On Wednesday 23 October, the National Cyber Security Centre (NCSC) released its third Annual Review, analysing and making public a catalogue of its successes over the last year, including advances made to protect individual citizens and increased international cooperation to increase cyber resilience and defend against state-sponsored cyber-attacks.
The below analysis of the Annual Review 2019 highlights the achievements of the NCSC over the last year, the improvements required to fully understand, reduce and respond to cyber-attacks, and future avenues of growth for the NCSC.
Though the NCSC has succeeded in increasing cyber resilience, it still had to deal with 658 major incidents, with the most effected industries being Government, Academia and the IT sector. Clearly therefore, despite these improvements, more work is needed to maintain the UK’s place as the safest place to do business online.
The review highlights that over the last year there have been significant attacks from strategic adversaries such as the Russian GRU (military intelligence) and APT10, working on behalf of the Chinese Ministry of State Security, aiming to gain access to sensitive intellectual property and commercial data and targeting political institutions, businesses, media and sport. The NCSC has a huge role in minimising these threats, and through its new Indicator of Compromise (IOC) Machine, helps declassify sensitive material, increasing UK resilience to these threats.
The review showcases some of the recent regulatory and educational projects the NCSC has undertaken to increase protection and understanding of cyber threats, including but not limited to:
- Secure by Design Code of Practice for IoT in tandem with DCMS
- New web platform and Board Toolkit, to encourage cyber security discussions within businesses
- CyberFirst Girls Competition
The NCSC also managed to support government, businesses and the public in the following ways:
- Provided support to almost 900 victim organisations
- Took down 177,335 phishing URLs, 62.4% of which were removed within 24 hrs
- Added more than 5,000 new members onto the Cyber Security Information Sharing Partnership (CiSP)
- Enabled 2886 small businesses across the UK to do simulated cyber exercising
- Delivered cyber security awareness and training sessions to more than 2,700 charities
- Hosted 197 events with more than 9,000 attendees
In highlighting their achievements and future development, the review was structured around six key themes, and the advancements made within each theme:
1. Cyber security for individuals and families
The NCSC has helped ensure people of all ages have the confidence, skills and protection to be secure when using internet-connected devices and online services.
Broadly, the NCSC’s efforts have focused on four themes: reducing the burden on the general public by ensuring security measures are in place before they access the device; making it easier to act upon cyber security advice; equipping people with the confidence and tools to protect themselves; and raising awareness within the general public, both to protect themselves and inform others.
To achieve this, the NCSC has engaged extensively with national and international bodies including the Department for Digital, Culture Media and Sport (DCMS), where they informed policy protocols for the Secure by Design Code of Practice for consumer IoT security. They have also published extensive guidance to help people protect themselves online, allowing the public to remain secure when setting up devices, checking default settings and managing updates.
Moreover, the pioneering Operation Haulster has disrupted cyber-crime by flagging fraudulent intention against more than one million stolen credit cards and the NCSC’s efforts to halt attacks on Magento, an open source shopping platform, have showcased their efforts to protect online and financial consumers. The NCSC has also tested the cyber resilience of 19 mobile phone networks and has sped up the response to Border Gateway Protocol (BGP) misuse through its new BGP Spotlight, which will alert UK Internet Service Providers (ISPs) when BGP misuse occurs, allowing them to respond quickly and minimise the disruption to the internet.
There is, however, more to be done to secure individual digital footprints. The NCSC’s UK Cyber Survey 2019 states that though 68% of people say that they know either a fair amount or a great deal about how to protect themselves online and 80% say cyber security is a high priority for them, 37% believe loss of personal details is unavoidable and 34% rely on connections for help on cyber security. Moreover, there were almost one million incidents of computer misuse over the last year, and there is continued need to create greater security and protection for individuals.
Though the NCSC has published informative documents, such as its analysis of the 100,000 most commonly re-occurring passwords, more needs to be done to get this information to the public and build awareness of how attackers use common vulnerabilities to gain access to sensitive systems.
2. Targeting the biggest risks
NCSC’s programmes have played a critical role in protecting the institutions, infrastructure and services people rely on.
For example, NCSC’s Active Cyber Defence (ACD) programme represents a major step-change in the country’s approach to cyber security because of its voluntary nature and is an example to other countries of the bold measures required to protect the digital homeland. This programme includes:
- web checks to find obvious security issues so owners can fix them
- protective DNS (PDNS) to block public sector organisations from accessing malicious domains
- Mail Check to help root out phishing attacks,
- and ADC’s takedown service which find malicious sites and gets them removed from the internet.
These services have been remarkably successful with 177,335 phishing URLs taken down in the last year, and 62.4% within 24hrs of being determined malicious. Moreover, over the last year, more than double the number of government organisations are protected by PDNS and 460+ organisations are using this service.
