Diary of a cyber attack
An insight into managing critical cyber incidents at a national level.
What happens when a cyber attack takes place? In this episode, we take a look behind the scenes of cyber incident response.
It's not just technical teams who are involved. Clinicians, communications teams, and other specialists have an important role to play and must work together to efficiently minimise the impact of an attack.
Diary of a cyber attack transcript
Mike Fell, NHS England:
Hello and welcome back to the Cyber Sessions podcast. I'm your host, Mike Fell, the Exec Director of Cyber Operations at NHS England.
In today's episode, 'Diary of a cyber attack', our guests are going to be sharing their first-hand experiences of managing critical cyber incidents, some of which are at a national level. I'm really thrilled to be joined by Paul Chichester, or Chich, from the National Cyber Security Centre, and Tim Carr and Sarah M from NHS England.
I'm going to kick off with a bit of a one to one interview with Chich before we go into a panel discussion, so let's open up with some questions to get some insight from that national perspective. So would you like to introduce yourself, Paul, and tell our listeners a little bit about your role?
Paul Chichester, National Cyber Security Centre:
So my name is Paul Chichester. I am currently Director of Operations at the National Cyber Security Centre (NCSC), which is part of GCHQ, and that is where I have spent now over 30 years of my public sector career working in the field of intelligence and security. Previous to the NCSC role that I took up in 2016, I did a variety of roles, technical roles but mainly operational roles, across, as I say, the intelligence and security world.
Mike Fell, NHS England:
Great. And a question I often get asked with a very different but kind of national role involved in cyber is what motivates you to do such a damn hard, challenging and important role? What is it that makes you get out of bed for that?
Paul Chichester, National Cyber Security Centre:
Well, again, it's probably the same as all of us or many of us, certainly in, you know, a lot of us working in the public sector. I think I mean, partly because it is so challenging and hard but important, right? I think we're you know, a lot of us are motivated by those sorts of challenges, be it we, you know, we like a technical challenge or an operational challenge or a clinical challenge or whatever. But I think that's important. I think you know everybody I'm sure when you know in the health service will recognise the importance of their role and the importance of our role in the cybersecurity world to hopefully allow them to operate effectively and safely and securely for as much of the time as possible.
So I think just sort of, you know, that mission purpose I think is a huge element, and the feeling that you're making a difference, that, you know, there's a sort of real world outcome in what we do in the cyber world. And certainly I think, you know, in the role that I have in the NCSC, which is really looking at managing national incidents and looking at sort of the threat and how we understand it, I think you can see real world impact when incidents have a negative impact, but you can also see where you are when things are working well, or that you recover from an incident, or you kind of get the systems back online and you can get services back online. So I think seeing that, for me, that connection between what I'm also passionate about, which is technology, but seeing that actually that's not just an end in itself, but actually the technology has a real link to real world people's lives. And that's the thing that probably has a massive motivation for me.
Mike Fell, NHS England:
Yeah, I think it's, as you start out by saying, it's kind of those common things that do it, and it's doing it sometimes because it's hard and sometimes because of the mission, right, isn't it?
And a different aspect, I know that you've been involved in the NCSC since its initiation back in 2016, and one thing that I think many people have appreciated within that time is that the move to be more transparent, particularly in the publication of annual reports, giving breakdowns about the scale of incidents, significant incidents and the impact across sectors and the reason I say that is because we quite often try and look for the unique aspects of what's going on in our own sectors and we've seen within the annual report for the last year, actually health increasing in terms of its kind of impact and that and where I'm getting to is what do you see as the most pressing cyber threats for health, but also how unique are they to health? Or is it just an endemic kind of thing where we've got more in common with other sectors than unique?
Paul Chichester, National Cyber Security Centre:
Yeah. And I think there's probably two parts. One is actually, I think, the not unique threat, which is ransomware, you know, and the NCSC appreciates the sort of plug for our annual report on some of these matters. But I think ransomware continues to be, as we've said, the most pressing threat to the UK writ large. It's indiscriminate. It can target any sector in the UK, any business, public or private sector. And it can have devastating consequences. So I think for us, the thing that is common across health and other sectors is ransomware. It's the thing that we spend a significant amount of our time in incident management and our response work dealing with and working with organisations. And I think it still does have the most immediate real world impact, and therefore people sort of feel it more than any other threat.
I think if I was sort of looking at more specifically sort of health, then it's people looking for personal data. And that can be criminals, but also can be nation states increasingly sort of seeing in the world of artificial intelligence and the ability to now crunch a large amount of data with very smart algorithms.
As we know, the way to improve UK health is through data and being data-driven and analysis-driven. Our adversaries absolutely see that the same way. So I think also, increasingly, remembering that as we see our own data as being vital to help us improve public services, our adversaries see the value of that data as well. And so we need to think about how we protect it as well as exploit it going forward.
