Annual Review 2018 Making the UK the safest place to live and work online
2018 2 NCSC ANNUAL REVIEW 2018 Welcome
The National Cyber Security Centre (NCSC) was created in 2016 as part of the Government’s five-year National Cyber Security Strategy. Since then, our goal has been to make the UK the safest place to live and work online. This review tells the story of our second year, with interviews, testimonials, images and data that take you behind the scenes at the NCSC. It provides a snapshot of our work over the period 1 September 2017 to 31 August 2018. We hope it helps you understand what we do, and along the way see some of the milestones we have reached in our second year. We have also produced a digital report where you can see this year’s events come to life at: ncsc.gov.uk/annual-review-2018
3 NCSC ANNUAL REVIEW 2018 4 NCSC ANNUAL REVIEW 2018 Ministerial Foreword
We have every reason to be proud and expertise to be our single centre term, strategic challenges, whether of the UK’s position at the forefront of excellence. This Annual Review that is affecting behaviour change, of the global digital revolution. recognises the transformational developing the right skills set among Our collective ability to embrace impact of the National Cyber Security UK professionals, or deepening our cyberspace is already driving our Centre over the last year. As well collaborative partnerships in the UK country’s prosperity and enhancing our as providing greater insight into the and internationally. Because whatever national security. We have one of the nature of the threats we face, the the future holds, we will need to highest levels of internet access and National Cyber Security Centre’s continue to work together to protect usage in the developed world, and our successes include a pioneering Active our economic and individual freedoms. digital industries are growing faster Cyber Defence programme, delivered than any other part of the economy. with industry to block attacks on At the same time, the threat from a scale of millions per month, and criminals, hacktivists and nation states the development of a world-leading continues to increase and evolve. It is incident management response Rt Hon David Lidington CBE MP easier and cheaper than ever before capability, made possible through key Minister for the Cabinet Office and the for those who want to do us harm partnerships with law enforcement and Chancellor of the Duchy of Lancaster to access the tools, exploits and the wider cyber security community. It services they need to launch attacks. has also reached out internationally That is why cyber security remains a to strengthen global cyber defences top priority for this government and and our collective ability to deter and for me personally, as the Minister disrupt malicious actors, and continues responsible for improving the security to inspire the next generation of cyber and resilience of the UK, including security experts and entrepreneurs. protecting our critical national infrastructure. There are many more achievements to celebrate in this Annual Review. We launched our National Cyber Everyone at the National Cyber Security Strategy in 2016 to set Security Centre, and its numerous the direction and ambition for our partners in the public, private and investment and efforts. Because as the voluntary sectors, should take great digital revolution touches every part pride in this work. How we set up of our society, we wanted to ensure the National Cyber Security Centre that our response was comprehensive. reflects the single, clear message that To defend our people, to deter our underpins our strategy, that while we adversaries and to develop the can lead the way, we cannot solve capabilities we need to ensure the UK these problems alone. We need not remains the safest place to live and just a whole of government but a work online. Our strategy is supported whole of society approach to tackle by significant investment – £1.9bn – cyber security. to drive the transformation we need to respond at the scale and pace The future remains stubbornly difficult required. to predict. But we do know that the next 12 months will continue to We have made good progress since we challenge and surprise us. We have launched the strategy. At the heart of built solid foundations to ensure that our response was the formation of the we can remain resilient in an ever National Cyber Security Centre, which changing world. Key to our success brings together our best intelligence will be how we take on longer-
5 NCSC ANNUAL REVIEW 2018 Contents
07 Timeline 09 CEO Overview 11 Countering the Threat 18 Behind the Scenes of an Incident 23 Building the UK’s Defences 34 Cyber Capability for the Future 41 100 Years of the Cyber Mission
6 NCSC ANNUAL REVIEW 2018 Timeline This covers the period 1 September 2017 to 31 August 2018
• Handled 557 incidents • Added 2,361 new members onto our Cyber Security Information Sharing Partnership • Removed 138,398 unique phishing sites • Engaged with 1,968 students on our CyberFirst courses • Produced 214 threat assessments • Challenged 4,500 girls in the 2018 CyberFirst Girls • Produced 145,000 physical items for 170 customer Competition departments through the UK Key Production Authority • Delivered cyber security awareness sessions to more than • Produced 134 pieces of guidance and 95 blogs 1,000 charities • Had 1.9 million visitors to our website • Welcomed visiting delegations from 54 countries • Awarded more than 8,900 Cyber Essentials certificates • Hosted more than 80 stakeholder events
7 NCSC ANNUAL REVIEW 2018 2017
3 Oct 1ST ANNIVERSARY OF THE NCSC CELEBRATED
11 Oct SMALL BUSINESS GUIDE PUBLISHED
SECURING ELECTIONS FOR EU MEMBER STATES SUMMIT HELD 23 Oct AT NCSC HEADQUARTERS
2018
5 Feb ACTIVE CYBER DEFENCE: ONE YEAR ON REPORT PUBLISHED
CHARITY SECTOR THREAT ASSESSMENT AND SMALL CHARITY 1 Mar GUIDE PUBLISHED
19 Mar CYBERFIRST GIRLS COMPETITION FINAL TOOK PLACE IN MANCHESTER
10-12 Apr CYBERUK 2018 HOSTED IN MANCHESTER
10 Apr CYBER THREAT TO UK BUSINESS JOINT REPORT WITH NATIONAL CRIME AGENCY PUBLISHED
16 Apr U.S-UK TECHNICAL ALERT ISSUED ON RUSSIAN MALICIOUS ACTIVITY
PRIME MINISTERS OF THE UK, CANADA, NEW ZEALAND AND 18 Apr AUSTRALIA MET AT THE NCSC AS PART OF THE COMMONWEALTH SUMMIT
3 May GUIDANCE FOR LOCAL AUTHORITIES AHEAD OF LOCAL ELECTIONS PUBLISHED
9 May NETWORKS AND INFORMATION SYSTEMS DIRECTIVE CAME INTO EFFECT
25 May GENERAL DATA PROTECTION REGULATION CAME INTO FORCE
THE NCSC’S CEO AND THE MINISTER FOR THE CABINET OFFICE GAVE 25 June EVIDENCE ON THE CYBER SECURITY OF THE UK’S CRITICAL NATIONAL INFRASTRUCTURE TO THE JOINT COMMITTEE ON THE NATIONAL SECURITY STRATEGY
27 June NINE START-UPS GRADUATED FROM THE NCSC CYBER ACCELERATOR
Jul-Aug HELD CYBERFIRST SUMMER COURSES FOR YOUNG PEOPLE ACROSS THE UK
19 Jul CYBER THREAT TO LEGAL SECTOR REPORT PUBLISHED
22 Aug THREE NEW ACADEMIC CENTRES OF EXCELLENCE IN CYBER SECURITY RESEARCH ANNOUNCED
8 NCSC ANNUAL REVIEW 2018 CEO Overview
Cyber security is a tough, complex threat is abating. Proof of that – if it strategic or commercial reasons, and challenge. But the UK is making were needed – is that in the two years give themselves a starting point – significant progress in strengthening of our existence the NCSC has dealt ‘prepositioning’ – for a significant our defences against those who seek with well over 1,000 cyber security attack in the future. to harm us online. This matters as we incidents. look to an ever more digital future for That’s why earlier this year, along our prosperity. The majority of these incidents were, with the Government of the United we believe, perpetrated from within States, the NCSC published evidence In this report – GCHQ’s National nation states in some way hostile of Russian pre-positioning on some of Cyber Security Centre’s second Annual to the UK. They were undertaken by our critical sectors, along with detailed Review – we set out: groups of computer hackers directed, technical guidance to business on how sponsored or tolerated by the to get rid of it from our networks. • the latest overview of the threats governments of those countries. These we face; groups constitute the most acute and That landmark publication – not just • the progress we’ve made in meeting direct cyber threat to our national calling out unacceptable behaviour them, including some world- security. I remain in little doubt we but providing the tools to clean it leading initiatives to rectify some of will be tested to the full, as a centre, up – was one example of how we’ve the systemic security weaknesses of and as a nation, by a major incident at been moving in the right direction over the modern Internet; some point in the years ahead, what the past year. It built on other, similar • the cyber security challenges we would call a Category 1 attack. publications where we have drawn facing families, businesses, critical on an array of technical data – some network owners and government, Although there have been several classified, some not – and published and what they can do to meet very significant incidents, thus far, transparent, technically authoritative them; and the UK has avoided a Category 1 – guidance on it. These attacks have • our plans for the future. most of our foremost international come from a range of states, as well partners have not. But even if this as many non-state sources. There is Although the UK is making significant continues, we must be alert to the much, much more to the cyber security progress in improving our cyber constant threat from countries who threat to the UK than just Russia. security, that does not mean that we will attack critically important national are getting everything right, or that the networks to steal information for
9 NCSC ANNUAL REVIEW 2018 This practical guidance really matters, organisation can reasonably assess Ireland this summer; we have a because victims of cyber crime tend to to be the risks it faces. Defences also permanent member of staff based in be less concerned with the identity of need to be good enough to contain Scotland, and Glasgow will host our the attacker than the impact on their attacks that do get through, as some flagship CYBERUK event in 2019; Cardiff lives and wellbeing, and what they can inevitably will. University’s success in becoming one of do to contain the damage. our most recent Academic Centres of Therefore, understanding how cyber Excellence in Cyber Security Research Indeed, whilst nation state activity attacks work is vital to get ahead of means all four parts of the UK now is the most acute threat, low- the problem. That’s why we’ve started host one of these centres. And like the sophistication but high-volume cyber publishing guidance to boards on rest of GCHQ, we maintain presence crime is the most chronic one, dealt the types of questions they can ask in London, Cheltenham, Bude and with at scale by our first-rate partners their cyber security teams about how Scarborough, and we will look to in law enforcement, led by the they are managing risk. More will expand our presence in Manchester National Crime Agency (NCA). follow, with the aim of helping leaders in the coming years. understand enough technical detail Whilst these incidents individually to make the right decisions. These are This expansion of our national are of less strategic significance, the sorts of practical steps companies footprint will help us further make a cumulatively they amount to a can take to make the marginal mark on UK cyber security at every strategic threat to our prosperity by improvements that will deter some level. There is a real opportunity here undermining our confidence in the attacks, make some others less likely – there are already signs that other digital economy. to succeed, and lessen the impact