The Government cares about cyber security for two reasons. One is national security. Cyber attack can be (and occasionally, in other countries, has been) used as a way of damaging the security of a state, whether through interfering in electrical systems or elections.
The second reason is economic. Britain is one of the most digitally advanced economies in the world. That’s a vital national asset. But it won’t continue if citizens don’t think the digital environment is safe.
One thing the areas of national security and economic prosperity have in common from the point of view of cyber security is their vulnerability to attacks on basic weaknesses in defences. National security attacks can certainly be highly sophisticated (though not all are, and sophisticated attacks are difficult and costly to mount at scale). However, by far the biggest problem facing the UK in cyberspace is the accumulation of high-volume, low-sophistication, automated attacks from criminals and states seeking money or some other form of competitive advantage.
The UK’s record in cyber security to date is relatively good in terms of national security, though we’ve acknowledged that we have some way to go when it comes to our basic defences. And raising the standard of these defences is the most important thing we can do as a country, because, for the attacker, cyber attack is fundamentally about return on investment – what they will potentially get out of an attack compared to how easy or difficult it is to mount it. If it’s easy to get in – and lucrative once the attacker is in – the attacker will come. If it’s hard to get in and, once you do, it’s hard to steal or tamper with stuff, the attacker may well go away, because there are plenty of other easier targets around.
This explains, in part, why the National Cyber Security Centre (NCSC) was set up. We’re proudly part of GCHQ, the near century-old government signals and communications intelligence agency. There isn’t space here to outline in full the range of the NCSC’s activities in leading the response to major cyber attacks affecting the UK – protecting our critical national infrastructure and raising our defences as a whole. Instead, I want to outline the world-leading programme we announced just after the 2017 General Election to protect the UK Government and public services by improving the basic level of defences.
One of the fundamental problems in cyber security is that it is shrouded in mystery. It was necessary to get across that the measures we believed departments should put in place are easy to understand. They are also easy to implement and free. In due course, we will publish the data to show whether they work.
There are four measures already announced as part of our ‘active cyber defence’ programme.
1. Blocking fake emails
Online spoofing – pretending to be someone you’re not, usually by way of a fake email – is one of the biggest problems in cyberspace. Once someone opens the email, clicks on the link, and opens the attachment – the attack succeeds. But the organisation that is spoofed doesn’t suffer any damage – if it’s HMRC, for example, people are still going to pay tax because that’s the law. This is a national problem, not an organisational one.
We’ve made spoofing much harder if bodies adopt the Domain-based Message Authentication, Reporting and Conformance protocol – or DMARC. This helps determine whether a communication comes from the organisation it purports to come from. What DMARC does is tell the internet’s distribution mechanisms how to recognise a genuine email from an organisation. We tried it out with HMRC in 2016. Instead of delivering the fake emails to the user with a warning, they were delivered to us. We got 300 million of them in 2016 alone. The best thing about this system is that ordinary computer users don’t have to make a judgment about whether to open a ‘dodgy’-looking email (please write and tell me if you know how to do that). So DMARC works, and is now freely available to all departments.
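To make the mechanism concrete, here is a simplified sketch of how a receiving mail server applies a domain's published DMARC policy. It is an added example, not code from the NCSC or from this article. The record, domains and report address are constructed samples, and the organisational-domain rule is a labelled shortcut.

```python
# Added illustration: simplified DMARC evaluation (relaxed alignment only).
# The record, domains and report address below are constructed samples.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov.uk"

def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Crude organisational domain: last two labels (three under .uk).
    Assumption for this sketch; real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if labels[-1] == "uk" else 2
    return ".".join(labels[-keep:])

def aligned(from_domain, auth_domain):
    """True if the domain that passed SPF or DKIM matches the visible From domain."""
    return auth_domain is not None and org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (disposition, report_uri) for one message.
    spf_pass_domain / dkim_pass_domain: the domain that passed that check, or None."""
    policy = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain) or aligned(from_domain, dkim_pass_domain):
        return "deliver", policy.get("rua")
    # Neither check passed for an aligned domain: apply the owner's published policy.
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return action, policy.get("rua")

if __name__ == "__main__":
    # Spoofed: From claims example.gov.uk, but SPF only passed for an unrelated sender.
    print(evaluate(SAMPLE_RECORD, "example.gov.uk", spf_pass_domain="bulk.example.net"))
    # Genuine: a DKIM signature from a subdomain of the same organisation.
    print(evaluate(SAMPLE_RECORD, "example.gov.uk", dkim_pass_domain="mail.example.gov.uk"))
```

A message passes only when the domain that authenticated matches the one shown in the From line, so a pass for some unrelated domain does not help a spoofer.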
2. Stopping government systems veering onto malicious websites
Cyber attacks also commonly involve redirecting a user away from the domain they intended to access, to somewhere that contains malware* or is fraudulent. We’ve worked with a commercial partner to set up a filtering service for public sector bodies that stops this from happening for registered users.
Domain Name Service (DNS) is the phonebook of the internet, and our new service focuses on data that GCHQ and commercial partners have acquired from malicious addresses. It then simply blocks the user from going there – providing automatic protection for staff visiting infected sites while using work systems.
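The blocking decision a filtering resolver makes can be sketched as follows. This is an added example, not the NCSC service's own code. The blocklist entries are constructed samples, and the NXDOMAIN response and the `resolve` callable are assumptions made for the sketch.

```python
# Added illustration: resolver-side blocklist decision.
# All domains are constructed samples; the response format is an assumption.
BLOCKLIST = {"malware-download.example", "login-portal.phish.example"}

def normalise(name):
    """Lower-case the query name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def blocked_by(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry covering qname, or None.
    Matching walks up label by label, so subdomains of a listed domain are
    covered, but a lookalike that merely ends with the same characters is not."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def answer(qname, resolve):
    """Filtering resolver: refuse listed names, otherwise resolve normally.
    `resolve` stands in for the upstream lookup (hypothetical callable)."""
    hit = blocked_by(qname)
    if hit:
        # Returning the matched entry lets the operator log which feed item fired.
        return {"qname": qname, "rcode": "NXDOMAIN", "blocked_by": hit}
    return {"qname": qname, "rcode": "NOERROR", "address": resolve(qname)}

if __name__ == "__main__":
    upstream = lambda name: "192.0.2.10"   # constructed documentation address
    for q in ("cdn.malware-download.example", "notmalware-download.example", "www.example.org"):
        print(answer(q, upstream))
```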
3. Helping public bodies fix website problems easily
Attackers also learn what to target by scanning for vulnerabilities in internet-facing services. The UK public sector has a huge digital estate to manage. This isn’t easy and provides a useful set of targets for attackers. If an organisation doesn’t know how to check for vulnerabilities – such as unused sites or those with out-of-date certificates – it provides an open goal for attackers. Web Check is a free-to-use website configuration and vulnerability scanning service, available to all UK public sector organisations. It scans and then gives you a report in plain English on what needs fixing and how to fix it.
4. Removing bad things from the Internet (phishing and malware mitigation)
Since June 2016, the NCSC has been working with Netcraft, a private sector company, on a phishing† and malware countermeasures service to protect government brands and UK service hosting infrastructure.
Government departments benefit automatically from this protection without having to do anything. Departments can boost the service by notifying Netcraft if they discover they are the target of a phishing campaign, or that there are malicious emails purporting to be from them. Netcraft will then issue takedown notifications to the hosts of the email and phishing sites. To help this work, departments and businesses should forward offending emails and any attachments to email@example.com.
Since Netcraft started this work, the average 'time to die' for phishing sites relating to government has fallen from 27 hours prior to the service’s introduction, to under one hour; and for malware from 525 hours to 43. For attacks on HM Government hosted outside the UK, 63% of Advance Fee Fraud sites spoofing the government (where an email purporting to be from HMG asks for credit card details) are taken down within the first 24 hours, compared to 3% before.
These measures are part of a new and adventurous agenda from the NCSC that is drawing attention from around the world. We’re not claiming to get everything right, but we set out to use GCHQ’s world-class expertise for the benefit of all UK internet users. We aim to innovate constantly, and to give users easy and cheap ways of making themselves that bit safer online – because every extra bit of protection counts.
We’re also serious about being open; and we want to work with partners in government, law enforcement, and business, and with citizens’ groups and internationally. And we’ll publish details of how we get on so you can judge for yourself.
* Malware is software designed to disrupt, damage, or gain unauthorised access to a computer system.
† Phishing is the fraudulent practice of sending emails that purport to be from reputable organisations in order to induce individuals to reveal personal information, such as passwords and credit card numbers.