
11.12.17

NCSC: A new and adventurous agenda

Ciaran Martin, chief executive of the National Cyber Security Centre (NCSC), reflects on the lessons learned during the first year of the government’s new agency.

I am proud of what the NCSC has done in its first year to protect the public sector, including:

  • Our cyber experts received 1,131 incident reports, with 590 classed as ‘significant’;
  • Our Active Cyber Defence programme is blocking tens of millions of attacks every week;
  • We’ve produced more than 200,000 protective items for Armed Forces communications;
  • Over 1,000 young people have taken advantage of our free CyberFirst courses – and 8,000 girls entered our CyberFirst Girls contest;
  • We led the UK response to the global WannaCry incident, which affected 47 NHS trusts.

This success didn’t come easily, or by accident – we have had to think dynamically. The last few years have seen a step change in the UK Government’s approach to cyber security, involving a profound strategic rethink and the creation of the NCSC.

This change of approach was needed because we had been less successful in getting good cyber security into the mainstream across the country than we had hoped.

We questioned our approach and found answers not just from technical experts, but in the disciplines of economics and behavioural science.

To date, the UK’s record in resisting more sophisticated attacks has been relatively good in terms of national security, though we’ve acknowledged that we have some way to go when it comes to our basic defences.

And raising the standard of these defences is the most important thing we can do as a country because, for the attacker, a cyber-attack is fundamentally about return on investment – what they will potentially get out of an attack compared to how easy or difficult it is to mount it.

If it’s easy to get in – and lucrative once the attacker is in – the attacker will come. If it’s hard to get in and, once you do, it’s hard to steal or tamper with stuff, the attacker may well go away, because there are plenty of other easier targets around.

Barriers to investment – and how to break them down

We also considered why, given the financial implications of cyber-attacks, market forces don’t lead companies to invest fully in cyber defence. Economics and behavioural science suggest some broad answers.

First, cyber security had become shrouded in mystique and scaremongering, with threats not accompanied by clear guidance. Business leaders were trapped into thinking of cyber security as a problem that they couldn’t understand or do anything about.

A second problem was that this climate of mystery and fear translated into bad advice and rules for citizens. Here is one example of official government advice: “Have a different, complex password for each service and change them often.”

We enlisted academics to revisit guidance from a behavioural science point of view. The conclusion was that this advice was like asking the average person to remember a new 600-digit number every month. The verdict? Impossible and unworkable, and therefore no basis for defence.

We now ensure our advice for organisations and the public is practical and workable; the advice we issued during WannaCry – the attack that affected the English and Scottish NHS – was a good example of this. Within 24 hours we had published detailed, specific and technical guidance on how to contain the attack, together with more general guidance on how to protect against ransomware, and we undertook a wave of media activity to make sure we maximised public awareness of that guidance.

In comes DMARC

In our approach, we were also noticing an apparent mismatch between the issues and the economic incentives to fix them.

One of the biggest problems in cyberspace is online spoofing – pretending to be someone you’re not, usually by way of a fake email. Once someone opens the email and clicks on the link or opens the attachment, the attack succeeds. But the organisation that is spoofed doesn’t suffer any damage – if it’s HMRC, for example, people are still going to pay tax because that’s the law. This means that this is a national problem, not an organisational one.

HMRC’s digital leadership recognised the problem and worked with the Government Digital Service and the NCSC to adopt the Domain-based Message Authentication, Reporting and Conformance protocol – DMARC, an open email standard that is now one of the NCSC’s Active Cyber Defence measures. DMARC lets an organisation publish, in its DNS, a policy that tells receiving mail servers how to recognise genuine email from its domain (building on the SPF and DKIM checks), what to do with messages that fail that check – deliver, quarantine or reject them – and where to send reports on what they saw.

We tried it out with HMRC in 2016. Instead of the fake emails being delivered to the user, with or without a warning, they were rejected and reported back to us – and we saw 300 million of them in 2016 alone. The best thing about this system is that ordinary computer users don’t have to make a judgment about whether to open a ‘dodgy-looking’ email. And this is especially important when you consider another difficult piece of previous advice: “Don’t open attachments or click links unless you trust them.”

DMARC works because people no longer have to make impossible judgments about what to trust, open or click, because they don’t get the emails in the first place.
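As an added example (not code from the NCSC, HMRC or GDS, and not part of the original article), the following Python shows what the policy a domain owner publishes looks like and how a receiving mail server evaluates it: a message must pass SPF or DKIM for a domain aligned with the visible From: address, and a message that passes neither gets the published disposition (none, quarantine or reject). The domain names, the record and the reporting address are constructed for the example, and the public-suffix table is a deliberately tiny stand-in for the real Public Suffix List.

```python
"""Evaluate a published DMARC policy the way a receiving mail server does.

Added example, not NCSC/HMRC/GDS code. Domains, record and addresses are
constructed; PUBLIC_SUFFIXES is a tiny stand-in for the Public Suffix List.
"""
from dataclasses import dataclass

# Constructed sample of the TXT record a domain owner publishes at
# _dmarc.example.gov.uk (the domain and reporting address are assumptions).
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; pct=100; "
                 "adkim=r; aspf=s; rua=mailto:dmarc-reports@example.gov.uk")

# Tiny stand-in for the Public Suffix List: 'gov.uk' is a public suffix, so
# the organisational domain of mail.example.gov.uk is example.gov.uk.
PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "uk", "com"}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; ...' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")      # apply the policy to all failing mail
    return tags


def organizational_domain(domain: str) -> str:
    """Registrable domain: the public suffix plus one label (simplified)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organisational domain. Alignment is what stops an attacker passing
    SPF/DKIM for a domain they own while showing your domain in From:."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header the user sees
    spf_pass: bool     # SPF result for the envelope MAIL FROM domain
    spf_domain: str    # the MAIL FROM domain SPF was checked against
    dkim_pass: bool    # whether a DKIM signature validated
    dkim_domain: str   # d= of the validated signature, "" if none


def dmarc_disposition(policy: dict, auth: AuthResults,
                      record_domain: str, sample: int = 0) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject'.

    record_domain is the domain whose _dmarc record was found (so a From:
    subdomain gets sp=). sample is a number in 0..99 the receiver would draw
    at random; here it is a parameter so the pct= behaviour is testable.
    """
    spf_ok = auth.spf_pass and aligned(auth.from_domain, auth.spf_domain,
                                       policy["aspf"])
    dkim_ok = (auth.dkim_pass and bool(auth.dkim_domain)
               and aligned(auth.from_domain, auth.dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = auth.from_domain.lower() != record_domain.lower()
    action = policy["sp"] if is_subdomain else policy["p"]
    if sample >= int(policy["pct"]):
        # Messages outside the pct= sample get the next weaker disposition,
        # which is how owners ramp up from p=none to p=reject gradually.
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return action


if __name__ == "__main__":
    policy = parse_dmarc(SAMPLE_RECORD)
    genuine = AuthResults("example.gov.uk", True, "example.gov.uk",
                          True, "example.gov.uk")
    spoof = AuthResults("example.gov.uk", True, "attacker.example", False, "")
    print("genuine:", dmarc_disposition(policy, genuine, "example.gov.uk"))
    print("spoof:  ", dmarc_disposition(policy, spoof, "example.gov.uk"))
```

The spoof case is the one the article is about: the attacker's mail may well pass SPF for a domain the attacker controls, but that domain is not aligned with the From: domain the recipient sees, so the published p=reject applies and the receiver drops the message before any user has to judge it. An owner who is not yet confident of their legitimate mail flows starts at p=none, which blocks nothing but still produces the aggregate reports (rua=) that show who is sending mail in their name; that is the reporting side of the protocol.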

We’ve learned that passive cyber defence – promoting partnership and information-sharing initiatives – produced some results, but they were very limited. Instead, we are actively stepping in to fix problems by using the behavioural science and economic lessons that we have learned to raise the basic defences of organisations across the country. And we’re making it practical and economical for them to do so – which is especially important for public bodies.

As well as DMARC, Active Cyber Defence involves:

  • The Domain Name System (DNS) filter, which operates for all public servants who use government networks, stopping them visiting sites we know to be malicious;
  • A new service called WebCheck. This allows smaller organisations like local authorities and NHS bodies to scan their web-facing services for common vulnerabilities, and tells them how to fix what it finds. It is free, and gives advice in a non-technical way;
  • Working with internet hosts to take down malicious websites – and automating this. Bad sites used to be up for an average of 27 hours – it’s now down to around one hour.

You can find out more about Active Cyber Defence on our website.

These measures embody the new and adventurous agenda from the NCSC that is drawing attention from around the world. We’re not claiming to get everything right, but we set out to use GCHQ’s world-class expertise for the benefit of all UK internet users.

We aim to innovate constantly, and to give users easy and cheap ways of making themselves that bit safer online – because every extra bit of protection counts. We are also serious about being open, and we want to work with partners in government, law enforcement, business, citizens’ groups and internationally.

We think our approach is working so far, and we hope it can be used to successfully tackle other challenges that face the public sector.     

FOR MORE INFORMATION
W: ncsc.gov.uk