countries’ admiration for what the of attacks that get through. This was UK is doing in cyber security could That is why our world-leading active launched with support from the CBI secure a competitive advantage for the cyber defence (ACD) initiative – using – an example of government and country in our digital future. As GCHQ automation to reduce some of the industry partnership at its best. begins its second century of service most common weaknesses in cyber to the UK, it is an exciting time for its security defences – is one of our most Through our work on incidents newest part, the NCSC. important pieces of work. The Internet over the past year in particular, we was not designed with security in have become acutely conscious of So let me conclude by paying tribute mind and, from a security perspective, the role the supply chain plays in to our exceptional teams, as well as there are significant flaws in the way leaving organisations vulnerable to to our partners in the security and it operates. In the 2016 National Cyber compromise. As the next generation law enforcement communities, within Security Strategy, the Government of technology evolves, supply chain wider government, in industry and made a major strategic decision to try risk becomes an ever more important other organisations nationally and to redress some of those structural challenge. Meeting it, particularly in abroad. Moving forward on all fronts – problems through the ACD programme. the telecommunications sector as the using world-class data and skills from We were the first in the world to age of 5G approaches, is a top priority GCHQ and our partners at home and attempt this, reducing the damage for the NCSC, supporting the lead abroad; publishing clear, technically done by large scale but basic cyber of the Secretary of State for Digital, authoritative guidance to individuals attacks, freeing up our world-class Culture, Media and Sport, and his and businesses; fixing some of the operatives to focus on the most potent department. That’s a key challenge underlying security problems inherent threats. Our aim is to take away as for our experts who lead on our in modern technology; and enhancing much of the harm from as many programme to protect the nation’s and diversifying our skills base – are people as we can, as often as we can. most critically important networks, vital for our third year and for our alongside their work on our social mission to help make the UK the safest In February this year, our Technical security payments systems, the new place to live and work online. Director, Dr. Ian Levy, published a generation of civil nuclear reactors, groundbreaking paper setting out our systems to protect our national the results of the first year of the defence secrets, and the payments and programme. The latest results show clearing networks that underpin the Ciaran Martin, that since the programme started, UK’s world-leading financial system. CEO of the National Cyber the proportion of phishing sites in the Security Centre world that are hosted in the UK has Finally – for us, heading in the right fallen from 5.3 per cent to 2.4 per cent. direction means becoming a truly This, and other impressive results, national centre, reflecting, and being means we are going to roll out existing present in, the communities we serve. measures further, and expand the We remain very proud of our work programme over the next few years. on skills in schools, particularly our CyberFirst Girls Competition which The ACD programme shows what this year attracted more than 4,500 government can do directly to improve highly talented 12 and 13-year-old cyber security. But getting ahead of female students with an interest in the problem involves equipping every cyber security. Although just over half organisation, however large or small, of the NCSC’s senior leadership are with the tools they need to protect female, there remains a mountain to themselves as best they can. climb within government service and Getting the right cyber security nationally to harness the power of all capabilities for an organisation sections of the population and end starts with a better understanding the serious underrepresentation of all of the risks. No one is asking British minority groups within the profession. citizens and businesses to have cyber defence capabilities akin to those We will also continue to expand our of a nation state. They just need to footprint geographically. We held our be good enough to fend off what an first ever CyberFirst event in Northern
10 NCSC ANNUAL REVIEW 2018 Countering 1 the Threat
At the NCSC, we take a proactive approach to securing the UK’s online defences at home and collaborating with our allies overseas. Instead of waiting for an attack, we anticipate problems and find solutions to prevent them doing harm.
11 NCSC ANNUAL REVIEW 2018 2018 Active Cyber Defence
Active Cyber Defence (ACD) is a collection of services that aim to protect the UK from the high-volume commodity attacks that affect people’s everyday lives. These attacks involve using tools and techniques openly available on the internet that are relatively simple to use. We have developed and tested our ACD services on government with great success. Our longer-term goal is to encourage solutions like these to be adopted across other sectors in the UK. 1 2 3 4 Web Check Protective DNS Takedown Service Mail Check Spotting website weaknesses Protecting the Government Taking down malicious Blocking fake emails from malicious websites content Web Check is a service The Protective Domain We know that people are Cyber attackers spoof email that enables UK public Name System (DNS) blocks more likely to click on a addresses to trick victims sector bodies to scan their malicious sites from being link if it appears to come into opening their phishing websites for common accessed by public bodies. from the UK Government. emails as this makes it vulnerabilities. To help these The Takedown Service easier for them to commit bodies identify potential The aim of the service is aims to prevent cyber identity fraud and theft. weak spots, Web Check not just to block harmful criminals impersonating Mail Check enables an generates an easy-to- sites, but to notify the the Government online. organisation to authenticate understand report showing public bodies about any the email they send so that what needs fixing and how issues so they can fix them. In the past year, we have a receiver can determine to fix it. It is currently being used worked with Netcraft to if it is genuine or fake. As by more than 200 public remove phishing sites people don’t receive the This year, every local sector organisations across that were being used fake emails, they don’t have authority in England, the UK. The DNS service has to impersonate the UK to make judgments about Scotland and Wales, and now detected and blocked Government and notify which attachments to open almost all in Northern attempts to access over 30 internet mail providers and which links to click on. Ireland have signed up to million malicious websites. that are sending malware Web Check. to unsuspecting members Using the Domain-based of the public using the UK Message Authentication Government brand. Over Protocol (DMARC) as part the past year, the month- of this solution, Mail Check by-month volume of each has already prevented of these threats has fallen, a huge number of fake suggesting that criminals are emails getting through. And using the UK Government the number of messages brand less and hosting fewer spoofing protected UK of their malicious sites in Government domains the UK. has fallen, suggesting that our work is deterring criminals from spoofing the Government. Protecting Government Domains
We started Mail Check in 2017. Soon after, cyber criminals After a few months we saw a significant drop in the abuse of responded by spoofing sites that look like UK Government these fake domains. We are now blocking emails spoofing domains but in fact do not exist. For example, instead of tax-service.gov.uk, and anything else that spoofers create using tax.service.gov.uk, they attempted to use tax-service. which ends in gov.uk. gov.uk. As the address does not exist, this means there is no record and as a result it will not get blocked. Working in partnership with government and technical experts, we developed a solution, Synthetic DMARC, and used Cyber Security Information Sharing Partnership (CiSP) to keep gov.uk domain administrators informed.
12 NCSC ANNUAL REVIEW 2018 UK share of visible Availability time global phishing for sites spoofing attacks dropped government brands from 5.3% (June down from 42 hours 2016) to 2.4% (July (2016) to 10 hours 2018) median (2018)
Mail Check Takedown Service
Over the last 12 months, the service removed 138,398 phishing sites hosted in the UK
and a further 14,116 worldwide spoofing the UK Government
Protective DNS Web Check
Average of We have identified unique malicious domains blocked every 10,975 month 2,372 urgent findings that have been fixed
13 NCSC ANNUAL REVIEW 2018 Protective DNS
What Next for Active Cyber Defence?
The cyber threat is always evolving so we need to continue We pilot our ACD tools with the public sector first and, to build a pipeline of ACD services that can deal with where relevant, demonstrate the benefits to other sectors. them. These include a service that reports on the condition This year, we are working with a range of companies and of an organisation’s infrastructure, a service that helps departments to understand how we can help different vulnerability researchers to report bugs in government sectors. We are also encouraging a range of technology websites, and an online package containing cyber exercises providers to offer similar services to their customers so that that help organisations prepare for an incident. together we can ensure that cyber crime doesn’t pay. To improve information sharing with the cyber security industry, we are continuing to develop a suite of services which automate the processing and sharing of information and events. We have already launched a pilot that shares indicators of compromise with one of the UK’s leading internet service providers. This gives their customers better protection automatically at no extra cost. “You don’t need to beat cyber crime – As part of the ACD programme, the NCSC has started to and it would be unrealistic to think we deliver a pilot host-based capability to central government. This involves deploying software that analyses device could. But we do want to make it as hard data to understand and detect threats that target the Government’s IT systems. The service complements as possible and that means making it as an organisation’s existing cyber security and has now been successfully deployed to 14,500 government devices. The unprofitable and risky as we can for cyber number of devices enrolled will increase significantly in the coming months. By using the data this generates, we criminals to act in the UK.” were able to issue our first Threat Surface reports, help early adopters understand the attacks they face, and detect targeted cyber attacks against government systems. Dr. Ian Levy, Technical Director, NCSC
14 NCSC ANNUAL REVIEW 2018 International Partnerships
The NCSC’s international partnerships In partnership with the rest of help us share information and combat government, we have furthered our common cyber threats. In our second cooperation overseas, and we aim year, we had the honour of hosting to expand our reach in 2019. four Heads of Government during the Commonwealth Heads of Government Meeting in April. We have welcomed delegations from 54 countries across six continents, and we have visited 18 countries for bilateral meetings and public engagements.
