The cyber threat to UK businesses is “bigger than ever”, according to the latest joint cyber threat report by the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).
Asked how businesses should respond to the report, NCSC technical director Ian Levy said: “If they do nothing else, they should do the basics. Of all the incidents we have investigated in the past year, almost all of them could have been prevented or at least mitigated to a great degree by the basics.”
Jacqui Chard, deputy director, defence and national security at the NCSC, said the report again underlines the importance of following best practice and putting processes in place to ensure “basic cyber hygiene”.
The important take-aways for cyber crime and good practices contained in the NCSC-NCA report also apply to the defence and national security sectors, said Chard.
“Although we think predominantly about the operational ‘in theatre’ risk, our people need to be equipped with the insights provided by the report,” she said. “While the defence and national security sectors are typically extremely capable technically, we still have a really big workforce around the world and a large partner network, so lessons around good practice and basic cyber hygiene apply to all of them.”
Although the NCSC is not saying that organisations need to patch every server, Levy said the ones exposed to the internet absolutely should be patched up to date, and although the NCSC is not saying organisations should use two-factor authentication for everything, they should for all critical systems.
All cyber attacks work on the basis of a return on investment, said Levy, whether it involves nation states or cyber criminals. “If you can mess about with the model, they will go somewhere else,” he said. “If you can make it that your organisation is not collateral, they will go somewhere else.”
The NCSC’s Active Cyber Defence (ACD) programme, which is aimed at increasing risk to cyber adversaries and reducing their return on investment to protect the majority of people in the UK from cyber attacks, achieved significant success in its first year in reducing the UK’s share of global phishing attacks, shutting down more than 100,000 phishing sites hosted in the UK, removing thousands of spoofed UK government domains, and blocking millions of malicious emails each month.
Now that the NCSC has proved that those simple technical measures have had a “decent effect” on attackers, Levy said the next step is to scale that to be UK-wide and run by the private sector.
“For example, the day after our first annual report was published, BT announced it had set up a free sharing platform for all ISPs [internet service providers],” he said. “The idea is that we get ISPs to protect their residential, SME and charity customers by default for free, and that is how we can change the scope of attacks against the UK.”
The ACD programme includes the use of the domain-based message authentication, reporting and conformance protocol (Dmarc), which lets email domain owners publish a policy in DNS telling receiving mail servers how to treat messages that fail SPF or DKIM checks for that domain, making it harder for criminals to spoof messages to appear as if they have come from a trusted address.
“Not only do we want industry in the UK to use Dmarc, we also want to help change software so that it is easier for people to see when they are being spoofed,” said Levy. “We are looking to do something with the major software and service providers to give people better information, so it is harder to spoof people using email.”
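To make the mechanism concrete, the following is an added illustration (not NCSC code, and not the exact logic of any particular mail server) of how a receiver applies a Dmarc record: it parses the published TXT record, checks whether the SPF or DKIM result is aligned with the domain in the From header the user sees, and turns the outcome into a disposition. The domains, the record and the authentication results are constructed for the example; the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup real implementations use.

```python
# Added illustration of how a receiving mail server applies a DMARC record.
# Not NCSC code; the domains and authentication results below are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into its tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def organizational_domain(domain: str) -> str:
    """Approximation: the last two labels. Production code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain in the From header the recipient sees
    spf_result: str             # "pass", "fail", "none", ...
    spf_domain: Optional[str]   # envelope sender domain that SPF was checked against
    dkim_result: str
    dkim_domain: Optional[str]  # d= of the DKIM signature that validated, if any


def evaluate(record_txt: str, record_domain: str, r: AuthResults) -> Dict[str, str]:
    """Return the DMARC result and the disposition the receiver should apply."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    policy = tags["p"].lower()
    # If the record was found at the organizational domain but the From domain is a
    # subdomain, the sp= tag (when present) governs instead of p=.
    if r.from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"].lower()
    return {"dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy}


# Constructed sample data for the example.
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.org"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
# A spoof: From says example.org, but SPF passed only for an unrelated sending domain.
SPOOFED = AuthResults("example.org", "pass", "bulk-sender.example.net", "none", None)
# A legitimate message: forwarded (so SPF broke) but carrying a valid example.org DKIM signature.
LEGIT = AuthResults("example.org", "fail", "example.org", "pass", "example.org")

if __name__ == "__main__":
    print(evaluate(RECORD, "example.org", SPOOFED))        # fail -> reject
    print(evaluate(RECORD, "example.org", LEGIT))          # pass -> none
    print(evaluate(MONITOR_ONLY, "example.org", SPOOFED))  # fail, but p=none still delivers
```

The third call shows the caveat that matters in practice: a record with `p=none` produces aggregate reports but blocks nothing, so a domain that stops at the monitoring stage is still spoofable. The usual rollout is `p=none` to learn which legitimate senders are unaligned, then `p=quarantine`, then `p=reject`.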
Another key component of the ACD programme is Web Check, which performs some simple tests on public sector websites to find security issues. It provides clear reporting to the service owners, along with advice on how to fix any problems.
However, it is not clear yet how this service can be scaled up to be UK-wide, said Levy. “And that is not a technical problem, but a market problem. If we provide free vulnerability scanning for charities in the UK, for example, it is not clear whether that will kill the market or raise it up. So we need to do a set of studies to work out how this will scale.”
In the coming year, the NCSC plans to introduce “three or four” new elements to its ACD programme, which, like the first few, will be tested for effectiveness across government departments.
“One is a vulnerability disclosure pilot, which is in response to complaints by security researchers about how difficult it is to report vulnerabilities to government,” he said. “This initiative is aimed at making sure that it is easier and simpler to report vulnerabilities and ensuring that government takes its responsibility seriously and fixes things in a sensible way.”
Another initiative is aimed at building a tool that discovers what infrastructure the government is using to enable automatic alerts of associated security risks. “If we know everybody who is using something, when a vulnerability in that thing is discovered, we can automatically alert all those affected,” said Levy.
The NCSC-NCA cyber threat report also includes case studies and summaries of the top 30 incidents in the past year. “They all have something that enterprises can take away,” said Levy.
“Organisations need to think about how they can respond before it happens to them because no organisation wants to be innovating through a crisis. Instead, you want a well-practised incident response playbook that sets out what are the most critical systems, what action to take and who to contact.
“If there is one thing I would ask big businesses to do, it would be to invest in some planning and to ensure that their boards know what questions they should be asking around cyber security because a lot of CIOs are not happy to be challenged in the way that I think they should be.
“If a CIO can defend his or her decisions and explain them in a way the board can understand, they possibly do not understand the issues well enough themselves to be doing the job effectively.”
Social media footprints
Chard said that one area of cyber security that the private sector could learn from the defence and national security sectors is helping individuals in organisations to understand their social media footprints and how these build up.
“The approach in the military and security sectors is to encourage people to live their lives normally, but to be aware of the risks,” she said. “It is difficult to have a zero internet footprint, and very few people are required to do that because of their job, so what we need to do is to help people understand that their online footprint is important, so that they take the necessary precautions not to disclose any sensitive information about operations and associated locations.
“The MoD is increasingly building this type of awareness into military exercises as well as interaction with social and traditional media, and so it would be good for the private sector to do likewise when they are doing cyber security exercises in the business context.”
The NCSC-NCA report is also relevant for the MoD, said Chard, because it is also an online business in many respects, communicating and doing business online. “So cyber crime is an important consideration, in addition to the high-end threats, which we also see increasing,” she said.
In the military context, Chard said there are strong relationships with the UK’s allies around cyber threats, and in this respect, the UK’s departure from the European Union is not likely to make any difference. “There are obviously practicalities from an economic point of view, which could have impacts on capabilities that we can share, but that is still unknown,” she added.
The NCSC is a signatory to the Nato memorandum of understanding on cyber defence, said Chard, and there is a lot of interaction with Nato in the defence context, with the UK being an active participant in all Nato cyber exercises.
“Nato members are the primary allies for our forces, and so I regularly support the MoD with allies bilaterally and trilaterally and in the Nato context, as well as our deployed forces overseas to help them understand the cyber threat,” she said.
Asked about the MoD cyber reservist programme, Chard said it is now fully set up and active. “The criteria for joining have also been set and relaxed to enable a larger number of people from the private sector to contribute expertise without needing to meet the MoD’s physical requirements and the highest levels of security clearance,” she said.