sign in sign up
<<
Home , National Crime Agency

Annual Review 2018 Making the UK the safest place to live and work online

2018 Welcome

The National Cyber Security Centre (NCSC) was created in 2016 as part of the Government’s five-year National Cyber Security Strategy. Since then, our goal has been to make the UK the safest place to live and work online. This review tells the story of our second year, with interviews, testimonials, images and data that take you behind the scenes at the NCSC. It provides a snapshot of our work over the period 1 September 2017 to 31 August 2018. We hope it helps you understand what we do, and along the way see some of the milestones we have reached in our second year. We have also produced a digital report where you can see this year’s events come to life at: ncsc.gov.uk/annual-review-2018

NCSC ANNUAL REVIEW 2018 3 4 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 5 Contents Ministerial 08 Timeline Foreword 10 CEO Overview We have every reason to be proud and expertise to be our single centre term, strategic challenges, whether of the UK’s position at the forefront of excellence. This Annual Review that is affecting behaviour change, of the global digital revolution. recognises the transformational developing the right skills set among Our collective ability to embrace impact of the National Cyber Security UK professionals, or deepening our cyberspace is already driving our Centre over the last year. As well collaborative partnerships in the UK country’s prosperity and enhancing our as providing greater insight into the and internationally. Because whatever . We have one of the nature of the threats we face, the the future holds, we will need to 12 highest levels of internet access and National Cyber Security Centre’s continue to work together to protect usage in the developed world, and our successes include a pioneering Active our economic and individual freedoms. Countering the Threat digital industries are growing faster Cyber Defence programme, delivered than any other part of the economy. with industry to block attacks on At the same time, the threat from a scale of millions per month, and criminals, hacktivists and nation states the development of a world-leading continues to increase and evolve. It is incident management response Rt Hon David Lidington CBE MP easier and cheaper than ever before capability, made possible through key Minister for the and the for those who want to do us harm partnerships with and Chancellor of the Duchy of Lancaster 20 to access the tools, exploits and the wider cyber security community. It services they need to launch attacks. has also reached out internationally Behind the Scenes of an Incident That is why cyber security remains a to strengthen global cyber defences top priority for this government and and our collective ability to deter and for me personally, as the Minister disrupt malicious actors, and continues responsible for improving the security to inspire the next generation of cyber and resilience of the UK, including security experts and entrepreneurs. protecting our critical national infrastructure. There are many more achievements 26 to celebrate in this Annual Review. We launched our National Cyber Everyone at the National Cyber Building the UK’s Defences Security Strategy in 2016 to set Security Centre, and its numerous the direction and ambition for our partners in the public, private and investment and efforts. Because as the voluntary sectors, should take great digital revolution touches every part pride in this work. How we set up of our society, we wanted to ensure the National Cyber Security Centre that our response was comprehensive. reflects the single, clear message that To defend our people, to deter our underpins our strategy, that while we 38 adversaries and to develop the can lead the way, we cannot solve capabilities we need to ensure the UK these problems alone. We need not Cyber Capability for the Future remains the safest place to live and just a whole of government but a work online. Our strategy is supported whole of society approach to tackle by significant investment – £1.9bn – cyber security. to drive the transformation we need to respond at the scale and pace The future remains stubbornly difficult required. to predict. But we do know that the next 12 months will continue to 46 We have made good progress since we challenge and surprise us. We have launched the strategy. At the heart of built solid foundations to ensure that 100 Years of the Cyber Mission our response was the formation of the we can remain resilient in an ever National Cyber Security Centre, which changing world. Key to our success brings together our best intelligence will be how we take on longer-

6 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 7 2017

3 Oct 1ST ANNIVERSARY OF THE NCSC CELEBRATED

11 Oct SMALL BUSINESS GUIDE PUBLISHED TimelineThis covers the period 1 September 2017 to 31 August 2018 SECURING ELECTIONS FOR EU MEMBER STATES SUMMIT HELD 23 Oct AT NCSC HEADQUARTERS

2018

5 Feb ACTIVE CYBER DEFENCE: ONE YEAR ON REPORT PUBLISHED

CHARITY SECTOR THREAT ASSESSMENT AND SMALL CHARITY 1 Mar GUIDE PUBLISHED

19 Mar CYBERFIRST GIRLS COMPETITION FINAL TOOK PLACE IN MANCHESTER

10-12 CYBERUK 2018 HOSTED IN MANCHESTER Apr

10 Apr CYBER THREAT TO UK BUSINESS JOINT REPORT WITH NATIONAL AGENCY PUBLISHED

16 Apr U.S-UK TECHNICAL ALERT ISSUED ON RUSSIAN MALICIOUS ACTIVITY

PRIME MINISTERS OF THE UK, CANADA, NEW ZEALAND AND 18 Apr AUSTRALIA MET AT THE NCSC AS PART OF THE COMMONWEALTH SUMMIT

3 May GUIDANCE FOR LOCAL AUTHORITIES AHEAD OF LOCAL ELECTIONS PUBLISHED

9 May NETWORKS AND INFORMATION SYSTEMS DIRECTIVE CAME INTO EFFECT

25 May GENERAL DATA PROTECTION REGULATION CAME INTO FORCE

THE NCSC’S CEO AND THE MINISTER FOR THE CABINET OFFICE GAVE EVIDENCE ON THE CYBER SECURITY OF THE UK’S CRITICAL NATIONAL 25 June INFRASTRUCTURE TO THE JOINT COMMITTEE ON THE NATIONAL SECURITY STRATEGY