Five Eyes Partnerships
The Five Eyes intelligence alliance New Zealand has a thriving National comprises Australia, Canada, New Cyber Security Centre within their Zealand, the United Kingdom and Government Communications Security the United States. The alliance – now Bureau. And over the past year, our nearly eight decades old – remains colleagues in Canada and Australia at the heart of our international have announced the creation of partnerships. their equivalent cyber security organisations. With the United States, the cornerstone remains the relationship We are very proud of the work we between GCHQ and the National all do together and as we expand Security Agency but we are working our collaboration on threat sharing, closely with other U.S. agencies. joint operations and beyond, our The U.S. Department of Homeland organisations will become closer Security and the Federal Bureau of still, to the mutual benefit of all. Investigation, with whom we released the joint Technical Alert in April 2018 about malicious cyber activity carried out by the Russian Government, are becoming more and more important to UK cyber security.
15 NCSC ANNUAL REVIEW 2018 Keynote speech by NCSC Director of Operations Paul Chichester at NATO’s annual cyber security summit
Cyber Defence Cooperation European Security Cooperation with NATO
Building on the Memorandum of As the next phase of the UK’s European Conferences Understanding signed in 2017, the relationship with the rest of Europe NCSC worked with NATO to deepen takes shape, our ongoing collaboration In September 2017, NCSC CEO Ciaran our shared understanding of the to tackle common cyber threats will Martin set out the importance of cyber threat. help protect our shared values of continued international cooperation freedom, democracy and prosperity. in cyber security in his keynote address We have shared information and at a major conference held in Tallinn taken the steps we need to take to during the Estonian Presidency of the strengthen our cyber defences and Protecting the Integrity of EU Council. A few weeks later he was to deter and respond to malicious Elections part of the Prime Minister’s delegation cyber activity. to Estonia, where she attended the EU Electoral security is one of the areas Digital Summit. In a keynote speech at NATO’s annual in which we are working closely with cyber security summit in October 2017, our European counterparts. In October Ciaran Martin further reinforced the UK the NCSC’s Director of Operations 2017, the NCSC hosted approximately message of unconditional commitment Paul Chichester emphasised the UK’s 50 delegates from across the EU to to European security at the Munich support to NATO operations and discuss how to tackle interference in Security Conference in 2018, a global encouraged members of the Alliance to the electoral process and strengthen forum for security policy, shortly embrace their role as lead responders the collective response to the threat. before the Prime Minister set out to global attacks from state and her vision for post-Brexit European non-state actors, who could harm our The summit helped initiate the security cooperation. democracies and critical infrastructure. creation of a new guide to securing elections across Europe and beyond. Co-led by Estonia and the Czech Republic, the NCSC made a significant contribution to the product which was published in July, six months before the next round of European Parliament elections.
16 NCSC ANNUAL REVIEW 2018 Visit to NCSC headquarters by four Heads of Government
The NCSC Hosts Four Prime Ministers During Commonwealth Summit “Cyber security affects us all as online crime A commitment to improve does not respect international borders. I have international cyber security was made during a visit to the NCSC headquarters called on Commonwealth leaders to take action by four Heads of Government in April 2018. and to work collectively to tackle this threat. GCHQ Director Jeremy Fleming hosted Our package of funding will enable members to the UK Prime Minister alongside prime ministers from New Zealand, Canada, review their cyber security capability and deliver and Australia, where the leaders were also briefed by Ciaran Martin. the stability and resilience that we all need to stay The visit was part of the biennial safe online and grow our digital economies.” Commonwealth Heads of Government Meeting, in which Ciaran Martin Rt Hon. Theresa May, UK Prime Minister addressed the Foreign Ministers of all 53 member countries and discussed common threats and what the Commonwealth could do together to combat those threats. The summit culminated in the UK Prime Minister’s announcement of an investment of up to £15 million1 over the next three years to help the Commonwealth strengthen its cyber security capabilities.
1https://www.gov.uk/government/news/uk-commits-to-a-safer-commonwealth-in-cyber-space
17 NCSC ANNUAL REVIEW 2018 Behind 2 the Scenes of an Incident
This special report offers a never before seen glimpse behind the curtain of the UK’s strongest asset against cyber attacks. Members of the NCSC’s world-class incident management team explain the methodology we have used to defend against more than 1,000 cyber incidents – a rate of more than 10 per week.
18 NCSC ANNUAL REVIEW 2018 Behind the Scenes of an Incident
At the NCSC, we are committed to being open and transparent – even to the point of now sharing the methodology we use to defend against cyber threats.
It is well known that “There are a wide range of “In the past two years, the NCSC coordinates nation state and criminal we’ve had 2,011 reports Job Descriptions defences to support UK actors targeting every – or ‘tippers’, as we call victims, but the tactics our country. The number of them,” Rachel said. “Around experts deploy are much sophisticated actors is half were designated as Incident handlers less understood. This is increasing, and cyber attacks requiring further enhanced manage and respond to partly due to the covert are seen as a good way investigation. incidents, engage with nature of some of the of pursuing criminal and victims and where necessary intelligence agencies they national interests. Our job is “New incidents are raised support coordinators on can draw on, and partly to make the UK the hardest as a ‘ticket’ with our significant incidents. because the NCSC promises target possible.” Defence Watch Officers confidentiality to the (DWOs), who all come Incident coordinators companies who work The NCSC’s Head of Incident from an intelligence, law manage and coordinate with us. Management Adrian said: enforcement or military cross-government response “The team operates out background. They are able to significant incidents and of GCHQ’s main office in to determine whether it engage with victims. Meeting the Team Cheltenham and, since April meets our criteria as a 2017, the NCSC’s London ‘significant’ incident. Incident reporters Two years ago, the level headquarters, Nova South. produce professional of the cyber threat was Jill added: “We become products on incidents well known to the UK “The most prominent attack aware of incidents in a to ensure all relevant Government. Since then, we have faced so far was variety of ways. As well government partners and the level of the threat has WannaCry, which threatened as companies contacting agencies are updated on become unavoidable to to do unprecedented us directly, we hear about developments. every UK citizen. Attackers damage to the NHS in May incidents from international devise new ways to harm 2017. But most attempted partners and law businesses and individuals compromises are never even enforcement colleagues. all over the world, and cyber known to the public and attacks are rarely out of the many are mitigated by our “It’s really important for headlines. incident management team us to work closely with working closely with the law enforcement. Their NCSC Director of Operations victim organisation – and support is invaluable, and Paul Chichester has overall I’m proud of the work we they work with us to pursue command of the team do.” the adversaries behind that coordinates our work the attacks and ensure against ongoing cyber So, what happens when an protection advice gets out attacks. Facing more than attack does get through? to companies, in particular 1,000 incidents in two years smaller ones at a local – including 557 in the last level.” 12 months – may have been Learning About an more than some may have Incident Jamie explained: “Many expected, but it did not calls we don’t progress shock Paul. The front line of the relate to individuals rather incident management team than organisations. While He reflected: “Cyber attacks includes handlers like Jill, those attacks can still be are a major danger – the coordinators like Rachel and significant, they are taken volume and range are huge, reporters like Jamie. forward by Action Fraud, so but they are on a trajectory we redirect those people to that hasn’t surprised us. them.