Mike Fell, NHS England:
Yeah, those are themes that are absolutely at the heart of NHS England's approach to threat management as we increasingly operate with population scale datasets for the benefit they can bring, and data genuinely does save lives in public health initiatives as well as in day-to-day engagements. So that's super helpful, and you touch on some of the bits there, and I can't avoid the opportunity, having somebody with such an erudite history in the intelligence community as yourself, of getting towards the territory of the more capable adversaries that you're experienced with. You know, we use language like the nation states and the zero days here, but at the same time we can't forget that the UK is a nation state and also a highly capable cyber actor. So against that, are there any times when you've been genuinely kind of amazed at the ingenuity or capability of an adversary in an incident?
Paul Chichester, National Cyber Security Centre:
I'm not sure whether sadly is the word, but sadly, yes. I mean, you know, again, as somebody who sort of looks across that sort of landscape of how ultimately you can exploit technology. And I was a pen tester for a long time and, you know, red teaming, and I've done offensive cyber operations and things like that over many years. So you kind of definitely look at, any time you're looking at an incident, I suppose you're looking at it through multiple eyes, and there definitely are times where you look at something and go, OK, that was quite an interesting technique.
Some may know that, you know, at Cyber UK, which is our big sort of yearly event, we always do a talk where our technical director for incident management does a talk around the things we've seen in the previous 12 months that have been different or interesting or quite innovative. And so yeah, there definitely are. I mean, I think we shy away from saying too much publicly about that part because we don't want to sort of motivate people to either copy or to build on that. But I think there are definitely times where you see that. And to some degree, I think that's motivating for us as well. If we're seeing that and we're detecting it, then it means we're probably doing something right in terms of understanding that; again, it's back to the challenge.
So there's definitely things that I think we can learn from that. And I think that the key thing to take away, maybe from all of that, is that the threat's not static. So actually our adversaries, be they criminals or states, are constantly innovating, are constantly coming up with new ideas. I mean, arguably, criminality is at the heart of, you know, those that we see who can innovate at pace, very often, on things, and so how we've seen the ransomware threat evolve from, you know, purely being about encrypting data and making it unavailable to now sometimes not even doing that bit and jumping straight to extorting, saying we're going to leak this information. So you definitely sometimes have a grudging respect for the people behind this. And so, yes, I think, you know, there are sort of moments where you do look at that, and then the key for us will always be, and therefore, how do we take a learning approach from that?
So we need to be looking at that and then improving our own defences and I think that's the other thing to say that whilst the threat isn't static, those of us that sort of work in this domain also can't be static in our defences. We constantly need to be changing them, adapting them. This is a very agile environment and sometimes that can be difficult for organisations because a change in the way that we might need to defend might have an impact from an operational point of view and trying to get people to understand that can sometimes be difficult. So yeah, there's definitely a lot that we take away from those kinds of experiences.
Mike Fell, NHS England:
Yeah. And I think that's a really interesting point you make there about the innovative aspects of it; like running an organisation, you need to focus on the foundations and the innovative to keep your market share as well. And I think, certainly for us, we'll probably touch on this within the panel later on, but some of the frustrations, in the language you use there about sadly and frustratingly, some of the frustrations and sadness in the incidents that we see within here is the foundational controls which could prevent a good number of these, such as, you know, weak passwords being used, not patching critical vulnerabilities, and those things that, whether it be criminal or otherwise, are going to be used as the first step to try and get in at the lowest level.
And then moving to the next theme about how we position, and this change in culture that the NCSC having that front door has been. Security can often, more so in the past I think, be accused of being in the shadows and of playing the intelligence card and not sharing everything that we could do. And this then becomes layered in structures like ours, where we're operating a national security operations function for a sector, which then has a really close partnership with yourselves operating at the national level too. Can you talk us through what are the things that actually make an incident of interest to yourselves at NCSC, as opposed to something that should just be handled at a local level?
Paul Chichester, National Cyber Security Centre:
Yeah. I mean, primarily we're driven by the scale of the impact.
So our role is to ensure that the most serious incidents are coordinated and are managed effectively, so helping where we can. So that might be in an organisation that is critical to the UK that doesn't necessarily have the experience or the capacity to handle a major incident. So, you know, it might mean leaning in on one particular incident where the impact is, again, broad, be that from operational disruption, be that from the scale of the data theft, or what have you. So we definitely sort of look at it from that impact point of view. I think also where those incidents' needs are more complex in terms of the organisations involved. So that might actually be where certain sectors, or, you know, an incident in a certain sector, has an impact on broader sectors, and it's that sort of either cascade risk or the risk that cuts across government.
You know, but if you can deal with an incident within a sector, then sometimes that's fine for our role, and the reason the NCSC would get involved is when you're trying to coordinate multiple bits of government to manage an incident at scale.
Really good examples would be, I mean, we'd stood up just before WannaCry hit, and so, you know, played a role in WannaCry, but NotPetya happened not long after. For those that are not au fait with all the language, NotPetya was the cyber attack that was ultimately attributed to Russia and that targeted Ukraine, but whilst it targeted Ukraine, it actually had a massive global impact because of the way it operated, and so that touched pretty much every sector and business area in the UK. And so again, you know, that scale of impact is what drives us. I think, just playing to the last question, though, also where we see something new or different; I mean, you know, our job is to try to collect that understanding and share it.