27 June NINE START-UPS GRADUATED FROM THE NCSC CYBER ACCELERATOR • Handled 557 incidents • Added 2,361 new members onto our Cyber Security Information Sharing Partnership • Removed 138,398 unique phishing sites • Engaged with 1,968 students on our CyberFirst courses Jul-Aug HELD CYBERFIRST SUMMER COURSES FOR YOUNG PEOPLE ACROSS THE UK • Produced 214 threat assessments • Challenged 4,500 girls in the 2018 CyberFirst Girls • Produced 145,000 physical items for 170 customer Competition departments through the UK Key Production Authority 19 Jul CYBER THREAT TO LEGAL SECTOR REPORT PUBLISHED • Delivered cyber security awareness sessions to more than • Produced 134 pieces of guidance and 95 blogs 1,000 charities • Had 1.9 million visitors to our website • Welcomed visiting delegations from 54 countries 22 Aug THREE NEW ACADEMIC CENTRES OF EXCELLENCE IN CYBER SECURITY RESEARCH ANNOUNCED • Awarded more than 8,900 Cyber Essentials certificates • Hosted more than 80 stakeholder events

8 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 9 This practical guidance really matters, organisation can reasonably assess Ireland this summer; we have a because victims of cyber crime tend to to be the risks it faces. Defences also permanent member of staff based in be less concerned with the identity of need to be good enough to contain , and Glasgow will host our the attacker than the impact on their attacks that do get through, as some flagship CYBERUK event in 2019; Cardiff lives and wellbeing, and what they can inevitably will. University’s success in becoming one of do to contain the damage. our most recent Academic Centres of Therefore, understanding how cyber Excellence means all four parts of the Indeed, whilst nation state activity attacks work is vital to get ahead of UK now host one of these centres. And is the most acute threat, low- the problem. That’s why we’ve started like the rest of GCHQ, we maintain sophistication but high-volume cyber publishing guidance to boards on presence in London, Cheltenham, Bude CEO crime is the most chronic one, dealt the types of questions they can ask and Scarborough, and we will look to with at scale by our first-rate partners their cyber security teams about how expand our presence in Manchester in in law enforcement, led by the they are managing risk. More will the coming years. National Crime Agency (NCA). follow, with the aim of helping leaders understand enough technical detail This expansion of our national Whilst these incidents individually to make the right decisions. These are footprint will help us further make a are of less strategic significance, the sorts of practical steps companies mark on UK cyber security at every cumulatively they amount to a can take to make the marginal level. There is a real opportunity here strategic threat to our prosperity by improvements that will deter some – there are already signs that other undermining our confidence in the attacks, make some others less likely countries’ admiration for what the digital economy. to succeed, and lessen the impact UK is doing in cyber security could Overview of attacks that get through. This was secure a competitive advantage for the That is why our world-leading active launched with support from the CBI country in our digital future. As GCHQ cyber defence (ACD) initiative – using – an example of government and begins its second century of service automation to reduce some of the industry partnership at its best. to the UK, it is an exciting time for its most common weaknesses in cyber newest part, the NCSC. security defences – is one of our most Through our work on incidents important pieces of work. The Internet over the past year in particular, we So let me conclude by paying tribute was not designed with security in have become acutely conscious of to our exceptional teams, as well as mind and, from a security perspective, the role the supply chain plays in to our partners in the security and there are significant flaws in the way leaving organisations vulnerable to law enforcement communities, within it operates. In the 2016 National Cyber compromise. As the next generation wider government, in industry and Security Strategy, the Government of technology evolves, supply chain other organisations nationally and made a major strategic decision to try risk becomes an ever more important abroad. Moving forward on all fronts – to redress some of those structural challenge. Meeting it, particularly in using world-class data and skills from problems through the ACD programme. the telecommunications sector as the GCHQ and our partners at home and We were the first in the world to age of 5G approaches, is a top priority abroad; publishing clear, technically attempt this, reducing the damage for the NCSC, supporting the lead authoritative guidance to individuals done by large scale but basic cyber of the Secretary of State for Digital, and businesses; fixing some of the attacks, freeing up our world-class Culture, Media and Sport, and his underlying security problems inherent operatives to focus on the most potent department. That’s a key challenge in modern technology; and enhancing threats. Our aim is to take away as for our experts who lead on our and diversifying our skills base – are much of the harm from as many programme to protect the nation’s vital for our third year and for our people as we can, as often as we can. most critically important networks, mission to help make the UK the safest Cyber security is a tough, complex threat is abating. Proof of that – if it strategic or commercial reasons, and alongside their work on our social place to live and work online. challenge. But the UK is making were needed – is that in the two years give themselves a starting point – In February this year, our Technical security payments systems, the new significant progress in strengthening of our existence the NCSC has dealt ‘prepositioning’ – for a significant Director, Dr. Ian Levy, published a generation of civil nuclear reactors, our defences against those who seek with well over 1,000 cyber security attack in the future. groundbreaking paper setting out our systems to protect our national to harm us online. This matters as we incidents. the results of the first year of the defence secrets, and the payments and Ciaran Martin, look to an ever more digital future for That’s why earlier this year, along programme. The latest results show clearing networks that underpin the CEO of the National Cyber our prosperity. The majority of these incidents were, with the Government of the United that since the programme started, UK’s world-leading financial system. Security Centre we believe, perpetrated from within States, the NCSC published evidence the proportion of phishing sites in the In this report – GCHQ’s National nation states in some way hostile of Russian pre-positioning on some of world that are hosted in the UK has Finally – for us, heading in the right Cyber Security Centre’s second Annual to the UK. They were undertaken by our critical sectors, along with detailed fallen from 5.3 per cent to 2.4 per cent. direction means becoming a truly Review – we set out: groups of computer hackers directed, technical guidance to business on how This, and other impressive results, national centre, reflecting, and being sponsored or tolerated by the to get rid of it from our networks. means we are going to roll out existing present in, the communities we serve. • the latest overview of the threats governments of those countries. These measures further, and expand the We remain very proud of our work we face; groups constitute the most acute and That landmark publication – not just programme over the next few years. on skills in schools, particularly our • the progress we’ve made in meeting direct cyber threat to our national calling out unacceptable behaviour CyberFirst Girls Competition which them, including some world- security. I remain in little doubt we but providing the tools to clean it The ACD programme shows what this year attracted more than 4,500 leading initiatives to rectify some of will be tested to the full, as a centre, up – was one example of how we’ve government can do directly to improve highly talented 12 and 13-year-old the systemic security weaknesses of and as a nation, by a major incident at been moving in the right direction over cyber security. But getting ahead of female students with an interest in the modern Internet; some point in the years ahead, what the past year. It built on other, similar the problem involves equipping every cyber security. Although just over half • the cyber security challenges we would call a Category 1 attack. publications where we have drawn organisation, however large or small, of the NCSC’s senior leadership are facing families, businesses, critical on an array of technical data – some with the tools they need to protect female, there remains a mountain to network owners and government, Although there have been several classified, some not – and published themselves as best they can. climb within government service and and what they can do to meet very significant incidents, thus far, transparent, technically authoritative Getting the right cyber security nationally to harness the power of all them; and the UK has avoided a Category 1 – guidance on it. These attacks have capabilities for an organisation sections of the population and end • our plans for the future. most of our foremost international come from a range of states, as well starts with a better understanding the serious underrepresentation of all partners have not. But even if this as many non-state sources. There is of the risks. No one is asking British minority groups within the profession. Although the UK is making significant continues, we must be alert to the much, much more to the cyber security citizens and businesses to have cyber progress in improving our cyber constant threat from countries who threat to the UK than just Russia. defence capabilities akin to those We will also continue to expand our security, that does not mean that we will attack critically important national of a nation state. They just need to footprint geographically. We held our are getting everything right, or that the networks to steal information for be good enough to fend off what an first ever CyberFirst event in Northern

