A new approach to cyber security

The UK needs to take a more “active posture” in defending against the range of cyber threats it currently faces with government, industry and law enforcement working in even closer partnership, the first chief executive of the new National Cyber Security Centre (NCSC) has warned.

In his first speech in the post, at the Billington Cyber Security Summit in Washington DC earlier this month, Ciaran Martin said that the NCSC, which will be officially opened next month, would be adopting an “active cyber defence”, with the Government taking specific action with industry to address large-scale, non-sophisticated attacks that are doing so much damage.

“The great majority of cyber attacks are not terribly sophisticated. They can be defended against. And even if they get through, their impact can be contained,” said Mr Martin. “But far too many of these basic attacks are getting through. And they are doing far too much damage. They’re damaging our major institutions.”

He said the NCSC will look at using a series of automated measures to make UK government networks the “most secure in the world”.

It is piloting ways of tackling ‘commodity’ attacks by sending automated takedown requests to hosters, registrars and others. “And we’re starting to see real, measurable results,” said Mr Martin. “Looking at phishing attacks against UK government brands, the median time the phishing site is up has dropped from 49 hours to five hours – a clear, verifiable improvement.”

He added they were currently working with the UK telecommunications industry to stop the well-known abuse of the BGP (Border Gateway Protocol) and SS7 (Signalling System 7) protocols to reroute traffic: “If we’re right, this will mean it’s much more difficult for UK machines to participate in a DDoS (distributed denial-of-service) attack.”

He also highlighted what he described as a “flagship project” that would automatically protect government sites from hacks through increased DNS (domain name system) filtering. “What better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?”

He said it was “crucial that economy-wide initiatives should be private sector-led”, but stressed that DNS filtering would have to be opt-out based for consumers and “addressing privacy concerns and citizen choice” was hardwired into their programme.

Mr Martin said the NCSC’s agenda was to “get ahead of a serious and persistent threat which puts at risk national security and national wellbeing”.

“It’s not just a building. It’s not just there to coordinate. It’s there to deliver an ambitious strategy that our government is preparing,” he explained.

“And that strategy is about tackling the most capable threats and protecting our most important national systems. But it’s also a significant shift in thinking towards looking – at a national level – at how we use technology to improve cyber security everywhere in the UK.”

Mr Martin said there were a number of reasons for the NCSC, such as organisational coherence, “but cyber cuts across lots of different public authorities and we’re designed to bring together various sources of expertise into a single organisation”.

“And we’ll have formalised and integrated operational partnerships with law enforcement, defence and private industry,” he added.

He said the UK has faced, and continues to face, “some very serious cyber attacks”, but there has not yet been a “single stand-out incident of hostile foreign cyber attack that’s resonated as a first-order national crisis with the public and media”.

“But I expect – frankly I know – that we will face one, and we prepare on that basis. And behind the necessarily closed doors of our cyber defence operations centre, last year we detected twice as many national security level cyber incidents – 200 per month – than we did the year before,” Mr Martin added.

Mr Martin’s speech came as the National Audit Office (NAO) published a critical report