So when we see, you know, if we're seeing new or interesting or innovative techniques by an adversary that's being applied in one sector, we want to share that; we want to then say, well, everybody needs to know how to defend against that, not just that sector. So sometimes we will take a role in an incident because actually there's learning that the country can take from that. And so it's all really driven by, you know, the scale of the impact, but also the opportunity to learn; those are the two big drivers for us.
Mike Fell, NHS England:
Yeah. And that's really interesting, seeing the parallels as well with those different layers, with really similar ambitions within our cyber operations across the health sector, and also the demands and requests that we rightly get for that rapid sharing of intelligence to help others protect themselves and learn from where we see innovative things. And for us as a sector, you know, over £350 million invested in cyber in health since WannaCry in 2017, which is unbelievably nearly ten years ago now, and the report into WannaCry was very transparent about the lack of communications, about the costs that incident created and the harm created by choices to disconnect from the Internet in the absence of having those information flows, something that is really different now because of the existence of centralised national capabilities. And despite your youthful good looks, I know that you've been around cyber incidents for some time as well, so what do you see in your role as the kind of big differences between five years ago, 10 years ago, both on the positive and the negative?
Paul Chichester, National Cyber Security Centre:
Well, luckily this isn't videoed, so nobody knows that you're being overly kind on the youthful good looks bit. But I think, what are the sort of key differences, the changes since then? I mean, obviously there's the sort of impact of incidents: because we are constantly more connected, because we're constantly more reliant on technology, the impact of incidents is increasingly greater on society and organisations.
And organisations are still probably not realising that their operational resilience is underpinned by their technological resilience, and I think not necessarily really understanding the link. I think people still think of technology as office automation and business apps, that kind of thing, not realising that actually their business, whatever their business is, be it transport, logistics, health, military, you know, you pick a sector, but actually everything, whatever our mission is, whatever our business is, it's built on technology and more and more reliant on technology, which means I think we're seeing bigger scale impact from incidents.
I think the pace, and probably many who sort of do this day-to-day may resonate with that, it feels like there's less downtime than ever before. So I think, you know, as an incident responder, you sort of feel like it used to be that you would surge, you would work really hard, you would deal with an incident, and then your teams could have a bit of downtime. You build that resilience, and so one of the real challenges I think in this sector at the moment is both individual and organisational resilience. That's much harder now to build and therefore something we should think more about. We certainly are, in our teams, building in that resilience. So I think those are sort of things that, you know, the scale and the frequency of incidents has changed.
I think things that haven't changed, and you sort of touch on this, are some of the root causes of those incidents. I think they still continue to be, as you say, things that we do, you know, that we will have learned from WannaCry, that we've learnt from other incidents, around either patching or use of authentication, passwords, things like that. So, you know, there are definitely things that change, but some things that are still, I think, if we can really get after and fix as a community, will hopefully give us back some of that resilience and a bit more downtime.
Mike Fell, NHS England:
Yeah. Thank you. I think that very much chimes with experiences that we have, and not least, you know, that point about personal resilience. We're recording this at a time when, within the health sector, we literally have an unprecedented level of live incidents at the moment in the public domain, and the challenges that places on the amazing people that are involved with this is always front and foremost of my mind, in that pastoral element to build the resilience, organisationally and for the individuals that are doing the inhuman to respond to these.
So speaking of those amazing people that are at the forefront of this, we're going to open up the discussion now and have a bit more of a broad conversation about how cyber teams do respond when an incident takes place. So I'm delighted to welcome Tim Carr and Sarah M to the conversation as well. So Sarah, would you like to introduce yourself?
Sarah M, NHS England:
Thanks, Mike, and thanks for having me. Hi everyone. My name is Sarah M. I'm Head of the Compliance and Engagement team in NHS England. So I've been working in NHS cyber for six and a half years, leading the communications on cyber security incidents.
Mike Fell, NHS England:
Great. Thank you. And Tim?
Tim Carr, NHS England:
Hi there, it's Tim Carr here, Senior Incident Manager within the Cyber Security Operations Centre with NHS England. While I was at the University of Sheffield, I got interested in cybersecurity and joined NHS Digital back in the day, during the chaos of the first lockdowns around 2020, and I've basically been embedded in the SOC (Security Operations Centre) since then, building the incident management team with my manager over that time. But it's a big honour to be here. Thank you.
Mike Fell, NHS England:
Right, thank you. So I'm going to open up with some of the more emotive aspects of this, and I know this will be something, whether you are on the security side or the business side of things, there is an emotive kind of response to that, and I'm keen to just hear what it actually feels like when you get that first alert to an incident. So Sarah, on the comms side of things, what does that feel like when you first hear about an incident?
