New cyber incident classification to boost UK response

The National Cyber Security Centre (NCSC) has announced a new cyber attack classification system to align better with UK law enforcement.

The new approach will see the NCSC – a part of GCHQ – working hand in hand with law enforcement agencies to defend against the growing cyber threat.

The NCSC has responded to more than 800 significant incidents since October 2016, and its incident responders will now classify attacks into six specific categories, rather than the previous three.

The changes, which are effective immediately, are aimed at improving consistency around the incident response and enabling better use of resources to extend support to more victims.

Paul Chichester, director of operations at the NCSC, said the new joint approach, developed in partnership with UK law enforcement, will strengthen the UK’s ability to respond to the significant, growing and diverse cyber threats the country faces.

“The new system will offer an improved framework for dealing with incidents, especially as the EU’s GDPR [General Data Protection Regulation] and the NIS [Network and Information Systems] Directive come into force shortly,” he said. “Individual judgements will, of course, still be applied to respond to incidents as necessary.”

Information processed by the new framework will ultimately be used to generate the “most comprehensive” national picture to date of the cyber threat landscape, said the NCSC, spanning the full range of incidents from national crises to cyber attacks on individuals.

The incident category definitions are aimed at giving greater clarity on response mechanisms for incidents by identifying which factors would happen to activate a specific classification, which organisation responds, and what actions they would take.

National Police Chiefs’ Council lead for cyber crime, Peter Goodman, described the new classification system as “a hugely important step forward” in joint working between law enforcement and the intelligence agencies.

“Sharing a common lexicon enables a collaborative understanding of risk and severity that will ensure that we provide an effective, joined-up response,” he said. “This is good news for the safety of our communities, business and individuals.”

The framework encompasses cyber incidents in all sectors of the economy, including central and local government, industry, charities, universities, schools, small businesses and individuals.

Any cyber attack that may have a national impact should be reported to the NCSC immediately, the agency said. This includes cyber attacks that are likely to harm UK national security, the economy, public confidence, or public health and safety.

Depending on the incident, the NCSC may be able to provide direct technical support in addition to the guidance and advice on its website for companies or individuals in need.

Individuals or businesses suffering a cyber attack below the national impact threshold should contact Action Fraud, the UK’s national fraud and cyber crime reporting centre, which will respond in accordance with the new incident categorisation.

Ollie Gower, deputy director of the National Cyber Crime Unit (NCCU) at the National Crime Agency (NCA), said the agency and wider law enforcement already work hand in hand with the NCSC to provide a strong, coordinated response to cyber incidents targeting the UK.

“This new framework will ensure we are using the same language to describe and prioritise cyber threats, helping us to deliver an even more joined- up response,” he said.

“I hope businesses and industry will be encouraged to report any cyber attacks they suffer, which, in turn, will increase our understanding of the cyber threat facing the UK.”

The announcement coincides with the final day of CyberUK 2018, the NCSC’s conference that has attracted more than 2,000 people from the cyber security industry, law enforcement, government and academia.

The conference has seen Manchester Central Convention Complex transformed by state-of-the-art industry and government displays demonstrating cutting-edge technology to help the UK thrive in the digital age, alongside a series of lectures, keynotes, panel debates and workshops on nurturing cyber skills and understanding, reducing and responding to cyber attacks.

The new categories of incident are: National cyber emergency, Highly significant incident, Significant incident, Substantial incident, Moderate incident and Localised incident.