19 NCSC ANNUAL REVIEW 2018 “If a tipper has been classed “At the moment our model ‘cryptonym’ – that is used New Incident as ‘significant’ by the DWO, is unique, but we know that as the sole reference during it’s elevated to an ‘incident’ world leaders and other top secret discussions. Categorisation and a handler is assigned countries are looking to System to it.” copy it.” “The operation naming process probably isn’t as Speaking about the new exciting as some might C1 attacks are national New Categorisation system, Mike Hulett, think!” Jamie explained. emergencies, causing Framework Head of Operations at the “Some people think there sustained disruption of National Crime Agency’s are ‘in jokes’ or hidden essential services, leading to To ensure the appropriate National Cyber Crime Unit meanings, but actually the severe economic or social handler manages an (NCCU), said: “We, and system randomly creates 10 consequences – or to a loss incident, it must first be others in law enforcement, options to choose from. of life. assigned an attack category. have worked closely with Since January 2018, the the NCSC to deliver a “You choose something C2 attacks can have a UK’s cyber community has consistent and effective memorable, but it has to serious impact on a large implemented a new incident response to cyber incidents be suitable. The names portion of the population, categorisation framework. that affect the UK. are used across the world, economy or government. so we also have to make The new approach fully “Our collective sure it doesn’t translate to C3 attacks can have a aligns the NCSC’s work with understanding of the anything unfortunate.” serious impact on a large law enforcement agencies to evolving threat to the UK is organisation or wider defend against the growing improving, but to improve The sharing of information government. threat, with incident further we encourage is of paramount responders now classifying all those businesses and importance. Every morning C4 attacks could threaten a attacks into six specific organisations which suffer a a daily ‘team campfire’ is medium-sized organisation. categories (C1-6) rather cyber attack to report them. held to look at the last 24 than the previous three. The hours and what is next. C5 attacks include threats to new system ranges from “Timely reporting of For C1-3s, a cross-NCSC a small organisation. targeting the Government incidents allows the NCA Tactical Leadership Group and critical national and NCSC to decide upon (TLG) is immediately set up C6 attacks on individuals, infrastructure through to and deliver the most to share the facts among the response would be individual citizens. effective response.” our colleagues in GCHQ led by law enforcement and the law enforcement agencies, such as the local Paul explained: “We wanted Once an incident is put onto community. police force. to have a more coherent the system with a specific process with industry category, it is allocated an At this meeting, the team and law enforcement, so incident handler. agrees its understanding of developed a new, truly the technical issues, sets national system. out clear objectives and “The initial evidence is The Language of ascertains how to provide that it has been extremely Espionage the best possible support to effective in helping us direct the victim. our resource against the A peculiar aspect that attacks we can best support arises at this stage is the Cyber security is a team against. language of espionage. All sport, and it is also C1-3 incidents are given an operational code name – or
20 NCSC ANNUAL REVIEW 2018 On 13 June 2018, Dixons Carphone plc announced that a review of its systems and data had shown unauthorised access to certain data held by the company.
A Dixons Carphone spokesperson said: “Our experience engaging with the NCSC following the discovery that some of our customers’ data had been subject to unauthorised access has been beneficial.
“The NCSC has been supportive and provided valuable advice which has helped both shape our response and ensure that we are taking all appropriate steps to ensure the security of our customers’ data.”
vital that information is ourselves, the victim think is happening and try incident is absolutely vital. shared to other affected and their CIR company to get them to investigate The old saying of ‘a lie can areas of government. to investigate. If it’s so they can give us more get halfway around the The TLG findings are fed appropriate, we can enrich information. We try to work world before the truth gets into a cross-Whitehall any information we receive with them to identify what’s its boots on’ is particularly Strategic Leadership Group with intelligence we have, happening and help them to true in cyber security – and (SLG). A single incident and we work with a range of fix it.” particularly dangerous. can be of interest to partners to further develop multiple departments, so our understanding. For the most significant “Cyber attacks obviously representatives are brought incidents, the NCSC deploys don’t adhere to into the meetings to discuss “It’s really helpful if boots on the ground and international boundaries the attack and identify the companies allow us access sends an incident response or time zones. Incidents next actions to take. to their system logs to team to the victim to offer often break during the night, look for indicators of hands-on support. and we need to make sure Supporting the compromise (IOCs), and we harmful myths are corrected. look for known scripts from Jamie added: “We can Victim actors we already track. By provide direct support and “If a company has publicly knowing who is behind the advice to victims, and help acknowledged a breach and Simultaneously, the NCSC attack, we are better able to understand the nature it affects a large number works with the victim to understand intent and and extent of a compromise. of people, we work with organisation to ensure they reduce the damage.” “That response enables technical colleagues to get have appropriate defences us to review the logs on the right advice out quickly in place. An important part If an incident has been a computer to locate the which people can act on.” of business continuity and detected by the NCSC but is attack. It can be done by disaster recovery planning not known to the company, either looking through the The result is around is identifying a supplier of it falls to the incident victim’s physical system or 1,000 words of easy-to- incident response services handlers to pick up the taking a digital image of the understand, actionable in advance of any serious phone and explain what has system to the NCSC labs.” advice published on the attack. happened. NCSC website within 24 Jill said: “That’s not Public Engagement hours of an incident. The Rachel explained: “The always easy – we get a NCSC website receives first thing a handler will lot of people hanging up! When a major incident hits, around 180,000 visitors per ask a potential victim They might think it’s just it is also vital that the public month, and is soon to be is ‘Do you have a Cyber someone on the inside or are kept informed. The revamped to help users find Incident Response (CIR) don’t realise the seriousness, NCSC has a range of sector relevant advice. company? We can still work so sometimes we need to engagement teams and with them if they don’t, have persuasive skills as full-time communications but it will often influence well as technical knowledge. staff who are embedded in how effectively they can every stage of an incident – investigate and mitigate “To help with that there’s a including a 24/7 media against the attack.” contact validation form on duty service. our website that individuals Jamie added: “If the can use to confirm the NCSC Director of company is happy to share identity of a member of the Communications Nicky information, we will set up NCSC who has contacted Hudson said: “Getting our a trilateral group between them. We explain what we messaging right during an
21 NCSC ANNUAL REVIEW 2018 “I raise my glass to the UK for what they have Mythbusting done with NCSC – galvanising public and private While the NotPetya attack interests with that bold statement of becoming was ongoing, worldwide media reported early the safest place to live and do business online. international assessments And the results speak for themselves – it has that it was ransomware. The NCSC detected been amazing.” it was actually wiper malware masquerading as ransomware, and the Dave Hogue, U.S. National Security Agency communications team quickly acted to ensure people stopped treating the attack as something it wasn’t – which could have caused financial damage without retrieving any data. Director of Communications Nicky Hudson said: “We quickly published an updated statement on our website, phoned journalists and tweeted to get the message out as quickly and clearly as possible. That worked and helped to focus people’s actions on the real threat rather than paying a ransom for something that doesn’t exist.” Aftermath and shoulder-to-shoulder with assets? And do you have a international partners, we comprehensive response Evaluation have been able to show that plan? An incident stops being foreign state aggression will ‘active’ once the breach not be tolerated.” “Answering those three is sealed and no further questions isn’t going to stop realistic assistance can be Every single incident is all of the damage, but every given. However, that is not comprehensively evaluated organisation should know the end of the NCSC’s work by coordinators, who what to do in the first 36 to learn lessons and share diligently identify both hours of an attack.” findings that will help to successes and lessons make the country safer. learned. “We understand that defending from cyber While completely Adrian explained: “There attacks can feel daunting. confidential, intelligence wasn’t an NCSC before 2016 The attacks we face change gained from incidents goes and we always said we are every day, and as with any into mapping the broader trying to create something response process, every time threat landscape and leads completely new. we work on an incident we to significant breakthroughs learn from it – and share in broader UK intelligence “That learning has not those learnings as widely as operations. ended now we are up and possible.” running – we are still always Paul said: “By having those looking to evolve and The NCSC has been clear who track and respond improve.” that cyber attacks will take to threats in the same place for the foreseeable team, it helps us to better future and it is a matter of understand who is targeting Mitigation, not when and not if a ‘category us, investigate them and Prevention one’ attack will occur. share our findings. There is no silver bullet that But thanks to the expertise “That can lead to public will defeat cyber attacks, and agility of our incident attribution – as we’ve seen but work can be done management team, the UK more than ever this year. to reduce the harm they has one of the best lines of NCSC assessments were cause. Post-event work defence in the world to help behind attributing WannaCry also includes outreach work the country thrive in the to the North Korean Lazarus to support the victim and digital age. Group and NotPetya to the proactively warn companies Russian state. who could suffer similar attacks. “When we concluded the Russian state was almost Paul added: “We always ask certainly responsible for them three things: Do you NotPetya, it was announced know who could target you? in a joint attribution Do you know your critical with the United States of America. By standing
22 NCSC ANNUAL REVIEW 2018 Building 3 the UK’s Defences
The NCSC serves every part of the UK. In our second year, we have worked to strengthen our regional partnerships, deepen our local understanding and expand our reach across the country. We seek to make sure that every corner of the UK is as well prepared as it can be for whatever incidents may hit us. We are working closely with partners in England and the devolved administrations where we have advised critical sectors including water, energy and health, and advised on the implementation of the Network and Information Systems (NIS) Directive. These partnerships are vital as they help to protect our essential services.
23 NCSC ANNUAL REVIEW 2018 2018 Working Across the UK
Central Government Regional Organised Crime Units
Alongside HMRC, the Home Office, the Department for Regional Organised Crime Units (ROCUs) are trusted Work and Pensions, the Ministry of Defence, and the partners of the NCSC that form the Cyber PROTECT Foreign and Commonwealth Office, the NCSC is a key Network. The national policing network of Cyber PROTECT stakeholder in the Transforming Government Security officers aims to raise awareness of the threats posed Programme. This initiative transforms the way that the by cyber crime and provide advice to organisations and Government addresses its most challenging security individuals on how to protect themselves. The Network problems. As part of this, we delivered training for the is made up of over 60 officers and staff who provide new Senior Security Advisors, who are the focal points for communities with specialist policing capabilities for cyber security in government, to ensure they are equipped to security. Cyber PROTECT is a critical route for the NCSC deliver the right advice on cyber security. to get its message into – and a source of feedback from – local communities. The PROTECT network coordinator and engagement lead are both seconded into NCSC to embed this partnership fully.