Sarah M, NHS England:
Yes, I think first and foremost, I think it's kind of just getting that focus, having a live incident I think really brings that focus to your work. But there's always that anticipatory concern, particularly for the folks at the receiving end of a cyber attack. So it's really trying to understand what's happened quickly so that you can then move on and do the job at hand. And what's needed in that incident response piece.
But for me it's very much kind of that concern element and the human element that's at the end of it.
Mike Fell, NHS England:
And Tim, as somebody that often has to pick up the phone or e-mail or receive the call on that, how does it feel when you get that?
Tim Carr, NHS England:
Yeah, I think frankly, you know, there's always that element of dread; we are all human beings, and it's that feeling of something big is kicking off. We're going to have to down tools and jump in to support an organisation here. But I do echo what Sarah says, particularly with the context of us monitoring the National Health Service, which is in my mind one of the crown jewels of the UK's infrastructure; there's that sort of concern over the true impact on the ground floor. You're thinking about, you know, people on wards, thinking about patients and whether or not this incident you're about to jump into is going to be causing clinical impact, harm to patients.
I think very quickly, though, you do, knowing that you have this role assigned to yourself, knowing the job's at hand and having the predefined playbooks, potentially you do sort of just crack on with the task at hand, and in some ways you enter that zone, that state where you're looking at effectively trying to fight a fire, fix the problems and remain professional. And sometimes you find yourself getting to the end of a day where you finally sort of decompress and you let out a big puff of air and it all comes to you, like, what you've just dealt with, really.
Mike Fell, NHS England:
And Chich, does it ever stop, that kind of, I think some of the words there, the dread, the anticipation? When you've got that industrial scale and when you're doing it day in, day out, does that evaporate or is that ubiquitous?
Paul Chichester, National Cyber Security Centre:
Yes and no. I mean, I think, I suppose at a national level it's slightly different because for us normally the incident itself isn't, it's not our systems.
So that sort of visceral feeling is slightly sort of second order. I mean, you obviously care and you do this to make a difference and reduce the harm to the UK and the impact on the UK.
So you're certainly similar in that, but I think from my perspective, I think probably again it's sort of different depending where you are in the organisation. But for me, because, like, you know, you've got an amazing team, you've got a lot of people that are dealing with this. So for me, when a new incident comes in, there's probably two things really. One is team resilience, you know, and how do we make sure, because I think the one thing we know from experience is, actually, it's making sure that you are thinking beyond the first 24 hours.
And actually, so we know how are you going to deal with this after 48, 72 hours, seven days, 14 days. And so being the one that says, hang on a minute. Right. I know, because, and I'm sure it's the same, like everybody wants to come in, right, everybody. Because if you see something at a national level, you know, even people who are on holiday will be phoning in going, oh, we want to help, right. That's who we are. That's why we do what we do. But actually, from a leadership position, saying that's really appreciated, but actually, no, not now, because I'm going to need you in two days' time. And I'm sure that's, you know, very true in a big, you know, medical incident, or, you know, nationally managing that sort of challenge around resilience. And I suppose a second link to that is prioritisation. So because in the back of my mind, you know, normally we're juggling tens of incidents at any moment in time. So there's how do we make sure we deal with this incident effectively, but what's the impact of this incident on the others? Are we going to have to reprioritise things? Am I going to have to move people around? Am I going to have to sort of juggle that?
Mike Fell, NHS England:
Yeah.
Paul Chichester, National Cyber Security Centre:
And, you know, you alluded to the scale of the sort of challenges that you're dealing with in the health sector at the moment, and so, you know, similarly, you know, how do you sort of make sure that you're sort of prioritising around that. For me, particularly at our national level, that's how we sort of view it.
Mike Fell, NHS England:
Yeah. And it's remarkable, though, the similarities in terms of the human nature of the desire to help, and that kind of leadership, the importance of that leadership role in pacing people for the marathon, and all of those kind of more logistical elements of arranging it. We touched on a few, I think, of the elements there about what an effective response involves. Tim, you mentioned the importance of a playbook and a structured approach; what are the other aspects that you'd kind of advise listeners around? What are the jigsaw parts of an effective incident response?
Tim Carr, NHS England:
I think it's rehearsing where you can, and I don't want to emphasise that too deeply, because to an extent it's like the famous quote, 'everyone's got a plan until you get punched in the face'. Like, every incident is going to be very different, and playbooks will only get used so far. When you rehearse them in person, you might find that someone's on leave. You might find that an incident is just completely unprecedented in scale, but it certainly helps you understand the initial pain points.
Have you got the right contacts? Does everyone understand their role? Have you built out the documentation so that someone new to a team can quickly pick up a process and crack on with it? I think another part that we're really trying to make use of at the moment, touching on sort of the advent of technology-first businesses that Paul was discussing earlier, is the idea of utilising this technology for the greater good.
