When, Not If: Does NCSC Pessimism Hurt UK Cybersecurity?

Comments emerged this week from the National Cyber Security Centre (NCSC) which claimed that the “UK is likely to be hit by a 'category one' (C1) cyber-attack in the next couple of years” and that the nation has been fortunate to avoid such a hit.

NCSC boss Ciaran Martin told The Guardian: “I think it is a matter of when, not if and we will be fortunate to come to the end of the decade without having to trigger a category one attack.”

The comments echoed the familiar line that there are two types of companies: those that have been hacked and those yet to discover it. Does this level of ‘defeatism’ add anything to confidence in national security if, despite all you spend and prepare in defense against an attack, those deemed to protect and advise us are preaching only negative thoughts? Infosecurity looked at some of the responses to the NCSC’s comments.

Joseph Carson, chief security scientist at Thycotic:
“Cyber-attacks have already been happening; the biggest issue is determining who and if a nation state was behind the cyber-attacks. Attribution is one of the most difficult tasks in cybercrime and when cyber-attacks cross borders without full cooperation of the foreign government or nation state, it is difficult to affirm who was sitting at the keyboard and who was instructing them to carry out the instructions. Yes, sometimes attribution back to a single computer is enough to put pressure on an individual; however, is it enough to claim it was directed by a nation state?

“To prevent such a major catastrophe from occurring, governments and nation states need to work together with full cooperation and transparency to ensure that cyber attribution is possible and hold each other responsible for the actions of criminal organizations carrying out cyber-attacks from within their borders. It is important that governments do not provide a safe haven for cyber-criminals to carry out such attacks especially when they are doing it for both financial and political gains, and extreme aggression.”

Israel Barak, CIO at Cybereason:
“The UK, as with most nations, has invested heavily in protecting classified networks and weapon systems, but security for critical infrastructure is usually handled by private organizations. We need to see stronger government regulation and guidance to ensure that high priority targets such as transport and energy are well protected. 

“Organizations and government agencies should have the ability today to detect threats to their personal information and critical infrastructure inside their network in real time, so they can respond quickly before there is an escalation and possible data exfiltration. Without that expectation, expect to be breached. Advanced detection and response technologies will give organizations the ability to meet the attacker head on before any actual damage is done.”

Raj Samani, chief scientist and fellow at McAfee:
“The reality is that organizations across the UK were simply unprepared when WannaCry hit last year. Now we need to ensure that we operate under the assumption that another cyber-attack could hit at any time. Adopting this mentality will encourage British organizations to move from the defensive to the offensive, working together to actively hunt out cyber-criminals to effectively keep cyber-threats at bay.

“There is a misconception that cybersecurity is an IT issue, yet the reality is that it has a very real impact on society. Of course WannaCry is a real example of this, but beyond this the theft of Intellectual Property, or Business Confidential information impacts innovation and growth massively, and as an industry we need to do everything we can to prevent this.”

Mark James, security specialist at ESET:
“The statements made here are very valid, and a real concern. We have seen in the past a number of infections that have been initiated through opportunistic attacks, causing widespread concern and in some cases major disruption.

“Specific targeted attacks on systems that have a major impact on our day-to-day business and/or lives could have the potential to cripple our systems. With so much of our lives being conducted online to enable everyone and anyone the ability to interact, the dangers of security and safety are elevated, and need to be factored into the foundation of the security model.”

Chris Day, chief cybersecurity officer at Cyxtera:
“Mr. Martin’s assertion that a major cyber-attack on the UK is a matter of 'when, not if' is spot on. Everyone in the public and private sectors should adopt that mindset because adversaries don't discriminate.

“We’re seeing increasingly bold steps by nation state actors to disrupt everything from the electric grid to elections. Category one (C1) attacks on critical infrastructure have already occurred in places like the Ukraine, and the US has fallen victim to tampering in its democratic processes.

“Governments must shore up security programs to cover both defensive and offensive strategies. My advice is to engage with an offensive-oriented cybersecurity firm that specializes in offensive-based services. Only then can you get a complete picture of risk and work to prevent something as catastrophic as a C1 attack.”

Stephanie Weagle, VP at Corero Network Security:
“The NCSC is right to be concerned with their preparation and ability to handle a category one attack aimed at their critical infrastructure. The ability to take a critical website or system offline has never been easier with the proliferation of inexpensive, widely accessible DDoS attack tools, and the IoT fueling the capability for sophisticated and damaging attacks. As an organization becomes more reliant on internet accessibility, it needs to ensure it has sufficient preventative controls in place to eliminate the cyber-threat should it become a target.

“Corero welcomes the priority that Government is placing on the issue of cybersecurity and the resilience of operators of essential services is a crucial part of this. While we understand the Government’s current preference for a light touch approach in the early stages of implementation, it is critical that the enforcement regime has teeth and results in the deployment of more sophisticated cyber defenses.”
