and consequences drummed in. It's a bit like what us girls have to do, Jamie, all the time when we go out in the dark, you know, we've always gotta look around us.
Jamie: I, just as a follow-up thought as well, um, not on going out in the dark, um, but I think the other thing is that at the moment, the culture around cybersecurity incidents, well actually not just the culture, but also the regulation we have around data protection, does not encourage transparency and openness. So when a major cybersecurity incident happens, very little of it becomes public, in some cases for good reasons, but that means that it's much harder to learn, to derive benefits and learn lessons from historic incidents. And at the moment, we definitely need to create, uh, two things. Probably some sort of reporting requirements where organizations do have to report, whether to a named authority, with more technical information on an incident. But then we also need to have a, a, a more of a culture, maybe a media culture, where victims are not shamed, um, because of an incident. And, and in some cases, you know, there are businesses that have probably been negligent, but they are also victims of a crime. And in most cases, victims of kind of organized criminal gangs who are sheltered by, by hostile states. Um, and I think we probably lose sight of that sometimes.
Yoyo: So the analogy, if we go back to the neighborhood, is that the neighbors are getting burgled, but they're not sharing with the other neighbors the, the method of entry, the mo, the modus operandi, they're not sharing. So the other neighbors can say, do you know what? I think we should definitely put some more locks on our upper windows. If they're getting into the upper windows of all of our neighbors' houses, we should put some more locks on.
Jamie: They're not being burgled by local criminals. They're being burgled by experts,
Yoyo: You know,
Jamie: Russian or, organized Russian gangs, who the, I mean, the analogy really would be, you know, when the London hospitals, uh, were affected by a ransomware attack last summer, uh, which disrupted thousands of hospital appointments, emergency care, probably indirectly led to some deaths in my view. The phy, the real-world equivalent of that is a, like an organized Russian gang who has links to Russian intelligence walking into those hospitals with guns and saying, you can't use any of your IT systems until you pay us a ransom. But that just doesn't, that like, because it's digital, we don't treat that, the crime, with the same seriousness as we would if it was physical. Um, and it's very hard to change people's minds on that.
Yoyo: For those that were waiting for emergent appointments, that would've been subjectively very impactful.
Jamie: And actually my, my wife was giving birth in one of those hospitals last summer during the incident. So that, that was quite stressful. It was the kind of thing where I was like, I wish I didn't work in cyber, because I would not know how potentially bad this disruption is.
Yoyo: I speak to a lot of people, you know, in my day-to-day that want to join this, the kind of cyber mission, you know, they're already in the physical security space, for example, which is where I migrated from. They've already got a risk mindset. They've already got, you know, incident management experience. They've got business continuity and disaster recovery experience. They know how to run protocol, and they're quite good with legislative issues as well. So really leaping into cyber, even in a non-technical role, is not that hard of a transition. What would you say to somebody who is thinking about it? What would you say is the best thing to do? Come and join. Be curious.
Jamie: I don't come from a technical background. I was a professional musician for 10 years. Still am, I guess, on the side. And then, I actually studied war at university, and international relations, and started working in cyber threat intelligence, um, through that. And I think the thing with cybersecurity is that, so I, I played rugby as a teenager and as a young adult. And the good thing about rugby is that there, unlike football, I would say that there is a position for all shapes and sizes, and I think cybersecurity, similarly, there are positions for people of, metaphorically, all shapes and sizes, whether you, you know, are an expert in how people think and managing kind of human risk, whether you are interested in public policy, or you, you know, you are interested in kind of 24-hour security operations center type roles. There is, there's something for everyone, and I think the most important thing really is just to be curious. And read and listen to as much as you can, podcasts like this. Because I think if you are curious enough and you are prepared to kind of start again to some point, then I think there's always gonna be a route in.
Yoyo: I remember, I was in a conversation with a very good friend of mine, and she knows who she is, and I said, you know, look, I know how an API works and I know the different ways that we use APIs and I know that they're pretty great and we've gotta check certain things, you know? But I said, what? I dunno, and with non-technical specialists, we've gotta be so curious. It's like, what is it really? Do you know what I mean? Like, like what is it really? What is it? What does it look like? What does it feel like? What does it look like in an architecture diagram? And I think that's the approach you've gotta take. It's enough to see risk, to know that an API can bring with it a certain amount of risk if you haven't got security checks around it, for example. But it's also enough to be curious about what it really does. And I, I would, yeah, I'd say that's the same across the whole of the cyber spectrum really.
