WannaCry borderline national cyber emergency

There was some debate about the classification of WannaCry, but it was certainly a borderline national cyber emergency, according to Eleanor Fairfield, of the assessment division of the National Cyber Security Centre (NCSC).

There is yet to be a “C1” category attack, where there is a national emergency or disruption of essential services, but NCSC head Ciaran Martin is on record as saying it is a question of “when, not if” she told the information security track of the International Security Expo 2018 in London.  

However, Fairfield said the NCSC deals with “a few C2-level attacks every month” that typically have a potentially serious impact on a large proportion of the population, the economy or government, where government will often mobilise to mitigate and respond.

In the two years since the NCSC was set up, it has managed around 1,000 incidents, the majority of which are believed to have been committed by nation state cyber actors or criminal groups which are tolerated or even sponsored by nation states.

“The major threat actors of concern that we monitor and are interested in are nation states and cyber criminals, where nation state actors are characterised as being ‘acute’ in the sense that they tend to be severe with sudden onset.

“While the criminal threat tends to be persistent, lower-level, longer-term, chronic threats,” said Fairfield, adding that the main difference between these two groups is that the criminals are motivated by financial gain rather than political or ideological ends.

Although nation states have the most sophisticated capabilities, she noted that they still use the lowest-level tools that are available if they are still able to do the job before they resort to the more sophisticated tools in their arsenals.

The NCSC’s monitoring highlights various kinds of cyber threat activity, said Fairfield, including activity that is potentially of use for future offensive activities; side effects of global campaigns that are not targeted at the UK, but – like WannaCry – could have a severe impact; and activity that is part of a hybrid or asymmetric campaign, such as the leaks that were a key feature in the US presidential election that had a cyber element.

“Our policy is to expose bad behaviour in cyber space – to call it out so that it is not allowed to pass [unchallenged] and so eventually become the norm, showing that these actors cannot act with impunity, and hopefully to deter future disruptive and destructive activity.

“Another way we do that is by publishing technical indicators online to make available the stuff that we are observing and that they are using to help organisations to protect themselves and to make the UK a harder operating environment [for malicious cyber actors],” said Fairfield.

Commenting on the public attribution of a wave of cyber attacks to Russia’s military intelligence service in October, the NCSC head said it was an “important and historic development” because it combined elements of diplomatic, criminal justice and remediating attribution in light of the related US indictments announced on the same day.

“We learned quite a lot from the US and their experience, and their success encouraged our minsters to move on from what was an understandable reticence to begin attribution,” Martin said in a panel discussion at the fourth annual European Cybersecurity Forum in Krakow.

According to Fairfield, the NCSC is increasingly pushing out defensive information that can be used by cyber security software firms and researchers to support the cyber defence of the UK, with much of the information sharing being done through the NCSC-hosted cyber security information sharing partnership (Cisp).

One of the challenges for cyber defenders, she said, is that increasingly diverse types of cyber criminals, including those with low levels of technical capability, are getting access to highly sophisticated tools that are disseminated through the dark web.

However, like nation state actors, criminals also use low-level tools that continue to be effective. “The TalkTalk attack is a good example of this, where young attackers were able to use a simple SQL injection exploit. This is the kind of activity that can be undertaken because of vulnerabilities that exist, making high-end tools unnecessary.”

Similarly, Fairfield said attackers commonly exploit known vulnerabilities, relying on the fact that organisations often do not apply patches that are available. “Once again, WannaCry is example, where thousands of organisations – including the NHS – were affected because they had not applied the latest security updates for their operating systems.”

Although hacktivists, terrorists and script kiddies are all players, Fairfield said they are much lower down the spectrum than nation state and cyber criminal groups, which are the main actors that the NCSC is concerned about.

In the past few years, Fairfield said the NCSC has seen an increase in the pace and impact of cyber incidents. “And we are seeing that whereas historically a cyber attack would be a specific attack against a specific victim to target their networks and information, we are now seeing attacks increasingly targeting parts of supply chains.

“They are typically targeting organisations that are a weak link through which they can get to larger organisations higher up in the chain. We are also seeing macro structural attacks that exploit vulnerabilities in things like routers, for example, to access all of the traffic going across a particular type or brand of router for a wide range of organisations,” she said.

Poor cyber security practices, said Fairfield, mean that it still does not take a sophisticated cyber attack to cause significant disruption. “Unpatched vulnerabilities make it easy for adversaries to get in, which is why the NCSC advises organisations to ensure they apply security updates as soon as possible.

“Cyber criminals have an ongoing financial impact on individuals, businesses and the UK economy,” she said, reiterating that the NCSC believes that it is only a matter of time before the UK sees a C1 cyber incident.