10 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 11 Countering the 1 Threat

At the NCSC, we take a proactive approach to securing the UK’s online defences at home and collaborating with our allies overseas. Instead of waiting for an attack, we anticipate problems and find solutions to prevent them doing harm.

12 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 13 UK share of visible Availability time Active Cyber Defence global phishing for sites spoofing attacks dropped government brands

Active Cyber Defence (ACD) is a collection of services that aim to protect the UK from the high-volume commodity from 5.3% (June down from 42 hours attacks that affect people’s everyday lives. These attacks involve using tools and techniques openly available on the internet that are relatively simple to use. 2016) to 2.4% (July (2016) to 10 hours We have developed and tested our ACD services on government with great success. Our longer-term goal is to encourage solutions like these to be adopted across other 2018) median (2018) sectors in the UK. 1 2 3 4 Mail Check Takedown Service Web Check Protective DNS Takedown Service Mail Check Spotting website weaknesses Protecting the Government Taking down malicious Blocking fake emails Over the last 12 months, the service from malicious websites content removed Web Check is a service The Protective Domain We know that people are Cyber attackers spoof email that enables UK public Name System (DNS) blocks more likely to click on a addresses to trick victims sector bodies to scan their malicious sites from being link if it appears to come into opening their phishing websites for common accessed by public bodies. from the UK Government. emails as this makes it 138,398 vulnerabilities. To help these The Takedown Service easier for them to commit bodies identify potential The aim of the service is aims to prevent identity fraud and theft. phishing sites hosted in the UK weak spots, Web Check not just to block harmful cyber criminals from Mail Check enables an generates an easy-to- sites, but to notify the impersonating organisation to authenticate understand report showing public bodies about any the Government online. the email they send so that what needs fixing and how issues so they can fix them. a receiver can determine and a further to fix it. It is currently being used In the past year, we have if it is genuine or fake. As by more than 200 public worked with Netcraft to people don’t receive the This year, every local sector organisations across remove phishing sites fake emails, they don’t have authority in England, the UK. The DNS service has that were being used to make judgments about Scotland and Wales, and now detected and blocked to impersonate the UK which attachments to open 14,116 almost all in Northern attempts to access over 30 Government and notify and which links to click on. worldwide spoofing the UK Ireland have signed up to million malicious websites. internet mail providers Government Web Check. that are sending malware Using the Domain-based to unsuspecting members Message Authentication of the public using the UK Protocol (DMARC) as part Government brand. Over of this solution, Mail Check the past year, the month- has already prevented by-month volume of each a huge number of fake Protective of these threats has fallen, emails getting through. And suggesting that criminals are the number of messages DNS Web Check using the UK Government spoofing protected UK brand less and hosting fewer Government domains of their malicious sites in has fallen, suggesting Average of We have identified the UK. that our work is deterring criminals from spoofing the unique malicious domains blocked every Government. month Protecting Government Domains 10,975 2,372 urgent findings that have been fixed

We started Mail Check in 2017. Soon after, cyber criminals After a few months we saw a significant drop in the abuse of responded by spoofing sites that look like UK Government these fake domains. We are now blocking emails spoofing domains but in fact do not exist. For example, instead of tax-service.gov.uk, and anything else that spoofers create using tax.service.gov.uk, they attempted to use tax-service. which ends in gov.uk. gov.uk. As the address does not exist, this means there is no record and as a result it will not get blocked. Working in partnership with government and technical experts, we developed a solution, Synthetic DMARC, and used Cyber Security Information Sharing Partnership (CiSP) to keep gov.uk domain administrators informed.