Jamie: Definitely, and I think that's one thing I found out pretty quickly in my previous job, but also this one, is just you have to be prepared to ask stupid questions and look stupid as a non-technical person and ask people to explain something to you like you're a 5-year-old. Um, when with, with some technical kind of functions, because otherwise it's just, it can be hard to truly understand. Like you could, there's only, you can only black it up to a certain point basically, I think. Right,
Yoyo: Right, right. But you know what, I don't mind letting people think I am not as bright as I am, and I don't, and I think, you know, if you are the type of person that you feel that you need to impress your knowledge on everybody, don't go into a non-technical cyber space where you're the, you are there to influence the way things are done. But listen, I wanna explain what an API is in the most simple, basic terms. It's so, so funny this, it's like a waiter in a restaurant. You, the customer, you look at the menu, you place your order, and then the waiter takes your request to the kitchen, which is the system. And the kitchen prepares the food, which is the data or the service, and then the waiter brings it back to you in a way you can use. And now people are gonna be thinking, ah, okay. An API is like a waiter in a restaurant, and they'll never see it, they'll never see sitting down in a restaurant the same way again. And it doesn't have to be that complicated, does it?
Jamie: No, I don't. I, I don't think so. I think, but, but, but being able to explain things simply with analogies is a skill in its own right, which not everyone can do.
Yoyo: That's reversible if you get a techie to try and explain to a board of directors why they need to change the rules on a SIEM, for example. Uh, because it's exposing a bit of risk. Maybe the rules aren't as, as tight and locked in as, as you know, it's like basically it's getting the machine to decide what it's gonna allow in and what it's not gonna allow in and what it's gonna prioritize for you to look at. But to get a non-technical person to explain that in a technical way can also be equally as challenging. Yeah, so I think I like that, that phrase, chief nerd translator, Jamie, where it, it's great. You understand the tech, you understand how it works. Okay, now I'm gonna put that in simple language and say we've gotta have a policy to make sure we check these rules on a regular basis to make sure that they're good for purpose. You know, it's like checking the tires on your car. You make sure they've got enough air in them on a regular basis, right? Boss? Yeah. Okay. Yeah, let's do that.
Jamie: I think we will probably have a generational shift at some point as well where we end, go on. You end up with senior business leaders who are more familiar with a lot of the kind of, um, basics of technology, maybe, than a lot of current executives, just, just because of what they have grown up doing and the fact that they have grown up in an environment where using, in the most basic sense, like using computers is more essential to day-to-day life than it was 40 years ago. Um, I think we will probably also end up in an environment, potentially legally, or from a regulatory perspective, where, and we've, you know, we're already in this situation in some count, uh, countries, where boards are kind of legally obligated to have more responsibility for cyber risk than they currently do. Um, which creates a more significant onus on executives to, to understand cyber risk and, um, I guess to have the right people in place at board level.
Yoyo: There's now a lot more liability that sits with the CISO role. I mean, I, I had a conversation with a deputy CISO who said to me, I don't even know if I want that big job now, 'cause it's just got such a burden of responsibility and liability with it. They've gotta take out, particularly... Yeah, yeah.
Jamie: Particularly in the US, I think. But then, but then there is, there is, there is a potential. I think it's important that it's not just the CISO who is liable, because otherwise you end up with them being scapegoated, often for decisions that are out of their control or, or prioritization about the broader business, which is out of their control. Mm-hmm.
