MI5 to oversee new National Protective Security Authority

The UK government has announced the creation of a new security agency, the National Protective Security Authority (NPSA), to help organisations defend themselves against potential national security threats, including state-backed cyber espionage.

The NPSA will be overseen by domestic counter-intelligence and security agency MI5, and will work closely alongside existing bodies including GCHQ’s National Cyber Security Centre (the NCSC), and the National Counter Terrorism Security Offices to provide holistic advice on security.

It absorbs the responsibilities of the Centre for the Protection of National Infrastructure (CPNI), but with a broader remit given state-backed threats now extend to organisations, such as science and technology firms and research institutions, that are not classed as critical national infrastructure (CNI).

The government said state-backed attempts at stealing sensitive research and information had the potential to undermine UK businesses and harm their competitiveness on the global stage.

“Science, technology and academia are as much on the front lines of national security as the UK’s critical national infrastructure,” said security minister Tom Tugendhat.

“We know that hostile actors are trying to steal intellectual property from UK institutions to harm our country. The National Protective Security Authority will play a crucial role in helping businesses and universities better protect themselves and maintain their competitive advantage.”

MI5 director general Ken McCallum has previously spoken of the growing threat to organisations posed by espionage, particularly that emanating from China, which has a long history of such activity, including intellectual property theft, targeting and exploiting academic researchers, and acquiring sensitive information through exploiting professional networking websites such as LinkedIn.

The Russian state is also known to be highly active in this area, using similar methods to compromise persons of interest to its intelligence goals, as has Iran.

Meanwhile, earlier this year a study by China expert and diplomatic services veteran Charlie Parton found that Chinese technology companies involved in the supply of components used in devices that make up the internet of things (IoT), which may expose those that use them to spying by Beijing.

The NPSA said its advice would be provided in an “accessible and informative” way and could be understood and used by a broad range of organisations, from two-person startups to top universities.

Ultimately, its goal is to provide training and advice on the measures organisations should be putting in place to help address the problem, and it has already launched guidance covering subject areas such as the security of visual surveillance equipment, incident management, cyber assurance for physical security systems, and deploying perimeter intrusion detection systems.

It has also produced a mobile app, Think Before You Link, which will help users of social media platforms such as Facebook and LinkedIn to better identify some of the traits of fake profiles used by malicious actors to lure their victims into a compromise. The app was launched last year by the NPSA’s predecessor, the CPNI.

ESET global cyber security adviser Jake Moore commented: “Industrial espionage has shifted up a gear in the last few years, so it is a positive and bold step forward to see the government focus on this growing area of attack. From large organisations like Huawei and TikTok to small companies trading with the UK, advice is vital when there are so many questions surrounding interactions with Chinese firms. 

“Specifically creating an agency in this particular area also suggests the prevalence in modern day espionage, nation state attacks and the fear of international data surveillance – so it is excellent to see it being taken seriously by the government in an timely manner.

“The NCSC has been a tremendous success and hopefully this new agency will follow in its footsteps offering the right support to protect UK businesses from inevitable attacks.”