NCSC’s Dr Ian Levy on why the UK must ‘turn cybersecurity into a science’
The technical director of the National Cyber Security Centre tells PublicTechnology about the organisation’s achievements so far, and what it is doing to prepare for an inevitable cyber emergency
Here’s one for any fellow fans of Only Connect: what is the connection between the following four things?
The Iranian nuclear programme.
The oldest credit-reference agency in the US.
The world’s third most popular internet search engine.
Hopefully – unlike me when I watch the BBC quiz show – you are not currently staring blankly and bemusedly at the screen, but collectively shouting the correct answer: they have all been impacted by notorious cyberattacks.
The fact that each of this quartet has been hacked is, in and of itself, quite alarming. Taken together, the realisation that attackers can penetrate sensitive targets as diverse as hospitals, individuals’ financial history, uranium-enrichment facilities, and people's personal emails is more than a little terrifying.
WannaCry was a hell of a weekend. But I think our decisions helped reduce harm
So, while it may be hard not to feel a pang of fear every time you see a headline heralding another high-profile hack, some experts would like to see a more measured approach to protecting the connected world from the many dangers it faces.
Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC), tells PublicTechnology that part of his organisation’s remit is to foster and promote a strategy characterised by pragmatism, not paranoia.
“We want to generate the data to turn cybersecurity into a science. Because, at the moment, a lot of it is driven by fear,” he says.
According to Levy, the NCSC – which is part of GCHQ – can use government’s wealth of data, as well as its research and analysis capabilities, to help demystify cybersecurity, and enable businesses and public-sector entities to take an empirical approach to defending themselves.
“We have said from the start that we want to try and democratise security,” Levy says. “People talk about advanced persistent threats – APT. It sounds terrifying, but a lot of times that could also stand for ‘adequate pernicious toerags’. A lot of incidents we have dealt with are [as a result of] some basic problems.”
He adds: "Every organisation has a cybersecurity budget, and it is about understanding how to invest their scarce resources to best effect. By generating objective data and putting some science behind it, we can help them make decisions in a better way.”
In addition to providing UK companies and government entities with a centralised hub of information and advice, Levy and his technical team are also engaged in “building the defences for the country”.
“How do we defend at a national level against things like phishing? We cannot stop people sending links – but how can we manage the human cost?,” he says.
Since 2016 NCSC has been working with security vendor Netcraft to provide a service allowing government departments to report to the Bath-based company details of phishing campaigns by which they have been affected. Netcraft then immediately issues takedown notices to the companies responsible for hosting the email and related phishing site.
The introduction of this service has enabled the NCSC to drastically reduce – from 27 hours to under one hour – the average amount of time phishing sites targeted at government remain live after being detected. The post-detection lifespan for malware has fallen from 22 days to less than two days.
Levy says that, not only has the NCSC’s work with Netcraft had a positive effect, but that its efforts have also inspired others to take the lead in combatting common threats like phishing. The publication in February of a report titled Phishing attacks: Defending your organisation prompted BT to set up its own a facility for sharing information on phishing sites, Levy says.
“We have data that shows that these measures have a measurable impact,” he adds.
On the one-year anniversary of its creation, the NCSC published a report revealing that, during its first 12 months, it had received reports of 1,191 incidents, of which 590 were considered “significant” – including 34 for which NCSC had to co-ordinate a cross-government response.
“That was surprising to me – the number of incidents that we had to handle,” Levy says. “We even had to spin up an incident because the National Lottery wasn’t hacked. People had misinterpreted information.”
The scale of some of the attacks was also a revelation, the technical director adds.
“WannaCry being the obvious one,” he says. “That was a hell of a weekend. But I think our decisions helped reduce harm."
Levy adds: “We also changed some of our incident-management procedures as a result of that. [For example], we found that some organisations do incident management by email. Only to be told [during WannaCry] to turn email off – not by us, by others. We are now helping organisations have a better-planned response.”
We want to try and democratise security... a lot of incidents we have dealt with are [as a result of] some basic problems
WannaCry was classed by NCSC as a category 2 assault, indicating that it is considered a ‘highly significant incident’. The UK has yet to suffer a top-tier category 1 breach, which would denote a ‘national cyber emergency’.
“There will be a category 1 incident sometime in the next couple of years,” Levy tells PublicTechnology. “Our job is to minimise the harm of that.”
When asked if the country is ready to deal with such an attack, Levy says: “We can always do better. But I think the UK critical infrastructure sector is pretty well managed. Every single sector has a regulator, [overseen by] a lead government department. Our job is to help them understand the risks.
“But we cannot do that in isolation.”
Woody Johnson compares the use of the vendor’s equipment to ‘letting a kleptomaniac into your house’
Ability to compel telecoms firms to gather data was introduced in Investigatory Powers Act
Department seeks leaders in the areas of digital enablement and cyber risk