Ciaran Martin, founding head of the UK’s National Cyber Security Centre (NCSC) and now Professor of Practice at Oxford University, says that he wants technology leaders to “take a measured approach” to cyber risk.
Speaking to delegates at Qualys EMEA Security Conference in London last week, he told how the cyber threat landscape isn’t necessarily worsening, but it is becoming more complex and nuanced. That, in turn, demands both stronger legislation and more government intervention, he argued.
Speaking to a packed room of cybersecurity and enterprise technology leaders, Martin laid out a clear case for risk alignment.
“Is your company enriching uranium?” he asked rhetorically. “If you are a provincial solicitor, your threat profile is probably different from a major law firm advising sanctioned oligarchs.” It was a call for realism over hysteria – to understand both your organisation’s value to attackers and what kind of harm an intrusion could cause.
‘The Big Four’ and shifting threatscapes
Martin reiterated what he once warned the UK Parliament in 2014: that Russia, China, North Korea and Iran — “the big four” — remain the dominant cyber adversaries. Russia, he said, had shifted tactics.
While once its state-backed groups targeted political institutions, now it is largely criminal gangs chasing cash and data, acting with apparent impunity.
“Russian police and the state turn a blind eye to it,” he said. “These gangs started being political but now they’re after anyone with money and data.”
China’s threat profile, he noted, is evolving. “Historically the biggest data thief in the world,” Martin said, China has moved on from merely hoarding intellectual property to preparing for major cyber disruption — “if it needs to.”
That capability, he suggested, would likely be reserved for a geopolitical flashpoint such as Taiwan. Even so, China has never launched a major cyberattack on a Western country. “That remains true — for now.”

NCSC founder Ciaran Martin, now a Professor of Practice at Oxford University
Adversary tradecraft is increasingly focused on the structural weaknesses of ageing infrastructure, while China’s “steal now, decrypt later” approach harvests encrypted data today on the expectation of being able to decrypt it in future. Yet Martin again counselled context. “Modern China has never invaded anyone. These are capabilities they are developing — not yet deploying.”
Threat modelling over fearmongering
What Martin advocated for — and returned to frequently throughout his keynote — was strategic threat modelling. “We can’t have a cyber strategy unless we know who is attacking us and why,” he stressed. “What do they want that’s important to us? How will it hurt us?”
The 2021 ransomware attack on Ireland’s health service — which crippled diagnostics and disrupted cancer care for months — underscored how cyber incidents can spill into real-world harm, he said.
The crisis also showed how organisations are sometimes forced into impossible decisions: leaking patient data may be illegal, but what if refusing to do so delays treatment and endangers lives? And why is data protection legislated for, but basic cyber hygiene not?

