A new approach for cyber security in the UK

Cyber security, and the money being spent on it, is increasing in importance within the UK. As the threat of terrorism evolves and becomes far more than just a physical danger, the role of organisations and government departments, like the National Cyber Security Centre, becomes pivotal in the UK’s defence strategy. Counter Terror Business explores

In announcing the launch of the five year National Cyber Security Strategy in November 2016, Chancellor Philip Hammond said that it was ‘crucial that Britain is a safe place to do digital business’ and that, in order to achieve this, ‘we need a secure cyber space’. Underpinned by £1.9 billion of transformational investment, the strategy is built upon three core pillars: defend, deter and develop, and is supported by National Cyber Security Centre (NCSC) - an organisation Hammond labelled as a ‘dedicated, outward-facing authority on cyber’.

Cyber crime and digital terrorist threats are not the anomaly that they once were. Indeed, Ciaran Martin, chief executive of the NCSC, has stated that 'stealing information for financial and political purposes is as old as human activity itself’, and that we need to demystify the assumption that cyber terrorists and criminals are ‘people sitting in computers at far away places, that cannot be contested’, highlighting that it is an ‘incredibly damaging attitude’ to take, one which we can assume will not be happening on his watch.

For that reason, January’s annual Crime Survey for England and Wales included cyber crime offences for the first time, reflecting the very real ‘threat faced by the public every day’. The survey concluded that there were a total of 40,202 offences flagged as online crime to the year ending September 2016. As this is the first annual recording there are no previous figures with which to compare, but the fact the figures were included highlight a number of things. The survey measures crime by asking members of the public about their experiences of crime over the previous 12 months. While the Office for National Statistics (ONS), who conduct the survey, reported that there was ‘no statistically significant change’ compared with the previous year’s survey, the fact that there was no recognised statistical change in the number of crimes, and yet it was the first time that cyber crime was included suggests that the dominance and regular occurrence of cyber crime is increasing at pace. In the past burglary and theft of vehicles were the high volume crimes driving trends, but the latest report shows fraud and computer misuse as the new headline figures.

Writing recently in the Sunday Times, Ciaran Martin revealed that Britain's security has been threatened by 188 high-level cyber attacks in the last three months, most of which threatened national security. Martin said that attempts on government departments were designed to ‘extract information on UK government policy on anything from energy to diplomacy to information on a particular sector’, with some attempted attacks being conducted by Russian and Chinese state-sponsored hackers, similar to those which led to the publication of leaked emails from Democratic Presidential candidate Hillary Clinton in the run-up to November’s US election.

Martin and Hammond have both expressed concern over the recent ‘change in Russian aggression in cyber space’, culminating in cyber attacks on political institutions, parties and organisations. Hammond, writing in the Sunday Telegraph, said the NCSC was blocking nearly 200 potential attacks on government departments an members of the public each day, resulting in approximately 34,550 attacks over the last six months.

The Internet Revolution
In advance of the formal opening of the NCSC, which took place on 14 February, Hammond warned companies that they needed to be aware of the ‘alarmingly real security threats’ and vulnerabilities that come with advancing technologies. The Internet of Things has the potential to create more dynamic, cost effective and responsive services across both the private and public sector, with the digital sector already pumping nearly £120 billion into the UK economy every year. But it also has the capacity to increase the dangers facing organisations if the right security is not in place. The damage that can be inflicted has been highlighted in the high profile attacks against Sony, TalkTalk and French TV station Monde. Worryingly, while two-thirds of large businesses reported a cyber breach or attack in the last 12 months, nine out of 10 businesses are currently operating without having an incident management plan in place for the possible event of a cyber breach.

Martin has stated that, alongside the intelligence agency GCHQ, he wants to make the UK ‘the hardest target’, an effort that will require increased cooperation and focus from the government and private sector. The main aim, at least in the short term, is to protect sensitive data, whether that be that of MPs and government officials or companies operating with large quantities of their users personal information - including names, addresses, bank details etc. In 2015, the Office of Personnel Management confirmed that nearly four million US government workers had been struck by data breaches, which revealed employee job assignments, performance reviews and training. The NCSC will continue to ensure that no such breach occurs in the UK.