14 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 15 Protective DNS

International Partnerships

The NCSC’s international partnerships In partnership with the rest of help us share information and combat government, we have furthered our common cyber threats. In our second cooperation overseas, and we aim year, we had the honour of hosting to expand our reach in 2019. four Heads of Government during the Commonwealth Heads of Government Meeting in April. We have welcomed delegations from 54 countries across six continents, and we have visited 18 countries for bilateral meetings and public engagements.

What Next for Active Cyber Defence? Five Eyes Partnerships

The Five Eyes intelligence alliance New Zealand has a thriving National The cyber threat is always evolving so we need to continue We pilot our ACD tools with the public sector first and, comprises Australia, Canada, New Cyber Security Centre within their to build a pipeline of ACD services that can deal with where relevant, demonstrate the benefits to other sectors. Zealand, the and Government Communications Security them. These include a service that reports on the condition This year, we are working with a range of companies and the United States. The alliance – now Bureau. And over the past year, our of an organisation’s infrastructure, a service that helps departments to understand how we can help different nearly eight decades old – remains colleagues in Canada and Australia vulnerability researchers to report bugs in government sectors. We are also encouraging a range of technology at the heart of our international have announced the creation of websites, and an online package containing cyber exercises providers to offer similar services to their customers so that partnerships. their equivalent cyber security that help organisations prepare for an incident. together we can ensure that cyber crime doesn’t pay. organisations. With the United States, the To improve information sharing with the cyber security cornerstone remains the relationship We are very proud of the work we industry, we are continuing to develop a suite of services between GCHQ and the National all do together and as we expand which automate the processing and sharing of information Security Agency but we are working our collaboration on threat sharing, and events. We have already launched a pilot that shares closely with other U.S. agencies. joint operations and beyond, our indicators of compromise with one of the UK’s leading The U.S. Department of Homeland organisations will become closer internet service providers. This gives their customers better Security and the Federal Bureau of still, to the mutual benefit of all. protection automatically at no extra cost. “You don’t need to beat cyber crime – Investigation, with whom we released the joint Technical Alert in April 2018 As part of the ACD programme, the NCSC has started to and it would be unrealistic to think we about malicious cyber activity carried deliver a pilot host-based capability to central government. out by the Russian Government, are This involves deploying software that analyses device could. But we do want to make it as hard becoming more and more important to data to understand and detect threats that target the UK cyber security. Government’s IT systems. The service complements as possible and that means making it as an organisation’s existing cyber security and has now been successfully deployed to 14,500 government devices. The unprofitable and risky as we can for cyber number of devices enrolled will increase significantly in the coming months. By using the data this generates, we criminals to act in the UK.” were able to issue our first Threat Surface reports, help early adopters understand the attacks they face, and detect targeted cyber attacks against government systems. Dr. Ian Levy, Technical Director, NCSC

16 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 17 Keynote speech by NCSC Director of Operations Paul Chichester at NATO’s annual cyber Visit to NCSC headquarters by four Heads of Government security summit

Cyber Defence Cooperation European Security Cooperation The NCSC Hosts Four with NATO Prime Ministers During Commonwealth Summit “Cyber security affects us all as online crime Building on the Memorandum of As the next phase of the UK’s European Conferences A commitment to improve does not respect international borders. I have Understanding signed in 2017, the relationship with the rest of Europe international cyber security was made NCSC worked with NATO to deepen takes shape, our ongoing collaboration In September 2017, NCSC CEO Ciaran during a visit to the NCSC headquarters called on Commonwealth leaders to take action our shared understanding of the to tackle common cyber threats will Martin set out the importance of by four Heads of Government in April cyber threat. help protect our shared values of continued international cooperation 2018. and to work collectively to tackle this threat. freedom, democracy and prosperity. in cyber security in his keynote address We have shared information and at a major conference held in Tallinn GCHQ Director Jeremy Fleming hosted Our package of funding will enable members to taken the steps we need to take to during the Estonian Presidency of the the UK Prime Minister alongside prime strengthen our cyber defences and Protecting the Integrity of EU Council. A few weeks later he was ministers from New Zealand, Canada, review their cyber security capability and deliver to deter and respond to malicious Elections part of the Prime Minister’s delegation and Australia, where the leaders were cyber activity. to Estonia, where she attended the EU also briefed by Ciaran Martin. the stability and resilience that we all need to stay Electoral security is one of the areas Digital Summit. In a keynote speech at NATO’s annual in which we are working closely with The visit was part of the biennial safe online and grow our digital economies.” cyber security summit in October 2017, our European counterparts. In October Ciaran Martin further reinforced the UK Commonwealth Heads of Government the NCSC’s Director of Operations 2017, the NCSC hosted approximately message of unconditional commitment Meeting, in which Ciaran Martin Rt Hon. , UK Prime Minister Paul Chichester emphasised the UK’s 50 delegates from across the EU to to European security at the Munich addressed the Foreign Ministers of all support to NATO operations and discuss how to tackle interference in Security Conference in 2018, a global 53 member countries and discussed encouraged members of the Alliance to the electoral process and strengthen forum for security policy, shortly common threats and what the embrace their role as lead responders the collective response to the threat. before the Prime Minister set out Commonwealth could do together to to global attacks from state and her vision for post-Brexit European combat those threats. non-state actors, who could harm our The summit helped initiate the security cooperation. democracies and critical infrastructure. creation of a new guide to securing The summit culminated in the UK elections across Europe and beyond. Prime Minister’s announcement of Co-led by Estonia and the Czech an investment of up to £15 million1 Republic, the NCSC made a significant over the next three years to help the contribution to the product which was Commonwealth strengthen its cyber published in July, six months before security capabilities. the next round of European Parliament elections.