YoyoNow at Rui, that's RUSI. We'll provide a link so that people can find, uh, links to docs. Uh, at Rui your research focuses on the national security implications of cyber crime. Yeah. What, what one is, has there been a program or, or, or a box set on TV that you thought, okay, this is probably the most realistic?'cause they all get a little bit. You know, farfetched, don't they, like Cobra did, um, we've got a couple of others floating around. What would you recommend for somebody who is interested in, in looking at genuine, you know, impact? Yeah. What would you direct'em to? I don't
Jamiethink there's much, I don't think there's much on cybercrime specifically, just because I think, uh. Media and by which I'm like, TV suffers from the same problems that I see kind of politically, which is that cyber crime is not as sexy as sort of Russian cyber attacks or China orran. Yeah, yeah, yeah. Sp yeah, like criminals are less cool than spies basically is the. The nub of it. I think there was a Channel four series called The Undeclared War, which came out a few years ago, which was set within GCHQ and was about a Russian cyber attack against the uk. I think that was pretty good. And I know they did a lot of consulting with. UK intelligence community when they were making it. So there's a few bits of it that are a bit silly, but I think, um, I think it captures a lot of the, like, oh, there's a cap. Um, a lot of the realities of it, um, and the. And, and, and to be honest, like captured quite a lot of what I see as the sort of conceptual debates about offensive cyber operations. So things like, are they escalatory? Um, like what kind of cognitive impact do they have on senior decision makers? So yeah, I, I think I'd recommend that. Um, and avoid things like the Netflix series Zero Day, which I thought was a bit silly. Um,
YoyoI couldn't get through the first episode of that, to be honest.
JamieAny Hollywood films basically. So probably, you know, trust the B, B, C and channel four would be my, my conclusion.
YoyoThe undeclared war was a absolutely, I feel like I need to go back and watch that. It was stunning. It was breathtaking actually. And it was, I felt like, you know, I remember when I was a kid and my dad, who used to be a deep sea diver used, couldn't get through the abyss because he said it was ridiculous. Um,
JamieI, I, I think, I dunno, maybe one of the problems is it is quite hard to make
Yoyoit
Jamiesexy. Something like this. Cool. Yeah,'cause so much of it is just someone sitting at a computer typing. And I've often spoken to journalists that have been making Doc, you know, and maybe this was the true to some extent with the Panorama documentary as well, like it's quite hard to make a compelling documentary about cyber crime when. Visually, there's very little you can include and also it is very hard to engage with the criminals as well. So you just end up talking to kind of talking heads like me, which is only kind of interesting up to a certain point. As a casual viewer,
Yoyoour post office got hit really bad last year. Um. Let's talk about recovery. How are they doing in terms of, you know,'cause that was a significant and impactful cyber attack. I know that they've had to have a complete rethink. They've had to look at strategy a lot more. What, what's the recovery like in real terms for an organization? Even when we compare what's happening with the car manufacturing industry in the UK right now?
Jamie: I mean, I have interviewed ransomware victims where the recovery has taken years, um, in terms of rebuilding systems and recovering, um, different services. I think particularly some of the UK local councils that were hit, I mean, I think Hackney Council, which is a London council, which probably services about three or a hundred thousand people, which was, um, hit by ransomware in 2020. I think that recovery is still going on five years later, to some extent. Um, and obviously for, for UK public sector organizations, they also can't pay ransoms. So the only choice they have is to kind of completely rebuild in some cases. So yeah, I think it's, it's devastating and it goes back to, in a lot of cases, and I think probably particularly if you don't have cyber insurance, it is going to save you a lot of money to stop or limit the impact of an attack in the first place than it is to try and recover from it.
Yoyo: And, and I love what you're saying, honestly, because it takes me back to basics again. If we've got our basics covered off, it does frustrate me a little bit, Jamie, when I see these kind of like sexy conversations going on around agentic AI, and you see them going on and you're like, come on, why don't you get all your service accounts sorted out first so that we're not dealing with, like, people that are inside our information environments and we don't know who they are? Let's just get the basics done around our naming credentials. Let's get some basics done around MFA. Let's get some basics done. I mean, there's, the list is just endless around the security hardening, which is where the focus, I think, should be, instead of looking ahead already. So we've leapt over AI. Hmm. Now we're on agentic AI, and it's like, come on, too fast. The question is how do we get businesses lured by the sexiness of agentic AI, for example, and its solutioning to, to stop focusing so much there, but keep focusing on the basics first?
