The UK has not had to face a top-level cyber security threat before, but the National Cyber Security Centre (NCSC) is continually preparing for what it considers to be inevitable.
“A level-1 cyber attack would be a classic national emergency that the government would take very seriously and the average person on the street would probably notice some sort of impact on their lives,” said Felicity Oswald, deputy director of strategy and effectiveness at NCSC.
“It is not a question of ‘if’ but ‘when’. We know it is going to happen,” she told a Policy-UK forum in London on the British approach to cyber security.
Most incidents are level-3. “These are everyday incidents to us, but are still hugely significant to UK organisations,” said Oswald.
A level-2 incident typically matters at a sectoral level. It is a threat that is hitting more than one organisation or it is something on a national scale.
The NCSC has dealt with a “few hundred” incidents in the first six months of its existence, said Oswald, but she did not say if any of those were level-2 incidents.
Responding to incidents is one of three main strategic goals of the NCSC. For this reason, the NCSC has a large incident management team. “We do our best to support all organisations during a cyber security incident or attack,” said Oswald.
Understanding the threats against the UK and UK organisations in great detail is another strategic goal, but Oswald said this is not possible using GCHQ knowledge alone.
“We also need to bring in all the knowledge available in industry and share organisational knowledge across sectors,” she said, adding that the NCSC is keen to get feedback from industry.
“We want to be collaborative, we want to be different, and we want to be open and accountable, so tell us what is working and what is not.”
Addressing systemic vulnerabilities is part of the goal of understanding cyber threats to the UK and includes the NCSC’s Active Cyber Defence (ACD) programme, which is intended to tackle – in a relatively automated way – a significant number of the cyber attacks that hit the UK.
“The work we do needs to not just include interesting theoretical pieces about threats. We must think practically about how we can come up with big interventions to stop them at source,” said Oswald.
“The second part of resilience is reducing risks. We do that through providing good advice based on the threats we understand are coming or have already arisen in a number of ways.
“The NCSC provides advice to everyone, from easily accessible advice to the public [via the NCSC website, weekly threat reports and social media] to highly classified advice to the top end of the national critical infrastructure and government,” she said.
The NCSC also provides information to small and large businesses through the cyber security information sharing partnership (Cisp).
The third strategic goal of the NCSC is nurturing and growing cyber security capability in the UK, and providing leadership on critical national cyber security issues.
Keeping track of cyber threats
It is challenging to know what will happen next, said Oswald. “But we know cyber threats are growing. The government in the UK is taking these threats very seriously and investing heavily, but we also know that we can’t do it alone.
“We need industry, not just to give us feedback, but to be part of the ecosystem, to be driving at the same things, to be holding us to account, and to also be doing their bit,” she said.
Asked if there is likely to be any policy change on permitting Chinese involvement in the UK’s tier-1 infrastructure through Chinese-made hardware such as routers, Oswald said prime minister Theresa May has made it clear she is keen to ensure key UK critical national infrastructure (CNI) is protected.
“One of the ways we have to do that is to ensure that where foreign investors are involved, we are 100% certain we know who they are, what they do, and what their intentions are around key CNI.”
Oswald said the government is also expected to publish a green paper later in 2017 that sets out a new plan for foreign direct investment. “We expect that, in line with the prime minister’s commitment, there will be some changes in policy and potentially legislation as well.”
Fighting cyber crime with deterrence
Asked if it was part of UK policy to stop threats before they happen, Oswald said deterrence is a big part of the national cyber security strategy.
“We don’t just mean to deter foreign state adversaries, but also hacktivists and cyber criminals. And one of the ways we want to do that is to make it both more costly and less rewarding to carry out cyber attacks.
“An example of this is the work we are doing on email spoofing by encouraging free email providers to implement the Dmarc [domain-based message authentication, reporting and conformance] protocol to ensure email senders are who they appear or claim to be,” she said.
This enables free email providers and other domain owners to block spoofed emails, making it less rewarding for cyber criminals to set up fake email accounts.
Implementation of Dmarc is mandatory for public sector bodies as part of the active cyber defence programme led by the NCSC.
In November 2016, HM Revenue & Customs announced it was geared up to use Dmarc to stop the half a billion phishing emails sent per year, designed to steal personal and financial information or deliver malware, from ever reaching UK taxpayers.
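The check a receiving mail server makes under Dmarc, sketched as an added example that is not part of the original article or any NCSC code: it parses a domain's published policy record and decides what happens to a message whose From domain does not align with the domain that passed SPF or DKIM. The domains and records are constructed, and relaxed alignment is simplified to a parent/child match rather than a Public Suffix List lookup.

```python
# Added example: how a receiver applies a published DMARC record (RFC 7489 tags).
# All domains and records below are constructed for illustration.

MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:reports@example.org"
ENFORCING = "v=DMARC1; p=reject; rua=mailto:reports@example.org"
ENFORCING_STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or return None if invalid."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    first = txt.split(";", 1)[0].replace(" ", "")
    # v=DMARC1 must be the first tag and p= must hold a known policy.
    if first != "v=DMARC1" or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(from_domain, auth_domain, strict):
    """Strict: exact match. Relaxed: simplified here to a parent/child match
    (assumption); real receivers compare organizational domains."""
    f, a = from_domain.lower(), auth_domain.lower()
    if strict:
        return f == a
    return f == a or f.endswith("." + a) or a.endswith("." + f)

def disposition(record_txt, from_domain, spf=None, dkim=None):
    """spf and dkim are (authenticated_domain, passed) tuples or None.
    Returns 'pass', 'no-policy', or the policy the domain owner requested."""
    tags = parse_dmarc(record_txt)
    if tags is None:
        return "no-policy"
    checks = ((spf, tags.get("aspf", "r")), (dkim, tags.get("adkim", "r")))
    for result, mode in checks:
        if result and result[1] and aligned(from_domain, result[0], mode.lower() == "s"):
            return "pass"
    # Neither mechanism both passed and aligned with the visible From domain.
    return tags["p"].lower()
```

A message that passes SPF only for the sender's own unrelated domain still fails here, and it is blocked only when the published policy is `quarantine` or `reject`; `p=none` produces reports but leaves delivery unchanged.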