Inside the UK’s Cyber Strategy: Richard Horne on Resilience, Risk, and AI
Season 2 Episode 28 •Show Notes
Richard Horne, CEO of the United Kingdom’s National Cyber Security Centre (NCSC), joins host Frank Cilluffo to explore how the UK is strengthening cyber resilience across critical infrastructure, private industry, and international partnerships. Drawing from his experience in both government and the private sector, Horne outlines NCSC’s approach to tackling advanced threats, closing resilience gaps, and collaborating with allies on systemic cyber defense. The conversation spans ransomware, AI, supply chain risk, quantum cryptography, and how organizations—large and small—can better prepare for disruption. Horne emphasizes the growing complexity of the digital threat landscape and urges a pragmatic, contest-oriented mindset to keep pace.
Main Topics Covered:
-
The mission and structure of the UK’s National Cyber Security Centre (NCSC)
-
Cyber resilience through exposure, defenses, and consequence management
-
Gaps in critical infrastructure protection and supply chain vulnerabilities
-
Use of AI and automation in both defense and attack
-
International collaboration and the importance of Five Eyes partnerships
-
Quantum computing and the need to prepare cryptography for post-quantum threats
Key Quotes:
“AI is almost like… when we moved from wooden [tennis] rackets to composite rackets. Was that an advantage? It was an advantage to both sides. […] If you stick with a wooden racket, then ultimately you’re going to be overcome.”
— Richard Horne
“We see many cyber attacks exploiting zero-day vulnerabilities that frankly shouldn’t be there. And the quality of code that we have in our hardware, software… is a big issue.” — Richard Horne
“In the world we’re in, we all need to recognize we have a responsibility for cyber security for ourselves and for others.” — Richard Horne
“The relationship with the U.S. and the Five Eyes really does underpin especially our understanding of the most advanced threat.”
— Richard Horne
“You’ll often see sort of ransomware attacks against some small company you’ve never heard of and then potential front page impact the next day.” — Richard Horne
Related Links:
UK National Cyber Security Centre (NCSC)
Guest Bio: Richard Horne has served as CEO of the UK’s National Cyber Security Centre since October 2024. Prior to that, he was a Cyber Security Partner at PwC UK, where he advised global leaders on cyber risk strategy and led responses to major incidents—including the 2021 ransomware attack on Ireland’s health service. He previously led cyber risk management at Barclays and played a key role in developing the UK’s first national cyber security plan during a stint with the Cabinet Office. Richard holds a PhD in Mathematics and has represented the UK in cybersecurity forums at the OECD, European Commission, and ISO.
Transcript
1
00:00:00,000 –> 00:00:01,000
Richard Horne [00:00:00]:
Exposure, defenses and consequences.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:02]:
Awesome. Yeah.
3
00:00:02,000 –> 00:00:03,000
Richard Horne [00:00:02]:
And those three together form resilience. And what we see time and again is organizations hit by ransomware realizing just the enormity of the task of rebuilding a whole interconnected technology system that they rely on, that they don’t probably understand.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:00:20]:
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Richard Horn. Richard is the CEO of the UK’s National Cybersecurity Center. I’ll let him explain a little bit to some of our viewers what that entails. Prior to that, he had leadership roles in the private sector, both at PwC in the United Kingdom as well as Barclays Bank, and also did a stint inside the Cabinet Office when the UK put together their first national cybersecurity strategy. Really excited to sit down with Richard today. And Richard, thank you for joining us.
5
00:00:04,000 –> 00:00:05,000
Richard Horne [00:01:04]:
Thank you, Frank. And I should say War Eagle.
6
00:00:05,000 –> 00:00:06,000
Frank Cilluffo [00:01:06]:
War Eagle. Yeah. And I’m going to get to that in a second. And a PhD in mathematics, so you’re a lot smarter than me, so please take that in mind while we have our conversation. But I think many of our viewers are familiar with NCSC, some intimately, but others not so much. And I thought it’d be good to start with the UK’s role and where NCSC fits into that.
7
00:00:06,000 –> 00:00:07,000
Richard Horne [00:01:33]:
Yeah, yeah. So the NCSC was set up 10 years ago, so it was one of the first sort of national bodies to be set up for cyber security, really with this whole remit of sort of getting after the challenge of a lot of the information we need is in secret domain and we need to get it in public hands, private sector hands, and to bring private sector and government together, so to be that hub. So that was kind of a lot of the original drive. And so we sort of overlap and partner with NSA, CISA, FBI and others in, in the U.S. system. We’re part of GCHQ, so the signals intelligence organization.
8
00:00:07,000 –> 00:00:08,000
Frank Cilluffo [00:02:12]:
Our NSA or Canada CSE.