Devolved Administrations Digital Government Lofts
We continue to help the UK’s devolved administrations Digital Government Lofts are events where NCSC experts raise cyber resilience across all sectors. We promote the brief representatives from other areas of government and adoption of ACD, CiSP and CyberFirst; provide bespoke the public sector to improve regional engagement. The Lofts technical consultancy; and present at cyber security events. take place across the country and, this year, they were held We have helped to deliver a secure platform for devolved in Shipley, Glasgow, Bristol, Cardiff and London, with up to benefits in Scotland; supported the Welsh Government 80 people attending each event. with their plans to raise cyber resilience within their 22 local authorities; and supported the Northern Ireland administration with workshops designed to link their incident management process to the national framework.
Events in London and Cheltenham
We have hosted more than 80 stakeholder events at our London headquarters and at GCHQ in Cheltenham. These have ranged from regular Information Exchanges with representatives from critical national infrastructure sectors to CyberFirst activities, international visits, and training events.
24 NCSC ANNUAL REVIEW 2018 “The National Cyber Security Centre has “Our engagement with NCSC this year offered vital expertise and support to our has continued in several valuable areas, work to develop a set of action plans that from successful take-up of Active Cyber will help make Scotland a world leading Defence in the Welsh public sector, nation in cyber resilience.” to raising awareness of the threat and support on managing incidents at several Representative of the Cyber Resilience Unit, Scottish Government events funded by Welsh Government, to supporting the growth of cyber skills in Wales through CyberFirst courses at “Our close working relationship with Cardiff Metropolitan University.” the NCSC is invaluable on our journey to design and build the brand new Representative of the Welsh Government technology platform to support the devolution of social security benefits to Scotland. The safe and secure transition “The inaugural Northern Ireland of those benefits is of paramount CyberFirst Defenders course was a major importance and our early engagement success. It was a really collaborative with the NCSC, as the national technical effort and we were very pleased with the authority for cyber security, demonstrates engaging way of involving the pupils.” our commitment to the principle of ‘secure by design’.” “We are certain that this is the beginning of a long-term strategic plan which will Representative of the Social Security Directorate, Scottish Government encourage more young people to join the profession. NCSC staff were particularly helpful in providing definitive advice “The NCSC provides ROCUs with up to and guidance on policy and strategy for date information and services which we password management.” can then disseminate to SMEs and the Strategy Officer, Digital Shared Services, Northern Ireland general public.” administration
Representative from the Southern Wales ROCU
25 NCSC ANNUAL REVIEW 2018 Protecting Critical National Infrastructure
The UK’s critical national infrastructure In the telecoms sector, our work with (CNI) supports nearly every aspect the Department for Digital, Culture, of our daily life. Our CNI is becoming Media and Sport (DCMS) has helped increasingly digital, which brings real pave the way to faster 5G networks. benefits, but also raises cyber security And as we enter the ‘Great British risks. To combat these threats, we Space Age’, we are helping to design work with thousands of systems and four new UK spaceports to help an hundreds of organisations across the already successful industry reach for UK. the stars. Over the past year, we have supported many of these organisations to secure their systems. In the transport sector, our advice has helped to secure the next generation of vehicles. In the energy sector, our experts have helped design the security of a new sustainable national grid.
Mapping Critical Systems Protecting the Nation’s Exercising Capability in Energy Europe
The NCSC has been working with lead The NCSC has undertaken a range of The NCSC both contributed to the government departments and industry work within the energy sector. We development of and participated in the to develop a process which identifies brought together participants from European Union Agency for Network the systems that are critical to our CNI, the oil and gas sector, cyber security and Information Security Cyber Europe including dependencies between the industry, the Department for Business, 2018 exercise for the aviation sector. sectors. We have mapped the critical Energy & Industrial Strategy (BEIS) and The exercise drew participants from systems that are vital to the everyday the Oil & Gas Authority to conduct a 30 countries and enabled each to operation of the CNI. By better threat and vulnerability survey of the test their national incident response understanding the interconnectedness sector. This resulted in a number of procedures as well as their ability to of the various sectors, we can improve vulnerabilities being identified which coordinate with European partners their resilience. will lead to improvements based on in the event of a widespread cyber our advice. incident. It involved sending out over As it continues to develop, this work 23,000 ‘injects’ – updates that drive will provide an overarching view of our the direction of an exercise – with the CNI, enabling industry and government UK receiving approximately 470. This to concentrate their cyber security enabled the NCSC and the Department efforts where they will have the most for Transport (DfT) to validate their impact. procedures and identify areas for development in their response.
“The NCSC is a valuable partner for the Bank of England in developing the next generation of the Real-Time Gross Settlement service; a high value settlement system which lies at the heart of the UK’s financial system. The NCSC is providing guidance at both a technical and strategic level to help the bank design a system that will meet the changing needs of the public and support innovation in the payments industry while maintaining security and resilience at the heart of the service.”
Victoria Cleland, Executive Director, Banking, Payments and Financial Resilience, the Bank of England
26 NCSC ANNUAL REVIEW 2018 Working with the Regulators
NIS Directive
This year has seen the UK regulations implementing the EU NIS Directive come into force, resulting in companies being designated as Operators of Essential Services (OES) and Digital Service Providers (DSP). The NCSC has two formal roles under NIS: to act as the UK’s Cyber Incident Security Response Team (CSIRT); and to be the UK’s single point of contact. As the CSIRT, our role is to provide 24/7 incident support and assistance to OESs and DSPs on cyber matters. We have also produced guidance and developed a framework which supports the assessment of the level of cyber security achieved by OES in relation to NIS requirements. While the Civil Nuclear Exercise Securing the Air NCSC has no regulatory role in NIS, we are supporting new NIS regulators to develop their staffs’ skills and provide guidance on the threat that different industries face. We are working with industry and the regulators to ensure We supported BEIS on the planning We have continued working with that the implementation of this and delivery of a technical exercise NATS, the main air navigation service directive leads to better standards of in Estonia for the UK’s civil nuclear provider in the UK, to review the cyber cyber security. sector. The NCSC acted as part of the security of their air traffic control ‘red team’, testing the 15 participants in and management system. A series their ability to understand and defend of rigorous technical reviews looked against a range of cyber threats. at their existing and new systems and made recommendations for GDPR The NCSC continues to work with improvements which NATS agreed. The BEIS, other government departments new systems will also be compatible and industry partners to extend with changes being made across In May, the General Data Protection the number and types of technical Europe over the next 20 years as Regulation (GDPR) came into force exercises available to operators in part of the Single European Sky ATM alongside the new Data Protection their sectors. Research project. Act 2018, placing a comprehensive set of new obligations on public and private sector organisations to protect all the personal data that they collect “This provided a very rich and process. The NCSC has partnered with the scenario which taxed us Information Commissioner’s Office (ICO) to develop a set of GDPR across a broad range of security outcomes. This guidance provides an overview of what the technical abilities in many GDPR says about security and describes a set of security-related cyber security topics.” outcomes that all organisations processing personal data should Gavin, Nuclear Decommissioning seek to achieve. Authority
27 NCSC ANNUAL REVIEW 2018 Securing Britain’s Secrets Government Missions
From the rise in mobile working to the emergence The NCSC works with the defence sector and of quantum computing, the national defence UK intelligence agencies to help preserve the landscape is changing all the time. In response, national security of the UK. Our encryption we have developed secure systems that our expertise enables the NCSC to protect the UK’s government partners and allies can trust. These national defences in a range of ways. solutions ensure government missions achieve their outcomes. Securing Secret Communications
Joint Crypt Key The NCSC has continued to support the Cabinet Office’s FOXHOUND programme to deliver a The Joint Crypt Key Programme (JCKP) helps the secure IT and communications network (known UK keep its secrets secret, share information as Rosa) across central government. Rosa offers effectively and ensure that it is available when the UK Government and its partners a single, and where required. secure platform for working up to and at the SECRET classification. Working in collaboration with the Ministry of Defence (MOD), JCKP helps us work with This year, the first phase of bespoke mobile foreign partners and keeps our key distribution phones that use our unique technology was technologies up to date. Now, two years into a deployed to users, and we are working with 10-year plan, JCKP has helped the UK maintain the Rosa operations centre to ensure a smooth its standing as a world leader in cryptographic transition to the new system. The effective key services. partnership between the NCSC and the Cabinet Office Government Security Group is delivering a UK Key Production Authority single security solution to dozens of departments and thousands of users. Our cyber security The UK Key Production Authority (UKKPA) is a experience means we are perfectly placed to critical part of the NCSC’s cryptography defences. secure the UK Government’s latest technology. UKKPA generates, distributes and accounts for cryptographic key material for government, Protecting Our NATO Allies industry and our allies overseas to support secure encrypted communications. We work with NATO to help protect their communications infrastructure. Our expertise in UKKPA Facts cryptography and security helps support NATO defence efforts and ensures our armed forces get • 170 customers across government, industry the protection they need. and law enforcement • Alongside the U.S, we are one of only two suppliers of key material to NATO • Annually we process approximately 3,800 orders for key material, equating to 145,000 physical items, such as CDs and data tokens • We support the MOD, intelligence agencies, and other government departments in their requirements for allied electronic key received from the U.S. and other partners.
