The UK has to take a more proactive approach to cyber security to cope with increasingly digitised systems and the growing digital economy, the chief executive of the National Cyber Security Centre has said.
The UK is to focus on large-scale, unsophisticated attacks – Photo credit: PA
In his first speech in the role, given at a conference in Washington, Ciaran Martin said that the centre, which will be officially opened next month, would be carrying out “active cyber defence”. This will see the government working with industry to address large-scale, unsophisticated attacks that are prolific and doing a lot of damage.
“The great majority of cyber attacks are not terribly sophisticated. They can be defended against,” Martin said. “But far too many of these basic attacks are getting through. And they are doing far too much damage. They’re damaging our major institutions.”
Martin acknowledged that it was open to debate whether the government should get involved in countering attacks that target companies, but said that there was a legitimate role for it to take the lead. This, he said, would boost businesses’ and consumers’ confidence in the digital economy.
The National Cyber Security Centre will look at using a series of automated measures to make UK government networks the most secure, with the aim of demonstrating their efficacy so others take them on.
Martin listed some examples, which included work to stop people spoofing GOV.UK domains by updating its DMARC – Domain-based Message Authentication, Reporting and Conformance – policy to stop emails from the wrong IP sets.
He also set out what he described as a flagship project that would automatically protect government sites from hacks through increased DNS filtering, adding that this could be sold on to companies. “What better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?”
He said it was crucial that economy-wide initiatives should be private sector-led, and stressed that such filtering would have to be opt-out based for consumers. “Addressing privacy concerns and citizen choice is hardwired into our programme,” he said.
Discussing the new national centre, Martin said that the aim was to bring together the UK’s expertise in one organisation, adding that transparency would be a key part of what made it unique. The centre, he said, would be taking “a more public-facing approach than ever before”.
Further elements of the government’s strategy for cyber defence include building up core national defensive cyber capabilities and work to mitigate the risks linked to securing legacy systems by designing and implementing systems that are harder to disrupt.
Martin’s speech came as the National Audit Office published a critical report into data protection, calling for much greater coordination of strategy by the Cabinet Office.
It said that there were almost 9,000 data breaches from the 17 biggest government departments in 2014-15. It also noted that there were twice as many national-level cyber incidents – 200 a month – in that year as in the previous one.
Referring to the National Cyber Security Centre, the NAO said that while it would help pool expertise, it was of the opinion that a more wide-ranging shake-up is needed to improve protection.
“The NCSC should streamline central government processes for dealing with information incidents in cyberspace,” the report said.
“However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report.”
It also sounded a note of caution on the centre’s plans to work with the private sector – which Martin repeatedly emphasised in his speech.
“The NCSC is designed to work with government and the private sector: whether it has the capacity to do so effectively remains to be seen,” the NAO said.
In concluding his speech, Martin said that the centre wanted to be judged on results.
“Hard data and hard, credible evidence has been scarce in cyber security thus far,” he said. “Part of the agenda will be the publication of data and evidence about what is and isn’t working, and metrics about the outcomes achieved. If we succeed, we want to be able to prove it, not just assert it. If we fail, we don’t expect to be able to hide.”