#CyberUK18: Could Board Awareness & Basics Save Britain?

This week saw the release of a threat report from the National Cyber Security Centre (NCSC) and National Crime Agency (NCA), coinciding with the CyberUK conference in Manchester.

Titled Cyber Threat to UK Business Industry, it highlighted that cyber-criminals are launching more online attacks on UK businesses than ever before; that a basic cybersecurity posture is no longer enough; and that most attacks can nevertheless be defeated by organizations which prioritize cybersecurity and work closely with government and law enforcement.

In particular, the report claimed that between October 2016 and the end of 2017, the NCSC recorded 34 significant cyber-attacks (attacks that typically require a cross-government response) and 762 less serious incidents (typically confined to single organizations).

It predicted that “2018 will bring more of these attacks,” with crypto-jacking and the threats associated with the Internet of Things continuing to grow.

Looking over 2017’s headlines in cybersecurity, from WannaCry and NotPetya to the data breach incidents at Equifax and Uber, and given the official opening of the NCSC in February 2017, has the world of cybersecurity changed in the eyes of this new UK government department? One NCSC spokesperson told Infosecurity that “people do take cybersecurity seriously,” even as the number of attacks has increased.

Reporting cybersecurity incidents remains an issue, though, and the NCSC is actively encouraging participation in the Cyber Security Information Sharing Partnership (CISP). The spokesperson said that companies need to report issues so that the NCSC knows what is going on, and that CISP is something the NCSC relies on for that picture.

“What is shared is varied, and some services tell us a lot. We do a lot with indicators of compromise, and information like that is a good way to get advice out,” they said.

One of the problems may be that CEOs and boards of directors are not engaged with the cybersecurity threat. Speaking to Infosecurity, NCSC technical director Ian Levy said that, stripped of the hype, cybersecurity “is just risk management in the end,” and that while it would never be acceptable for a CEO to say “it is just a legal issue so leave it to the lawyers,” a cybersecurity issue is routinely treated as the CIO’s problem alone.

“Getting rid of the hype and democratizing it and taking some of the fear out of it is absolutely critical,” he argued. “Fear drives bad risk management as you don’t make the right decision when you’re fearful.”

He said that part of the NCSC’s job is to take away that fear and help people make well-founded decisions, since there is rarely a universally right or wrong answer, only the step that is correct for a particular company.

Jacqui Chard, deputy director for Defence and National Security at the NCSC, told Infosecurity that there is an understanding of cybersecurity within critical national infrastructure, particularly among CNI suppliers, but that this understanding is much weaker across wider society.

“But we see so much in the press about cyber-attacks and the British public are unsure on what to do or what it means, as it is clouded in technical language,” she said.

Chard added that the report was aimed at the wider community and, echoing comments made later in the conference by the NSA’s David Hogue, that a light needs to be shone on the issue, as “the simple things which we said five years ago will not cut it now.”

So is there more of an understanding at board level of what the problems are? Chard said that there is an increased understanding, and that whereas some years ago businesses would not have had cyber-risk on their agenda, now they do.

Chard said: “What we are yet to do and need to do is understand that boards are talking about it, but do they understand it? There is still work in the community to talk about business language, as there is not a lot to understand for the CEO or CIO alone if it is not in their business language.”

She said that decisions on cybersecurity resilience are hard, but boards recognize the potential for reputational damage and need more than just “it’s bad out there,” which she said was not very helpful.

Launched in November 2016, the NCSC’s Active Cyber Defence (ACD) program provides tools to help businesses, and Chard said its aim was to “get rid of the myths about [cybersecurity] being too technical and hard to understand, to knowing it is a risk in your business.”

Upon its launch, Levy said that the ACD was intended to tackle a significant proportion of the cyber-attacks that hit the UK by implementing partnerships and tools to help businesses with the security basics.

“It won't affect the really targeted attacks (at least initially) but we’re hoping that we can reduce the noise enough to make the defenders’ jobs easier when tackling those very targeted attacks,” Levy said.

Chard said that the NCSC has recently been equipping businesses with the right questions to ask; while the NCSC cannot know the right answer for every business, management can start to explore those questions and put them to their own teams.

From the time spent with the NCSC’s executives this week, it is clear that its intention is to enable businesses to understand the issues within cybersecurity. As detailed in many of the talks at the CyberUK conference, the problem is less one of targeted attacks and zero-day vulnerabilities, and more one of getting basic cyber-hygiene measures in place. If that can be done, the UK may become the safer place the NCSC aspires for it to be.