National Security
The national security sector faces unique threats as it processes the UK’s most sensitive data and runs its most sensitive systems. The NCSC is working hard to support them. Far from being limited to securing the defence sector, the NCSC’s robust encryption systems help ensure the UK Government stays secure today and in the future.
28 NCSC ANNUAL REVIEW 2018 Defending Defence Working with Industry
The NCSC continues to support the Defending We cannot do any of this alone. Our industry Defence Programme, which was established in partners provide a vital service to keep our 2014 with the aim to make the defence sector a communications secure. more difficult target for those that threaten our national security. The Sovereign Enabling Framework Strategic Deterrent The Sovereign Enabling Framework allows companies to work with us on cryptographic To help the MOD protect the UK’s most sensitive key projects such as the JCKP. We designed capabilities, we provide support with incident this framework to ensure that companies and threat reporting, advice on cyber security working with us have a good understanding policy and training to identify supply chain of cryptographic key and to demonstrate the vulnerabilities. behaviours we need to protect the UK. Joint Strike Fighter In its second year, we are pleased to welcome two businesses onto the framework, joining the The NCSC supported the MOD to ensure the original six companies. With their support, we secure delivery of the new F-35B fighter planes. have sustained and developed the skills, capacity We produced cryptographic key management and capabilities of the UK’s cryptographic key that enables the MOD to operate the aircraft industry. wherever and whenever they are needed. We tested the aircraft to ensure that it met Exporting Crypt Overseas national TEMPEST standards, which ensure that military equipment does not unintentionally emit This year, the NCSC made the biggest change sensitive information. We also provided guidance to information security export licensing in over to secure the international ground systems and a decade. Working in partnership with the provided technical expertise to mitigate the Department for International Trade and industry threat to the supply chain that supports the bodies, we released our Open General Export aircraft throughout its life. Licence (OGEL) for information security items. Securing the Defence Supply Chain The new licence removes a large administrative burden for businesses and introduces a simpler, We worked with the MOD through the Defence lighter touch process for the faster export of Cyber Protect Partnership to build better cyber low risk cryptographic goods from the UK. This security into their contracting and procurement enables UK firms to compete on a more equal processes. We also provided defence industry playing field with the U.S. suppliers with threat briefings to help them identify vulnerabilities in their supply chains. The Wassenaar Arrangement Our work helps protect national security customers and helps ensure that their The NCSC provides cryptography and cyber systems are not compromised. security expertise into the UK’s representation at The Wassenaar Arrangement. The Arrangement is a body of technical experts from 42 states who provide guidance on arms control. During the 2017 negotiations, the NCSC contributed to the redrafting of the controls text for intrusion software tools. The outcome provides greater clarity of the control text and provides some exemptions where the described products are used by the cyber security industry. The NCSC’s contribution was a significant factor in achieving the progress to date. We also provided technical contribution to new areas where controls might be relaxed or tightened.
“The NCSC has provided significant ongoing cyber security support within the F-35 mission support environment. The NCSC has been a critical contributor to F-35 system connectivity and UK network security, enabling Defence Equipment and Support to understand and mitigate risk while ensuring that security policies and international collaborations remain robust to the cyber threat.” Caroline Dyer, Programme Manager, Ministry of Defence
29 NCSC ANNUAL REVIEW 2018 Supporting our Citizens and Economy
The NCSC is committed to helping everyone stay We aim to expand and develop our offer across safe online – from the smallest organisations the UK. We are developing a toolkit to help to the biggest global brands. We have begun boards better understand the cyber threat and in-depth research to inform the content that mitigate risks. And we are working with our we deliver to our varied audiences. We have Industry 100 partners to create innovative new listened to users and will be incorporating their ways to raise the level of cyber security across feedback into the launch of our new website. the UK. The new website will have a focus on protecting individuals and families, businesses, charities, and government.
Enterprise and Organisations
Small and Medium-Sized Charities Retail Enterprises
Small and medium-sized enterprises We work with the charity sector to Our work with our retail partners (SMEs) account for 99% of all ensure their good work can carry ensures the sector remains resilient private sector businesses. With fewer on without interruption from cyber to potential attacks. In 2017, the retail resources than larger companies, it is threats. As part of an awareness- sector contributed £194 billion to the crucial that we do all we can to help raising campaign, the NCSC released UK economy.2 And as the largest single these businesses keep themselves safe. the first ever threat assessment for employer in the UK, it is vital that we That’s why we produced our Small UK charities. The report showed that help keep it safe. Business Guide and distributed copies charities were under attack but few around the country through the annual people in the sector were aware of the To do this, we produced the Retail business engagement event, the Small significance of the threat. Cyber Security Toolkit in partnership Business Saturday Bus Tour. with the British Retail Consortium. The To combat the threat, we released toolkit has now been downloaded and We partnered with various trade our Cyber Security: Small Charity shared thousands of times, helping to bodies to ensure we are tailoring our Guide. In partnership with the Charity make online shopping safer. products to meet the needs of SMEs. Commission and leading charitable We also participated in the Prince’s bodies, the guide aims to help charities Trust Business Emergency Resilience understand the risks and offers advice Education Group’s ‘Would You Be Ready’ to reduce them. We collaborated campaign to ensure that businesses with The Foundation for Social We worked with Universities UK to are as resilient as they can be. Improvement to bring the guide to life raise awareness of cyber security by delivering cyber security awareness among university leaders. We also We have also developed links with sessions to more than 1,000 charities partnered with the Department for regional organisations such as the across the UK. Education to produce cyber security North West Business Leadership Team. guidance for schools. This has led to direct engagement The NCSC is working with the with universities, local authorities and National Association for Voluntary business leaders in the region. and Community Action to develop a Sport range of training materials for their Legal 200 members to deliver to the 145,000 We have developed relationships charities and voluntary groups they with major UK sports organisations, represent. This is a unique campaign helping the FA prepare for the 2018 Legal services hold some of their that ensures that the work of these FIFA World Cup and incorporating clients’ most sensitive information and vital organisations is protected. We cyber security into the plans for the they are increasingly subject to cyber pride ourselves on being able to 2022 Commonwealth Games. Our work attacks. That’s why we produced The help safeguard those charities who helps sports organisations understand Cyber Threat to UK Legal Sector Report. safeguard others. that reducing the cyber threat really is In partnership with The Law Society a team sport. and our Industry 100 legal partners, the report helps law firms understand current cyber security threats and the risks to the legal sector, and includes guidance firms can use to secure their cyber defences. 2http://researchbriefings.files.parliament.uk/documents/SN06186/SN06186.pdf
30 NCSC ANNUAL REVIEW 2018 Individuals and Families The NCSC Online Despite the scale of the cyber threat today, vital protective actions are still routinely left at individuals’ discretion. We support a number of initiatives which help people to take the right protective action. The NCSC’s digital output has become an integral part of how we provide advice and guidance. To encourage lasting and meaningful change, the NCSC is working with other government departments on strategic This year, more than 1.9 million people have communications and initiatives that build on the success visited our website, and our Twitter and of the UK Government’s current behaviour change LinkedIn channels now reach more than 80,000 campaign, Cyber Aware. This is based on the technical people. Our content has allowed the NCSC advice of the NCSC and promotes simple measures that to start conversations, raise awareness and people can adopt to stay secure online. increase understanding across the cyber security landscape. As the NCSC develops, so must our digital “As data controllers, law firms handle significant presence. To deliver an improved website, we have responded to feedback and focused on volumes of confidential and sensitive giving users a much-improved journey through information and client monies as part of the site with more intuitive navigation. Our goal is to deliver a digital platform that their daily work. The Law Society sees The helps users not only understand the importance of cyber security, but also how they can protect Cyber Threat to UK Legal Sector Report as themselves at work and at home. This platform will also be a base for new digital services in the as a positive step to help our members spot future. vulnerabilities and put relevant safeguards and protections in place.” CiSP Christina Blacklaws, President, The Law Society
The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber “The small charities guide is really useful threat information in real time, in a confidential because it uses simple language, it is practical and dynamic environment. The benefits of CiSP include giving members and it doesn’t shroud everything in a mist of a secure environment to engage with industry and government counterparts, supplying early expertise. It just gives you some very simple warning of cyber threats, and helping members learn from their experiences and successes of steps that you can take to make your charity other users. more secure.” Since its launch, CiSP has grown to 10,569 users across 22 sectors and produced 20,270 pieces of Pauline Broomhead, CEO of Foundation for Social Improvement content. Bug Bounty “For the British Retail Consortium and our members, cyber security is at the very heart The NCSC works with vendors to help mitigate critical security issues before they cause real of our work and an area where relationships harm. This includes vulnerabilities in major software products. As testament to our skills, with the NCSC are vital. We look forward to the NCSC was named as one of Microsoft’s top five Bounty Hunters in the first quarter of continuing our ground-breaking work into the 2018. NCSC’s expertise helps keep government, businesses and individuals safe and provides future.” support for a range of good causes as all the bounties we win are awarded to charity. James, British Retail Consortium