Despite the work and opening of the NCSC, the House of Commons Public Accounts Committee has examined measures to protect information across government and warned that the government faces ‘a real struggle’ to find enough staff with the skills to fight the rapidly growing threats.

The Committee concludes that while the threat from cyber attacks has been one of the top four risks to national security since 2010, it has taken government too long to consolidate and coordinate the 'alphabet soup' of agencies that protect Britain, with processes for recording departmental personal data breaches by government departments too ‘inconsistent and dysfunctional’. Challenging the words of Hammond and Martin, who have done much to reassure the public in emphasising the number of threats deterred in recent months, the Public Accounts Committee calls on the Cabinet Office to develop a detailed plan for the new NCSC, explaining ‘who it will support, what assistance it will provide and how it will communicate with organisations needing its assistance’. Clarity, which the committee claim is lacking, appears to be the order of the day, with Meg Hillier, who chairs the committee, saying that the government’s approach to ‘handling personal data breaches has been chaotic and does not inspire confidence’, branding its leadership as ‘inadequate’. One of Martin’s most pressing concerns should be establishing clear communications lines between the NCSC and government and clarify the work being undertaken and the support it is providing. Time will tell how successful he, and the wider work of the NCSC, is in establishing clear cyber security guidelines.

The importance of protecting privacy
In November 2016, a 17-year-old boy admitted hacking offences linked to a data breach at the communications firm TalkTalk, revealing that he had used hacking tool software to identify vulnerabilities on target websites. The cyber attack on the company in October 2015 prompted fears thousands of people may have had their online details stolen, after the data haul netted email addresses, names and phone numbers, as well as 21,000 unique bank account numbers and sort codes.

TalkTalk itself, who claim that the hack cost them £42 million, was fined a record £400,000 for security failings which allowed customers' data to be accessed ‘with ease’, with the situation raising concerns about the safety of customers and members of the public entering personal information onto websites, wth many websites not offering the opportunity to do so, with ‘security’ given as the reason. In January 2017, a blog post from the NCSC offered some advice on the debate, suggesting that organisations should stop preventing customers and users from pasting their passwords into the required bars on their websites, because the positives of pasting passwords outweighed the risks.

The blog post, titled Let them paste passwords, read: “We think customers should be allowed to paste their passwords into forms, and that it improves security. We believe [stopping password pasting] is one of those 'best practice' ideas that has a common sense instant appeal that may have made sense once. Considering the bigger picture today, it really doesn't make sense.”

The NCSC argue that password pasting improves security because it helps to reduce password overload. Additionally, it urges that password managers can be a beneficial tool because it makes it much easier to have different passwords for each website site used, without the frustration of typing errors or forgetting passwords. Prevention of using password managers means that customers are far more likely to re-use the same passwords on different websites, choose very simple (and so easy to guess) passwords or write passwords down in places that are easy to find - each hindering personal security.

Cyber security guidance
Updated in August 2016, NCSC’s 10 Steps: Executive Summary sets out what a common cyber attack looks like and how attackers typically undertake them, and offers an effective means to help protect organisations from attacks. Here, we look at the 10 steps in detail.

NCSC encourages organisations to embed a clearly communicated and appropriate risk management regime, that ensures that all employees (including governance), contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries. Additionally, having an approach to identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. Therefore, companies should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching.

The connections from your networks to the Internet, and other partner networks, expose company systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, UK organisations can reduce the chances of these attacks succeeding or causing harm. Rather than focusing purely on physical connections, companies should consider where their data is stored and processed, and where an attacker would have the opportunity to interfere with it.

Concerning the managing of user privileges, companies should provide users with a reasonable, but minimal, level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. Likewise, users have a critical role to play in their organisation’s security and so it's important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure.

It is needless to say that all organisations, no matter how security focused and cyber trained, will experience security incidents at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact. Malicious software, or malware is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact your systems and services. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall 'defence in depth' approach.

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.

Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data, and therefore companies should be clear about the business need to use removable media and apply appropriate security controls to its use. Regarding mobile working, companies should establish risk based policies and procedures that support mobile working or remote access to systems that are applicable to users, as well as service providers - training users on the secure use of their mobile devices in the environments they are likely to be working in.