Uncontrolled cyber attacks on UK cyber defenders’ radar

The UK’s National Cyber Security Centre (NCSC) considers preparing for uncontrolled cyber attacks just as important as preparing for targeted ones, as it continues to brace for an attack of national significance.

Fearing reckless attacks as much as controlled attacks was one of the biggest lessons of 2017, NCSC chief Ciaran Martin told The Guardian, citing WannaCry an example of when attackers lose control.

The UK and US have blamed WannaCry on North Korea, which, according to the NCSC, has shifted its focus from disrupting infrastructure to stealing money through various methods, including ransomware.

WannaCry is seen as part of those efforts, but the NCSC believes the malware did not behave as expected, causing disruption instead of being an effective way of collecting ransom payments.

In the UK, the biggest impact of WannaCry was on the NHS, but despite the level of disruption caused, it ranked only as a category two (C2) attack, requiring a cross-government response.

Martin reiterated the NCSC’s fairly long-standing view that the UK in all likelihood could face a major category one (C1) cyber attack of national significance by 2020.

He said the UK had been “fortunate” to avoid facing a C1 attack to date, unlike the US, France and other parts of Europe.

Publication of the interview comes a day after the UK’s army chief called for increased defence spending to help the country keep up with its adversaries, particularly in the light of the cyber threat.

Cyber attacks that target military and civilian operations are one of the biggest threats facing the country, UK defence chief of general staff Nick Carter warned in light of the fact that Russia, North Korea, Iran and China have been blamed for cyber attacks on the US and Europe in recent months.

Martin confirmed that some of these attacks were aimed at identifying vulnerabilities in infrastructure for potential future disruption, but that there had been no successful attempt to influence UK democracy.

The UK has previously indicated that it is building cyber-offensive capabilities, and while Martin said this will be an “increasing part of the UK’s security toolkit”, he pointed out that a cyber attack would not necessarily trigger a retaliatory cyber attack, but a range of responses would be considered, including sanctions.

The latest NCSC figures, to December 2017, show that in the NCSC’s first 14 months, it recorded no C1-level incidents, 34 C2-level incidents – including WannaCry – and 762 C3-level incidents, which are “major incidents” that typically involve only single organisations such as a defence contractor.

This means there has been just one C2-level incident and 178 C3-level incidents since September 2017.

While Martin said total protection is impossible, NCSC technical director Ian Levy believes a change in approach to cyber security could reduce the likelihood or impact of an attack.

In September 2017, Levy said the NCSC believes that by putting some science and data behind cyber security, it can demystify it and enable UK organisations to deploy effective and appropriate defences.

For this reason, Levy said the NCSC has begun publishing data and evidence to ensure people really understand how to conduct risk management properly. “Because in the end, cyber security is just risk management,” he said.