NCSC’s Dr Ian Levy on why the UK must ‘turn cybersecurity into a science’

Written by Sam Trendall on 12 April 2018 in Features
Features

The technical director of the National Cyber Security Centre tells PublicTechnology about the organisation’s achievements so far, and what it is doing to prepare for an inevitable cyber emergency

Here’s one for any fellow fans of Only Connect: what is the connection between the following four things?

The Iranian nuclear programme.

The oldest credit-reference agency in the US.

The world’s third most popular internet search engine.

NHS England.

Hopefully – unlike me when I watch the BBC quiz show – you are not currently staring blankly and bemusedly at the screen, but collectively shouting the correct answer: they have all been impacted by notorious cyberattacks.

The fact that each of this quartet has been hacked is, in and of itself, quite alarming. Taken together, the realisation that attackers can penetrate sensitive targets as diverse as hospitals, individuals’ financial history, uranium-enrichment facilities, and people's personal emails is more than a little terrifying.

WannaCry was a hell of a weekend. But I think our decisions helped reduce harm

So, while it may be hard not to feel a pang of fear every time you see a headline heralding another high-profile hack, some experts would like to see a more measured approach to protecting the connected world from the many dangers it faces.

Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC), tells PublicTechnology that part of his organisation’s remit is to foster and promote a strategy characterised by pragmatism, not paranoia.

“We want to generate the data to turn cybersecurity into a science. Because, at the moment, a lot of it is driven by fear,” he says.

According to Levy, the NCSC – which is part of GCHQ – can use government’s wealth of data, as well as its research and analysis capabilities, to help demystify cybersecurity, and enable businesses and public-sector entities to take an empirical approach to defending themselves.

“We have said from the start that we want to try and democratise security,” Levy says. “People talk about advanced persistent threats – APT. It sounds terrifying, but a lot of times that could also stand for ‘adequate pernicious toerags’.  A lot of incidents we have dealt with are [as a result of] some basic problems.”

He adds: "Every organisation has a cybersecurity budget, and it is about understanding how to invest their scarce resources to best effect. By generating objective data and putting some science behind it, we can help them make decisions in a better way.”

In addition to providing UK companies and government entities with a centralised hub of information and advice, Levy and his technical team are also engaged in “building the defences for the country”.

“How do we defend at a national level against things like phishing? We cannot stop people sending links – but how can we manage the human cost?,” he says.

Since 2016 NCSC has been working with security vendor Netcraft to provide a service allowing government departments to report to the Bath-based company details of phishing campaigns by which they have been affected. Netcraft then immediately issues takedown notices to the companies responsible for hosting the email and related phishing site.

The introduction of this service has enabled the NCSC to drastically reduce – from 27 hours to under one hour – the average amount of time phishing sites targeted at government remain live after being detected. The post-detection lifespan for malware has fallen from 22 days to less than two days.

Levy says that, not only has the NCSC’s work with Netcraft had a positive effect, but that its efforts have also inspired others to take the lead in combatting common threats like phishing. The publication in February of a report titled Phishing attacks: Defending your organisation prompted BT to set up its own a facility for sharing information on phishing sites, Levy says.

“We have data that shows that these measures have a measurable impact,” he adds.

Incident insight
On the one-year anniversary of its creation, the NCSC published a report revealing that, during its first 12 months, it had received reports of 1,191 incidents, of which 590 were considered “significant” – including 34 for which NCSC had to co-ordinate a cross-government response.

“That was surprising to me – the number of incidents that we had to handle,” Levy says. “We even had to spin up an incident because the National Lottery wasn’t hacked. People had misinterpreted information.”

The scale of some of the attacks was also a revelation, the technical director adds.

“WannaCry being the obvious one,” he says. “That was a hell of a weekend. But I think our decisions helped reduce harm."

Levy adds: “We also changed some of our incident-management procedures as a result of that. [For example], we found that some organisations do incident management by email. Only to be told [during WannaCry] to turn email off – not by us, by others. We are now helping organisations have a better-planned response.”

We want to try and democratise security... a lot of incidents we have dealt with are [as a result of] some basic problems

WannaCry was classed by NCSC as a category 2 assault, indicating that it is considered a ‘highly significant incident’. The UK has yet to suffer a top-tier category 1 breach, which would denote a ‘national cyber emergency’.

“There will be a category 1 incident sometime in the next couple of years,” Levy tells PublicTechnology. “Our job is to minimise the harm of that.”

When asked if the country is ready to deal with such an attack, Levy says: “We can always do better. But I think the UK critical infrastructure sector is pretty well managed. Every single sector has a regulator, [overseen by] a lead government department. Our job is to help them understand the risks.

“But we cannot do that in isolation.”

This week the NCSC is in Manchester hosting CYBERUK 18, an annual three-day event designed to be "government’s flagship event for cybersecurity in the UK".

About the author

Sam Trendall is editor of PublicTechnology

Share this page

Tags

Categories

CONTRIBUTIONS FROM READERS

Please login to post a comment or register for a free account.

Related Articles

Standards watchdog flags up accountability concerns over ministers’ use of WhatsApp
13 January 2022

Lord Evans tells MPs that personal messaging platforms should only be used by ministers if doing so can be properly regulated

Right to rent: Home Office to enable third-party digital ID checks for landlords
12 January 2022

Private sector service providers will be certified to verify identities of prospective tenants and employees

Most departments wipe devices after failed password attempts
7 January 2022

FOI responses find that two thirds of government entities reset phones – a practice firmly discouraged by MPs

Year in review: How technology defined 2021’s biggest stories
31 December 2021

Digital and data once again had a starring role in supporting – and, occasionally, hampering – government’s work this year. PublicTechnology looks back at the most significant events.