So we're trying to build in a lot of automations where possible to remove some of that administration overhead when we have a critical incident kicking off, so that again removes some of that requirement from analysts to potentially run around. And it's simpler things: setting up meetings, setting up chats, pulling together files and pulling together templates. You can get an automation to handle all of those processes, and it frees up headroom for you to focus on some of the more critical aspects, such as the initial questions to an organisation, the initial engagement. And, you know, those first few hours of an incident are really crucial in ensuring that everyone understands the role assigned to them and that the context of the incident is clear, so that you can properly posture the response that you then generate.
Mike Fell, NHS England:
Yeah, I think you're right about the responsibilities part. I'm always really conscious, particularly in dealing with third parties and those not closely involved necessarily, of the acronym soup that just gets thrown at them in the early stages, between your NCSC (National Cyber Security Centre), your NCA (National Crime Agency), your GSG (Government Security Group), your Cabot; there's just a real acronym soup. I think that kind of signposting to what all of those are, and the roles that they play, is key with it.
And Sarah, I mean, as a communications professional in this space, one of the real challenges, as we've alluded to there, is that preparations are key until you, quote, get punched in the face, and the inevitability of that is that every incident is different because of the ambiguity that comes in. What would your advice be as to how you can kind of ensure there is an effective response despite all of that uncertainty, from a comms and awareness perspective?
Sarah M, NHS England:
Yeah. So like Tim said, it's having your kind of kit bag ready. It's having things such as your comms lines ready, to a point. So you've always got that starter for ten, you know, based on various different scenarios. So we've done a lot of scenario planning based on the kind of incidents that have happened over the years.
Making sure that your contacts are up to date as well. Having those key contacts with the key stakeholders who you know you're going to have to call upon.
And the needs of an incident, so from a national comms perspective, it could be regional comms colleagues, it can be national EPRR (Emergency Preparedness, Resilience and Response) colleagues and things like that. So it's making sure that you've got those real contacts and those relationships existing as well that you can draw upon. And then, like Tim said, making sure that you've got things templated, such as the emails that I always send out to impacted organisations, for instance, just telling them the basics of what's happened and what their key lines are going to be, and also making sure that you've got those procedures and processes for escalation in place as well. But I think, kind of, first and foremost, I think it's just keeping calm in the situation.
I think it's really easy for people to lose their heads sometimes in an incident. Keeping calm, I think, is really, really important.
Mike Fell, NHS England:
Yeah, I mean, a really, really key attribute, that keeping calm, and I think it's that which enables some of the most fantastic work that I see of the coordination to actually make sure there is alignment on the communications bit, because I think the trust inevitably comes in an incident response through consistency of messaging, and if one organisation is saying something different or at a different time, there be dragons.
Sarah M, NHS England:
Yes, definitely.
Mike Fell, NHS England:
And kind of reflecting on that, I sometimes think my epitaph might be 'it's lovely to meet you, sorry it's in such circumstances', because it's something that I seem to find myself saying regularly.
I think obviously the ideal would be to have strong relationships with organisations that one's going to be involved with in advance of something bad happening. The inevitability, I think, with all of our roles is that the scale of what we're trying to achieve means that that's unlikely to ever be the case. So I'm really interested in the panel's views on how you go about rapidly building those relationships in the kind of minutes, hours and days after an attack. How do you build that trust and get that coordination and everything that we're talking about?
Sarah M, NHS England:
From a comms point of view, my role in the incidents tends to be that translation piece between the technical and the human.
So once the kind of key stakeholder call has happened, I then reach out to the organisation, sometimes speaking to chief execs or communications teams, to just kind of really put in a human context what has happened, why it's happened, you know, going back to Chich's earlier point around the value of data.
I'm just putting it in human terms, things like, now, sometimes these attackers have HR functions and customer service functions, and, you know, things like that, just kind of bringing it down to normal human language so that people have a better understanding. And I think just bringing the years of experience as well, being able to talk to them about what a typical time frame would look like and, you know, how things generally tend to play out. I think it is really useful, but it's just about building that trust and making sure that you do what you say you're going to do, and make sure that you follow up when you say you're going to follow up, and just be there to be that supportive element, I think, for organisations.
Mike Fell, NHS England:
Yeah. And, as far as I understand, you do have badges, but is that different when you come wearing the NCSC badge, so to speak? Are the dynamics different in the building of that relationship in the early stage?
Paul Chichester, National Cyber Security Centre:
A little bit, well, it plays a part, although I really can't stress enough what Sarah is saying around how you engage. It's the consistency of the engagement, the tone of your engagement. At that point you're into human psychology, right? This is not a technology problem at that point when we're engaging, if I'm phoning up an organisation.
Or my team are. Usually it'll be the first time that one of us has spoken to that organisation, so we don't have that personal link. So what you're trying to do, to your question, is that we do absolutely rely on the whole of our team setting the groundwork for us to call an organisation in an incident. So ordinarily you won't know us or you won't know the team, but you will have heard of the NCSC. And I think it's back to some of the things you were saying: actually, just knowing that there is a team that does this, or that we have a responsibility, or look, you might not know us, but actually you will have worked with someone in the team, or you might not know us, but actually here's our website and here's a very quick description of what we do. So trying, as quickly as possible, to give somebody a context that allows them to build that trust really quickly. And so I think for me, again, trust is a complex thing. You might not know me, but you'll know somebody that we both know.
