“Active cyber defence”: UK’s first National Cyber Security Centre chief sets out strategy

Written by Rebecca Hill on 15 September 2016 in News

The UK has to take a more proactive approach to cyber security to cope with increasingly digitised systems and the growing digital economy, the chief executive of the National Cyber Security Centre has said.

The UK is to focus on large-scale, unsophisticated attacks - Photo credit: PA

In his first speech in the role, given at a conference in Washington, Ciaran Martin said that the centre, which will be officially opened next month, would be carrying out “active cyber defence”. This will see the government working with industry to address large-scale, unsophisticated attacks that are prolific and doing a lot of damage.

“The great majority of cyber attacks are not terribly sophisticated. They can be defended against,” Martin said. “But far too many of these basic attacks are getting through. And they are doing far too much damage. They're damaging our major institutions.”

Martin acknowledged that it was open to debate whether the government should get involved in countering attacks that target companies, but said that there was a legitimate role for it to take the lead. This, he said, would boost businesses’ and consumers’ confidence in the digital economy.

The National Cyber Security Centre will look at using a series of automated measures to make UK government networks the most secure, with the aim of demonstrating their efficacy so others take them on.

Martin listed some examples, which included work to stop people spoofing GOV.UK domains by updating its DMARC (Domain-based Message Authentication, Reporting and Conformance) policy to stop emails from the wrong IP sets.

He also set out what he described as a flagship project that would automatically protect government sites from hacks through increased DNS filtering, adding that this could be sold on to companies. “What better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?”

He said it was crucial that economy-wide initiatives should be private sector-led, and stressed that such filtering would have to be opt-out based for consumers. “Addressing privacy concerns and citizen choice is hardwired into our programme,” he said.

Discussing the new national centre, Martin said that the aim was to bring together the UK’s expertise in one organisation, adding that transparency would be a key part of what made it unique. The centre, he said, would be taking “a more public-facing approach than ever before”.

Further elements of the government’s strategy for cyber defence include building up core national defensive cyber capabilities and work to mitigate the risks linked to securing legacy systems by designing and implementing systems that are harder to disrupt.

Martin’s speech came as the National Audit Office published a critical report into data protection, calling for much greater coordination of strategy by the Cabinet Office.

It said that there were almost 9,000 data breaches from the 17 biggest government departments in 2014-15. It also noted that there were twice as many national-level cyber incidents – 200 a month – in that year as in the previous one.

Referring to the National Cyber Security Centre, the NAO said it would help pool expertise, but it was of the opinion that a more wide-ranging shake-up is needed to improve protection.

"The NCSC should streamline central government processes for dealing with information incidents in cyberspace," the report said.

"However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report."

It also sounded a note of caution on the centre’s plans to work with the private sector - which Martin repeatedly emphasised in his speech.

“The NCSC is designed to work with government and the private sector: whether it has the capacity to do so effectively remains to be seen,” the NAO said.

In concluding his speech, Martin said that the centre wanted to be judged on results.

“Hard data and hard, credible evidence has been scarce in cyber security thus far,” he said. “Part of the agenda will be the publication of data and evidence about what is and isn't working, and metrics about the outcomes achieved. If we succeed, we want to be able to prove it, not just assert it. If we fail, we don't expect to be able to hide.”


Submitted on 15 September, 2016 - 17:12
“The great majority of cyber attacks are not terribly sophisticated. They can be defended against”. Agreed, which makes the fact that most users are not sophisticated either resonate. Following a great event #transformPS, it became clearer still that a key part of transformation is getting services trusted - and we cannot do that without an increase in user awareness. Now, one area few often raise is platform - and I for one have used Apple and now iOS for many years. My reason - security confidence. If you want to maximise security then ease of use and great design go hand in hand. Endpoint security can work in the hands of the 'less than secure' user, but it takes a special platform to make it happen. John Rudkin