9
00:00:08,000 –> 00:00:09,000
Richard Horne [00:02:15]:
Absolutely. And I think that’s really important for us because a lot of the information on the most advanced threats, you know, comes from signals intelligence. And so to be the ones creating the intelligence, as well as sort of driving use of it to raise our defenses is really important. And there’s probably three main parts to our, what we do. One is raising the overall levels of defense and resilience across the UK as a whole, across all organizations, and particular emphasis on CNI. Second area is leading defenses against the most advanced threats. And you know, China is clearly the pacing cyber threat, but you know, many others are available and, and then the third area is being the national technical authority for cybersecurity. So being able to issue really technically grounded advice, guidance and steers both for government and the private sector that people can rely on and doesn’t have a vested interest, but it’s kind of, yeah, we can be that authority for the UK.
10
00:00:09,000 –> 00:00:10,000
Frank Cilluffo [00:03:17]:
Awesome. And having seen it both from the private sector’s perspective, who’s an important customer in terms of information sharing and now the government’s perspective, what are some of your initial thoughts here? Cause I do think what makes the National Cybersecurity Center in the UK unique is that it’s coupled with GCHQ. And does private sector have an ability to drive requirements, information needs or how does that work?
11
00:00:10,000 –> 00:00:11,000
Richard Horne [00:03:45]:
So, yeah, it’s really at the heart of our ethos is bringing private sector and government together and all the different parts of government. So when I was in the private sector, I was leading a certified instant response company. So NCSC certifies incident response commercial organizations so that when a, when there’s a major cyber security incident, we have the ability to scale using commercial providers and point victims of cyber attacks to these commercial providers to get help and support and then share the information back. So we did a lot of that and worked some big incidents and we uncovered something called Operation Cloud Hopper, which we worked with NCSC where we discovered compromise of the big IT service companies and onwards work from that. So it’s a great example of how it works. Private sector sees things that government doesn’t see and being able to pull…
12
00:00:11,000 –> 00:00:12,000
Frank Cilluffo [00:04:36]:
And vice versa. Right?
13
00:00:12,000 –> 00:00:13,000
Richard Horne [00:04:37]:
And vice versa, absolutely, that’s right. But it really is important to get that all working together. And so we have all sorts of schemes where we work with private sector. We have something called an i100 where we have the ability to second people in either full time for a short period or a day a week for a longer time or a day a month or whatever it is, to work on specific things with us where we can pull those two views together and we have literally hundreds of people working with us in that way from the private sector. And then we have other schemes as well where we work with the private sector and pull that kind of unique secret view together with the unique private sector view and bring them together.
14
00:00:13,000 –> 00:00:14,000
Frank Cilluffo [00:05:18]:
Which is awesome. And in the counterterrorism environment, I was always somewhat jealous of what the UK was able to do. They would call it the rich picture and they would literally, so it is bringing together that rich picture in this case in the cyber domain. And that is critical because you got to understand what you’re dealing with before you can actually a, determine whether you go after it through conventional means, unconventional means, or cyber means. And that’s pretty cool. Let’s talk a little bit about the threat. And we’ve had a number of guests on speaking about the threat from different perspectives, from space all the way down to more traditional, but from a UK perspective.
15
00:00:14,000 –> 00:00:15,000
Frank Cilluffo [00:06:03]:
And if I’m not mistaken, you do an annual assessment out of the NCSC. Anything unique come out of the 2024 assessment, which was months after you were on the job.
16
00:00:15,000 –> 00:00:16,000
Richard Horne [00:06:15]:
So I think probably the biggest thing that struck me that we drew out in our assessment is this sense of a widening gap. So we have the threat evolving at a real pace. Both the sort of sophisticated end of the nation state side of threat, but also the scale of ransomware and the likes of more moderate level threat. And that whole, and then as well the proliferation of cyber threat tooling and enabling smaller nation states to do some quite advanced things. So we have this kind of quite fast evolving threat picture. And then our defenses across society are kind of edging forward, but they’re not edging forward at the same pace of the threat. Equally, our exposure is increasing really rapidly.
17
00:00:16,000 –> 00:00:17,000
Richard Horne [00:07:03]:
So as a society…
18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo [00:07:05]:
And the attack surface continues to grow.
19
00:00:18,000 –> 00:00:19,000
Richard Horne [00:07:07]:
Absolutely. The attack surface and also the impact of a cyber attack because we’re becoming so dependent on technology, therefore the impact of an attack that takes that technology away from us is far greater. So that exposure is growing as well.
