Unlike GCHQ, its secretive parent, the UK National Cyber Security Centre (NCSC) is very upfront. Its website is stuffed with information and its senior staff are regular speakers at conferences around the UK and the world. It was established in October 2016 as part of the 2016 National Cyber Security Strategy, a government initiative to make the UK the safest place to live and do business online, after an earlier study determined that cybercrime is as big a threat to the United Kingdom as conventional crime and warfare. It is a “one-stop shop” leading the fight against cybercrime, bringing together different parts of government departments, GCHQ and MI5, and it works with law enforcement bodies such as the police Regional Organised Crime Units and the National Crime Agency.
NCSC sees a cybercriminal spectrum, ranging at one end from the spotty teenage hacker in his bedroom, through “hacktivists” using hacking techniques to promote a cause, organised criminal groups and some large corporations, and ending with nation states. Each of these has different motives and objectives for their attacks, and part of the centre’s ambition is to get a better understanding of these. Other ambitions include reducing the number of attacks that get through, building strong methods for responding to those attacks that do get through the defences, and making the United Kingdom a place where technology can thrive.
At the heart of the NCSC’s approach is the Active Cyber Defence (ACD) programme. Its intention is “to protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time.” That is, to make life as difficult as possible for a potential attacker. In some ways it is a bit like physical security for your house. No matter what you do, a determined person who isn’t worried about causing damage will get in. But most potential intruders will move on from a strongly defended home to an easier target.
ACD is still in its early stages and is being implemented through a number of evidence-based strategies, with evidence initially gathered from work on government systems; the intention is that, as the organisation gains in-depth knowledge, the lessons learned will be rolled out to a wider audience. It is already building links with industry in critical areas such as energy, finance and telecoms.
Identifying malicious content
A first activity is takedown. When NCSC identifies a site that is a source of malicious content, for example one pretending to be HM Revenue and Customs, it requests that the hosting organisation remove it. In its first year it had 121,479 sites taken down in the UK and a further 18,067 sites worldwide. Several thousand e-mail sites pretending to be government departments have been closed down. So far, the hosts’ responses have been largely supportive, but NCSC will consider “naming and shaming” if necessary.
DMARC is an international system to protect e-mail domain owners from having their domain name used for spoof messages. NCSC is working to get the system adopted across the public sector. In its first year of operation the number of spoof messages from @gov.uk addresses has fallen consistently.
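To make concrete what DMARC actually does for a domain owner, here is an added example (not NCSC code, and not part of the original article) that parses a DMARC TXT record and applies the receiver-side decision: a message passes if SPF or DKIM succeeded for a domain aligned with the visible From domain, otherwise the published policy (p=, or sp= for subdomains) decides. The domain names, record contents and the simplified organisational-domain rule are assumptions constructed for the example; a production implementation would use the Public Suffix List and honour the pct= sampling tag.

```python
"""Added example: DMARC record parsing and disposition logic.

Not NCSC or gov.uk code. Domain names and records below are constructed.
"""
from typing import Optional

# Tag defaults from the DMARC specification; sp= falls back to p= when absent.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary, filling in defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    if tags["sp"] is None:
        tags["sp"] = tags["p"]  # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational-domain rule (assumption for this example).

    Keeps the last two labels, or three for UK second-level registries such as
    gov.uk and co.uk. Real receivers consult the Public Suffix List instead.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("gov", "co", "ac", "org"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: dict, from_domain: str,
                      spf_domain: Optional[str], spf_pass: bool,
                      dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject').

    record is the parsed DMARC record published by the organisational domain
    of from_domain. spf_domain is the MAIL FROM domain SPF was evaluated for;
    dkim_domain is the d= of a verified signature. None means not available.
    """
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Unauthenticated or unaligned: apply p= for the domain itself, sp= for subdomains.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return record["sp"] if is_subdomain else record["p"]


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov.uk")
    # A spoof: SPF passes for the sender's own bulk-mail domain, which is not aligned.
    print(dmarc_disposition(rec, "example.gov.uk", "bulk-sender.invalid", True, None, False))
    # Legitimate mail from a subdomain, DKIM-signed by the organisational domain.
    print(dmarc_disposition(rec, "alerts.example.gov.uk", None, False, "example.gov.uk", True))
```

The two calls at the bottom illustrate why a p=none record only monitors: change the policy to p=none and the spoofed message is still delivered, it is merely reported. Moving a domain to quarantine and then reject is what turns the published record into a control.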
Web Check is a simple set of tests for finding security issues with websites. The output is a clear list of issues together with suggestions for resolving them. In eight months Web Check has run over 7 million individual tests on nearly 7,000 domains, creating 4,108 advisories on issues such as certificate management, out-of-date software and poor TLS configuration. Most of these were fixed within two days of the notification. Any public sector website can request a Web Check.
The Domain Name System (DNS) is a critical element of the internet. A hierarchy of servers allows an end-user machine to look up an address on the internet. The NCSC has worked to create the Public Sector DNS service, through which all DNS requests from public sector machines can be routed. It blocks access to known “bad” domains: in one week in December 2017 it saw 1.23 billion requests, of which 273,329 were blocked. The system also analyses the requests, and has identified security issues in the source computers, including malware families and phishing e-mails.
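The filtering and analysis described above come down to two operations on the query stream: matching each requested name against a list of known-bad domains (including their subdomains), and aggregating the blocked requests per source machine so that an infected host stands out. The following added example, which is not NCSC code and not the Public Sector DNS implementation, runs that logic over a handful of constructed query-log lines; the log format, the blocklist entries and the client addresses are all invented for the example.

```python
"""Added example: blocklist filtering and per-client analysis of DNS query logs.

Not NCSC code. The log format and every name and address below are constructed.
"""
import re
from collections import Counter
from typing import Iterable

# Constructed blocklist of known-bad domains (reserved .invalid TLD, so never routable).
BLOCKLIST = {"bad-updates.invalid", "login-hmrc-refund.invalid"}

# Constructed log format: "<timestamp> client=<ip> qname=<name> qtype=<type>".
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")

# Constructed sample: six queries from three machines, two of which hit the blocklist.
SAMPLE_LOG = """
2017-12-04T09:15:02Z client=10.20.30.41 qname=www.example.gov.uk qtype=A
2017-12-04T09:15:03Z client=10.20.30.41 qname=cdn.bad-updates.invalid qtype=A
2017-12-04T09:15:07Z client=10.20.30.52 qname=mail.example.gov.uk qtype=MX
2017-12-04T09:15:09Z client=10.20.30.41 qname=bad-updates.invalid qtype=A
2017-12-04T09:15:11Z client=10.20.30.63 qname=notbad-updates.invalid qtype=A
this line is not a query record and is skipped
2017-12-04T09:15:12Z client=10.20.30.63 qname=www.example.gov.uk. qtype=AAAA
""".strip().splitlines()


def is_blocked(qname: str, blocklist: set) -> bool:
    """True if qname, or any parent domain of it, is on the blocklist.

    Label-wise matching means 'cdn.bad-updates.invalid' is blocked but the
    unrelated 'notbad-updates.invalid' is not (a substring test would get that wrong).
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_queries(lines: Iterable[str], blocklist: set) -> dict:
    """Apply the blocklist to a query log and summarise the result."""
    total = 0
    blocked = []
    per_client = Counter()
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # malformed or non-query line
        total += 1
        if is_blocked(match["qname"], blocklist):
            blocked.append((match["client"], match["qname"]))
            per_client[match["client"]] += 1
    return {
        "total": total,
        "blocked": len(blocked),
        "blocked_queries": blocked,
        # Machines with repeated hits on the blocklist are candidates for investigation.
        "clients_to_investigate": sorted(c for c, n in per_client.items() if n >= 2),
    }


if __name__ == "__main__":
    summary = filter_queries(SAMPLE_LOG, BLOCKLIST)
    print(f"{summary['blocked']} of {summary['total']} queries blocked")
    print("investigate:", summary["clients_to_investigate"])
```

The ratio the article quotes (273,329 blocked out of 1.23 billion) is exactly the `blocked`/`total` pair this function produces, and the per-client view is what turns a block count into a list of machines that probably need cleaning.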
Other work, still in its early stages, includes ways to improve the security of routing on the internet and the development of the Threat-o-Matic, a hub to link all elements of ACD.
Since it recognises that it is not possible to stop all threats, NCSC is also developing expertise in incident management. In its first year it was given a major test when the WannaCry ransomware infected over 230,000 computers around the world. In the UK the main target was the NHS, and the NCSC worked with a number of NHS organisations to provide support and advice. While WannaCry was the real headline grabber, in its first year the NCSC received 1,131 incident reports, of which 591 were “significant” and 30 required a cross-government response.
With cybersecurity a significant issue for all computer users, there are many opinions on what to do. The NCSC approach of combining active security with gathering evidence is already, after only 18 months, replacing opinions with hard facts.