1https://www.gov.uk/government/news/uk-commits-to-a-safer-commonwealth-in-cyber-space

18 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 19 Behind the Scenes 2 of an Incident

This special report offers a never before seen glimpse behind the curtain of the UK’s strongest asset against cyber attacks. Members of the NCSC’s world-class incident management team explain the methodology we have used to defend against more than 1,000 cyber incidents – a rate of more than 10 per week.

20 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 21 Behind the Scenes of an Incident

At the NCSC, we are committed to being open and transparent – even to the point of now sharing the methodology we use to defend against cyber threats.

It is well known that “There are a wide range of “In the past two years, “If a tipper has been classed “At the moment our model ‘cryptonym’ – that is used the NCSC coordinates nation state and criminal we’ve had 2,011 reports Job Descriptions New Incident as ‘significant’ by the DWO, is unique, but we know that as the sole reference during defences to support UK actors targeting every – or ‘tippers’, as we call it’s elevated to an ‘incident’ world leaders and other top secret discussions. victims, but the tactics our country. The number of them,” Rachel said. “Around Categorisation and a handler is assigned countries are looking to experts deploy are much sophisticated actors is half were designated as Incident handlers System to it.” copy it.” “The operation naming less understood. This is increasing, and cyber attacks requiring further enhanced manage and respond to process probably isn’t as partly due to the covert are seen as a good way investigation. incidents, engage with Speaking about the new exciting as some might nature of some of the of pursuing criminal and victims and where necessary C1 attacks are national New Categorisation system, Mike Hulett, think!” Jamie explained. intelligence agencies they national interests. Our job is “New incidents are raised support coordinators on emergencies, causing Framework Head of Operations at the “Some people think there can draw on, and partly to make the UK the hardest as a ‘ticket’ with our significant incidents. sustained disruption of National Crime Agency’s are ‘in jokes’ or hidden because the NCSC promises target possible.” Defence Watch Officers essential services, leading to To ensure the appropriate National Cyber Crime Unit meanings, but actually the confidentiality to the (DWOs), who all come Incident coordinators severe economic or social handler manages an (NCCU), said: “We, and system randomly creates 10 companies who work The NCSC’s Head of Incident from an intelligence, law manage and coordinate consequences – or to a loss incident, it must first be others in law enforcement, options to choose from. with us. Management Adrian Searle enforcement or military cross-government response of life. assigned an attack category. have worked closely with said: “The team operates background They are able to significant incidents and Since January 2018, the the NCSC to deliver a “You choose something out of GCHQ’s main office in to determine whether it engage with victims. C2 attacks can have a UK’s cyber community has consistent and effective memorable, but it has to Meeting the Team Cheltenham and, since April meets our criteria as a serious impact on a large implemented a new incident response to cyber incidents be suitable. The names 2017, the NCSC’s London ‘significant’ incident. Incident reporters portion of the population, categorisation framework. that affect the UK. are used across the world, Two years ago, the level headquarters, Nova South. produce professional economy or government. so we also have to make of the cyber threat was Jill added: “We become products on incidents The new approach fully “Our collective sure it doesn’t translate to well known to the UK “The most prominent attack aware of incidents in a to ensure all relevant C3 attacks can have a aligns the NCSC’s work with understanding of the anything unfortunate.” Government. Since then, we have faced so far was variety of ways. As well government partners and serious impact on a large law enforcement agencies to evolving threat to the UK is the level of the threat has WannaCry, which threatened as companies contacting agencies are updated on organisation or wider defend against the growing improving, but to improve The sharing of information become unavoidable to to do unprecedented us directly, we hear about developments. government. threat, with incident further we encourage is of paramount every UK citizen. Attackers damage to the NHS in May incidents from international responders now classifying all those businesses and importance. Every morning devise new ways to harm 2017. But most attempted partners and law C4 attacks could threaten a attacks into six specific organisations which suffer a a daily ‘team campfire’ is businesses and individuals compromises are never even enforcement colleagues. medium-sized organisation. categories (C1-6) rather cyber attack to report them. held to look at the last 24 all over the world, and cyber known to the public and than the previous three. The hours and what is next. attacks are rarely out of the many are mitigated by our “It’s really important for C5 attacks include threats to new system ranges from “Timely reporting of For C1-3s, a cross-NCSC headlines. incident management team us to work closely with a small organisation. targeting the Government incidents allows the NCA Tactical Leadership Group working closely with the law enforcement. Their and critical national and NCSC to decide upon (TLG) is immediately set up NCSC Director of Operations victim organisation – and support is invaluable, and C6 attacks on individuals, infrastructure through to and deliver the most to share the facts among Paul Chichester has overall I’m proud of the work we they work with us to pursue the response would be individual citizens. effective response.” our colleagues in GCHQ command of the team do.” the adversaries behind led by law enforcement and the law enforcement that coordinates our work the attacks and ensure agencies, such as the local Paul explained: “We wanted Once an incident is put onto community. against ongoing cyber So, what happens when an protection advice gets out police force. to have a more coherent the system with a specific attacks. Facing more than attack does get through? to companies, in particular process with industry category, it is allocated an At this meeting, the team 1,000 incidents in two years smaller ones at a local and law enforcement, so incident handler. agrees its understanding of – including 557 in the last level.” developed a new, truly the technical issues, sets 12 months – may have been Learning About an national system. out clear objectives and more than some may have Incident Jamie explained: “Many “The initial evidence is The Language of ascertains how to provide expected, but it did not calls we don’t progress that it has been extremely the best possible support to shock Paul. The front line of the relate to individuals rather effective in helping us direct the victim. incident management team than organisations. While our resource against the A peculiar aspect that He reflected: “Cyber attacks includes handlers like Jill, those attacks can still be attacks we can best support arises at this stage is the Cyber security is a team are a major danger – the coordinators like Rachel and significant, they are taken against. language of espionage. All sport, and it is also volume and range are huge, reporters like Jamie. forward by Action Fraud, so C1-3 incidents are given an but they are on a trajectory we redirect those people to operational code name – or that hasn’t surprised us. them.