There are many lessons to be learned from the attack on the Irish healthcare system, says Martin
Martin didn’t dismiss these ethical grey zones, but stressed that for most organisations, the focus should be less on dramatic hypotheticals and more on likely disruptions. “You need to get into the minds of the people who are going to attack you,” he said. “What’s the objective? Politics, data, money?”
And even then, the attacker’s sophistication matters. “Running a major offensive cyber operation requires time, resources and infrastructure,” Martin said. “Most threat actors still don’t have this.”
While some rogue individuals have made headlines, the feared lone-wolf hacker turned out to be far less of a danger than anticipated. “Cyber terrorism didn’t really take off,” Martin said, recalling the 2015 hack of the French TV station TV5 Monde — which turned out to be “Russians pretending to be extremist Muslims.”
AI, hyperbole and the need for precision
Regarding artificial intelligence, Martin dismissed the doomsday narrative proliferating across popular media.
He pointed to a widely reported story from 2023 about an AI-controlled drone that had ‘killed’ its human operator, only for it to emerge that no such incident had happened: the account was a hypothetical thought experiment described at a conference, not a live test. “Even in the wildest moments of Covid, The Times didn’t run with wacky stuff about the pandemic,” he said. “But people will believe anything about AI.”
Martin said the real risk from AI lies not in Terminator-style killer robots, but in the lower barrier to entry it creates for criminals.
With generative tools, it has become easier to convincingly spoof websites, mimic legitimate emails, and manipulate users through social engineering. “Especially when you combine AI with social engineering,” he noted.
Martin recently watched a conference demo showing how easily criminal gangs can stand up a fake airline website, or craft a password-reset email, convincing enough to fool customers.
Yet Martin doesn’t see AI as a runaway threat. “If it was getting worse, we wouldn’t be here,” he said, adding that most enterprise-level breaches still stem from known vulnerabilities or human error, not cutting-edge AI.
From passwords to policy
To that end, Martin supports efforts to legislate for secure-by-design principles — a topic he addressed during his keynote. Referring to the UK’s recently launched voluntary Software Security Code of Practice and its upcoming assurance framework, he said this would help curb the industry’s bad habits.
“We all remember when older CCTV systems used ‘1234’ as the default admin password,” he said. “The truth is, secure design costs money, and unless vendors are required to do it, not everyone will.”
Martin also pushed back against apocalyptic narratives around IoT. “You can’t turn off smart meters at scale because of how they’re designed,” he said. While it’s possible to cause disruption in a local area, a coordinated nationwide IoT attack would require capabilities on par with a hostile nation state — and likely only during wartime.
Ransomware bans and mandatory reporting
In his follow-up discussion with TechInformed, Martin expanded on the growing threat of ransomware and why he believes mandatory reporting — and ultimately, a ban on ransom payments — may be the only viable path forward.
Speaking from experience outside his NCSC role, Martin served as chair of an international advisory committee to the Australian government as it developed its national cybersecurity strategy. That process included a consultation on banning ransomware payments.
In the end, Australia opted against an outright ban, instead introducing mandatory reporting requirements.
“It’s very difficult to be the first country to do it…ultimately, I think Australia thought, ‘Why are we doing this now?’” Martin said, reflecting on the political and practical challenges of leading on such a contentious issue.
However, Martin believes mandatory reporting is a good first step for any country to take: “I can’t see the case against that. We need to measure the size of the problem. I’m not an expert in corporate governance, but I don’t see how you can pay some of these sums and not disclose them.”
In Martin’s view, the government’s forthcoming Cyber Security and Resilience Bill could help, particularly if it includes mechanisms like the EU’s NIS2 directive, which he supports.
“If we were still in the EU, we’d be doing NIS2,” he said. “The UK bill looks similar — critically important companies would have to take cyber security seriously.”
State-enterprise partnerships
Martin doesn’t believe that regulation is the enemy of business. In fact, he argues that the telecoms industry asked for regulation under the 2022 Product Security and Telecoms Infrastructure Act because voluntary compliance was proving commercially unsustainable.
“It gave them a level playing field,” he said. “Fixing vulnerabilities was expensive, and they wanted assurance that competitors would do it too.” Espionage and national security threats, such as those posed by Chinese state-backed groups like Volt Typhoon, create national costs but not necessarily corporate ones.
“If your data is exfiltrated and your systems still work, your customers may not even notice,” he said. “But the state loses out.”
This is why, Martin argued, collaboration between government and business is vital. “The law only works if you have strong partnerships. Telecoms and finance have shown what trusted forums can do. Cyber resilience isn’t just a legal obligation — it’s an economic one.”
Food, retail, and the ‘Everything, everywhere’ scenario
Recent cyberattacks on M&S, Co-op and Harrods have prompted a broader reflection on resilience in the retail sector.
Martin acknowledges that while there’s no shortage of food in the UK, instability and complexity are growing concerns. “Volt Typhoon is a low-probability, high-impact scenario,” he said. “If the costs of launching attacks continue to fall, we need to think nationally about resilience, not just company by company.”

In terms of food security, Martin says if one retailer goes down, we can handle it. The danger is if they all do…
He echoed former US cyber chief Jen Easterly’s warnings about “everything, everywhere, all at once” cyber assaults. “We’ve obsessed over power grids,” he said, “but taking one of those out requires years of effort, serious luck and funding. On the other hand, Colonial Pipeline was done by ordinary criminals using off-the-shelf tools.”
This is why incentivising long-term enterprise investment in resilience remains, in Martin’s words, “ultimately a matter of law.” But law alone won’t fix things — it must be combined with strong public-private partnerships, clarity around threat actors, and a renewed focus on foundational cyber hygiene.
“Understand your network,” he concluded. “Because if someone else understands it better, you’re in trouble.”