Andrea Danti - Fotolia

UK government details plans for National Cyber Security Centre

The objectives of the UK’s National Cyber Security Centre are to address systemic vulnerabilities, reduce risks, respond to serious incidents and nurture national cyber security capability

The government has outlined what the National Cyber Security Centre (NCSC) will do, how it will work and who it will work for.

The NCSC is set to open in October 2016 and will be based in London. The NCSC will be led by CEO Ciaran Martin, formerly director general of government and industry cyber security at intelligence agency GCHQ. The technical director for the NCSC will be Ian Levy, formerly technical director of cyber security at GCHQ.

Chancellor George Osborne announced the NCSC in November 2015 as part of the government’s National Cyber Security strategy for the next five years, supported with £1.9bn funding.

The NCSC is at the heart of that strategy and will be the “bridge” between industry and government, said Matthew Hancock, minister for the Cabinet Office.

It will simplify the “current complex structures, providing a unified source of advice and support, including on managing incidents. It will be a single point of contact for the private and public sectors alike,” he wrote in foreward to the prospectus for the NCSC.

Hancock said it is “vital” that the NSCS works with industry from the very start, and called on UK businesses to give feedback on the centre’s proposed design.

NCSC CEO Ciaran Martin invited UK industry to engage with his team about what they would like to get out of working with the NCSC.

“The government has set out its intent to address the cyber threat, to put tough and innovative approaches in place, and to be a world leader in cyber security.

“The National Cyber Security Centre will be at the heart of this approach, bringing together the capabilities already developed by CESG – the information security arm of GCHQ, the Centre for the Protection of National Infrastructure, Cert-UK and the Centre for Cyber Assessment.

“This will allow us to build on the best of what we already have, while significantly simplifying the current arrangements,” he said.

According to the prospectus, the NCSC will have four key objectives:

  1. To understand the cyber security environment, share knowledge, and use that expertise to identify and address systemic vulnerabilities.
  2. To reduce risks to the UK by working with public and private sector organisations to improve their cyber security.
  3. To respond to cyber security incidents to reduce the harm they cause to the UK.
  4. To nurture and grow national cyber security capability, and provide leadership on critical national cyber security issues.

Centre of cyber expertise

The government plans to make the NCSC the centre of its expertise on what is happening in cyber space, combining the knowledge gathered from incidents and intelligence with that shared with industry, academia and international partners.

The NCSC will aim to use that knowledge to provide best practice advice and guidance and to tackle systemic vulnerabilities to enhance cyber security for all.

The NCSC will support the most critical organisations in the UK across government and the private sector to secure and defend their networks. This will include the provision of bespoke advice and guidance, help to design and test networks and exercise response arrangements.

When a serious cyber incident occurs, the NCSC will work with victims to minimise the damage, help with recovery and learn lessons to reduce the chance of recurrence and minimise future impact.

According to the prospectus, this help will include connecting victims with commercial companies that are recognised as being excellent at cyber incident response, and ensuring that the wider response of government and law enforcement is well co-ordinated.

Read more about cyber security

  • Government announces a £250,000 programme to increase the rate of cyber security startup development in the UK.
  • An essential part of information security is identifying and managing the risks, experts tell the European Information Security Summit 2016.
  • Chancellor George Osborne promises a £1.9bn investment in cyber security over the next five years and to “aggressively defend” public services from cyber attacks.

In the case of very serious incidents, the NCSC’s response may include communicating publicly about consequences and the steps people and businesses should take to protect themselves.

The establishment of the NCSC will bring a new level of coherence and effectiveness to how government does cyber security. It seeks to partner with government agencies and departments, the devolved administrations, and the wider public and private sectors.

The NCSC will also work in close partnership with law enforcement to support their efforts to tackle cyber crime, and with the UK’s security and intelligence agencies and the Ministry of Defence to identify and counter the full range of threats in cyber space.

The NCSC will support the government’s wider security and prosperity agenda by engaging with international partners on incident handling, situational awareness, building technical capabilities and capacity and contributing to broader cyber security discussions.

Tailored security device

For organisations that have their own networks, the NCSC will run the cyber security information sharing partnership (CiSP). This is aimed at enabling organisations to share information with each other and the NCSC about what they are seeing on their networks, and provide a forum for discussion from beginner through to expert level.

The NCSC will produce tailored advice and guidance to identified sectors and proactively work with companies on this. However, it will initially focus on sectors which form the critical national infrastructure and those of strategic or significant economic importance or tied to the delivery of key public services.

The NCSC will not offer an enquiries line for the general public and Action Fraud will continue to be the first port of call for victims to report suspected cyber crime.

However, when there is a significant cyber incident affecting the UK, the NCSC will have the leading role for government in communicating to the public, to provide reassurance and guidance on what individuals and organisations can do to better protect themselves.

The NCSC’s specialist teams will work with the Ministry of Defence – and other users of very secure communications – to ensure that operational needs are met. It will also ensure the capabilities needed to operate both independently and with the UK’s allies are available in the future.

The NCSC will work with the cyber security industry to help ensure organisations of all kinds can find cyber security products and services that are high quality and meet their needs.

Collaboration key to fighting cyber crime

Gordon Morrison, director of government relations at Intel Security, said the collaborative and open approach promised by the NCSC is critical for tackling the fight against cyber crime.

“We expect that the organisation’s openness will help create a greater climate of collaboration and conversation around this significant challenge affecting all aspects of the lives of British businesses and individuals’ digital lives.

“We look forward to working with the NCSC as it responds to cyber attacks on the UK and promotes a diverse and collaborative approach to cyber security to improve the country’s overall cyber health – between the private and public sector, and in the UK and internationally.”

John Smith, principal solution architect at code-checking firm Veracode, said it is essential that organisations gain a greater awareness around the threat of vulnerabilities and how best to approach them to remediate them.

“We expect the NCSC to stride forward in helping organisations understand this acute threat and the importance of incorporating proactive application security measures into their cyber security processes,” he said.

According to Veracode, cyber attacks at the application layer are growing by more than 25% annually, with exploited vulnerabilities frequently resulting in catastrophic data breaches, such as the TalkTalk breach achieved using an SQL injection attack.

“Too frequently organisations’ take a lacklustre approach to remediating these potentially grave vulnerabilities. In the retail and hospitability sectors, Veracode research found only 60% of application vulnerabilities identified were fixed,” said Smith.

Read more on Hackers and cybercrime prevention

Data Center
Data Management