Or you'll have a joint experience or a shared experience, and so you're trying to build up a rapport in that way, at pace, in a highly stressed environment.
And again, we try to understand that and try to be sympathetic, empathetic, in terms of who we're engaging with and how we engage. And again, for those people who think about incident response, they very often go, oh, incident response, that's about rushing out and monitoring networks or helping with technology. A lot of it is people. We very often talk separately about the mix of skills that you need in incident response. And the thing that I find most efficient these days in companies is not necessarily their technical response but their human response.
Like, what's your comms response? What's your HR response? How are you going to manage this for your staff? How are you going to manage this for your stakeholders? And that's the bit that I still think there's a gap people don't quite have an exercised or sort of built up that muscle memory around.
Mike Fell, NHS England:
It's something we really recognised in our space, to the point of embedding clinicians within the cyber team so that we can do the translation of the language and really understand the most effective ways to build those bits. And Tim, I'm reflecting on an incident that I think you were involved in, where the national CSOC, the Security Operations Centre, had to ring an organisation to make them aware that there was an ongoing attack and the response came back: yeah, it's a pen test.
We know about it. And you and the team had to navigate explaining that it was a pen test, it was just a penetration test, it was just not necessarily one that they had commissioned themselves. And I think you and your colleagues are really great at having that first point of contact bit. What are your tips around building that trust with somebody, quite often in the middle of the night or in a really stressful situation?
Tim Carr, NHS England:
Yeah. I mean, I think there have been some great points already made. Touching on building these relationships in advance where possible, and touching on what Sarah is saying around the media engagement or comms engagement, which is vital for us as incident managers when we're in the midst of an incident. I guess, in terms of the initial engagement, in some ways we're looking to proactively tackle our branding, our engagement, so that we're not rapidly justifying what we're doing, rapidly building relationships.
You know, cold calling someone in the middle of the night and then being asked who we are. And I think this is where it's worth shouting out some of the incredible work that Sarah has done in the past on the Cyber Associates Network, which is our forum for cyber experts and colleagues across the NHS in the England region. Through that we are able to publish guidance, we're able to brand the CSOC and the cyber operations team, we're able to discuss stuff slightly more informally, and anyone can jump in there. So I sometimes jump on the forum to speak with members of various trusts, and through that, ideally, that is building a more casual relationship, an understanding of who we are and what we're doing, so that when you do, in the unfortunate and unlikely case, have an incident with one of these organisations, they're hopefully more contextualised on who you are and what work is about to be done. We've done some presentations recently at the in-person CAN (Cyber Associates Network) events where we go over the role that CSOC plays during an incident.
And that, again, is designed partly to contextualise our role, partly to lay out the expectations we would have from the org level to help them posture themselves better in the event of an incident, and I think it has been successful. It means that we can quite easily slip into these calls even though they are high stress, high stakes; we have that engagement ready to go and we also have supporting things on the process side. We've got infographics to try and lay out what the CSOC are, in case they have, for whatever reason, missed any of our branding or engagement exercises.
And I guess lastly, I think it's a great point by Chich on the psychology aspect of it. In a way, we're moving completely away from technical skills here; we're talking about soft skills, and I think that's something that has come to the forefront for us recently: trying to build learning plans internally for our incident managers. A lot of people, I think, apply for a SOC, the Security Operations Centre, thinking of technically minded people and thinking of technical skills, which we absolutely need, but those soft skills are absolutely vital, particularly in the incident management space, and we're trying to build out those learning paths to better expose incident managers to those more abstract skills you might need when you're engaging with complex relationships and similar.
Mike Fell, NHS England:
Yeah. And that's something that I'm always really alive to, I think, not least because, as I say, I got in the hard way, which is learning how a computer works on top of broader skills. And there have been some amazing successes, and I'm not just saying this because we have an NCSC colleague with us, in the professionalisation and the industrialisation of routes to train people and skill them up. But that does, of course, need to be balanced, as you say, with those broader skills, and I hate the term soft skills because these are not soft skills, they're bloody hard skills.
And it is a personal mission of mine to stop using the term soft skills for what arguably are actually the harder ones. And I guess that makes me pivot to one of those harder elements that we get within the communications aspect when we start talking about transparency.
I think I'm probably fairly well known for my views about the bleach of transparency, and the differentiator between effective incident response and less effective often hinging off the trust, the transparency and, inevitably, the public: being public about some of the impacts and what's going on.
But despite that, in doing so, I always acknowledge that the reality is that there are elements of this that are sensitive, that in some cases can't be shared or shouldn't be shared or, on balance, need to be shared at the right time. And that's probably all the more relevant for yourself, Chich, with the access to information that your organisation has.