22 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 23 Mythbusting On 13 June 2018, Dixons Carphone plc announced that a review of its systems “I raise my glass to the UK for what they have and data had shown unauthorised access to certain data held by the company. done with NCSC – galvanising public and private While the NotPetya attack A Dixons Carphone spokesperson said: interests with that bold statement of becoming was ongoing, worldwide media reported early “Our experience engaging with the NCSC following the the safest place to live and do business online. international assessments discovery that some of our customers’ data had been And the results speak for themselves – it has that it was ransomware. The NCSC detected subject to unauthorised access has been beneficial. been amazing.” it was actually wiper malware masquerading as ransomware, and the Dave Hogue, U.S. communications team “The NCSC has been supportive and provided valuable quickly acted to ensure people stopped treating advice which has helped both shape our response and the attack as something it wasn’t – which could have ensure that we are taking all appropriate steps to ensure caused financial damage the security of our customers’ data.” without retrieving any data. Director of Communications Nicky Hudson said: “We quickly published an updated statement on our website, phoned journalists and tweeted to get the message out as quickly and clearly as possible. That worked and helped to focus people’s actions on the real threat rather than paying a ransom for something that doesn’t exist.” vital that information is ourselves, the victim think is happening and try incident is absolutely vital. Aftermath and shoulder-to-shoulder with assets? And do you have a shared to other affected and their CIR company to get them to investigate The old saying of ‘a lie can international partners, we comprehensive response areas of government. to investigate. If it’s so they can give us more get halfway around the Evaluation have been able to show that plan? The TLG findings are fed appropriate, we can enrich information. We try to work world before the truth gets An incident stops being foreign state aggression will into a cross-Whitehall any information we receive with them to identify what’s its boots on’ is particularly ‘active’ once the breach not be tolerated.” “Answering those three Strategic Leadership Group with intelligence we have, happening and help them to true in cyber security – and is sealed and no further questions isn’t going to stop (SLG). A single incident and we work with a range of fix it.” particularly dangerous. realistic assistance can be Every single incident is all of the damage, but every can be of interest to partners to further develop given. However, that is not comprehensively evaluated organisation should know multiple departments, so our understanding. For the most significant “Cyber attacks obviously the end of the NCSC’s work by coordinators, who what to do in the first 36 representatives are brought incidents, the NCSC deploys don’t adhere to to learn lessons and share diligently identify both hours of an attack.” into the meetings to discuss “It’s really helpful if boots on the ground and international boundaries findings that will help to successes and lessons the attack and identify the companies allow us access sends an incident response or time zones. Incidents make the country safer. learned. “We understand that next actions to take. to their system logs to team to the victim to offer often break during the night, defending from cyber look for indicators of hands-on support. and we need to make sure While completely Adrian explained: “There attacks can feel daunting. Supporting the compromise (IOCs), and we harmful myths are corrected. confidential, intelligence wasn’t an NCSC before 2016 The attacks we face change look for known scripts from Jamie added: “We can gained from incidents goes and we always said we are every day, and as with any Victim actors we already track. By provide direct support and “If a company has publicly into mapping the broader trying to create something response process, every time knowing who is behind the advice to victims, and help acknowledged a breach and threat landscape and leads completely new. we work on an incident we Simultaneously, the NCSC attack, we are better able to understand the nature it affects a large number to significant breakthroughs learn from it – and share works with the victim to understand intent and and extent of a compromise. of people, we work with in broader UK intelligence “That learning has not those learnings as widely as organisation to ensure they reduce the damage.” “That response enables technical colleagues to get operations. ended now we are up and possible.” have appropriate defences us to review the logs on the right advice out quickly running – we are still always in place. An important part If an incident has been a computer to locate the which people can act on.” Paul said: “By having those looking to evolve and The NCSC has been clear of business continuity and detected by the NCSC but is attack. It can be done by who track and respond improve.” that cyber attacks will take disaster recovery planning not known to the company, either looking through the The result is around to threats in the same place for the foreseeable is identifying a supplier of it falls to the incident victim’s physical system or 1,000 words of easy-to- team, it helps us to better future and it is a matter of incident response services handlers to pick up the taking a digital image of the understand, actionable understand who is targeting Mitigation, not when and not if a ‘category in advance of any serious phone and explain what has system to the NCSC labs.” advice published on the us, investigate them and Prevention one’ attack will occur. attack. happened. NCSC website within 24 share our findings. Jill said: “That’s not Public Engagement hours of an incident. The There is no silver bullet that But thanks to the expertise Rachel explained: “The always easy – we get a NCSC website receives “That can lead to public will defeat cyber attacks, and agility of our incident first thing a handler will lot of people hanging up! When a major incident hits, around 180,000 visitors per attribution – as we’ve seen but work can be done management team, the UK ask a potential victim They might think it’s just it is also vital that the public month, and is soon to be more than ever this year. to reduce the harm they has one of the best lines of is ‘Do you have a Cyber someone on the inside or are kept informed. The revamped to help users find NCSC assessments were cause. Post-event work defence in the world to help Incident Response (CIR) don’t realise the seriousness, NCSC has a range of sector relevant advice. behind attributing WannaCry also includes outreach work the country thrive in the company? We can still work so sometimes we need to engagement teams and to the North Korean Lazarus to support the victim and digital age. with them if they don’t, have persuasive skills as full-time communications Group and NotPetya to the proactively warn companies but it will often influence well as technical knowledge. staff who are embedded in Russian state. who could suffer similar how effectively they can every stage of an incident – attacks. investigate and mitigate “To help with that there’s a including a 24/7 media “When we concluded the against the attack.” contact validation form on duty service. Russian state was almost Paul added: “We always ask our website that individuals certainly responsible for them three things: Do you Jamie added: “If the can use to confirm the NCSC Director of NotPetya, it was announced know who could target you? company is happy to share identity of a member of the Communications Nicky in a joint attribution Do you know your critical information, we will set up NCSC who has contacted Hudson said: “Getting our with the United States a trilateral group between them. We explain what we messaging right during an of America. By standing