20
00:00:19,000 –> 00:00:20,000
Frank Cilluffo [00:07:22]:
And when you look at that, if you were to rack and stack, I mean, from a US perspective, you’d have the, the big bad actors, Russia, China, Iran, North Korea, you would have proxies which are becoming much more difficult to discern sometimes who’s the puppet, who’s the master. And it’s, it’s blurring pretty rapidly.
21
00:00:20,000 –> 00:00:21,000
Richard Horne [00:07:42]:
Yeah.
22
00:00:21,000 –> 00:00:22,000
Frank Cilluffo [00:07:43]:
And then you’ve got criminal enterprises that honestly four years ago, the capabilities they have today would be in the hands of very few nations, including maybe our own is the only two that would have had that capacity. So it is moving quickly. How do we get to the point where we’re not reacting, we’re building resiliency into our systems. And I know you’ve put great emphasis on resilience and I was happy to see that because we’re never gonna protect everything everywhere, all the time from every perpetrator and every modality of attack. But we damn well better be able to defend our systems or at least build some resilience into that. And how does that look from a UK perch?
23
00:00:22,000 –> 00:00:23,000
Richard Horne [00:08:24]:
So I think I would sort of break it down into, for the kind of moderate level sophistication like ransomware and what have you, we need all organizations to recognize it’s their job to defend themselves. We can’t do it for them because they’re running their systems, they’re running their IT, they’re making choices about whether they replace legacy or not. It’s their decisions and they need to encapsulate cybersecurity resilience in those decisions. And then for the more advanced threats, we clearly have more of a role to play in supporting getting after it. But for those sort of, those organizations sort of meeting their responsibility, I often talk about three, three things to think about as sort of exposure, defenses and consequences.
24
00:00:23,000 –> 00:00:24,000
Frank Cilluffo [00:09:04]:
Awesome.
25
00:00:24,000 –> 00:00:25,000
Richard Horne [00:09:05]:
Yeah. And those three together form resilience. So understanding your exposure both kind of directly to you and through legacy systems, through, through your supply chain indirectly, just kind of that totality of how exposed are you to cyber attack. The second area is defenses. Are you building the right, appropriate level of defenses for the, the exposure you have and therefore the, the risk you carry? And then the third area is consequence management, which is often overlooked in the resilience conversation, where if you have a, say, a ransomware attack or an, an attack that disables your IT, how will you continue operations and how will you rebuild and what’s your plan for rebuilding? And many organizations will say, I’ve got a business continuity plan, I’ve got a disaster recovery plan. And then you kind of dig into it, and the business continuity plan isn’t for the total loss of IT. Or they all start with sending an email or something like that. Or the disaster recovery plan is for rebuilding from individual systems failing rather than a total rebuild of all your IT, which is a huge, huge task. And what we see time and again is organizations hit by ransomware realizing just the enormity of the task of rebuilding a whole interconnected technology system that they rely on that they don’t properly understand.
26
00:00:25,000 –> 00:00:26,000
Frank Cilluffo [00:10:25]:
And from a US perspective, we’ve sort of designated 17 sectors to be critical. There’s a couple that I think have to be on that list that aren’t like space, but there are a few maybe that are, that can be reexamined, re looked at. But if you were to look at it from a US perspective, I mean, financial services, because they’re in it for the business and without it, they’re out of business. The old Willie Sutton principle – Why rob banks? That’s where the money is. So they’ve clearly started to invest and there’s some regulatory objectives they need to meet very regularly. Electricity, if you don’t have power, you don’t have banks, you don’t have anything else. But then you’ve got some laggards in the US, like water in particular. But so essential to public safety. How would you sort of rack and stack? And I don’t want you to give As, Bs, Cs.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:11:18]:
We’re not, this isn’t a university class per se, but do you think most of your critical infrastructure is where it needs to be?
28
00:00:27,000 –> 00:00:28,000
Richard Horne [00:11:27]:
So, no, I don’t think.
29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:11:29]:
And it’s certainly not in the US.
30
00:00:29,000 –> 00:00:30,000
Richard Horne [00:11:30]:
Yeah, I think across, you know, across our nations and across the world. Yeah, we’re not where we need to be and you know, we see and especially when you think about supply chains.
31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:11:40]:
I’m glad you brought that up.
32
00:00:31,000 –> 00:00:32,000
Richard Horne [00:11:41]:
So in the UK, for example, we had a, a cyber attack against a, a blood laboratory provider and that impacted two big London hospital trusts and so that impacted healthcare provision by a supplier that supplied a critical service to them. So we, and we see that play out again and again and again and you’ll often see sort of ransomware attacks against some small company you’ve never heard of and then potential front page impact the next day kind of thing. And you think, wow, I’ve, you know, how, how is it that our system works like this? But it’s because we’re so interconnected and the supply chains flow so much. So absolutely. I think some, some areas have made real progress.