Given the success of ACD there are plans to increase its reach to include a new automated system which acts on public information to shut down malicious sites and a new Internet Weather Centre which will provide a comprehensive understanding of the digital landscape. There are also preparations to create an Infrastructure Check Service to help national infrastructure providers scan infrastructure for vulnerabilities and a Breach Check which helps organisations check whether employee email addresses have been compromised.
Alongside the ACD, the NCSC are providing several other services to raise cyber resilience in the public sector. This includes active input into the Cabinet Office’s Government Security Group, providing cyber threat assessments limiting the impact of adversaries on our elections and political process, and promoting regulatory cohesion through the NCSC’s Cyber Assessment Framework.
Finally, the NCSC works with international allies and military services to develop comprehensive systems for National Security. This includes the creation of Cyber Surgeries with Ministry of Defence (MOD) figures and aiding the transition of ROSA, a central government IT System, as it becomes a fully supported service across government.
3. Countering the adversary
Strategic adversaries of the UK and organised criminal organisations continue to attempt to undermine UK security systems. The NCSC vision in countering these threats is guided by three principles:
- Impact Driven: Prioritise where most harm is to be caused and where NCSC can have the most impact in reducing it.
- Threat Focused: Disrupt operation of cyber adversaries.
- Vulnerability Informed: Which sectors are most at risk.
Consequently, the NCSC have utilised the following strategies in their mission to deter strategic adversaries:
- Calling out Hostile State Actors: Working with a strong network of partners the NCSC, where possible, aims to locate the source of a cyber attack.
- Launching the NCSC’s Cyber Defence Ecosystem (CDE): The CDE aims to foster a national ecosystem of collaborative threat analysis and automated threat sharing.
- Finally, the NCSC has created an Indicator of Compromise (IOC) Machine which has changed the way sensitive material is declassified.
4. International cooperation
The NCSC is keen to show the steps they have taken to help other countries improve their defensive cyber capabilities and they have visited 20 countries to improve cyber capability and welcomed delegations from 56.
Crucially, NCSC has worked closely with NATO to support deterrence and defence objectives and strongly supports the 2016 Cyber Defence Pledge that aims to ensure the Alliance is fully cyber trained and secure.
5. Securing the digital homeland
The NCSC was keen to emphasise it had improved cyber capabilities within the general population and was providing educational opportunities, dealing with more than 11,000 queries last year whilst building a new and improved website to educate on the importance of cyber security.
Alongside this, NCSC ran a campaign with the Cabinet Office and DCMS to change national behaviours surrounding cyber security and provided educational literature for businesses, such as a Small Business Guide. In 2019, 14,234 Cyber Essential Certificates were also issued, representing a 39% increase on the previous year. However, this scheme is not working without limitations. At present the certifications have no automatic expiry dates which can lead to outdated certification being used to justify cyber security credentials. Consequently, as of next year, certification will be issued with a 12-month expiry.
6. Cyber capability for the future
The final point the NCSC Review seeks to raise is the measures it has taken to increase the UK cyber security talent pipeline, creating the next generation of cyber leaders.
One of the main components of this is the CyberFirst pathway which guides the development of young people interested in cyber from ages 11 to 18+. The project was successful with 90% of students in the upper age groups hoping to secure a career in cyber security, and a 30% increase in the number of applications.
Alongside this is the Cyber Schools Hub which has 26 participating schools and provides over 250 extra teaching hours to train school children.
Finally, the NCSC wants to highlight that it supports the growth of start-up cyber companies which are bringing new security products to the market. The third cohort of the NCSC Cyber Accelerator created 30 jobs and raised more than £15m in funding.
It is really encouraging to see that the NCSC has made valuable steps to increasing cyber resilience among the general population and has also created vital infrastructure systems that allow the detection of malware and defence of the cyber realm more credible. Clearly, cyber security remains a Tier 1 threat, but the NCSC has had a positive impact in mitigating the effect of both sophisticated state sponsored attacks and speculative phishing emails.
Moreover, cyber vulnerability is an issue which crosses borders and it is therefore encouraging that the NCSC has worked with the Foreign and Commonwealth Office to provide a framework to help engage allies and partner nations, and booster worldwide defensive cyber capabilities.
techUK particularly welcomes the work supporting financial institutions, making them aware of fraudulent attempts to withdraw cash. Operation Haulster has thus far flagged up efforts to defraud more than one million stolen credit cards.
However, they need to continue their active engagement. CEO of the NCSC, Ciaran Martin, admitted that there were still too many “basic attacks” that were successful and that the NCSC “need to do those basics right but also … look at what challenges are ahead”. Sneha Dawda of the Royal United Services Institute says that in writing the UK Cyber Security Strategy, the NCSC will require “sustained transparency, clear communication and commitment … to maintain a high level of engagement”. Consequently, the commitment to train the next generation of cyber professionals through the academic centres of excellence and the Cyber First projects could be vital, helping to bridge the gap between the current workforce and industry need.
techUK looks forward to seeing how NCSC continues to protect the UK public online over the next year.