31 NCSC ANNUAL REVIEW 2018 CYBERUK 2018
CYBERUK is the UK Government’s This meant ensuring that we had flagship cyber security event. CYBERUK diversity of thought in the programme, is all about promoting a national and provided a positive learning conversation around cyber security environment for all participants. and building a community that works together. The conference brought together 2,500 delegates with combined We were delighted to bring CYBERUK expertise across multiple disciplines 2018 to Manchester, a city synonymous and professions. The event offered with innovation, creativity and a wealth of content on the technology. technical aspects of developing and implementing cyber security in the Over the three days in April, we had face of complex problems and threats. engaging speakers, thought provoking topics and a plethora of talent in We are pleased to announce that attendance. We were committed CYBERUK 2019 will be held in Glasgow. to putting diversity at the heart of CYBERUK 2018. Highlights
• 2,500 delegates • 210 speakers • 48 track and stream sessions • 26 ‘Spotlight stage’ lightning talks • 15 workshops • 105 sponsors and exhibitors • Dragons’ Den style ‘Cyber Den’ • Live cyber incident exercise • Provided sign language interpreters for hearing-impaired delegates • 94% of delegates rated the content of the conference as ‘excellent’ or ‘good’ • 88% of delegates rated our commitment to diversity positively
“CYBERUK is a tremendous conference. You get to meet a lot of interesting people in areas I wouldn’t normally be exposed to. It is a great community. The partnership with the people who are in attendance and who are here speaking has really evolved a lot and the initiatives, the competitions and the outreach to the community has been really amazing to watch.” Katie Moussouris, Founder, Luta Securia
32 NCSC ANNUAL REVIEW 2018 Industry 100
The NCSC’s Industry 100 initiative “Industry 100 allows us to draw on the brings together public and private sector talent to generate innovative best and brightest in industry – to test and ideas and collaborate on some of the latest cyber security challenges across to challenge the Government’s thinking as a wide range of NCSC placements. we take this project forward.” Since the programme began, we have been pleased to welcome 132 Rt Hon. Philip Hammond, Chancellor of the Exchequer professionals from 60 organisations who have come together to enhance the cyber security of the UK. Contributors have included representatives from sectors including legal, finance, aerospace, telecoms, academia, IT, oil and gas, nuclear and engineering. How Does Industry 100 Work? 1 2 3 4 Industry 100 secondees will Participating organisations There are exciting and Some roles are also work across a wide range are expected to continue challenging opportunities available for secondees who of bespoke short-term to pay salaries for Industry in all areas, including are not based at our offices. placements at the NCSC 100 secondees, in order to security engineering, normally on a part-time maintain independence. communications and Find out more: basis. finance. www.ncsc.gov.uk/ industry-100
“I’m proud to be part of the Industry 100 “Industry 100 has enabled me to research programme as I am at the forefront of the most pressing and emerging issues developing cyber security skills across in cyber and security affairs, something the UK. My role as a Cyber Security that has been invaluable for both King’s Educator is to build upon the work of the College London and my own academic CyberFirst programme and increase its studies. The flexible working hours at the proliferation and participation.” NCSC are very convenient, allowing me to balance my work with my continuing Zeshan, Technical Evangelist at CompTIA and Cyber Security Educator at the NCSC academic studies.” Rob, master’s student at King’s College London and CNI Assessor at the NCSC
33 NCSC ANNUAL REVIEW 2018 Cyber 4 Capability for the Future
The NCSC strives to identify new ways to build the UK’s talent pipeline, promote innovation, and develop the UK’s cyber security research. Our investment in skills helps the UK remain a world leader in cyber security by developing the talent we have and attracting the best and brightest people to the industry. To ensure a secure, resilient and prosperous economy, organisations must have access to the cyber security skills they need, which is why the NCSC is working closely with the Department for Digital, Culture, Media and Sport (DCMS) to close the cyber skills gap.
34 NCSC ANNUAL REVIEW 2018 People
The NCSC’s single greatest asset is our people. At a time of rapid change in our industry, we are helping students of all ages develop the skills they need to grow to work across the UK and have a rewarding and interesting career in cyber security.
CyberFirst
The CyberFirst programme aims to “Looking back over my time CyberFirst Girls Competition identify and nurture exceptional young talent, engaging students from all in the scheme, I consider Women make up only 11% of the backgrounds and every region. global cyber security workforce.3 myself lucky to have been a Through the CyberFirst Girls CyberFirst Bursaries Competition, we are working to part of such a great project. increase the number of young The CyberFirst Bursary project women in the cyber industry. continues to grow, and in autumn Not only has my cyber 2018 more than 500 students will have This year’s CyberFirst Girls Competition joined the initiative. Each student outlook been enhanced attracted over 4,500 girls aged 12-13. receives £4,000 a year and a minimum The finalists overcame 170 challenges of eight weeks’ paid cyber security but my career aspirations of varying difficulty and the top ten work experience or training each teams qualified for a head-to-head summer with industry or government. changed completely!” final in Manchester. As part of their prize, all the finalists were then invited to Buckingham Palace to meet His CyberFirst Degree Apprenticeships Lauren, CyberFirst Bursary student Royal Highness The Duke Of York. In September 2017, we ran a In 2019, we are hoping to build on recruitment exercise for our brand “The competition has this year’s success by expanding the new Cyber Security Degree Level CyberFirst Girls Competition to over Apprenticeship which will see young taught me and my team- 1,000 schools. people working within the NCSC’s parent organisation, GCHQ. Successful mates a lot about coding applicants will start a degree apprenticeship, learning everything and I think I’d now like to do 2018 Winners: The Computifuls from code to emerging technologies, from The Piggott School with a potential full-time role upon computing for GCSEs.” graduation. The apprenticeships give students Annarose, St Catherine’s College, exposure to some of the most cutting- CyberFirst Girls Competition finalist edge technologies and practical from Northern Ireland insights into the innovative ways we use them. In our first year, we have already made over 100 offers of an apprenticeship and were pleased to welcome our first intake in September 2018. We hope this programme will open up a career in cyber security for a wide range of people – not just those who choose to go to university. CyberFirst Courses This year, we held CyberFirst courses in Edinburgh, Belfast, Cardiff and Southampton as well as 23 free, week- long summer courses at universities across the UK.
3https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf
35 NCSC ANNUAL REVIEW 2018 Launch of the Cyber Schools Hub in Gloucestershire
Cyber Schools Hubs Certified Degrees Cyber Security Body of Knowledge
At the NCSC, we are also taking strides We believe that all UK students Through the Cyber Security Body to reduce the UK’s digital skills gap. should have access to a high-quality of Knowledge (CyBOK) project, we Currently, only one in nine students education in cyber security. Assessing are identifying and defining the key chooses to take a GCSE in Computer everything from the instructor to knowledge areas required by those Science. Initiatives like our Cyber the facilities, NCSC-certified degree working in cyber security. Schools Hubs aim to change that by programmes have helped hundreds encouraging pupils to choose a career of students choose the right cyber After public consultation and having in the cyber sector. security degree course for them. Since taken on board a great deal of the initiative began, we have certified feedback, the project took its first big Launched in spring, our two pilot 24 master’s degrees, three integrated steps this year with the launch of the Cyber Schools Hubs in Gloucestershire master’s degrees and two bachelor’s first two of the 19 identified knowledge have provided the opportunity to degrees. areas: ‘Cryptography’ and ‘Software over 17,000 children to engage in Security’. We aim to have launched all events, code clubs, and fun ways to This year, analysis by the Higher 19 knowledge areas by the end of July learn about cyber security. At one Education Standards Authority 2019. school, we held an event that took shows that UK students with a inspiration from the popular BBC TV certified master’s degree have higher show Dragons’ Den to inspire students employment rates and higher salaries and increase their awareness of cyber than students on non-certified CyberFirst Girls Competition security. master’s degrees. We were particularly finalists in action pleased to see an increase in The initiative has been incredibly applications from post-92 universities popular, and we have encouraged as well as more universities from all participating schools to share what around the UK. they have learnt with nearby schools. The Hubs are an example of how we are extending a hand to local “There has been a definite communities and supporting projects that build our national strengths. increase in the number of applicants, which has more “What a morning it was! than trebled since gaining As someone working in certified status.” the cyber and technology Representative of University industry and a father of two of South Wales kids who will be making their own career choices in the coming years, I came away feeling inspired, enlightened and also somewhat humbled by the experience.”
Richard, company director and dragon at the school event
36 NCSC ANNUAL REVIEW 2018 Research
We worked with external partners to support programmes that put the UK at the forefront of cyber security research. This gives us access to world -class experts and helps the NCSC to discover new ways to keep the UK’s information safe.