So how do we get that balance where we bring the public trust with us and are transparent, but also don't just fall into a binary world where people think that that means you have to say everything? What's the key to that balance?
Paul Chichester, National Cyber Security Centre:
I think for us that's partly by having a mix of minds in the room when you're making these calls. So for us, when we're managing incidents, we always have somebody from our comms team who's baked in, part of our incident response. So they will always be there as that conscience, coming at this from "we're going to communicate everything, so tell me why we're not", and then there will be different voices in the room. But you need those different voices and perspectives.
And so I think for us it's making sure that we've got somebody with that view of what the public would expect of us, what the public would expect us to be saying, and also, very often, the cost of not being transparent. I think we always think about the risks of being transparent, or that if we say something, something bad will happen. There's a downside to not being transparent, and sometimes we don't necessarily bring that into the room or into the decision making. I think actually, in my experience from doing this over years now, and maybe similar to yours, if in doubt, communicate, right? If in doubt, be transparent.
Pretty much all the regrets I have are where I've not been transparent, versus where I have. I don't sit and think, "oh, if only I hadn't said that". So I think there is something about reassurance as well. Certainly nationally, we feel that we want to be able to reassure the public if there is a major outage of the CNI (Critical National Infrastructure) or things like that. The challenge, just to the last part of your question, is that sometimes we might know something, or sometimes we have an inkling. So sometimes the level of confidence we've got might be low, and at that point, what do you communicate? You might have some guesses on who the person doing it is, or you might have some views, but it's low confidence, and actually then you have to, I think, be careful, because what you don't want to do is keep changing the narrative. It's back to what Sarah was saying earlier, that you need consistent messaging in all of this. So normally, where we're being thoughtful about our messaging, it's: is it consistent?
And is this likely to change? And if it is, then be clear that it's likely to change. So really thinking through all of those. But I think transparency is important, because the more we can get this message over and the more stories we can tell, the more people will realise that this is something important and they need to respond to it.
Sarah M, NHS England:
Definitely. And just to echo some of your points there, I think about the level of confidence and the news that you're delivering. It is really important to make sure that you've got the right voices in the room when those decisions are being made. So our regional security leads, for instance, are really useful to have in that room as that voice of reason on what the expectations from the system are as well. It's always a tricky balance, I think, and there's no real right or wrong way, and it very much depends on the incident. But we always aim to be as transparent as possible and aim to get comms out in a really timely manner that's relevant to the audience as well. And that's mainly to prevent that rumour mill from growing, which can happen very quickly.
Yeah, and also those knee-jerk reactions which we saw from some of the aspects of WannaCry as well, with people unplugging.
Yeah, it is very, very dependent. And also, for us, when we're dealing with an incident in an organisation, for instance, it's very much dependent on their appetite for communicating as well. So it's very much NHS England working in partnership with those impacted organisations and bringing those years of experience to help advise them and guide them through that tricky part.
Mike Fell, NHS England:
Yeah, and I couldn't agree more: yet another example where diversity of thinking, diversity of experience, is the key to this, so that it's not the groupthink of just the security people, from the experiences that we have and all of those aspects to it.
Good. I'm going to start bringing things towards the conclusion now, and I think another thing that struck me in what we were talking about there, about one of the benefits of transparency, is the business case for investing in cyber.
Part of the reason that, I think hopefully everybody can agree, we have not made as much progress as one would have wanted on this is that we've simply not had the quantifiable evidence base to really say this is a compelling business case that stacks up, in the health sector against the other pressing needs for investment, and across wider society against the other things that money that could be spent on increasing cyber defences is spent on. And I know that's one of the drivers for me in being public about the consequences and impacts of cyber risk here. And I think that pivots to the forward-looking element of the final question that I'm going to ask, which is that the pace and the scale of the threat at the moment are significant, and I think everybody would want to change the resilience and get to a world where we are not having to invest as much in incident response and are preventing this.
That ultimately comes down to learning the lessons from the incidents that we've seen and implementing them. We spoke earlier about the difference between five years, 10 years ago, and that there are a lot of foundational things that are still at the heart of it. So let's wrap up with: what does work well, and what can be improved to inform the future planning from the incidents that we all have sight of?
Tim Carr, NHS England:
I think, touching on what Chich was saying earlier about the cadence of incidents, it does feel like it's increasing. It seems to be a universal feeling. Certainly in the NHS, it feels like there is a greater number of incidents kicking off in a given month, and that is counterintuitive when it comes to lessons learned, because you don't have time to resource your lessons learned if you're jumping immediately into a new incident. That's where we've tried to tackle it by having, from a process side, a running document tracking the things that could have gone better: could we have engaged with this org a different way? Should we have brought this person in? Did we monitor this part of the estate? And similar. Basically, to be empirical, it's a spreadsheet of items that are raised as pain points, and it also lists things that have worked well for us, and that allows us to have a tracked item, a tracked file.
