The UK’s cyber defence centre has defended the country against more than 1,600 cyber attacks over the past two years.
The majority of attacks were conducted by hostile foreign states, the National Cyber Security Centre (NCSC) has revealed.
Since it was set up in 2016, the NCSC, which is part of the GCHQ intelligence agency, has handled more than 10 attacks per week.
“We are calling out unacceptable behaviour by hostile states and giving our businesses the specific information they need to defend themselves,” said Ciaran Martin, chief executive of the National Cyber Security Centre. “We are improving our critical systems. We are helping to make using the internet automatically safer.”
The NCSC revealed that many of the cyber attacks directed against the UK were the work of the Russian intelligence agency, the GRU.
It found that cyber attacks orchestrated by the GRU had included attempts to undermine the World Anti-Doping Agency, disrupt transport and energy systems in Ukraine, destabilise democracies and target businesses.
UK needs to prepare for ‘category 1’ cyber attack
The UK has so far avoided major attacks like those that have hit other countries, including the US, which lost highly sensitive records of 21 million current and former government employees, following an attack on the US Office of Personnel Management in 2015.
But Martin said the UK needed to be prepared for a major cyber security attack in the future. Nation states are “positioning themselves” for a major attack in the future, he said in a foreword to the NCSC’s annual review.
That could include significant disruption to a public service that might put life at risk, the theft of a bulk dataset containing highly personal details on the population, or large-scale commercial damage.
“I remain in little doubt we will be tested to the full, as a centre and as a nation, by a major incident at some point in the years ahead – what we would call a category 1 attack,” he said.
- C1 attacks are national emergencies, causing sustained disruption of essential services, leading to severe economic or social consequences – or to loss of life.
- C2 attacks can have a serious impact on a large portion of the population, economy or government.
- C3 attacks can have a serious impact on a large organisation or wider government.
- C4 attacks could threaten a medium-sized organisation.
- C5 attacks include threats to a small organisation.
- C6 attacks are on individuals – the response would be led by law enforcement agencies, such as the local police force.
Supply chain threats are top priority
The centre said that over the past year it had become “acutely conscious” that vulnerabilities in supply chains for components and equipment could leave organisations open to electronic attack.
Mitigating risk, particularly in the telecoms sector as 5G mobile technology is introduced, is a top priority, it said.
The NCSC advised public sector organisations and companies that felt they may be a target for Russian espionage not to use antivirus (AV) software from Moscow-based security company Kaspersky Lab.
The agency is working with Kaspersky to mitigate concerns over the security of its technology, but said the software offered perfectly good protection for most people in the country.
The UK has also been running a risk mitigation programme with Chinese telecoms company Huawei, which supplies technology used in the UK’s telephone infrastructure.
The programme works well, said Ian Levy, technical director of the NCSC. “When we found some significant weaknesses in Huawei’s security we were able to transparently intercept that.”
He said the UK – in contrast with strongly voiced concerns about Chinese technology in the US – was more concerned about the security of the entire infrastructure, rather than which country supplied individual components.
“The way we try to design systems is we assume the worst possible vulnerability in any component. It does not really matter if that vulnerability is accidental or malicious, the impact is the same,” he said. “We try to design a system that can minimise the chances of that vulnerability being exploited, and minimise the harm when it hits.”
Martin said the UK and China had been holding dialogues on security over the years, including cyber security. “There are ways of talking to the Chinese government which do not currently apply to Russia,” said Levy.
NCSC is also working with air navigation service NATS to review the security of its air traffic control and management system. It has also made recommendations to improve security and conducted cyber attack simulations with the nuclear industry.
The agency supported the Ministry of Defence with guidance on the security of F-35B joint strike fighter aircraft, with support for ground systems, the parts supply chain, cryptographic key management and testing of aircraft to ensure they do not emit sensitive information through radiation from electronic displays.
The NCSC research institute in Trustworthy Inter-Connected Cyber-Physical Systems (RITICS) at Imperial College is “starting to make an objective difference” to the critical national infrastructure, by improving the security of industrial control systems, said Levy.
The NCSC, which collaborates with industry on cyber attacks, will hold a conference of government and industry professionals in Glasgow next year to share cyber security best practice. This follows an event in Manchester this year, which attracted 2,500 delegates.
Making progress against phishing attacks
The agency said its efforts had reduced the UK’s share of visible global phishing attacks, which are widely used by hackers to gain unauthorised access to computer systems, by more than half – from 5.3% to 2.4%.
Its Active Cyber Defence (ACD) initiative, which aims to protect the UK from high-volume hacking attacks, removed 138,398 phishing sites hosted in the UK between September 2017 and August 2018.
The director of GCHQ, Jeremy Fleming, said the NCSC had become a world-leading organisation “in just two years”, and was at the front line of efforts to thwart the growing cyber threat from hostile nation states.
David Lidington, chancellor of the Duchy of Lancaster and minister for the Cabinet Office, said: “Our National Cyber Security Strategy set out ambitious proposals for how this government will defend our people, deter our adversaries and develop UK capabilities to ensure this remains the safest place to live and do business online.”
The NCSC opened in October 2016 as part of the government’s £1.9bn National Cyber Security Strategy, aimed at improving the UK’s cyber landscape and addressing the country’s cyber security skills gap.
It manages national cyber security incidents, carries out real-time threat analysis and provides tailored advice to different sectors of industry and government. It can draw on the resources of GCHQ, the electronic intelligence-gathering agency.
Inside the NCSC
The NCSC’s annual review gives details for the first time of the tactics used by NCSC’s incident management team, which works behind the scenes to coordinate defence efforts and support UK victims when attacks do get through.
Over the past two years, the NCSC, which has its main office at GCHQ in Cheltenham and a London headquarters, received more than 2,000 reports of cyber incidents, which are assessed by defence watch officers for severity (see category box above).
The NCSC prioritises incidents in the top three categories, ranging from those that could have a serious impact on a large organisation or government, up to national emergencies that could lead to a loss of life or sustained disruption to essential services.
Secrecy is protected by allocating each incident a code name or “cryptonym”, chosen from a list of 10 randomly generated names. These are double-checked to ensure they don’t translate into “anything unfortunate” in another language.
The centre sets up a tactical leadership group (TLG) to share details of an incident with law enforcement agencies, the electronic intelligence agency, GCHQ and a strategic leadership group (SLG) in Whitehall which contains representatives from multiple government departments.
Intelligence staff report they can run into problems contacting companies that have been unknowingly affected by cyber attacks. “We get a lot of people hanging up. They might think it’s just someone on the inside or don’t realise the seriousness,” said one officer, quoted in the review.
The NCSC has set up a contact validation form on its website, which allows organisations to verify that the caller is genuine.
This story was updated on 17 October 2018.