The National Cyber Security Centre: a year in review

The National Cyber Security Centre’s chief executive Ciaran Martin and technical director Ian Levy discuss how to demystify the digital landscape and how best to manage online risks.

For a long time the term “cyber security” might have been mistaken as a motif of science fiction, but now, according to Ciaran Martin, it occupies a “crucial and relevant space across government, business and industry”. It is fitting, then, that GCHQ decided to commit to the establishment of the National Cyber Security Centre – a subsidiary tasked with limiting and countering the threats posed, as Martin puts it, “by the simple reality that the whole world is getting more digital.”

He explains: “There are now more devices connected to the internet than there are people and with the growth of our dependence on technology comes an increased risk. We need to get away from the idea that cyber security is a mystical, impossible subject, and improve the understanding around it. Hollywood hasn’t done us any favours.”  

In stark contrast to the GCHQ base in Cheltenham – which is the size of Wembley Stadium, patrolled by armed guards and with barbed wire fences around its perimeter – the NCSC headquarters in London is decidedly less conspicuous. Located a stone’s throw from Victoria Station, two floors of a glass-walled office building house some of the United Kingdom’s foremost cyber security experts. To the average passer-by it probably looks like countless other glass-walled office buildings.

This, Martin says, is a suitable quirk of concept. “Cyber security is an issue for individuals and organisations alike. I think as people start to realise cyber risks in ways that are directly relevant to them – maybe a compromised database of a thousand people here or a couple of hundred pounds defrauded there – then they will see that it’s not something that you can afford to overlook. These are everyday crimes, everyday problems.”

In the first year of its operation, the NCSC has logged 1,131 incident reports with around 600 being classed as “significant”. Are there any patterns or common themes in the vulnerabilities exposed by these breaches? Martin says: “I suppose what we’ve learnt is that cyber security represents both a high-end issue of national security – there are indeed adversarial state-level actors – and a potential to do immediate economic harm. The commonality that we’ve seen is that most attacks are facilitated by a very basic level of exploitation. You can have attacks that are of low sophistication but have a potentially high impact. This could be down to outdated software, human error or a poor monitoring of network data.”

What constitutes a significant attack? “Sometimes the identity of the attacker alone is enough to class it as significant – particularly if it’s a hostile state actor – and sometimes the identity of the attacker can be irrelevant but the breach’s potential to impact the wider public can be huge.”

In May, the NCSC faced one such significant attack – the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding payments in Bitcoin. The attack began on Friday 12th May and within a day was reported to have infected more than 230,000 computers in 150 countries, including those in 47 NHS trusts.

The NCSC worked with NHS England’s emergency response teams, the Department of Health, NHS Digital and NHS Improvement to coordinate actions. Martin says: “The NCSC reacted quickly to offer victim support and advice on the day of the attack, updating our own ransomware guidance. Experts from the NCSC were deployed to Barts Hospital Trust and we continue today to work and support government departments in identifying vulnerabilities and what data matters and should be backed up.”

But the NCSC, its technical director Ian Levy points out, is not an exclusively reactive operation. “We’re not waiting for attacks to happen; we are creating dynamic solutions to prevent as many as possible from getting through in the first place.” In addition to leading the UK response to the WannaCry incident, the NCSC has created a website to provide easy-to-understand advice and information to the public. It has hosted 2,300 delegates and 173 speakers at the CyberUK conference in Liverpool; seen a 42 per cent increase in visits (4,000 per month) to the Cyber Security Information Sharing Partnership (CiSP); produced 200,000 physical items for 190 customer departments through the UK Key Production Authority, securing and protecting vital communications for, amongst others, the armed forces; and helped nurture the next generation of cyber experts by enrolling more than 1,000 young people in CyberFirst courses.

Levy sent shockwaves across the tech sector at Symantec’s Crystal Ball event in September, when he suggested that a more serious incident than WannaCry was “inevitable” but insists that the comment wasn’t defeatist, simply realistic. “I stand by it. Unless we do something differently, the investigations will say it was an unprecedented attack and two guys will get blamed for it because they’re charged with doing an impossible amount of security on their own. The NCSC is trying to make a difference by designing systems so that people can use them better.”

User-friendliness, Levy argues, represents the bedrock of improved cyber security. “Passwords are my favourite example. If you use a different password for every system, service or account, you’re told to make it complicated and change it often. Weigh up the average number of accounts and passwords and it roughly translates to saying that you need to remember a different 600-digit number every month. People can’t do that so they build coping strategies, like using the same password for everything or storing them on a text file on the desktop. Those coping mechanisms show that we’ve got the design of our systems wrong.”

So, how do we make them better? “Firstly, let’s put into perspective that your email account is different. It’s the key to your kingdom. Whenever you get a password reset for something, where does it go? It’s the source. Let’s protect that better and use a password manager to help people understand. In the long run, though, you want different sorts of authentication. The NCSC wants you to be able to log on without a password, using commodity technologies. It could be your Apple pay, your Fitbit or whatever, so you don’t have to worry about always remembering a hundred-odd passwords.”

Jeremy Fleming, the head of GCHQ, wrote in an op-ed for the Daily Telegraph recently that the NCSC has helped the intelligence organisation to “come out of the shadows”. What’s it like being the public-facing wing of a traditionally secretive entity? While Martin stresses that all sensitive information remains protected by a need-to-know basis – and some very thick walls – he comments that the NCSC is “enjoying letting people know what they need to know, too. We’re trying to make a positive difference by empowering people through knowledge.”

When the Prime Minister called a snap general election earlier this year, he adds, it was important to brief all stakeholders on the potential cyber risks involved. “When we did the election protection work, what was fantastic is that we were able to get hundreds of people from political parties, local government and the like to come in. We developed electoral software and had service providers in a room downstairs. While we weren’t going to talk about the classified basis of our knowledge, we showed them the threat as we saw it and the easy things they could do to deal with it. We were able to get that rolled out within days.”

The same Jeremy Fleming op-ed also addresses one of cyber security’s hot potatoes: encryption. “Hostile states, terrorists and criminals,” the former deputy director-general of MI5 warned, “use those same features – instant connectivity and encrypted communications – to undermine our national security, attack our interests and, increasingly, commit crime.” Does the NCSC support the idea of inserting “backdoors” into encrypted messaging platforms to enhance surveillance of suspicious actors? “We need to get away from this language about backdoors. The Investigatory Powers Act is clear about lawful access to data in strictly controlled circumstances.

“We are in favour of strong encryption for all and no one in UK government wants to weaken that encryption. But it is a fact that encrypted services are abused by certain groups, including terrorists and those who commit serious crimes. The government doesn’t want unfettered access but we do need to ensure that the service providers can give targeted exceptional access to law enforcement.”

One of the biggest problems in UK cyber security is attackers spoofing the government to send fake emails. The Domain-based Message Authentication, Reporting and Conformance protocol, better known as DMARC, helps to verify whether an email really comes from the sender it claims to come from. Levy explains: “The concept is pretty simple. The most common way to expose victims’ systems to attack is through email spoofing and spear-phishing [where emails are tailored to increase the chance of the recipient clicking on a malicious link]. So we have built the ‘Mail Check’ service that monitors the adoption of the standard and provides data on trends. DMARC has already stopped a lot of potential attacks, for example blocking at least 120,000 emails from a spoof ‘’ address. Authentication markers that the sender can’t control – big ticks and big crosses – those are how you can make it clear what’s to be trusted.”
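To make the idea of monitoring DMARC adoption concrete, here is an added example (not NCSC or Mail Check code) that parses a domain’s published DMARC record and reports whether spoofed mail would actually be blocked or merely reported. The record syntax follows RFC 7489; the domains, records, category names and function names are constructed for illustration.

```python
# Constructed example: classify DMARC TXT records as an adoption monitor might.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None  # every tag must be name=value
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # the version tag must come first
        tags.setdefault(name, value)
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None  # a policy record needs a recognised p= value
    return tags

def classify(txt):
    """Return 'missing', 'invalid', 'monitor-only', 'partial' or 'enforcing'."""
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    pct_raw = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct_raw.isdigit() or int(pct_raw) > 100:
        return "invalid"
    if tags["p"].lower() == "none":
        return "monitor-only"  # reports only; failing mail is still delivered
    return "enforcing" if int(pct_raw) == 100 else "partial"

SAMPLE_RECORDS = {  # constructed _dmarc TXT answers, not real lookups
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=quarantine; pct=25",
    "d.example": "p=reject; v=DMARC1",
    "e.example": None,
}

def adoption_summary(records):
    """Group domains by DMARC adoption state."""
    summary = {}
    for domain, txt in records.items():
        summary.setdefault(classify(txt), []).append(domain)
    return summary

if __name__ == "__main__":
    print(adoption_summary(SAMPLE_RECORDS))
```

A domain in the “monitor-only” state publishes a record and receives reports, but receivers are not asked to reject or quarantine mail that fails authentication, so only the “enforcing” state stops spoofed messages.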

Reflecting on one year of the NCSC, both Martin and Levy agree that awareness must be at the heart of any cyber security strategy. It’s vital that regulation isn’t viewed as “punitive”, Levy says, but rather as a way of “getting people and businesses to do the right thing by default. We don’t want to disadvantage the SMEs. You have to address those different company types in different ways. Our small business guide presents five simple steps as an infographic. We want to be able to present cyber security in a way that it can be consumed easily and by the right audience.”

Cyber security, Martin reiterates, can no longer be viewed as an issue for a company’s IT department alone. The breaches at Equifax, Yahoo and TalkTalk, he says, have caused lasting reputational damage, well beyond the initial loss of data. Should every person and every company, then, be doing more to improve their cyber security? “Absolutely.”

Rohan Banerjee is a Special Projects Writer at the New Statesman. He co-hosts the No Country For Brown Men podcast.

The UK is prepared for the international cyber threat

The Secretary of State explains how the UK is shoring up its defences, and working with other nations to meet the challenges of the digital age.

In the past three years as Defence Secretary, I’ve been confronted by a swathe of complex challenges. Yet whether the danger comes from state aggressors, rogue states or non-state actors, it’s striking how often cyber is now their weapon of choice. And there’s a very good reason we now regard cyber as a Tier One threat – up there with natural disasters and terror. Virtual attacks have real consequences. We’ve seen Daesh using online tools to recruit followers and spread murderous propaganda. We’ve seen Russia using an army of social media bots to steadily drip-feed fake news and disinformation to the West, poisoning public trust. And North Korea’s fingerprints appear to be on numerous high-profile cyber strikes.

This year alone Parliament has been hacked and the WannaCry virus has shut down NHS operating theatres, as well as affecting more than 200,000 people worldwide. The consequences for the military are equally significant; it has been claimed Russia used malware to track and target Ukrainian artillery which illustrates how cyber can directly impair military capability. While big set-piece attacks are devastating, lower-level activity is costing business billions, undermining democracy and putting us all at risk.

In recent years we’ve seen our cyber adversaries multiply, attracted by the anonymous and ambiguous nature of the medium. It’s no longer the usual suspects; now any loner with a laptop and a grudge can cause chaos. That’s why the UK is taking action. We’re investing £1.9bn to strengthen our cyber security capability. This month we marked the first anniversary of the National Cyber Security Centre – bringing together some of the best cyber security brains from across government and the country. In the past year it has responded to nearly 600 significant incidents requiring a national, coordinated response. Defence is at the forefront of our response which incorporates three key elements.

Firstly, it’s about creating better resilience. We’re making sure our latest fifth-generation kit, from F35 to future frigates, Ajax Armoured Vehicles to drones, is packed with information sensors that can gather millions of bytes of data per second, to detect cyber intrusions and respond appropriately. We’ve also set up the Defence Cyber Partnership Programme ensuring companies with whom we’ve placed defence contracts are properly protected and meeting a host of security standards.

Secondly, we’re recruiting the best and brightest cyber talent. We’ve got cyber reservists from industry and academia putting their high-tech skills at the service of the nation by weeding out network vulnerabilities. We’re also building up a new 21st century Cyber Corps. This team of expert volunteers and captains of industry will advise us how to generate the disruptive capability needed, in everything from big data to autonomy, to keep us ahead in the cyber space race. Cyber is now a core part of our military training. In a few months’ time we will open a dedicated state-of-the-art Defence Cyber School at Shrivenham, bringing together all of our military joint cyber training into one place.

But, as RAF Second World War hero Air Vice-Marshal ‘Johnnie’ Johnson once remarked: “The only proper defence is offence.” Knowing we have the ability to expose cyber attacks and respond, whether in the air, on land, at sea, or in the cyber sphere, will deter our adversaries. Equally, offensive cyber capability gives us the means to maintain our battlefield advantage, delivering more targeted effects, limiting civilian casualties and protecting our own people.

And thirdly, we’re making offensive cyber an essential part of our arsenal, to use it where appropriate and governed by our commitment to international law. Our National Offensive Cyber Programme allows us to integrate cyber into all our military operations, and is being used with great effectiveness to degrade Daesh, not only in Iraq but in Syria too. And we’re not just investing in kit capable of soaking up a wealth of data, but running a multimillion-pound competition to develop machine learning algorithms and artificial intelligence too – freeing up our personnel to provide a more co-ordinated and tailored response.

When it comes to cyber deterrence we stand stronger when we stand together, so we’re also working with our allies to develop our collective cyber response. At last year’s Warsaw summit, NATO recognised cyber as a distinctive domain of operations for the first time. Allied nations signed the cyber pledge, committing to enhance their national defences and strengthen their collective capability to resist attack. Simultaneously we need to continue to develop the ability to provide a proportionate response to cyber attacks against NATO allies. Having honed our own innovative national cyber techniques, we’ve become one of the first NATO members to publicly offer offensive cyber support to Alliance operations as and when required.

In 1933 Churchill declared: “Air power may either end war or end civilisation”, knowing air power could be used for good or ill. He made the right choice and in the dark decade that followed, our planes helped liberate our nation and transform our lives for the better. Now, in this new cyber age, we too are determined to make the right choices – boosting our cyber power to make our nation safer and the world more secure.