Academic Centres of Research Institutes The Initiate Portfolio Excellence in Cyber Security Research Institutes help us to develop An important part of the NCSC’s work Research cyber security capability in strategically is to anticipate how cyber security important areas. will evolve and discover new ways to keep the UK’s information safe. One Universities which are recognised by In the past year, all our Institutes of the ways we do this is through the the NCSC and the Engineering and have increased expertise in every Initiate Portfolio which brings together Physical Sciences Research Council research area while deepening their the technical expertise of the NCSC (EPSRC) as an Academic Centre of relationships with industry. The with the latest industry practices and Excellence in Cyber Security Research Institutes also successfully attracted academic research. (ACE-CSR) have been assessed as match funding to complement the producing world-leading, impactful funds received from government. In The Portfolio includes a range of cyber security research. November 2017, we saw the launch projects, from developing the next of the Research Institute in Secure generation of cryptographic devices When the ACE-CSR programme was Hardware and Embedded Systems at to finding new ways to reduce data launched, only eight universities were Queen’s University Belfast, which will loss. As just one example, we led successful at the assessment panel. announce its first funded projects in a research project to investigate After the most recent assessments in December 2018. vulnerabilities in medical devices 2018, 17 universities have now been that use Wi-Fi or Bluetooth. This has recognised. This is testament to the The results have been outstanding. enabled government departments to universities’ growing support for A start-up from Imperial College manage the risk and help staff use cyber security research. In return, London, whose work focuses on the these devices. Future projects include the ACEs-CSR get the chance to build automated testing of graphics, has developing common standards for their profile, receive international been acquired by Google. Middlesex devices connected to the Internet of recognition and showcase the UK’s University’s work on the verification Things. research capabilities on the global of security protocols uses physics to stage. develop a cryptosystem that is immune With funding from the MOD, to quantum computer attacks. And the UK intelligence agencies, the University of Glasgow, the University Cabinet Office and the Foreign and of Birmingham and the University of Commonwealth Office, the NCSC will Bristol are all measuring the impact of continue to help the Government the EU NIS Directive. harness innovation, utilise ground- breaking new technologies and keep our information secure.
Launch of the Research Institute in Doctoral Studentship Secure Hardware and Embedded Systems, Queen’s University Belfast Programme
The NCSC’s sponsored Doctoral Studentships Programme helps increase the number of UK nationals undertaking cyber security research, which will make a real difference to the UK’s security. The students often make discoveries, for example, vulnerabilities in products or standards, which are then reported to the manufacturer or the appropriate authority. The programme also offers students the opportunity to undertake work placements within the NCSC and has led to several students successfully applying for subsequent employment with the NCSC.
37 NCSC ANNUAL REVIEW 2018 Quality
Organisations need confidence that the people, products and services that help them manage their risk will improve their security, not undermine it. Working with our external assurance partners, we operate a number of commercial initiatives that give organisations the evidence to help them differentiate the good from the bad.
Cyber Essentials Certified Cyber Security Consultancy
Helping guard against the most The Certified Cyber Security Currently there are 23 organisations common, internet-based cyber threats, Consultancy gives customers across the UK who have achieved the Cyber Essentials programme is independent, expert cyber security certification by demonstrating that available to all UK organisations, advice from a pool of certified the services they deliver meet the of any size and sector, that want to professional service providers. The NCSC’s standards for high quality cyber demonstrate their commitment to initiative certifies organisations security advice in the areas of risk cyber security. Over the past year, we through a robust process of evidence management, risk assessment, security have more than doubled the number assessment and interview, to provide architecture, and audit and review. of certificates issued, with the award of bespoke cyber security services that over 8,900 new certificates. This brings meet the NCSC’s demanding standards. the total to 15,826 since the initiative began in 2014. We are currently reviewing the programme to make sure it is as effective and affordable as possible. Innovation
Innovation takes new thinking “The opportunity to be and insights and turns them into the things we need to live and do part of the NCSC Cyber business in cyberspace. We work with DCMS to create an ecosystem that Accelerator programme will transform ideas into real world solutions. This brings our experts afforded Trust Elevate together with small businesses to help solve the cyber security challenges we unprecedented access face today. At the heart of this is the NCSC’s Cyber Accelerator. to cyber security experts, support and guidance, Cyber Accelerator which was and continues Aiming to nurture innovation in cyber In the past 18 months, the first two to be instrumental in security, the NCSC’s nine-month cohorts raised more than £20 million Cyber Accelerator saw nine companies in funding, created 19 UK jobs and won accelerating our growth develop products and services that will 15 trials and contracts worth over £3 enhance the UK’s cyber defences. million. We’re now recruiting for a third and reach.” cohort to start in late 2018. This included a service to solve the problem of age verification and Dr. Rachel O’Connell, parental consent for young people in CEO of Trust Elevate online transactions, and another that connects Internet of Things devices with end-to-end authenticated, encrypted security.
38 NCSC ANNUAL REVIEW 2018 CyberFirst Courses
Venue Course
University of Birmingham Defenders, Futures and Advanced Cardiff Metropolitan University Adventurers, Defenders, Futures and Advanced Cleeve School Adventurers Dean Close School Adventurers University of Gloucestershire Adventurers Imperial College London Defenders, Futures and Advanced Lancaster University Defenders, Futures and Advanced Manchester High School for Girls Adventurers NCSC headquarters Adventurers Newcastle University Defenders, Futures and Advanced Newent Community School Adventurers, Defenders, Futures and Advanced Nottingham University Adventurers Queen’s University Belfast Adventurers Royal Holloway, University of London Futures University of Southampton Adventurers University of Stirling Adventurers University of Warwick Adventurers, Defenders, Futures and Advanced University of the West of Scotland Defenders, Futures and Advanced
To find out more, visit: www.ncsc.gov.uk/information/cyberfirst-courses Innovation
Cyber Accelerator – Cheltenham Innovation Centre Research Institutes - Host Universities
Research Institute in Science of Cyber Security (RISCS) – University College London Research Institute in Verified Trustworthy Software Systems (RIVeTSS) - Imperial College London Research Institute in Trustworthy Inter-Connected Cyber-Physical Systems (RITICS) - Imperial College London Research Institute in Secure Hardware and Embedded Systems (RISE) - Queen’s University Belfast
39 NCSC ANNUAL REVIEW 2018 Academic Centres of Excellence in Cyber Security Research
University of Birmingham University of Bristol University of Cambridge Cardiff University University of Edinburgh Imperial College London University of Kent King’s College London Lancaster University Newcastle University University of Oxford Queen’s University Belfast Royal Holloway, University of London University of Southampton University of Surrey University College London University of Warwick NCSC-Certified Degree Providers
Abertay University University of Birmingham University of Bradford Cranfield University De Montfort University Edinburgh Napier University Imperial College London University of Kent Kingston University Lancaster University University of Oxford Oxford Brookes University Queen’s University Belfast Royal Holloway, University of London University of Southampton University of South Wales University of Surrey University College London University of Warwick University of the West of England University of York
40 NCSC ANNUAL REVIEW 2018 100 Years of the Cyber Mission
1919 1936 1944 Government Alan Turing Single national Code and Cypher writes a paper authority for School (GC&CS) On Computable communications is established Numbers, security is with intelligence proposing established and security a universal functions computing machine 1946 1943 First use of The first Colossus computers 1926 computer, the to generate An emergency proto-computer, cryptographic- codebook was created for the material is issued to Newmanry section national at Bletchley Park authorities during the General Strike
1969 GCHQ incorporates the 1981 Communications- Early malware Electronic Security 1989 begins to be The concept of Group (CESG) discovered at becoming National the World Wide scale. A year Web is created Technical Authority later, Elk Cloner for all aspects of by Sir Tim spreads beyond Berners-Lee cryptology the lab it was created in 1950s 1970 1988 Alvis, the first Public Key The Morris Worm machine of Cryptography computer virus the electronic is conceived is distributed era, is created by James Ellis via the internet, and remains at GCHQ resulting in the the workhorse creation of the for secure first Computer communications Emergency for over 30 years Response Team (CERT) in the U.S.
41 NCSC ANNUAL REVIEW 2018 The NCSC’s parent organisation, GCHQ, will be 100 years old in 2019. Founded as the Government Code & Cypher School in 1919, before changing its name to Government Communications Headquarters (GCHQ) in 1946 – and it has been keeping Britain safe ever since.
1996 2010 2014 The BRENT Secure The National Cyber CERT-UK, Telephone is Security programme the national introduced to of £860 million computer provide secure 2013 emergency is announced The National Crime communications response team, is to deliver the Agency and its across the whole launched ‘National Cyber National Cyber Crime of government 1997 Security Strategy Unit is launched Introduction of 2011-2016’ the Government Secure Intranet (GSI), connecting UK Government computer networks
2018 The NCSC dealt with its first 1,000 2016 cyber incidents – The NCSC is created a rate of more than as a ‘one-stop shop’ 10 per week 2019 for cyber security, GCHQ’s uniting separate GCHQ commences centenary events parts of government celebrations for its include an that had a role in 100th anniversary and exhibition at the this area, within launches its second Science Museum GCHQ puzzle book to mark exploring the 2015 the occasion science behind The ‘National 2017 keeping the Security Strategy The NCSC led country safe, 2016– 2021’ is the UK response which opens launched, confirming to the global in summer cyber as a top- outbreak of 2019; and the tier threat to the Wannacry publication of its UK’s economic and ransomware first authorised national security history in autumn 2019
42 NCSC ANNUAL REVIEW 2018 43 NCSC ANNUAL REVIEW 2018 44 NCSC ANNUAL REVIEW 2018 45 NCSC ANNUAL REVIEW 2018 Can you find the secret codeword? Visit ncsc.gov.uk/annual-review-2018
46 NCSC ANNUAL REVIEW 2018 To find out more visit: ncsc.gov.uk
@NCSC
National Cyber Security Centre
©Crown copyright 2018. Photographs produced with permission from third parties. NCSC information licensed for re-use under Open Government Licence (http://www.nationalarchives.gov.uk/doc/open-government-licence). Designed and created by Agent Marketing Ltd. agentmarketing.co.uk
47 NCSC ANNUAL REVIEW 2018