NCSC looks to industry to scale Active Cyber Defence

The national cyber security agency is calling on wider government organisations as well as industry to help scale automated cyber attack blocking systems country-wide

Scaling the Active Cyber Defence (ACD) programme to be truly national is not something the National Cyber Security Centre can do on its own, says Ian Levy, technical director of the NCSC.

“This is about making technology services objectively more secure and the idea is to protect the majority of the people from the majority of attacks for the majority of time. It is a whole of the UK thing. It is about citizens, enterprise as well as government,” he told CyberUK 2019 conference in Glasgow.

All of the initiatives within ACD have been tested and proven to be effective in the NCSC and government departments, and now the challenge is to roll those out to all technology services in the UK, said Levy quoting some stats from the soon-to-be-released ACD two-year report.

For example, he said Protective DNS, which blocks users visiting websites known to be malicious, blocked 59 million events in the public sector in 2018 alone, ranging from state attacks to Conficker, which is malware from 2008 that was found still running in public sector networks. 

“Mining the Protective DNS data was very interesting because we found more than 100 networks that are running Windows XP somewhere, and although we can’t say exactly how many machines there are or what they are doing, we can help those network owners to find those machines and fix the problem.”

Another success, said Levy, is that the UK has gone from hosting 5.4% of global phishing in 2016 to less than 2%. “If we can get others to do the same, we can start making phishing much harder to do and start making hosting bad stuff much harder to do.”

Read more about Active Cyber Defence

In the past year, Levy said NCSC has been using the ACD takedown service to look for credit card skimmers on small business websites in the UK that have been compromised by cyber criminals who have installed malware designed to steal payment card information.

“We started detecting that and found thousands of instances, all of them small businesses, and we have notified them for free that their stuff needs fixing. And as we start to scale this up, we are looking to the wider UK technology community to help us to make the UK secure. That is the job, which is a team sport, which I know is corny, but it is true.”

Levy was joined on stage by Paul Chichester, NCSC director for operations, Jon Browning, NCSC deputy director for digital government and representatives of Nominet, Jisc and BT to talk about how they have applied elements of the ACD programme.  

In closing, Levy said the challenge is for service providers to take what has been developed under the ACD programme and implement it at scale.

“If you are an entity that can function as one of these scaling points, like Nominet, Jisc and BT, please come talk to us and help us to help you to protect whoever you service, whether you are a managed service provider, regional broadband provider or a collaboration service provider.”

ACD alone is not enough

However, Levy said that even if an organisation were to use everything in the ACD programme, they need to understand that they still need to do their own cyber security.

“We can’t protect you from everything, but please take the things we are building, take commercial products, take open source and take stuff you develop yourself, whatever it takes to protect your networks better – it is critically important,” he said.

“My big ask is to please help build operational security into networks, help the NCSC scale the ACD programme so that we can detect stuff better and protect stuff better to make the UK the best place to live and work online.”

The ACD programme continues to evolve and incubate new services such as Domain Discovery for finding websites that organisations own; Digital Security Telescope, which provides a dashboard of an organisation’s security posture; and Supplier Check, which helps government buyers buy from suppliers that have the appropriate cyber security controls.

Read more on Hackers and cybercrime prevention

Data Center
Data Management