We are approaching the fourth anniversary of the foundation of the NCSC and the threats it was created to respond to loom larger than ever. PublicTechnology examines the growth of the UK’s cyber-defence capability
In January 2018, Ciaran Martin, the chief executive of the National Cyber Security Centre, publicly warned that “it is a matter of when, not if” the UK would suffer a category-one cyberattack, and that we could count ourselves lucky to make it through the coming two years without doing so.
Many people no doubt the same reaction: did we not just have one?
Martin’s comments came just seven months after the destruction wrought by WannaCry – which, despite the NCSC chief’s warning, remains the most serious breach ever suffered in the UK.
Most people outside the security sector could be forgiven for assuming that was as bad as it gets.
But, on the NCSC’s five-tier ranking system, WannaCry was classed as a category-two attack, indicating a “highly significant incident”.
This classification is applied to any “cyberattack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy”.
For an incident to be placed in category one – otherwise known as a “national cyber emergency” – it would need to “cause sustained disruption of UK essential services or affect UK national security, leading to severe economic or social consequences or to loss of life”.
In April 2019, almost two years on from WannaCry and 15 months after Martin’s warnings, PublicTechnology asked the cyber chief whether he still saw a cyber emergency as an imminent inevitability.
“I wouldn’t see the prospect of one receding, and I think we should expect it at some point,” he said.
Does the fact that we have avoided one thus far is down speak to the strength of the UK’s defences, the shortcomings of our attackers – or, simply, luck?
“[It is] a combination of multiple factors,” Martin told us. “I think we are doing a lot of very good work… in particular on resilience and critical infrastructure. But that is not, in and of itself, a guarantee against a category-one attack. I think that we have a good detection and deterrence operation – and I mean deterrence in its broader sense, in terms of making the UK a harder target, a harder place to bother with.”
He added: “I would say we have also come close to category-one attacks. The impact of WannaCry was categorised as a category two, but there are similar attacks in other countries that, had they occurred to that extent, might have been a category-one attack.”
An active approach
Of course, a key reason that the NCSC was founded – seven months before WannaCry – is the recognition among defence, security and intelligence professionals of the inevitability of the kind of attacks that it has been equipped to respond to on behalf of the UK.
Its mantra for doing so is “active cyber defence”, a strategy that involves combating commodity attacks through “automated and scalable” means.
Included in the ACD arsenal is a takedown service for malicious content discovered by NCSC, a platform automatically scans sites for vulnerabilities, and a service for email domain owners to better understand and combat issues such as phishing attacks. Also part of its core line-up are a range of services for the public sector, including a protective domain-name service to prevent their platforms being used to spread malware, an incubator for suspicious emails, and a platform allowing for easy reporting of vulnerabilities in government services and websites.
Date of establishment of the National Cyber Security Centre
Number of NHS trusts – out of a total of 236 – that were impacted by WannaCry
Sustained disruption of essential services… severe economic or social consequences or loss of life
Impacts that would constitute a category-one national cyber emergency
Number of incidents handled by NCSC in the 2018/19 year
Number of phishing URLs taken down during the year
This active cyber defence approach has been broadly adopted by a number of other countries, including the US where, in June 2018, the national Cyber Command announced an even more proactive policy, which it characterised as “defending forward”.
“Defending forward as close as possible to the origin of adversary activity extends our reach to expose adversaries’ weaknesses, learn their intentions and capabilities, and counter attacks close to their origins,” it said. “Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defence and reduce attacks.”
The organisation’s goal is for the US to “achieve and maintain superiority in the cyberspace domain [in order] to influence adversary behaviour, deliver strategic and operational advantages for the Joint Forces, and defend and advance our national interests”.
There is clarity about the identity of those adversaries; Iran, North Korea, China and Russia are routinely namechecked by both the US and the UK the four hostile actors it faces in cyberspace.
But such is the difficulty of attributing attacks to a sufficient degree of certainty that it is much rarer for any campaign to be directly blamed on another nation.