24 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 25 Building the UK’s 3 Defences

The NCSC serves every part of the UK. In our second year, we have worked to strengthen our regional partnerships, deepen our local understanding and expand our reach across the country. We seek to make sure that every corner of the UK is as well prepared as it can be for whatever incidents may hit us. We are working closely with partners in England and the devolved administrations where we have advised critical sectors including water, energy and health, and advised on the implementation of the Network and Information Systems (NIS) Directive. These partnerships are vital as they help to protect our essential services.

26 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 27 Working Across the UK

Central Government Regional Organised Crime Units “The National Cyber Security Centre has “Our engagement with NCSC this year Alongside HMRC, the , the Department for Regional Organised Crime Units (ROCUs) are trusted offered vital expertise and support to our has continued in several valuable areas, Work and Pensions, the Ministry of Defence, and the partners of the NCSC that form the Cyber PROTECT Foreign and Commonwealth Office, the NCSC is a key Network. The national policing network of Cyber PROTECT work to develop a set of action plans that from successful take-up of Active Cyber stakeholder in the Transforming Government Security officers aims to raise awareness of the threats posed Programme. This initiative transforms the way that the by cyber crime and provide advice to organisations and will help make Scotland a world leading Defence in the Welsh public sector, Government addresses its most challenging security individuals on how to protect themselves. The Network problems. As part of this, we delivered training for the is made up of over 60 officers and staff who provide nation in cyber resilience.” to raising awareness of the threat and new Senior Security Advisors, who are the focal points for communities with specialist policing capabilities for cyber security in government, to ensure they are equipped to security. Cyber PROTECT is a critical route for the NCSC support on managing incidents at several deliver the right advice on cyber security. to get its message into – and a source of feedback from – Representative of the Cyber Resilience Unit, Scottish local communities. The PROTECT network coordinator and Government events funded by Welsh Government, engagement lead are both seconded into NCSC to embed this partnership fully. to supporting the growth of cyber skills in Wales through CyberFirst courses at Devolved Administrations Digital Government Lofts “Our close working relationship with Cardiff Metropolitan University.” the NCSC is invaluable on our journey We continue to help the UK’s devolved administrations Digital Government Lofts are events where NCSC experts Representative of the Welsh Government raise cyber resilience across all sectors. We promote the brief representatives from other areas of government and to design and build the brand new adoption of ACD, CiSP and CyberFirst; provide bespoke the public sector to improve regional engagement. The Lofts technical consultancy; and present at cyber security events. take place across the country and, this year, they were held technology platform to support the We have helped to deliver a secure platform for devolved in Shipley, Glasgow, Bristol, Cardiff and London, with up to benefits in Scotland; supported the Welsh Government 80 people attending each event. devolution of social security benefits to with their plans to raise cyber resilience within their 22 local authorities; and supported the Scotland. The safe and secure transition “The inaugural Northern Ireland administration with workshops designed to link their incident management process to the national framework. of those benefits is of paramount CyberFirst Defenders course was a major importance and our early engagement success. It was a really collaborative with the NCSC, as the national technical effort and we were very pleased with the authority for cyber security, demonstrates engaging way of involving the pupils.” our commitment to the principle of ‘secure by design’.” “We are certain that this is the beginning of a long-term strategic plan which will Representative of the Social Security Directorate, Scottish Government encourage more young people to join the profession. NCSC staff were particularly helpful in providing definitive advice “The NCSC provides ROCUs with up to and guidance on policy and strategy for date information and services which we password management.” can then disseminate to SMEs and the Strategy Officer, Digital Shared Services, Northern Ireland general public.” administration

Representative from the Southern Wales ROCU Events in London and Cheltenham

We have hosted more than 80 stakeholder events at our London headquarters and at GCHQ in Cheltenham. These have ranged from regular Information Exchanges with representatives from critical national infrastructure sectors to CyberFirst activities, international visits, and training events.