So even if we don't have time immediately to jump back and say what went well and what didn't, we can come back to it at a later date and we can address it, because we absolutely want to address it. It's absolutely vital that you're iteratively learning and improving the processes, because not only is the threat landscape changing, but you also just need to make sure that you're not getting stagnant in your approach to incidents. That's a really important piece of the puzzle, I think: making sure that you're keeping an eye on where things might be slipping. And you're also recognising talent, because again, on the psychology side, you need to make sure that you're calling out the wins, because it generally does encourage people to feel satisfied with the work that they're doing and to remain engaged with the incidents that are kicking off.
I think outside of that, I'm not sure where we would necessarily pivot with the lessons learned, outside of feeding back into process improvement, which is something that I'm hoping to do in my new role, moving to a consulting space where we begin to dedicate more CSOC resource to a dedicated team that centralises those pain points to then feed back into a process improvement workshop. So very much on the process side of things, I'm hoping that we can begin to turn it into a machine of feeding in problems and outputting process improvements and solutions.
Sarah M, NHS England:
From a communications point of view, I think it's continually improving and adapting communications: looking at what worked, what didn't work, and making sure that feeds into any new and improved lines as well. One of the other aspects is how we work with organisations post incident to develop a case study or help them to share what's happened.
So, for instance, at our Cyber Associates Network conference we'll tend to have two or three organisations who walk through, step by step, what happened in their incidents to share their learning and understanding. But we help facilitate that within a safe space for them. And I think that's really important to help drive some of the messages home, as well as the fundamental, foundational items that we talk about.
Paul Chichester, National Cyber Security Centre:
Tim and Sarah, I think, again, I agree with a lot of those points. Finally, from my perspective, I suppose because we see that national and international view:
I can absolutely promise you that the best and most cyber-mature organisations in the world still have incidents. So if anybody takes anything away from this, it's when, not if, right? It does not matter if your sole focus as a board is cybersecurity and you have the best team in the world. This isn't a case of stopping it, right? It's a case of what you do when it happens. And so I think, if you take it as when, not if, then the one thing I always say to an organisation is: be prepared. Can you demonstrate you were prepared?
Because it's like any risk management, right? If you look at the risk, then actually very often you won't necessarily get criticised for it happening, but ultimately, I think, it's difficult these days to defend the fact that you didn't realise it could and will happen.
And so I think there's a huge amount of learning you can take from exercises, be it for the most mature organisation or for ones that are just starting out on that journey of realising the need to manage cyber risk. I would say accept that it's when, not if, exercise what you would do, and then start from that point and start the learning journey. But I think with exercising, and I've done this a lot with different boards, the human impact on individuals when faced with some of these scenarios, even when they go "well, I kind of knew that", when you're really exercising it, all of a sudden it becomes real. And I think that's where we've got to get to: making it real for people.
And then making the necessary adjustments and spending the amount of money we've got wisely to treat the biggest risks. So that's where I would probably come from.
Mike Fell, NHS England:
And what finer point to finish on than that. I think it's a little bit like customer service, isn't it? It's not the fact that something goes wrong that leaves you feeling a certain way at the end of it, it's how the problem was resolved, isn't it? And that's what exercising and preparedness are ultimately all about. So thank you. That brings today's episode to a wrap. I'd like to say a huge thank you to Chich, to Tim and to Sarah for all those candid insights and for sharing those invaluable experiences and advice as well.
We've covered a lot of ground today, and I think what's really come out is the importance of cyber incident response not just being about the technical aspects but the people, the communication, the psychology that we've gone into there, as well as understanding how we can better influence to prevent these things, but also just the when-not-if approach to the mentality going into this.
So if you did enjoy today's episode, then please do share it with your colleagues. And don't forget to subscribe to our podcast for more similar cyber insights. Thank you very much for listening.
Guests and host

Sarah M, Head of Cyber Security Compliance and Engagement - Joint Cyber Unit, NHS England
Sarah leads efforts to strengthen cyber resilience across health and care and ensure compliance with relevant security standards. In her previous role in Cyber Operations, she led the engagement and communication function across all operational areas of cyber security, advising on key areas, supporting cyber incidents and developing a strong security awareness culture.

Paul Chichester, Director of Operations at the National Cyber Security Centre
Paul has worked in the UK government intelligence and security community for over 25 years in a variety of offensive and defensive cyber roles. Paul was awarded the MBE in 2005 for his ground-breaking work in cyber, and the CMG in the King's Birthday Honours in 2024.

Tim Carr, Senior Incident Manager, Cyber Security Operations Centre, NHS England
With a strong background in cybersecurity and incident management, Tim has co-ordinated the response efforts of several major cyber incidents, supported forensic investigations, and driven process development to improve collaboration across both the NHS and Government.

Mike Fell, Director of national cyber operations, NHS England
Mike is responsible for the security of NHS England’s data and systems, as well as leading work to enable the resilience of the whole health and social care system in defending and responding to cyber-attacks.
Last edited: 6 May 2025 3:32 pm