The National Cyber Security Centre (NCSC) will offer advice to both citizens and organisations on how to protect themselves against hackers.
Speaking to the BBC’s Newsnight, NCSC CEO Ciaran Martin said: “We have had significant losses of personal data, significant intrusions by hostile state actors, significant reconnaissance against critical national infrastructure – and our job is to make sure we deal with it in the most effective way possible.”
The NCSC is expected to be a more transparent and accessible organisation than GCHQ, the intelligence agency that previously took responsibility for strengthening the UK’s cyber resilience (although NCSC is under the control of GCHQ). Its remit also extends to helping businesses of a broader spectrum of sizes and sectors.
Nevertheless, the protection of critical national infrastructure remains of paramount concern, particularly given stories like the New Year power outages in Ukraine, which were attributed to malware.
Mike Gillespie, founder of cybersecurity consultancy Advent IM, has noted the growing ambitions of malign actors in an interview with IFSEC Global: “We’re seeing attacks on physical buildings, on CCTV systems, on air conditioning systems, vehicles, tram systems, train systems are all coming under attack,” he said.
“And sometimes for direct malicious intent with a view to causing accidents, damage, bringing down national infrastructure. If it’s a weak system, a legacy system, poorly installed and poorly patched, it then allows a foothold to be gained.”
The centre will also seek to foster collaboration between government and the private sector in order to reduce the UK’s vulnerability to cyber breaches and safeguard its £118bn digital sector.
The UK now faces about 60 serious cyber-attacks a month, according to the NCSC.
Many of those are believed to originate from Russia, which was at the centre of hacking allegations surrounding the US presidential election in November. There are also fears of interference in upcoming elections in France and Germany.
“I think there has been a significant change in the Russian approach to cyber-attacks and the willingness to carry it out, and clearly that’s something we need to be prepared to deal with,” Ciaran Martin said. “There has been an identifiable trend in Russian attacks in the West, in terms of focusing on critical national industries and political and democratic processes.”
The difficulty of identifying hackers and mounting prosecutions across borders has prompted the NCSC to adopt a muscular approach to cyber defence – one that sees attack as the best form of defence.
“In the most serious cases, we have lawful powers where we can go after the infrastructure of adversaries – the infrastructure that people use to attack us – and we would do that in some of the most serious cases several dozen times a year,” Martin told the BBC.
Among the NCSC’s first priorities are projects to uncover vulnerabilities in public sector websites. “We’re actively working to reduce the harm caused by cyber-attacks against the UK and will use the government as a guinea pig for all the measures we want to see done by industry at national scale,” says NCSC technical director, Dr Ian Levy.
The NCSC plans to publish the results of its research and publish some of its code as source code to foster greater collaboration and propagate best practice.
High-profile individuals will also be given advice on how to protect their sensitive personal data.
“The NCSC is a positive stepping stone in instilling the vital cyber secure mindset, but it can only do so much. Businesses must also take responsibility.” David Navin, head of corporate, Smoothwall
The new centre is the central plank in a five-year, £1.9bn National Cyber Security Strategy announced by the government in November 2016.
Richard Lack, managing director for the EMEA region at Gigya, which develops identity management solutions, says the NCSC “will only have real impact on the issue if business decision makers, rather than just government and national security-related industries, also take responsibility in order to protect the enterprise and consumers in a sustainable way.
“Unsurprisingly, it was found recently that CEOs identify cyber security, data privacy breaches and IT disruptions as the top three technology threats to stakeholder trust.”
David Navin, head of corporate at Smoothwall, echoed these sentiments. Welcoming the opening of the NCSC as “a positive stepping stone in instilling the vital cyber secure mindset” among businesses and within the public sector, he nevertheless said that the “NCSC can only do so much.
“Businesses must also take responsibility and ensure that they are complying with regulation and build a layered security defence which spans encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance.”
Richard Lack also offered his take on the steps businesses can take to bolster their defences: “There are many ways in which companies can introduce new processes, technology or rules in order to tighten control,” he said.
“One approach, for example, would be to insist on the use of multifactor authentication, where a customer needs to combine something they know – ie a password – with something they have – such as a token or mobile phone – or something they are, such as a fingerprint. The key is that these other factors aren’t reusable or replicable and can’t be pilfered on the internet.
“It is important that we see more of this type of network-level security. By combining innovative technologies with good old common sense, businesses can work alongside the government to make our digital world a safer place.”
A survey by the Electrical Contractors Association recently revealed that 39% of buyers of smart building tech admit to not taking steps to safeguard installations against hackers.
Continued Navin: “Cyber security is an educational issue within businesses and needs to be given its high level of importance across the board, from the c-suite through to all its employees. Hopefully the launch of the NCSC will prompt UK businesses to advance their cyber security measures, keeping their companies, customers, data and information safe.”
