Ciaran Martin: Nobody plays politics with cyber
It starts with a click.
A link to an urgent call, an email with crucial information, a text with a ‘free’ item. Within seconds a network is compromised, data stolen, and a string of devastating consequences begins to unfold. But cybercrime is no longer the work of expert hackers targeting banks or small businesses. It has become a tool of global disruption, capable of paralysing hospitals, shutting down supply chains, destabilising governments and undermining democracy.
Few understand the scale of the problem better than Ciaran Martin, the brains behind the UK’s National Cyber Security Centre (NCSC). “We have to win this race”, he says. “It [a cyber war] is possible but not inevitable.”
Prior to launching the NCSC, Martin was head of cyber security at intelligence agency GCHQ, but he admits when he got offered the job, he “argued against” it. “I thought I didn’t have any great subject matter in the knowledge,” he says.
Backed by a team of “world-class people” and countless hours of studying, he found his footing. And it wasn’t long until he realised things had to change. “GCHQ had always had what they called an information security mission dating back to 1919. But its role was very much in the classified space. It was [to] protect British secrets, protect intelligence networks, protect military capabilities.
“But in the digital age, it was [now to] protect everybody and we were configured to do it almost exclusively from behind barbed wire with armed guards and no cell phones or mobile phones. So, it's not really the way you do cybersecurity these days.
“That’s the way we came up with the plan to reform the way we did things and establish a subset of GCHQ called the National Cyber Security Centre that was much more open.”
Setting up the centre was challenging, he admits, saying “governments often don't think that carefully about changing the machinery of government”.
But in the period between the 2015 general election and the 2016 Brexit referendum, pressure mounted for ministers to act. The October 2015 TalkTalk cyber-attack sparked nationwide panic, Martin explains to Holyrood. The hit on the telecommunications provider saw the personal details of around 160,000 people accessed.
“The reason to establish the NCSC came because of what they [the then Conservative-led UK Government] wanted to do, rather than because they wanted to have one. They wanted to manage incidents”, he says. “We didn't have that function of the state that you have for terrorism or public health. We didn’t have that for cyber. They wanted that, they wanted somebody who could coordinate safely with business in a way that protected national security.”
He adds: “Businesses were getting a bit fed-up, as indeed were politicians, with saying, ‘well, something very serious is going on, but I'm terribly sorry, it's all classified’.”
And Martin had barely settled into his role at the NCSC when crisis struck—the NHS was hit by its most severe cyber-attack to date. The WannaCry breach spread chaos across the UK and overseas, just two weeks after the centre had moved into its new headquarters. “It was a moment of considerable stress…It was a very tough time”, Martin admits.
But handling high-pressure situations was second nature to him. Before stepping into the world of cybersecurity, he had led the official negotiations on the framework for the 2014 Scottish independence referendum.
Cyber lies in “an awful lot of messiness around the devolved-reserved boundary”, he says.
While justice and policing are devolved matters, with Police Scotland handling “routine cybercrime”, he explains, cybersecurity policy falls under reserved powers. But he argues that despite its complexity, such a system works. “You can't devolve it all and you can't reserve it all, you just can't.
“There are many examples where people say devolution doesn't work and [that] there isn't a strong partnership between the central and the devolved governments. I think cybersecurity is actually an exception. People don't fall out over ideology in cybersecurity, it's not like healthcare or education.
“We could do a big mapping exercise of who's responsible for what or we could just be a bit respectful. There are occasions where the UK has to say, ‘I have to be really careful what I say here because it's some classified national security equity’. But there are equally going to be areas where there's absolutely no way I can tell you what to do.
“Luckily, cybersecurity had the luxury of being an important but not controversial subject. Nobody played politics with it.”
Interestingly, he cautions people against buying into the hype of a country-wide cyber invasion, calling for a more “balanced narrative”. “You can't conquer a country with cyber otherwise the Russians would have done it.
“There’s this thought, which drives me mad, that it's all getting exponentially worse. It absolutely isn't. You hear all this hype, and a lot of it is for commercial reasons, that the threats are getting worse every day. Well, if that were actually true, it's been said every day for as long as I've been on cybersecurity, which is getting to over 12 years, so we wouldn't be here now. We wouldn't be talking on Teams because all our computers would be wrecked.”
China, Russia, Iran and North Korea have been ranked as the most dangerous nations for as long as Martin can remember. However, he admits the cyber landscape has changed as the war in Ukraine has “ratcheted up tensions and Russia's willingness to use cyber”, and China has shifted from amateur and sloppy attacks to “strategically and impactful spying operations”.