33
00:00:32,000 –> 00:00:33,000
Richard Horne [00:12:22]:
You know, financial services and especially the big banks have had a lot of regulatory attention in this area and have made huge strides. But as you say, it’s a pressing issue for them.
34
00:00:33,000 –> 00:00:34,000
Frank Cilluffo [00:12:31]:
In their best interest.
35
00:00:34,000 –> 00:00:35,000
Richard Horne [00:12:33]:
Yeah, yeah. So, yeah, there are some really good examples of what can be achieved, but it takes time and it takes focus and yeah, that’s something. We’re all on that journey together.
36
00:00:35,000 –> 00:00:36,000
Frank Cilluffo [00:12:45]:
And if I’m not mistaken, NCSC is taking a smart approach. You can’t look at everything all the time, but looking at where you can have, where systemic risk is and where you can have systemic impact on the positive side, is that some of the thinking in terms of the analysis and where you can get the biggest bang for your buck or your pound?
37
00:00:36,000 –> 00:00:37,000
Richard Horne [00:13:06]:
Yeah, absolutely. So, yeah, we see ourselves, we have such a broad role to play, supporting regulators, supporting individual companies, charities, government departments. But also we do take, we have a whole scheme which we call Active Cyber Defense, where we’re looking for opportunities to make a scaled impact. So a great example is something we do call share and defend, where we collate from all sorts of different sources, some commercial, some from our monitoring, some from our intelligence, just all sorts of indicators of malicious links. And then we send that in real time to our Internet service providers in the UK so they can start blocking in real time. And we’re just starting to understand the impact of it. And it’s phenomenal that the amount of clicks on links that are getting blocked because of that service. So it’s not a silver bullet.
38
00:00:37,000 –> 00:00:38,000
Richard Horne [00:14:01]:
But if we can sort of, through interventions like that, take noise out of the system and allow us to focus on, therefore, what really matters beyond that.
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:14:09]:
And then it allows you and the security service to focus on the greatest risk. Right? So it sort of, it’s all triaging, prioritizing. If you were to look at it at a medical sense in terms of trying to have the greatest consequence. By the way, active cyber defense is a, it’s a big issue that’s being rediscussed here in the United States. Anything you want to share in terms of the ACD concept?
40
00:00:39,000 –> 00:00:40,000
Richard Horne [00:14:35]:
I think for us, you know, it’s something we started many years ago with protective DNS and offering it largely to government.
41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:14:40]:
Which is systemic.
42
00:00:41,000 –> 00:00:42,000
Richard Horne [00:14:41]:
Yeah, that’s right. But it’s something, organizations have to take it up. And so it’s kind of largely contained to government departments and charities and things which we’ve been expanding out as a service. But you can’t cover everyone with that. So what we’re doing is taking the outputs of what we’re learning from that and turning it into this share and defend, which then goes to the Internet service providers and enables them to take the real scale impact that kind of covers everything as well. So we’re all the time looking for ways to innovate and create those scaled impacts.
43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo [00:15:09]:
Awesome. Awesome. And, and if there were a significant incident in the UK and say COBRA was stood up or whatever process was stood up in the UK, where would NCSC fit into that picture?
44
00:00:43,000 –> 00:00:44,000
Richard Horne [00:15:23]:
It’s our role to communicate. This is what’s happening. This is what we don’t know. This is what organizations need to do to defend themselves and this is how we can help. So it’s absolutely our role to be at the center of incidents as they happen that are of national significance and to be sort of leading the charge in terms of these, this is the technical picture on what organizations need to do.
45
00:00:44,000 –> 00:00:45,000
Frank Cilluffo [00:15:43]:
And I think we’re starting to see that cyber is its own domain, but it transcends air, land, sea, space. It’s getting harder to differentiate physical cyber, kinetic cyber. So it would probably be all of the above, right? I mean at the end of the day. But NCSC does have that role, which is a critical role and hopefully you never have to step into those shoes soon. But I think that it’s more than unlikely. There’s a possibility that that actually does happen and I think is important. In the U.S., one of the challenges you will hear over and over and over is small, medium sized businesses, state, local, territorial, tribal. I know our systems are created a little differently so there is a tether to London on some of these issues from a policing standpoint.
46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:16:36]:
But how do we get around the small medium sized businesses? So I think most of the big infrastructure owner operators, at least they understand they need to do something. Are they doing enough? Probably not. But many of them didn’t go into business thinking they had to defend against China, Russia, Iran, North Korea and national security agencies and militaries. How do you get around the small medium sized business? If there’s an incident, who do they call?
