Government and the private sector must work together to sort out some of the big cyber security problems in the IT industry, says Ciaran Martin, CEO of the National Cyber Security Centre (NCSC).
“Let’s have a defensive technocratic partnership with the commercial drivers in this industry and let’s get after some of these big problems,” he told the European Cybersecurity Forum in Krakow.
Citing the processor design flaws behind Spectre and Meltdown, and vulnerabilities in the SSL and PGP protocols, Martin said there are still a few key things that could be done that would have an “absolutely transformative effect”.
Detailing the NCSC’s Active Cyber Defence programme, he said a key aim is to publish evidence showing, “in basic steps”, how that could work.
“We want to build up from that with industry and international partners, and while we do not claim to have all the answers, we are saying this is a contribution to the conversation where we want to work with international partners – public and private – to analyse, to share and to learn,” he said.
“Together, we can make much more progress in making this precious new sense of freedoms and opportunities that the internet allows, automatically safer, and I hope that Active Cyber Defence is a small contribution and step in that direction.”
Emphasising that the Active Cyber Defence programme has “nothing to do with hacking back”, Martin said he was delighted to discuss the programme at a conference about public policy on cyber security.
“Despite its huge strategic importance, I think we don’t talk enough about public policy in cyber security – and it matters profoundly,” he said.
The “explosion of opportunity and freedoms” in the digital age faces a range of threats, said Martin, including “alternative visions” of the internet and the digital age that want to take away and compromise those freedoms and trust.
“Active Cyber Defence is our public policy contribution to take an incremental, but positive, step to build some of that trust,” he said.
The aim of the programme is to protect the majority of people in the UK from the majority of harm caused by the majority of the attacks for the majority of the time, said Martin.
“It’s a practical set of automated and free-to-implement measures to stop relying on the user to do the impossible, to get in at the start of the chain, and to do it on as large a scale as possible in collaboration with industry where possible,” he said.
To date, the programme includes measures such as automated takedowns, free safety checks for small public authorities that cannot afford them, implementation of the DMARC email authentication protocol, and protective DNS to block access to known malicious sites automatically, said Martin.
“A key principle [of the Active Cyber Defence programme] is that it relies on real measurable data; on evidence that we can then publish to show how well it works, so that others can adopt what works well and we can jettison those things that are not,” he said.
For example, in the past two years the automated takedown service has cut the average time a phishing site hosted in the UK stays up before it is taken down from 27 hours to just one hour, said Martin.
“That is an important bit of progress in making the UK a much less attractive place to host phishing sites, and we have removed nearly 140,000 to date, and the UK share of international phishing sites has gone down from nearly 5.5% to just over 2%.”
Martin said the Web Check component of the Active Cyber Defence programme was the result of the realisation that the NCSC was lecturing organisations to behave as if they were corporate giants, when, in fact, small local government bodies in the UK could not afford the technology or the people who could understand the data.
“Web Check takes all an organisation’s internet-facing services, runs a basic test on them, tells them if their digital certificate has expired or is about to expire, and gives them practical advice on how to fix it,” he said. “We have had 2,372 urgent findings to date that have been fixed.”
NCSC data also shows that in just the first year of using DMARC, the UK tax authority blocked 500 million phishing emails that pretended to come from it.
“This is another Active Cyber Defence measure that gets away from the madness of telling people that they should know what to do to be safe at all times, and that they should be able to judge whether every email they receive is genuine or not and to act accordingly,” said Martin.
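The mechanism behind that figure is worth making concrete. The block below is an added illustration, not NCSC code or anything published by the Active Cyber Defence programme: it evaluates a sending domain’s DMARC policy (RFC 7489) against the SPF and DKIM results for a received message and returns the disposition a receiver would apply. The domain `example.gov.uk`, its DMARC record and the three message scenarios are all constructed for the example; the tiny public-suffix table stands in for the real Public Suffix List, and the `sp=` and `pct=` tags are deliberately not handled.

```python
"""DMARC disposition for a received message (added example, RFC 7489 semantics).

Constructed scenario: the domain example.gov.uk publishes
    _dmarc.example.gov.uk  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.uk"
A receiver that has already checked SPF and DKIM uses the record to decide whether
a message whose visible From: header claims example.gov.uk should be delivered.
"""
from dataclasses import dataclass

# Stand-in for the Public Suffix List; a real implementation must use the full list.
KNOWN_SUFFIXES = {"co.uk", "gov.uk", "org.uk"}

# Constructed DMARC record for the example domain (not a real published record).
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.uk"


@dataclass
class AuthResult:
    """Outcome of the SPF and DKIM checks the receiver performed on one message."""
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str   # d= tag of a DKIM signature that verified, "" if none


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs and apply RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v= tag must be DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain: one label above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in KNOWN_SUFFIXES else 2
    return ".".join(labels[-n:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) requires an exact match, relaxed (r)
    only requires the same organisational domain."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(from_domain: str, record: str, auth: AuthResult) -> str:
    """Return 'pass' if either SPF or DKIM passed *and* is aligned with the
    From: domain; otherwise return the domain owner's requested policy."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain, tags["aspf"])
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Scenario 1: a phish. SPF passes, but only for the attacker's own sending domain,
# and there is no DKIM signature, so nothing aligns with the spoofed From: domain.
PHISH = AuthResult(spf_pass=True, spf_domain="phish-host.example",
                   dkim_pass=False, dkim_domain="")

# Scenario 2: legitimate mail signed by a subdomain of the From: domain.
LEGIT = AuthResult(spf_pass=False, spf_domain="bounce.mail-provider.example",
                   dkim_pass=True, dkim_domain="mail.example.gov.uk")


def evaluate_scenarios() -> dict:
    """Run the constructed scenarios and return each disposition."""
    strict_record = EXAMPLE_RECORD + "; adkim=s"
    return {
        "phish": dmarc_disposition("example.gov.uk", EXAMPLE_RECORD, PHISH),
        "legit_relaxed": dmarc_disposition("example.gov.uk", EXAMPLE_RECORD, LEGIT),
        # Same legitimate message, but the owner asked for strict DKIM alignment,
        # so a subdomain signature no longer counts and the mail is rejected.
        "legit_strict": dmarc_disposition("example.gov.uk", strict_record, LEGIT),
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name}: {result}")
```

The third scenario is the caveat a practitioner hits in practice: moving to `p=reject` only stops spoofing without breaking legitimate mail if every sending service signs with an aligned domain, which is why deployments normally start at `p=none` and read the aggregate reports before tightening.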
Looking to the future, he said the NCSC is working with industry to help ensure devices that make up the internet of things are safer from the start and to develop a code of practice and product labelling system that is aimed at informing consumers to make better security choices.