Indeed, last year, frictions intensified between the Chinese and UK governments after a group of MPs, including then SNP MP Stewart McDonald, were allegedly targeted by Chinese state-sponsored cybercriminals. Beijing called the claims “groundless”. And shortly before that, the US had dismantled a Chinese state-sponsored cyber operation, nicknamed Volt Typhoon, that had been targeting key public infrastructure like the power grid. Martin says: “It means that if there is serious tension between the US and China or the West and China in general over say Taiwan or something else and there's very heavy penetration of critical infrastructure, that's quite scary.
“Readiness [for a big, sustained attack on a critical institution] is patchy. People will freely admit that,” he continues. “But the thing that would worry me the most is this sort of Chinese Volt Typhoon threat… It is not about one big spectacular cyber hit on a country like the UK. It's about hundreds of smaller hits all at the same time.
“If it gets healthcare, you will have people struggling and potentially at risk. If it's not healthcare, nobody will die or get hurt but it will bring an awful lot of economic and social disruption, an awful lot of confusion and also confidence loss.”
But Martin doesn’t seem to think that the UK and Scottish governments’ pledges to put technology at the heart of public sector reform and NHS renewal respectively exacerbate risks. “If hospitals can't schedule potentially lifesaving diagnostic consultations and operations, you're in big trouble. But I’m not sure it's about betting the farm on innovation. In fact, given we are already in digitised societies, if we don't keep up, the threat gets worse. Healthcare is a really good example of that. The biggest threat to, say, the NHS isn't overly depending on state-of-the-art computer systems that can get hacked. It's actually having really outdated rubbish computer systems that can't be protected.”
Martin, however, knows too well that malicious actors are using artificial intelligence (AI) to launch more sophisticated attacks. “It’s a simple arms race between goodies and baddies,” he says. I ask him if it has complicated efforts to keep up the pace with the evolving risk posed by cyber threats. “We have to win this race and it's too early to tell,” he answers.
“Nowadays, the chances of a less capable state or group of non-state actors like a terrorist group getting their hands on cyber capabilities could cause a lot of havoc, possibly not to the extent of us seeing it as a war but causing a lot of disruption in health systems and things like that. Those chances are higher now because of AI, because of the proliferation of tools. That's something to be concerned about.”
With 14 months left until the 2026 Scottish Parliament election, I ask Martin if the votes are at risk of being influenced by deepfakes and other cyber-related security threats. “It [the threat] is both real and hyped”, he says. “You still see people talking about the Brexit referendum, during which I was still in office and didn't see any serious digital interference.
“I think it's really corrosive for a society if people don't accept the integrity of an election process. That means two things. You have to take any threat to elections very seriously, and there are real threats, but the other is you don't go around saying ‘it's inevitable that these elections are going to be completely hamstrung and invalidated by the Russians’. You don't say that without hard evidence, because then you've done their job for them.
“In that case you just wrecked the one most precious thing in democracy, which is trust.
“We have to be very hawkish about this, but we shouldn’t be worried about a giant national deception.”
He instead warns about potential disruption to election infrastructure, such as an attack that takes down the election register or voting machines.

Ciaran Martin was chief executive of the NCSC from 2013 until 2020
In 2020, Martin decided to step down from his role at the NCSC. “I was very tired. I had been doing it for nearly seven years and thrown everything into it.
“And I found myself saying, ‘back in 2015 we thought this’ and I thought it's probably time for somebody else to take over if you're talking about what you thought five years ago. I wanted to stay in cybersecurity because I loved it. I thought it was a really powerful field, but I'd had the best and most senior job in cybersecurity in government, so there's nowhere else to go. So, I departed.”
He went for the position of chief executive of Ofcom, but did not get it, and became a professor of practice in the management of public organisations at the University of Oxford’s Blavatnik School of Government.
Looking ahead, he urges the UK Labour government to tread carefully around legislation, citing the UK’s Online Safety Act and the EU AI Act – which aims to promote a “human-centric” approach towards the technology. “I'd be cautious about moving forward – and some of this is at Ofcom’s discretion but quite a lot of it is actually later legislation from parliament. The country should not get itself known primarily in tech for regulation.
“We do need to innovate securely. You can't just legislate your way to security and safety online. There has to be a whole sort of business culture about it… In tech, there's no such thing as a regulatory superpower, and we’re about to find that out.”
He argues the Online Safety Act will not succeed and instead cause further tensions with tech magnates such as Elon Musk, who owns social media platform X and leads the US Government’s department of government efficiency – which aims to reduce national debt and save money.
Martin adds: “It’s [the Online Safety Act] likely to fail because of US pushback.”