47
00:00:46,000 –> 00:00:47,000
Richard Horne [00:17:02]:
So I think it’s a really good point and we have a number of strands to that answer. So there’s no one kind of…
48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:17:09]:
Just like us.
49
00:00:48,000 –> 00:00:49,000
Richard Horne [00:17:11]:
So I think the first thing is to recognize that actually for a small, a small organization, cyber security is easier. A lot of the challenges of cyber security, both in terms of defense and recovery and rebuild, comes from scale. You take the most extreme example of a, I don’t know, a builder who uses a laptop to do their supplies ordering. If the laptop gets bricked by ransomware, then they go out to the local store, buy a new laptop, if they’ve got it backed up in the cloud or backed up on a USB stick, then they’re back up in business and that’s straightforward. But it’s as soon as you get, start connecting systems together that the challenge becomes much harder, both in terms of defending but also in terms of being able to rebuild and be resilient. So I think the first thing is to try not to scare people.
50
00:00:49,000 –> 00:00:50,000
Richard Horne [00:17:57]:
It’s not as hard if you’re a small organization. The second thing is to have really clear guidance. So we have something called Cyber Essentials in the UK, which has been around for 10 years now. And it’s the, sort of the five foundational things that if you do these, then they’re the foundational things for cybersecurity and try and make that really clear, really simple. We’ve worked with insurers who have assessed how many claims on cyber insurance have been made when organizations had Cyber Essentials, and they’ve concluded that…
51
00:00:50,000 –> 00:00:51,000
Frank Cilluffo [00:18:28]:
Do you think your insurance sector’s figured that out? Ours is struggling. I just testified before Congress on this issue.
52
00:00:51,000 –> 00:00:52,000
Richard Horne [00:18:34]:
They assess that organizations are 92% less likely to make an insurance claim if they have Cyber Essentials. Okay, yeah, it’s great to have that fact. It’s not our fact, it’s what insurance industry is telling us. So things like Cyber Essentials, then we have a cyber governance code of practice for people who lead organizations and just try to make it really simple. What are the things to think about in lay people’s terms? Not talking tech, sort of technical, things like that. So we have a whole load of things like that and then the interventions that we can make at scale, like share and defend that sort of take some of that noise out of the system as well.
53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo [00:19:09]:
Awesome. And do you do any, and forgive me if I don’t know this, but do you have like, national tabletop exercise? I mean, because what you don’t want, and I’m drawing from counterterrorism environment, people exchanging business cards when the bomb goes off or something bad happens or the balloon goes up. How do you start? Because it, trust is at the heart of everything here and building trust with your partners. And when you look at cyber, everyone’s your partner. Right?
54
00:00:53,000 –> 00:00:54,000
Frank Cilluffo [00:19:39]:
So how do you, how do you start sort of peeling that back?
55
00:00:54,000 –> 00:00:55,000
Richard Horne [00:19:42]:
So one thing we do in, in the National Cyber Security Center is we have what we call trust groups where we’re encouraging industry to, to lead them more and more. But we catalyze. So for different sectors, we catalyze kind of, you know, CISOs coming together largely and sharing information. And they really come into their own in an incident. So in the uk, we had a sort of a little run of incidents in the retail sector recently, similar kind of TTPs. And so the retail trust group kind of fired up and was in real time sharing information about what the organizations were seeing, the victims being able to say, well, this is what happened to us in a trusted environment where everyone could then be vigilant for the specifics of what we were seeing, rather than sort of generalities.
56
00:00:55,000 –> 00:00:56,000
Frank Cilluffo [00:20:28]:
And you would share those sort of like an ISAC in the, with some of our critical infrastructure sectors.
57
00:00:56,000 –> 00:00:57,000
Richard Horne [00:20:34]:
Very much kind of building it so that it’s not, it’s sort of a bit more organic than, rather than a sort of command and control structure. It’s very much a group who feel that self interest and want to support each other, which I think is really important.
58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:20:49]:
And looking at UK’s role and NCSC in particular leans very forward, and I know there’s, the special relationship will always exist between the US and UK, and I am an unabashed proponent of the Five Eyes partnership. But when you start looking at international, how do you feel NCSC fits into that picture? Bilat, multilat, all of the above? Where do you, how do you start prioritizing that?
59
00:00:58,000 –> 00:00:59,000
Richard Horne [00:21:17]:
Yeah, so I mean for us, our relationship with the US, as you say, both, we’re part of GCHQ, so the signals intelligence relationships are really important. So the relationship with the US and the Five Eyes really does underpin especially our understanding the most advanced threat and how we get after
60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo [00:21:34]:
The APTs.
