The NCSC’s annual report reveals that a public sector entity or business is hit with a major cyberattack about twice each day. CSW's sister title PublicTechnology looks at the biggest risks facing government and how they can be mitigated
Cyberattacks now seem firmly accepted as a fact of life.
Indeed, so commonplace are they that a significant assault is targeted at a UK company or public-sector entity as regularly as the coming and going of the tides.
The National Cyber Security Centre, which is charged with responding to these most threatening attacks, handled 658 such incidents in the past year, according to its recently published annual report.
This equates to one every 13 hours – the same amount of time needed to watch the waves recede and then return.
The report, which covered the 12 months to the end of August 2019, also revealed that 900 separate organisations required NCSC support during the year.
Government was the sector that needed by far the most, followed by academia. Third on the list was IT companies, then managed services providers and, in joint fifth place, the transport and health sectors.
While the consequences of cyberattacks remain severe, the volume of threats is, at least, fairly consistent. Since the NCSC was founded in October 2016, it has been called on to respond to attacks at a rate of about 600 per year. The running tally now stands at 1,800.
According to the agency’s chief executive Ciaran Martin, it has done a pretty good job so far.
At an event last month marking the publication of the report, he says that the document constitutes “a three-year record of strong, practical success”.'
We will take more risks… not all of them will work, and my plea to our partners is to stand with us through our failures as well as our successes
Ciaran Martin, NCSC
Examples of the organisation’s impact cited by Martin include “stopping more than one million credit cards from being used by cybercriminals”, and the recent collaboration with the US National Security Agency to expose the activities of Russian hacking group Turla, which had been masking its attacks by posing as a similar Iranian group.
But the NCSC chief says that such successes are only “part one” of the story of the agency’s activities over the past year.
The second part of the tale – which perhaps elucidates why the frequency of attacks remains so unrelenting – is the all-too-familiar challenges faced by anyone in the business of trying to prevent or mitigate cyberattacks.
“Some attackers are still doing the same things over and over again, and too often they are getting through,” Martin says. “There are things that organisational leaders can do to get ahead of the problem… [such as using] two-factor authentication and back-ups. All organisations can scan for vulnerabilities, and have strategies to counter phishing attacks. Do that, and so much of the problem goes away, and we can focus on the big problems of the future.”
Many of those biggest problems are already looming large.
Not least the danger of online interference in the democratic process.
In the run-up to the 2017 general election, the NCSC engaged with local authorities across the country to advise on potential cybersecurity issues and how to combat them. When the next poll takes place – which, at time of the NCSC report's publication seemed likely to be imminent, but had yet to be confirmed – the agency is understood to be ready to undertake this work in a more methodical way then two years ago, when the election came as a surprise to most.
Since then, the Cabinet Office has also established the Defending Democracy programme – a cross-government initiative dedicated to securing democracy against all forms of threat.
The NCSC has a key role to play – although, in the last few years, the nature of the threat faced has become more complex and elusive.
Number of significant attacks the NCSC responded to last year
HMRC’s global ranking in league table of most-phished organisations – compared with 16th three years ago
This is often not the case for online disinformation, which has become perhaps the biggest threat of all.
Nevertheless, Martin says his organisation is fully prepared to meet the challenge.
“As talk of an election gets ever louder, we are ready to work with political parties, local government, the media, and wider society to protect that most valuable of national commodities – our free and fair democratic system,” he says.
The most likely source of the threat posed to any piece of infrastructure or institution of national importance is one of a familiar quartet of hostile states: Iran; Russian; China; and North Korea.
The first of these – while still representing a significant danger – is understood to target considerably more of its resources at the US, Saudi Arabia, and Israel, than at the UK.
China, meanwhile, maintains the ability to launch as destructive and sophisticated an attack as any aggressor. But, in recent years, it has increasingly wielded such power through overt political and economic means, rather than covert methods.
North Korean attacks, while powerful, are now primarily financially driven.
Russia stands out as the most malignant threat; in the last 18 months, numerous highly coordinated attacks against industry, government, and infrastructure have been attributed to the Kremlin by the NCSC and its allies.
Given the investigative importance of information provided by technology companies, working with the commercial sector is central to the NCSC’s operations.
Talal Rajab, head of programme for cyber and national security at industry body techUK, tells CSW that, when it first started, the organisation “was quite a difficult agency to engage with”.
But this has now improved greatly, he says, as a result of initiatives like the Industry 100 – a scheme in which private sector representatives undertake short and part-time secondments at the NCSC.
“The NCSC’s guidance is also definitely helpful – their website is a really good resource,” Rajab adds. “Their cloud security principles set very clear guidelines and very clear actions that industry can take to develop secure cloud services.”
The techUK man says that “there are still areas where improvements can be made” – principally the Cyber Essentials security accreditation programme.
Some 14,324 certificates were awarded through the scheme last year. But Rajab says that the number of companies that are certified overall is still quite low. And, while certification is theoretically mandatory for the award of certain government contracts, this could be more effectively enforced, he adds.
But, overall, “the scale of what the NCSC continues to do is impressive”, according to Rajab. He points to the success of the agency’s Active Cyber Defence set of tools which, over the last three years, have helped HM Revenue and Customs move 16th to 126th on the list of the world’s most-phished brands.
While these four main hostile actors have remained unchanged for a number of years, the security agency believes there is the potential for others to join them over the course of the next decade – something which is becoming ever-more plausible as increasingly sophisticated and powerful attacks are available on the dark web to anyone willing to pay for them.
Risks are all multiplied by the fact that, according to Martin, UK government cybersecurity professionals are “dealing with a legacy that I would call accidentally insecure”.
“No one in public policy in the 90s saw the internet coming in the way that it did,” he says. “We need to look at this ageing, clunky, legacy systems that run so many critical services and try and build in protection into the next generation.”
But, even as it strives to make things safer, keeping up with the attackers will necessitate taking more chances.
“We will take more risks – we will innovate, that is essential,” Martin says. “Not all of them will work, and my plea to our partners is to stand with us through our failures as well as our successes.”
The NCSC report, event, and all comments made in this piece were made before the election was announced and the pre-election restrictions began