Jamie: It's unbelievably hard, to be honest, and I feel like this, that, dilemma is being experienced across not just organizations, but also in the kind of space that I work in of like public policy, where it's very hard for me to go out and get funding at the moment for what I would consider to be like core cybersecurity research, because the only thing people care about is AI. And I think that will, I, I think the kind of bubble will burst to some extent at some point, and there will be some return to normalcy. But yeah, to be honest, I dunno what the answer is for, um, I'm sure there will be ways in which AI is able to help do the basics. Um, but yeah, I'm not sure we're there yet.
Yoyo: No, me too, dangerously far away. I think that we're gonna see an awful lot more punches in the face before everyone realizes, oh, I'm a bit fed up with this. Yeah. Um, what's on your wishlist? So if you could, you know, if you could wave a magic wand, or if you could have this legislation that did X, Y and Z, or you could change things drastically for the better, what would you wanna do, Jamie?
Jamie: I think there's a couple of things. I mean, I think to go back to the conversation we were having earlier about secure by design and secure by default, I would be looking for, I think the thing that would interest me most is the US government creating legislation or regulation which holds software vendors to a higher standard on securing or engineering in a more secure way, and probably creates a liability regime for that. I don't think, if, so, the, as I mentioned, the EU has done work on that. Countries like the UK and Singapore and Australia are also considering it. But I think that has to happen within the US market and in the country where a lot of those companies are headquartered to, for that to have real, to create real change. And then I think the, in the UK, I think I would really, and this is not really a cybersecurity point, but I would really like to see more resource and prioritization of cyber crime over, not, not at the expense of kind of state threats, but, but like more money within the system going towards cyber crime investigation and prosecution. Because I think right now, between the kind of twin threat of Russian ransomware and the kind of new generation of English-speaking hackers or criminals, so the kind of Scattered Spider and the, you know, Lapsus$ and the Com, um, I think the system is like really under strain at this point, and they're not able, they don't have enough resource to kind of, you know, simultaneously pursue disruption operations against Russian-speaking groups while also investigating, uh, charging some of the younger criminals based here.
Yoyo: No, you're absolutely right. I was gonna ask you about Scattered Spider. Let's talk about these individuals. Take me through what you know, to the best of your experience, around the, these types of individuals and what their motivations are. And I get that they're not, they don't have a singular motivation, but what makes somebody wanna do this?
Jamie: So. So I need, so on the day we're doing this interview, two people, two of them have been charged again by the Met. Um, so I need to be slightly careful about what we say just for sort of contempt of court reasons. So I won't name any individuals, but I think in the, in the broad sense, it's, it, the motivation is a mixture of financial, although I think the financial aspect is much less important than it is for, you know, like West African business email compromise groups or Russian ransomware groups, or the kind of fraud, you know, massive fraud industry in Southeast Asia. But it's a mixture of financial, but then also there's, there is an ideological aspect to it, but it's not, I guess it's not political in the sense of like old school hackers, which was quite kind of libertarian and anti-government. It's more, I dunno, like a sort of nihilistic, um, like just burn everything down sort of ideology, mixed with, like the, the idea of kind of like kudos and one, one-upping your peers in these kind of broad criminal networks is super important as well. So it's kind of the thing that like you would expect modern teenage boys that spend too much time on the internet to be interested in, essentially. Um, increasingly, it's also mixed up with things like sextortion and other kind of crimes that cross into the physical, physical world as well. So it's like, it's a really, it's a really nasty period I think we're experiencing at the moment. And I would not, I would, I would not wanna be a teenager at the moment as well.
Yoyo: I think you've said that well. In fact, Robbie Williams said, you know, he struggles, as you know, with his mental health, and he said openly, I struggle with social media. Why would I wanna expose my 7-year-old child? Why would any parent wanna expose their 11-year-old child to that, some, you know, many, many exposures that adults can't even deal with? So, no, I agree with you. I don't think being a teenager is easy right now.
Jamie: Yeah. It's not to excuse the awful crimes that some of these people are committing, but it's like the system in the broadest sense is failing a lot of them at the moment.
Yoyo: Agreed. Agreed indeed. What's the government's limitation of responsibility, do you think? Because it used to be that the, the National Cyber Security Centre said, look, it's not, it's not down to us, you know, you've gotta take responsibility. And now they're coming and kind of saying, we're gonna do more. What's, what's their position that you can speak to on this?