61
00:01:00,000 –> 00:01:01,000
Richard Horne [00:21:35]:
Yeah, that’s right. And we, we do a lot of work together. You’ll have seen loads of advisories and guidance coming out about specific threats that are…
62
00:01:01,000 –> 00:01:02,000
Frank Cilluffo [00:21:44]:
Including logos, formal logos, and I want to see more of that and other players too, other countries as well.
63
00:01:02,000 –> 00:01:03,000
Richard Horne [00:21:50]:
Absolutely. And we, you know, as a Five Eyes, we very much see the value of expanding that out to include many other countries. You know, the more we can create a unified sort of approach to combating some of these advanced threats, the, the more it will benefit us all because we are a global society and we depend on each other and we have to kind of create that movement of response, not just acting in isolation.
64
00:01:03,000 –> 00:01:04,000
Frank Cilluffo [00:22:14]:
And I don’t want to sound all breathy here, but we can’t take for granted that democratic countries, autocratic regimes can exploit technology in different sorts of ways. And there’s a bigger issue that I think democracies need to really line up on this. Even if we don’t agree on everything else. On some of these principles, that’s, that’s essential. Is that fair from your perspective?
65
00:01:04,000 –> 00:01:05,000
Richard Horne [00:22:38]:
Yeah. And I think working together with other countries and especially more developing countries as the US and the UK do. By supporting them, we’re helping that sort of democratic sort of drive globally for sort of the free will to really unite in combating some of these, as you say, quite almost existential threats.
66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:23:04]:
And it’s also realpolitik, it’s in our best interest because what happens there comes here. So it’s sort of a tripwire as well.
67
00:01:06,000 –> 00:01:07,000
Richard Horne [00:23:11]:
Absolutely.
68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:23:11]:
If you think about it in a traditional kind of way. In terms of supply chain issues, this is one, honestly, it’s really hard because at the end of the day, government’s visibility is limited here. It’s up to industry being able to literally fill out. And I feel like a lot of our policies in the US, very well intended, but they’re sort of analog solutions to a digital challenge. So SBOM is a great program. I will be the biggest advocate for it, but it’s literally like writing in. How do we get our arms around that? And, and, and this is important because they’re vulnerabilities not only from the data and info sec sets of issues, but hardware firmware in particular here. Right?
69
00:01:08,000 –> 00:01:09,000
Richard Horne [00:24:00]:
Yeah, yeah. And I think, as you say, it’s kind of, you know, it is one of the big unsolved challenges, as it were, that a lot of the technology that’s out there today, you know, we see many cyber attacks exploiting zero day vulnerabilities that frankly shouldn’t be there. And yeah, the quality of code that we have in our hardware, software, it is a big issue. I think there’s real opportunity with, we haven’t talked about AI yet.
70
00:01:09,000 –> 00:01:10,000
Frank Cilluffo [00:24:30]:
We’re gonna get there. Yeah, you can’t escape without that. No one can.
71
00:01:10,000 –> 00:01:11,000
Richard Horne [00:24:33]:
The biggest opportunity with AI, I think, in my view is if we can use AI to generate good code at the outset, then that’s a phenomenal win.
72
00:01:11,000 –> 00:01:12,000
Frank Cilluffo [00:24:43]:
Absolutely.
73
00:01:12,000 –> 00:01:13,000
Richard Horne [00:24:44]:
And we’ll start to, start to make a real impact over time.
74
00:01:13,000 –> 00:01:14,000
Frank Cilluffo [00:24:47]:
Alright, you opened yourself up to the AI question, and whether it’s AI or AI enabled is more the way I’m looking at it through application. But almost every national security leader I brought in tends to believe AI benefits the attacker. Almost every industry leader I’ve brought in tends to believe that AI done right benefits the defender. The red, blue. Clearly it’s a combination of both in my eyes. But I’d be curious, how is NCSC using AI or with your partners? Is that a, I hope you’re leaning forward on this. But smartly, I would imagine too. Right?
75
00:01:14,000 –> 00:01:15,000
Richard Horne [00:25:29]:
So I think one thing I do with cybersecurity is I try to talk about cybersecurity as a contest. Especially in private sector organizations. There’s a bit of a mindset of this is a risk, how do we control the risk? And actually you can’t control it. It’s a contest.
76
00:01:15,000 –> 00:01:16,000
Frank Cilluffo [00:25:44]:
Great.
77
00:01:16,000 –> 00:01:17,000
Richard Horne [00:25:44]:
And I play tennis.
78
00:01:17,000 –> 00:01:18,000
Frank Cilluffo [00:25:46]:
And I play tennis in college too, so there we go.
