The National Cyber Security Centre: a year in review

The National Cyber Security Centre’s chief executive Ciaran Martin and technical director Ian Levy discuss how to demystify the digital landscape and how best to manage online risks.

For a long time the term “cyber security” might have been mistaken as a motif of science fiction, but now, according to Ciaran Martin, it occupies a “crucial and relevant space across government, business and industry”. It is fitting, then, that GCHQ decided to commit to the establishment of the National Cyber Security Centre – a subsidiary tasked with limiting and countering the threats posed, as Martin puts it, “by the simple reality that the whole world is getting more digital.”

He explains: “There are now more devices connected to the internet than there are people and with the growth of our dependence on technology comes an increased risk. We need to get away from the idea that cyber security is a mystical, impossible subject, and improve the understanding around it. Hollywood hasn’t done us any favours.”  

In stark contrast to the GCHQ base in Cheltenham – which is the size of Wembley Stadium, patrolled by armed guards and with barbed wire fences around its perimeter – the NCSC headquarters in London is decidedly less conspicuous. Located a stone’s throw from Victoria Station, two floors of a glass-walled office building house some of the United Kingdom’s foremost cyber security experts. To the average passer-by it probably looks like countless other glass-walled office buildings.

That ordinariness, Martin suggests, suits the brief. “Cyber security is an issue for individuals and organisations alike. I think as people start to realise cyber risks in ways that are directly relevant to them – maybe a compromised database of a thousand people here or a couple of hundred pounds defrauded there – then they will see that it’s not something that you can afford to overlook. These are everyday crimes, everyday problems.”

In the first year of its operation, the NCSC has logged 1,131 incident reports, around 600 of them classed as “significant”. Are there any patterns or common themes in the vulnerabilities exposed by these breaches? Martin says: “I suppose what we’ve learnt is that cyber security represents both a high-end issue of national security – there are indeed adversarial state-level actors – and a potential to do immediate economic harm. The commonality that we’ve seen is that most attacks are facilitated by a very basic level of exploitation. You can have attacks that are of low sophistication but have a potentially high impact. This could be down to outdated software, human error or poor monitoring of network data.”

What constitutes a significant attack? “Sometimes the identity of the attacker alone is enough to class it as significant – particularly if it’s a hostile state actor – and sometimes the identity of the attacker can be irrelevant but the breach’s potential to impact the wider public can be huge.”

In May, the UK faced one such significant attack: the WannaCry ransomware cryptoworm, which encrypted data on computers running Microsoft Windows and demanded payment in Bitcoin. It spread from machine to machine without any user interaction by exploiting a flaw in Windows SMBv1 file sharing (the EternalBlue exploit), for which Microsoft had published a fix, MS17-010, two months earlier in March; unpatched systems were hit, patched ones were not. The attack began on Friday 12 May and within a day was reported to have infected more than 230,000 computers in 150 countries, including those in 47 NHS trusts.

The NCSC worked with NHS England’s emergency response teams, the Department of Health, NHS Digital and NHS Improvement to coordinate actions. Martin says: “The NCSC reacted quickly to offer victim support and advice on the day of the attack, updating our own ransomware guidance. Experts from the NCSC were deployed to Barts Hospital Trust and we continue today to work and support government departments in identifying vulnerabilities and what data matters and should be backed up.”

But the NCSC, its technical director Ian Levy points out, is not an exclusively reactive operation. “We’re not waiting for attacks to happen; we are creating dynamic solutions to prevent as many as possible from getting through in the first place.” In addition to leading the UK response to the WannaCry incident, the NCSC has created a website to provide easy-to-understand advice and information to the public. It has hosted 2,300 delegates and 173 speakers at the CyberUK conference in Liverpool; seen a 42 per cent increase in visits (4,000 per month) to the Cyber Security Information Sharing Partnership (CiSP); produced 200,000 physical items for 190 customer departments through the UK Key Production Authority, securing and protecting vital communications for, amongst others, the armed forces; and helped nurture the next generation of cyber experts by enrolling more than 1,000 young people in CyberFirst courses.

Levy sent shockwaves across the tech sector at Symantec’s Crystal Ball event in September, when he suggested that a more serious incident than WannaCry was “inevitable” but insists that the comment wasn’t defeatist, simply realistic. “I stand by it. Unless we do something differently, the investigations will say it was an unprecedented attack and two guys will get blamed for it because they’re charged with doing an impossible amount of security on their own. The NCSC is trying to make a difference by designing systems so that people can use them better.”

User-friendliness, Levy argues, represents the bedrock of improved cyber security. “Passwords are my favourite example. If you use a different password for every system, service or account, you’re told to make it complicated and change it often. Weigh up the average number of accounts and passwords and it roughly translates to saying that you need to remember a different 600-digit number every month. People can’t do that so they build coping strategies, like using the same password for everything or storing them on a text file on the desktop. Those coping mechanisms show that we’ve got the design of our systems wrong.”

So, how do we make them better? “Firstly, let’s put into perspective that your email account is different. It’s the key to your kingdom. Whenever you get a password reset for something, where does it go? It’s the source. Let’s protect that better and use a password manager to help people understand. In the long run, though, you want different sorts of authentication. The NCSC wants you to be able to log on without a password, using commodity technologies. It could be your Apple Pay, your Fitbit or whatever, so you don’t have to worry about always remembering a hundred-odd passwords.”

Jeremy Fleming, the head of GCHQ, wrote in an op-ed for the Daily Telegraph recently that the NCSC has helped the intelligence organisation to “come out of the shadows”. What’s it like being the public-facing wing of a traditionally secretive entity? While Martin stresses that all sensitive information remains protected by a need-to-know basis – and some very thick walls – he comments that the NCSC is “enjoying letting people know what they need to know, too. We’re trying to make a positive difference by empowering people through knowledge.”

When the Prime Minister called a snap general election earlier this year, he adds, it was important to brief all stakeholders on the potential cyber risks involved. “When we did the election protection work, what was fantastic is that we were able to get hundreds of people from political parties, local government and the like to come in. We developed electoral software and had service providers in a room downstairs. While we weren’t going to talk about the classified basis of our knowledge, we showed them the threat as we saw it and the easy things they could do to deal with it. We were able to get that rolled out within days.”

The same Jeremy Fleming op-ed also addresses one of cyber security’s hot potatoes: encryption. “Hostile states, terrorists and criminals,” the former deputy director-general of MI5 warned, “use those same features – instant connectivity and encrypted communications – to undermine our national security, attack our interests and, increasingly, commit crime.” Does the NCSC support the idea of inserting “backdoors” into encrypted messaging platforms to enhance surveillance of suspicious actors? “We need to get away from this language about backdoors. The Investigatory Powers Act is clear about lawful access to data in strictly controlled circumstances.

“We are in favour of strong encryption for all and no one in UK government wants to weaken that encryption. But it is a fact that encrypted services are abused by certain groups, including terrorists and those who commit serious crimes. The government doesn’t want unfettered access but we do need to ensure that the service providers can give targeted exceptional access to law enforcement.”

One of the biggest problems in UK cyber security is attackers sending fake emails that appear to come from government addresses. Domain-based Message Authentication, Reporting and Conformance, better known as DMARC, lets a domain owner publish a policy in DNS that tells receiving mail servers to quarantine or reject messages whose visible From: address is not backed by an SPF or DKIM check aligned with that address, and to report back on what they saw. Levy explains: “The concept is pretty simple. The most common way to attack victims’ systems is through email spoofing and spear-phishing [where emails are tailored to the recipient to increase the chance of their clicking on a malicious link]. So we have built the ‘Mail Check’ service that monitors the adoption of the standard and provides data on trends. DMARC has already stopped a lot of potential attacks, for example blocking at least 120,000 emails from a spoof ‘@gov.uk’ address. Authentication markers that the sender can’t control – big ticks and big crosses – those are how you can make it clear what’s to be trusted.”
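As an added example (not NCSC or Mail Check code), the following Python shows the check a receiving mail server makes once it has the sender's DMARC record and its own SPF and DKIM results: it parses the record, tests whether either authenticated identity is aligned with the From: domain the user sees, and picks the disposition (deliver, quarantine or reject) the domain owner asked for. The records, addresses and the small public-suffix table are constructed for illustration; a real receiver uses the full Public Suffix List and has already evaluated SPF and DKIM before this step.

```python
"""Evaluate DMARC for a single message from SPF/DKIM results already in hand.

Added example, not NCSC or Mail Check code. The receiving server has already
looked up the sender's _dmarc.<domain> TXT record and computed SPF and DKIM
results; this is the policy step that follows.
"""
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List. gov.uk is itself a public
# suffix, so hmrc.gov.uk and dwp.gov.uk are distinct organisational domains.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "gov.uk", "org.uk", "example"}


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and a p= policy")
    return tags


def organizational_domain(domain):
    """Longest public suffix plus one label (e.g. mail.hmrc.gov.uk -> hmrc.gov.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain within the same organisational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class DmarcResult:
    passed: bool
    spf_aligned: bool
    dkim_aligned: bool
    disposition: str  # "none" (deliver), "quarantine" or "reject"
    pct: int          # share of failing mail the owner asked to have the policy applied to


def evaluate_dmarc(record, from_domain, spf_result="none", spf_domain="",
                   dkim_result="none", dkim_domain="", record_domain=None):
    """Decide pass/fail and disposition for one message.

    from_domain:   domain of the RFC5322.From header the user sees
    spf_domain:    domain SPF was checked against (MAIL FROM), when spf_result == "pass"
    dkim_domain:   d= tag of a DKIM signature that verified, when dkim_result == "pass"
    record_domain: where the record was found; if From is a subdomain of it,
                   the sp= policy applies instead of p=
    """
    tags = parse_dmarc_record(record)
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(spf_domain, from_domain, tags.get("aspf", "r").lower()))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r").lower()))
    passed = spf_ok or dkim_ok  # one aligned pass is enough

    policy = tags["p"].lower()
    if record_domain and from_domain.lower() != record_domain.lower():
        policy = tags.get("sp", policy).lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy {policy!r}")
    pct = max(0, min(100, int(tags.get("pct", "100"))))
    return DmarcResult(passed, spf_ok, dkim_ok, "none" if passed else policy, pct)


if __name__ == "__main__":
    # Constructed record and message results; not real DNS data.
    gov = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@dmarc.example"
    # Attacker forges From: alerts@gov.uk but can only pass SPF for a domain they own.
    spoof = evaluate_dmarc(gov, "gov.uk", spf_result="pass", spf_domain="evil.example")
    print("forged @gov.uk, SPF pass for attacker domain only ->", spoof.disposition)
    # Genuine mail carries a DKIM signature only the gov.uk owner can produce.
    real = evaluate_dmarc(gov, "gov.uk", dkim_result="pass", dkim_domain="gov.uk")
    print("DKIM d=gov.uk aligned with From ->", real.disposition)
```

The point the quote makes is visible in the first scenario: the attacker controls the envelope sender and can make SPF pass for their own domain, but that identity is not aligned with the forged From: address, so a p=reject record lets the receiver discard the message. Note that a record only protects the domain it is published for (plus subdomains via sp=), which is why each department under gov.uk needs its own.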

Reflecting on one year of the NCSC, both Martin and Levy agree that awareness must be at the heart of any cyber security strategy. It’s vital that regulation isn’t viewed as “punitive”, Levy says, but rather as a way of “getting people and businesses to do the right thing by default. We don’t want to disadvantage the SMEs. You have to address those different company types in different ways. Our small business guide presents five simple steps as an infographic. We want to be able to present cyber security in a way that it can be consumed easily and by the right audience.”

Cyber security, Martin reiterates, can no longer be viewed as an issue for a company’s IT department alone. The breaches at Equifax, Yahoo and TalkTalk, he says, have caused lasting reputational damage, well beyond the initial loss of data. Should every person and every company, then, be doing more to improve their cyber security? “Absolutely.”

Rohan Banerjee is a Special Projects Writer at the New Statesman. He co-hosts the No Country For Brown Men podcast.