Jamie: Uh, I guess it depends which part of government we're talking about. Um, I think, so, yeah, the National Cyber Security Centre is kind of predominantly focused on protection of critical national infrastructure, but then also pushing out, I guess, guidance to the rest of the country. Um, there's definitely been a sea change recently, which you just alluded to, in the kind of messaging from the NCSC, um, and their last annual report, I'm, I'm sort of like paraphrasing, said something to the effect of the, you know, businesses are not keeping up with the threat and it's sort of as bad as it's ever been. The problem is, is the NCSC is not a policymaking organization. It can't pass legislation, it can't set regulation. So it's down to the Department for Science, uh, uh, Innovation and Technology, which does cyber policy. And I think they're, they're a bit more subject to the, to the current government's sort of broader growth mission, which is quite anti-government intervention and anti-regulation, um, which has come at quite a bad timing for cybersecurity, I think, because I do feel like we're in a bit of an inflection point at the moment where things don't seem sustainable. Um, but I just don't think that the government is up to the challenge of that. And then I guess the third part of the system is the kind of law enforcement and criminal justice, um, part of the system. And I think, and to go back to those kind of teenage cyber criminals, it's, it, it takes so much effort to investigate and bring charges against them. But then the sentencing guidelines, it is kind of like, okay, you're gonna go, you're gonna be on, have a suspended sentence for six months to a year, even though you've caused half a billion pounds damage to a major UK organization. And that is not, does not seem sustainable to me either.
Equally, I don't think we should be locking up neurodivergent 17-year-olds for 20 years as they might want to do in the US. So it's a, it is just like a, it's a really difficult problem, which is not getting enough political attention or public debate, I don't think. Um, if we compare it to kind of terrorism 20 years ago, and that's, they're not completely the same, and obviously people dying from terrorism is worse, but there was serious public debate about what is the best strategy for countering terrorism, what sort of legislation is required, what sort of resourcing is required for law enforcement and intelligence agencies. And I just, that's just not happening with cyber at the moment.
Yoyo: Jamie, I can't tell you how you've literally solidified everything that's been floating around in my head for the last six months.
Jamie: Okay, that's good to hear.
Yoyo: I feel like there's other people out there that have the same concerns about the, almost, we're almost too segmented, aren't we? Is there a country that's getting this right? Is there a model out there that we should be looking at?
Jamie: I mean, there's parts of the EU's approach that I like, particularly around, I guess, requiring higher levels of cybersecurity of certain sectors, but then also the kind of secure by design approach that we talked about with technology vendors. I think politically that's not really viable in a lot of countries at the moment because it's seen as too interventionist and too kind of anti-tech or anti-growth. Um, I think the, like Australia tends to be pretty good, and I think their last national cybersecurity strategy I think was like an interesting kind of middle ground between the EU and the more what I would characterize as kind of laissez-faire approach of the UK or the US. Um, so they're like, they've just set up a cyber safety review board, like the one that the Biden administration had, which investigated some of the really significant incidents during the time of the Biden administration, I think. There's generally maybe clearer messaging there about kind of what the roles and responsibilities are of government versus the private sector, and I think that's something that's really important in the UK, that government really clearly says, this is what we do and this is what you need to do, and if you don't do that, these will be the consequences. Um, 'cause it's just too vague at the moment, and I think there's probably also too much of an expectation that government will come and help you in the worst case scenario, which I think, as we're seeing with Jaguar Land Rover at the moment, it's probably unlikely that that will actually happen.
Yoyo: Yeah, yeah. Uh, crikey. Where to go from there? All I can say is, um, Jamie, listen, it's been really thought provoking. I think you've made an incredible amount of sense. I wanna keep you in my virtual board of advisors in terms of cyber legislation, and I'd love for you to come back next year and talk specifically to the legislation that's had some time, you know, to be socialized, and we can talk about how effective it is and whether we can see a sea change going in the right direction.
Jamie: This time next year, we may also have some dedicated legislation on ransomware in the UK as well, which includes the first sort of national payment ban. So we might see the effects of that as well.
Yoyo: Jamie, big fan of you. Thank you so much for coming onto The Security Circle. Much appreciated.
Jamie: Thanks for having me.