79
00:01:18,000 –> 00:01:19,000
Richard Horne [00:25:48]:
So thinking about, you know, in tennis, it’s a contest. You’re all the time seeing your opponent develop, you’re developing and you’re working that through. And I think AI is almost like the, you’re probably too young for this, Frank. But when we move from wooden rackets to composite rackets.
80
00:01:19,000 –> 00:01:20,000
Frank Cilluffo [00:26:08]:
I played with wooden rackets. Yeah.
81
00:01:20,000 –> 00:01:21,000
Richard Horne [00:26:08]:
It’s like, was that an advantage? It was an advantage to both sides and it was about adopting the technology and using it. And so I think it’s like that with AI. Is it an advantage to either side in the contest? Well, it depends on your pace of adoption. If you stick with a wooden racket, then ultimately you’re going to be overcome.
82
00:01:21,000 –> 00:01:22,000
Frank Cilluffo [00:26:26]:
And the court, right? Grass is different than Har-Tru, which is different than clay, which is different than…
83
00:01:22,000 –> 00:01:23,000
Richard Horne [00:26:31]:
But it’s like having this new technology does change the game, but it’s the extent to which you embrace it, enables you to keep in the contest.
84
00:01:23,000 –> 00:01:24,000
Frank Cilluffo [00:26:39]:
And learn from it, right? So in the DoD setting they call persistent engagement, you’re sort of grappling with the adversary to learn. And in an AI setting, it is very much the same thing that the, the, the way people discuss it, I think sometimes isn’t helpful because the bad guy only has to be right once. So if you look at it through that lens, you could see how AI is always going to have the scary side. But the truth is, is you can automate a big chunk of what we’re doing.
85
00:01:24,000 –> 00:01:25,000
Richard Horne [00:27:12]:
Yeah, that’s right. You can, you can take out vulnerabilities at the start. If you’re using AI to generate good code, then that could create a huge impact. You can use AI to understand how you’re vulnerable. You can use AI to look through your supply chain and see where you’re vulnerable in a way that you might not be able to without. You can use AI to understand sort of the real time view of your landscape, where you’re vulnerable, what attackers are doing, being able to join dots that humans can’t in, in real time. So there are huge advantages to defending. Equally, there are huge advantages to our adversaries.
86
00:01:25,000 –> 00:01:26,000
Richard Horne [00:27:47]:
And it’s a contest.
87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:27:48]:
That is a contest. And by the way, that was the old UK counterterrorism strategy was contest, so yeah, that plays well. I love it. So I also, since you brought up AI, we got to go to quantum and that could be a genuine game changer. Anything that NCSC is, and I know GCHQ is very focused on some of these issues, but because it could change the whole business of signals intelligence and cryptology and cryptography. But anything in particular that NCSC is concerned about, thinking about, investing in from a research, you’re a PhD in mathematics, so you’re going to know a lot more than I do on this side. But it’s a little bit of physics too, but yeah.
88
00:01:27,000 –> 00:01:28,000
Richard Horne [00:28:34]:
So, so I think again, quantum, it’s a new technology and if you’re listening to this and you don’t quite understand the impact on cybersecurity, the big impact is if quantum computers reach certain size then they’ll be able to break much of the cryptography that’s used today. So, but the, the good thing is we, we know what cryptography will be resistant to a quantum computer. So it’s a, it’s like Y2K. It’s a case of finding all the cases of cryptography in your systems and replacing them with quantum resistant cryptography. Now clearly it’s a huge challenge but we do have the luxury of time if we embrace it. So you know our viewers…
89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:29:14]:
But can’t take it for granted.
90
00:01:29,000 –> 00:01:30,000
Richard Horne [00:29:15]:
We can’t take it for granted. So we’ve issued some guidance recently which very much aligns with what’s been said here in the US and and elsewhere in the Five Eyes that sort of we need to view this as a 10 year journey and we’ve just got, NIST have just certified some algorithms for use. They’re now, implementations are being worked up so you probably don’t want to rush in with implementations that are a bit immature. Equally, you need to be looking to having replaced all your cryptography in a 10 year time frame. So there’s a 10 year timeframe to map out. Now for many organizations, unfortunately a lot of their budget cycles don’t think in terms of decades. So it’s a case of keeping a focus through that, through that time frame on you’re first of all testing implementations, understanding your environment, understanding what your suppliers will fix for you over time, understanding what you have in your, in your bill of materials as you say, sort of where cryptography is and getting to that point over that 10 year frame.
91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:30:16]:
You know there’s a lot in our business to be depressed about. But, and I’m often told by friends, a pessimist is an optimist with experience. I still tend to be optimistic. What on the light side, what keeps you, what’s most exciting for you? There’s so much innovation going on, but I don’t want to put words in your mouth. What are you most excited about?
