Comment

11.12.17

NCSC: A new and adventurous agenda

Ciaran Martin, chief executive of the National Cyber Security Centre (NCSC), reflects on the lessons learned during the first year of the government’s new agency.

I am proud of what the NCSC has done in its first year to protect the public sector, including:

  • Our cyber experts received 1,131 incident reports, with 590 classed as ‘significant’;
  • Our Active Cyber Defence programme is blocking tens of millions of attacks every week;
  • We’ve produced more than 200,000 protective items for Armed Forces communications;
  • Over 1,000 young people have taken advantage of our free CyberFirst courses – and 8,000 girls entered our CyberFirst Girls contest;
  • We led the UK response to the global WannaCry incident, which affected 47 NHS trusts.

This success didn’t come easily, or by accident – we have had to think dynamically. The last few years have seen a step change in the UK Government’s approach to cyber security, involving a profound strategic rethink and the creation of the NCSC.

This change of approach was needed because we had been less successful in getting good cyber security into the mainstream across the country than we had hoped.

We questioned our approach and found answers not just from technical experts, but in the disciplines of economics and behavioural science.

To date, the UK’s record in resisting more sophisticated attacks has been relatively good in terms of national security, though we’ve acknowledged that we have some way to go when it comes to our basic defences.

And raising the standard of these defences is the most important thing we can do as a country because, for the attacker, a cyber-attack is fundamentally about return on investment – what they will potentially get out of an attack compared to how easy or difficult it is to mount it.

If it’s easy to get in – and lucrative once the attacker is in – the attacker will come. If it’s hard to get in and, once you do, it’s hard to steal or tamper with stuff, the attacker may well go away, because there are plenty of other easier targets around.

Barriers to investment – and how to break them down

We also considered why, given the financial implications of cyber-attacks, market forces don’t lead companies to invest fully in cyber defence. Economics and behavioural science suggest some broad answers to this consideration.

First, cyber security had become shrouded in mystique and scaremongering, with threats not accompanied by clear guidance. Business leaders were trapped into thinking of cyber security as a problem that they couldn’t understand or do anything about.

A second problem was that this climate of mystery and fear translated into bad advice and rules for citizens. Here is one example of official government advice: “Have a different, complex password for each service and change them often.”

We enlisted academics to revisit guidance from a behavioural science point of view. The conclusion was that this advice was like asking the average person to remember a new 600-digit number every month. The verdict? Impossible and unworkable, and therefore no basis for defence.

We now ensure our advice for organisations and the public is practical and workable; the advice we issued during WannaCry – the attack that affected the English and Scottish NHS – was a good example of this. We published detailed, specific and technical guidance on how to contain the attack within 24 hours and more general guidance on how to protect against ransomware, and undertook a wave of media activity to make sure we maximised public awareness of that guidance.

In comes DMARC

In our approach, we were also noticing an apparent mismatch between the issues and the economic incentives to fix them.

One of the biggest problems in cyberspace is online spoofing – pretending to be someone you’re not, usually by way of a fake email. Once someone opens the email, clicks on the link, and opens the attachment, the attack succeeds. But the organisation that is spoofed doesn’t suffer any damage – if it’s HMRC, for example, people are still going to pay tax because that’s the law. This means that this is a national problem, not an organisational one.

HMRC’s digital leadership recognised the problem and worked with the Government Digital Service and the NCSC to create the Domain-based Message Authentication, Reporting and Conformance protocol – or DMARC, one of the NCSC’s Active Cyber Defence measures. This helps determine whether a communication comes from the organisation it purports to. What DMARC does is tell the internet’s distribution mechanisms how to recognise a genuine email from an organisation.

We tried it out with HMRC in 2016. Instead of delivering the fake emails to the user with a warning, they were delivered to us, and we got 300 million of them in 2016 alone. The best thing about this system is that ordinary computer users don’t have to make a judgment about whether to open a ‘dodgy-looking’ email. And this is especially important when you consider another difficult piece of previous advice: “Don’t open attachments or click links unless you trust them.”

DMARC works because people no longer have to make impossible judgments about what to trust, open or click, because they don’t get the emails in the first place.

We’ve learned that passive cyber defence – promoting partnership and information-sharing initiatives – produces some research outcomes, but they are very limited. Instead, we are actively stepping in to fix problems by using the behavioural science and economic lessons that we have learned to raise the basic defences of organisations across the country. And we’re making it practical and economical for them to do so – which is especially important for public bodies.

As well as DMARC, Active Cyber Defence involves:

  • The Domain Name Service (DNS) filter, which operates for all public servants who use government networks, stopping them visiting sites we know to be malicious;
  • A new service called WebCheck. This allows smaller organisations like local authorities and NHS bodies to scan their web-facing services for common vulnerabilities, and then tells them how to fix them. It is free, and gives advice in a non-technical way;
  • Working with internet hosts to take down malicious websites – and automating this. Bad sites used to be up for an average of 27 hours – it’s now down to around one.

You can find out more about Active Cyber Defence on our website.

These measures embody the new and adventurous agenda from the NCSC that is drawing attention from around the world. We’re not claiming to get everything right, but we set out to use GCHQ’s world-class expertise for the benefit of all UK internet users.

We aim to innovate constantly, and to give users easy and cheap ways of making themselves that bit safer online – because every extra bit of protection counts. We are also serious about being open, and we want to work with partners in government, law enforcement, business, citizens’ groups and internationally.

We think our approach is working so far, and we hope it can be used to successfully tackle other challenges that face the public sector.     

FOR MORE INFORMATION
W: ncsc.gov.uk