However, the NCSC – sometimes in conjunction with US counterparts – has, on occasion, shown a willingness to do so.
In March 2018 it reportedly issued warnings to government departments, hospitals, energy companies, and organisations responsible for critical national infrastructure that they should be vigilant against possible cyberthreats from Russia.
A month later, it went considerably further.
Supported by the FBI and the US Department of Homeland Security, the NCSC spoke out in April 2018 to call out Russia for a sustained campaign of attacks on both sides of the Atlantic.
At the time, Martin hailed “a significant moment in the transatlantic fightback against Russia’s aggressive activity in cyberspace”.
“We have called it out before, but never have we joined together… to give advice to industry and citizens,” he said. “This a very significant moment – we are holding Russia to account, and improving our defences at the same time.”
Later that year, the NCSC spoke out once again, as it attributed to Russian intelligence four malicious campaigns on targets around the world, over a period of three years.
The more aggressive tone was amplified by then foreign secretary Jeremy Hunt, who said: “These cyberattacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport. The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.”
The UK’s more long-standing law-enforcement organisations have also shown a growing cognisance of the threat posed by hostile actors in cyberspace.
The UK’s National Crime Agency runs a dedicated cyber division employing more than 300 specialists to lead the UK’s response to cybercrime.
In late 2018, the head of operations for the National Cyber Crime Unit Mike Hulett told PublicTechnology that his organisation intended to counter the threat posed by Russia by working more closely with the country’s neighbours. This plan included putting officers on the ground, as well as supporting overseas counterparts in growing the skills of their own staff.
“In an ideal world, we would have a liaison officer in Moscow, but realistically the diplomatic and political situation between ourselves and Russia isn’t going to change anytime soon,” Hulett said. “Instead, part of our strategy is to gain influence and capability in surrounding states, so places like Ukraine, Romania and the Baltic states are ones that we work closely with on a number of different issues.”
He added: “We have done quite a lot of capability building [such as] training programmes in different countries. We can’t have vast amounts of people out there, but if we can have someone out there for a couple of weeks, we can teach them a particular technique that they can then cascade to their own [agencies]. We have done quite a few multi-country exercises as well, where test out how different countries would interact with each other in times of a critical cyber incident.”
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms.”
Then foreign secretary Jeremy Hunt in October 2018
Elections and the wider democratic process are seen as one of the foremost potential targets for such an incident.
In 2017, the cybersecurity chief of what was then the Department for Communities and Local Government warned that local government elections were increasingly likely to be targeted by attackers. He urged councils’ information-security professionals to take the time to make sure their local-government colleagues were aware of the threat and as prepared as possible.
“It is only a matter of time before somebody will try some kind of intervention,” he said. “How many of you have put your electoral services team through a day’s cyber training? This is fundamental. This is what matters to your councillors and your electors. On the [NCSC] website there is a free one-day training to make people aware about cyber. Go back to talk to your head of democratic services… This is one significant step we can take to defend our democracy.”
The threat to national elections is perhaps even greater. It is a threat that is well understood by the NCSC which, prior to the 2017 general election, engaged with local authorities across the country to advise on potential cybersecurity issues and how to combat them. By the time of the next poll, two years later – by which time the Cabinet Office had established the cross-government Defending Democracy programme – this work was conducted in a more methodical way.
“We are ready to work with political parties, local government, the media, and wider society to protect that most valuable of national commodities – our free and fair democratic system,” said NCSC chief Martin, in the weeks leading up the 2019 election.
As the wait goes on for the moment when one of those commodities suffers the most severe of attacks, the need for government to take every step possible to protect them is greater than ever.
This article is part of PublicTechnology’s Cyber Week, a dedicated programme of content focused on the threats facing the public sector and the country at large, and how government can best respond. Throughout the week, which is brought to you in association with CyberArk, we will publish interviews, features, analysis and exclusive research looking at – in chronological order – the cyber landscape for defence and national security, businesses, citizens, the NHS, and, finally, central and local government. Click here to access all the content in one place.