It has never been more important to defend our digital lives and secure our most critical systems and services. The UK faces a range of evolving and diversifying threats, from the ever-present ransomware threat and the scourge of online scams to the cybersecurity risks that came with the return of war to Europe.
The cybersecurity landscape has experienced profound change over the past 12 months and the threats, risks and vulnerabilities we collectively face require a whole-of-society response to keep the UK safe online.
At the National Cyber Security Centre (NCSC), we have been part of a huge effort to bolster our national resilience at every level, working with allies and partners in government and the private sector. We have reflected on some of the recent successes and challenges in our latest Annual Review. It is worth considering what we can learn from the past year so we can effectively tackle the emerging and persistent threats that lie ahead.
One of cybersecurity’s most significant challenges came from the invasion of Ukraine. While Russia’s brutal and destructive war has sought to redraw the physical map, its consequences have been felt globally, including in cyberspace.
As a part of GCHQ, the NCSC has unique capabilities to monitor cybersecurity threats, and from the very start of 2022 we warned of heightened cyber-risks as a result of Russian hostility. We responded by publishing expert guidance to help organisations bolster their defences, and have worked closely with partners to ensure that critical infrastructure, businesses and the whole of society are as resilient as possible.
Building resilience is vital for preventing attacks during periods of heightened threat and for raising the bar for other threats. This is a key lesson we can take away from the conflict in Ukraine: that with strong cyber-defences in place, the defender has significant agency. Ukraine’s defences have been exemplary and I’m proud the NCSC has supported them, in conjunction with the Foreign, Commonwealth and Development Office.
While the threat from Russia has been particularly blatant this year, it’s important not to forget the other threats we face, some of which are, unfortunately, all too familiar. Ransomware remains one of the most acute hazards for UK businesses and organisations and we have seen the real-world consequences that attacks can have: hitting businesses’ operations, finances and reputations, and leading to widespread disruption for customers. The NCSC has published guidance to help organisations take the necessary measures to protect themselves and we continue to urge CEOs to take the issue seriously and not delegate it to technical experts.
We have also seen low-sophistication cybercrime continue to hit the public, with commodity attacks such as phishing and malware – in the 12 months to March, 2.7 million cyber-enabled frauds were recorded. The NCSC, working with law enforcement, is more resolute than ever in thwarting cybercriminals. And it is heartening to see a growing awareness of how we can all play a part in this.
In the 12 months to September there were 6.5 million reports of suspicious emails made to the NCSC by the British public – a 20 per cent increase on the year before, and this is a trend we are keen to see continue. It has made a demonstrable contribution to improving our collective resilience.
Over the past year I’m pleased to say the NCSC has helped to stop hundreds of thousands of attacks upstream while bolstering preparedness and helping institutions and organisations better understand the nature of threats, risks and vulnerabilities downstream.
We have seen more organisations sign up to our pioneering Active Cyber Defence services, such as Early Warning, which had a 90 per cent increase in uptake in the 12 months up to September, and Exercise in a Box, where there was a 42 per cent increase. Meanwhile, our Cyber Aware campaign is a great place for individuals and smaller firms to learn practical steps to improve their cyber-hygiene.
By following our advice in using three random words to create a strong password and turning on two-step verification to secure online accounts, people can protect themselves from the most common attacks. As people’s thoughts turn to online shopping ahead of Christmas, now is a good time to be considering this.
However, with an evolving threat landscape, there is always more we can be doing to stay ahead of future threats. In our Annual Review, we consider the challenges on the horizon – in particular, the growing commercial availability of malicious cyber-tools and the risk of them falling into the wrong hands, being used with greater frequency and with less predictability.
As a responsible and democratic cyber-power, the UK is at the forefront of understanding and responding to this increasing threat and calling it out where we see it. There is growing competition for technological advantage between states, which is creating an increasingly fragmented ecosystem that brings risks for interoperability, and could undermine the free and open values that underpin our technologies.
This contrasts with the positive insight that NCSC experts provide in support of the UK’s values-driven approach to developing capabilities and innovations. And finally, while Russia remains a persistent cybersecurity threat to the UK, the scale and pace of China’s technical development is still likely to be the single biggest factor affecting our cybersecurity in the years to come.
At the NCSC, we are addressing these challenges now to ensure the UK can continue as a global cyber-power in the future. Our blueprint for doing so is set out in the National Cyber Strategy, which recognises that a thriving cyber-skills and growth ecosystem is vital for maintaining this advantage, and we champion the diversity of talent at its heart.
Initiatives such as CyberFirst have engaged thousands of young people from all across the country in the past year, while our NCSC for Startups programme has supported businesses that generate hundreds of millions of pounds in investment. This is a source of great optimism for me and my team as we look ahead to 2023. But cybersecurity is a team sport and it is only through mobilising the whole of society that we can achieve our goal of making the UK a safe place to live and work online.