92
00:01:31,000 –> 00:01:32,000
Richard Horne [00:30:41]:
Yeah, I think, and again it’s this kind of contest mentality. There is so much that we’re doing that is advancing us. A lot of what cloud service providers can give small organizations today encapsulate so much security, technology, and processing that would be out of reach of small organizations a few years ago. But equally that’s part of this evolving contest. You’ve got to keep getting better and that’s what we’re doing. So there is so much that is happening that is good. So I think it’s a case of not being pessimistic or optimistic, but being pragmatic about it. We’re in a contest.
93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:31:25]:
Well, that’s a very stoic perspective and a good perspective because it is reality, and just total sidebar, you mentioned cloud service provider, and that is if you can push some of that, they are much more capable to provide services to small, medium sized businesses. And if you shift the onus a little there. Have you designated cloud service providers a critical infrastructure?
94
00:01:33,000 –> 00:01:34,000
Richard Horne [00:31:49]:
So in the UK we’ve designated data centers, the critical infrastructure that a lot of that sort of sits on and a lot of the, especially in things like financial services, but as well in incoming regulation, your critical national infrastructure where they have dependencies on others for them to flow through requirements on their providers.
95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:32:09]:
And AI is very hungry from an energy perspective. And that’s become a very big issue here in the United States. To be AI dominant, we also have to be energy dominant. Anything creative the UK is thinking about that?
96
00:01:35,000 –> 00:01:36,000
Richard Horne [00:32:28]:
So I think that’s kind of slightly outside of…
97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:32:31]:
But it affects your work.
98
00:01:37,000 –> 00:01:38,000
Richard Horne [00:32:32]:
Absolutely, it affects my work. And the UK has an AI action plan that it’s pursuing that the prime minister published several months ago. And yeah, that’s very much part of the thinking of the UK government is how do we, how do we embrace AI and how do we kind of be one of the leaders in, in an AI world?
99
00:01:38,000 –> 00:01:39,000
Frank Cilluffo [00:32:50]:
And Richard, I didn’t, I failed to bring up, and during your dissertation you spent some time in Auburn.
100
00:01:39,000 –> 00:01:40,000
Richard Horne [00:32:57]:
Absolutely. That’s why I said War Eagle.
101
00:01:40,000 –> 00:01:41,000
Frank Cilluffo [00:32:58]:
Yeah, yeah. Which is a good one. Exactly.
102
00:01:41,000 –> 00:01:42,000
Richard Horne [00:33:01]:
I spent a few week in Auburn. So yeah, it was great. It feels like coming home, seeing all the Auburn stuff around.
103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo [00:33:05]:
Well, you’ve got an open invitation here and anytime you want to get back to campus, that’s an open invitation. My team has a pretty big presence in Huntsville as well because that’s space roles there. What questions didn’t I ask that I should have?
104
00:01:43,000 –> 00:01:44,000
Richard Horne [00:33:21]:
Probably loads.
105
00:01:44,000 –> 00:01:45,000
Frank Cilluffo [00:33:23]:
I know.
106
00:01:45,000 –> 00:01:46,000
Richard Horne [00:33:24]:
No, I think for me the big thing is in the world we’re in, we all need to recognize we have a responsibility for cybersecurity for ourselves and for others. And the more we can work together internationally, the more we can work together, government and private sector together, to make sure we’re all stepping up to that responsibility and really understand organizations like mine can empower, can help. But we do need all organizations to take that step and understand that cybersecurity is part of their mission. It’s not an additional cost, but cyber security is actually part of your mission.
107
00:01:46,000 –> 00:01:47,000
Frank Cilluffo [00:34:01]:
And in the for what it’s worth, when I served on the Solarium Commission, I wanted to build an NCSC in the UK. Now it gets complicated with intelligence authorities in the US but in all sincerity, you are leading an essential organization that is every day doing important work for the betterment of your citizens. And I think our citizens benefit from all of that. And let me just say thank you for taking time on your busy trip to D.C. to sit down with us and, and more importantly, for continuing to fight the good fight, because the good, the good, the women and men that want to do good will do good. But they, but, but they ultimately are going to need leaders like you to make that happen. So thank you.
108
00:01:47,000 –> 00:01:48,000
Richard Horne [00:34:45]:
Thank you. And thank you for having me here.
109
00:01:48,000 –> 00:01:49,000
Frank Cilluffo [00:34:46]:
Let me leave you with the token, both figuratively and literally, of our appreciation, our coin, and it’s actually made in the U.S. so, Richard, thank you,
110
00:01:49,000 –> 00:01:50,000
Richard Horne [00:34:53]:
Thank you.
111
00:01:50,000 –> 00:01:51,000
Frank Cilluffo [00:34:54]:
Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.