28 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 29 Working with Protecting Critical the Regulators National Infrastructure NIS Directive The UK’s critical national infrastructure In the telecoms sector, our work with (CNI) supports nearly every aspect the Department for Digital, Culture, of our daily life. Our CNI is becoming Media and Sport (DCMS) has helped This year has seen the UK regulations increasingly digital, which brings real pave the way to faster 5G networks. implementing the EU NIS Directive benefits, but also raises cyber security And as we enter the ‘Great British come into force, resulting in companies risks. To combat these threats, we Space Age’, we are helping to design being designated as Operators of work with thousands of systems and four new UK spaceports to help an Essential Services (OES) and Digital hundreds of organisations across the already successful industry reach for Service Providers (DSP). The NCSC has UK. the stars. two formal roles under NIS: to act as the UK’s Cyber Incident Security Over the past year, we have supported Response Team (CSIRT); and to be many of these organisations to secure the UK’s single point of contact. As their systems. In the transport sector, the CSIRT, our role is to provide 24/7 our advice has helped to secure incident support and assistance to the next generation of vehicles. In OESs and DSPs on cyber matters. the energy sector, our experts have helped design the security of a new We have also produced guidance sustainable national grid. and developed a framework which supports the assessment of the level of cyber security achieved by OES in relation to NIS requirements. While the Mapping Critical Systems Protecting the Nation’s Exercising Capability in Civil Nuclear Exercise Securing the Air NCSC has no regulatory role in NIS, we are supporting new NIS regulators to Energy Europe develop their staffs’ skills and provide guidance on the threat that different industries face. We are working with industry and the regulators to ensure The NCSC has been working with lead The NCSC has undertaken a range of The NCSC both contributed to the We supported BEIS on the planning We have continued working with that the implementation of this government departments and industry work within the energy sector. We development of and participated in the and delivery of a technical exercise NATS, the main air navigation service directive leads to better standards of to develop a process which identifies brought together participants from European Union Agency for Network in Estonia for the UK’s civil nuclear provider in the UK, to review the cyber cyber security. the systems that are critical to our CNI, the oil and gas sector, cyber security and Information Security Cyber Europe sector. The NCSC acted as part of the security of their air traffic control including dependencies between the industry, the Department for Business, 2018 exercise for the aviation sector. ‘red team’, testing the 15 participants in and management system. A series sectors. We have mapped the critical Energy & Industrial Strategy (BEIS) and The exercise drew participants from their ability to understand and defend of rigorous technical reviews looked systems that are vital to the everyday the Oil & Gas Authority to conduct a 30 countries and enabled each to against a range of cyber threats. at their existing and new systems operation of the CNI. By better threat and vulnerability survey of the test their national incident response and made recommendations for GDPR understanding the interconnectedness sector. This resulted in a number of procedures as well as their ability to The NCSC continues to work with improvements which NATS agreed. The of the various sectors, we can improve vulnerabilities being identified which coordinate with European partners BEIS, other government departments new systems will also be compatible their resilience. will lead to improvements based on in the event of a widespread cyber and industry partners to extend with changes being made across In May, the General Data Protection our advice. incident. It involved sending out over the number and types of technical Europe over the next 20 years as Regulation (GDPR) came into force As it continues to develop, this work 23,000 ‘injects’ – updates that drive exercises available to operators in part of the Single European Sky ATM alongside the new Data Protection will provide an overarching view of our the direction of an exercise – with the their sectors. Research project. Act 2018, placing a comprehensive CNI, enabling industry and government UK receiving approximately 470. This set of new obligations on public and to concentrate their cyber security enabled the NCSC and the Department private sector organisations to protect efforts where they will have the most for Transport (DfT) to validate their all the personal data that they collect impact. procedures and identify areas for and process. development in their response. “This provided a very rich The NCSC has partnered with the scenario which taxed us Information Commissioner’s Office (ICO) to develop a set of GDPR across a broad range of security outcomes. This guidance provides an overview of what the technical abilities in many GDPR says about security and describes a set of security-related “The NCSC is a valuable partner for the Bank of England in developing the next cyber security topics.” outcomes that all organisations processing personal data should generation of the Real-Time Gross Settlement service; a high value settlement system Gavin, Nuclear Decommissioning seek to achieve. which lies at the heart of the UK’s financial system. The NCSC is providing guidance at Authority both a technical and strategic level to help the bank design a system that will meet the changing needs of the public and support innovation in the payments industry while maintaining security and resilience at the heart of the service.”

Victoria Cleland, Executive Director, Banking, Payments and Financial Resilience, the Bank of England

30 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 31 Securing Britain’s Secrets Government Missions Defending Defence Working with Industry

From the rise in mobile working to the emergence The NCSC works with the defence sector and The NCSC continues to support the Defending We cannot do any of this alone. Our industry of quantum computing, the national defence UK intelligence agencies to help preserve the Defence Programme, which was established in partners provide a vital service to keep our landscape is changing all the time. In response, national security of the UK. Our encryption 2014 with the aim to make the defence sector a communications secure. we have developed secure systems that our expertise enables the NCSC to protect the UK’s more difficult target for those that threaten our government partners and allies can trust. These national defences in a range of ways. national security. The Sovereign Enabling Framework solutions ensure government missions achieve their outcomes. Securing Secret Communications Strategic Deterrent The Sovereign Enabling Framework allows companies to work with us on cryptographic Joint Crypt Key The NCSC has continued to support the Cabinet To help the MOD protect the UK’s most sensitive key projects such as the JCKP. We designed Office’s FOXHOUND programme to deliver a capabilities, we provide support with incident this framework to ensure that companies The Joint Crypt Key Programme (JCKP) helps the secure IT and communications network (known and threat reporting, advice on cyber security working with us have a good understanding UK keep its secrets secret, share information as Rosa) across central government. Rosa offers policy and training to identify supply chain of cryptographic key and to demonstrate the effectively and ensure that it is available when the UK Government and its partners a single, vulnerabilities. behaviours we need to protect the UK. and where required. secure platform for working up to and at the SECRET classification. Joint Strike Fighter In its second year, we are pleased to welcome Working in collaboration with the Ministry two businesses onto the framework, joining the of Defence (MOD), JCKP helps us work with This year, the first phase of bespoke mobile The NCSC supported the MOD to ensure the original six companies. With their support, we foreign partners and keeps our key distribution phones that use our unique technology was secure delivery of the new F-35B fighter planes. have sustained and developed the skills, capacity technologies up to date. Now, two years into a deployed to users, and we are working with We produced cryptographic key management and capabilities of the UK’s cryptographic key 10-year plan, JCKP has helped the UK maintain the Rosa operations centre to ensure a smooth that enables the MOD to operate the aircraft industry. its standing as a world leader in cryptographic transition to the new system. The effective wherever and whenever they are needed. key services. partnership between the NCSC and the Cabinet We tested the aircraft to ensure that it met Exporting Crypt Overseas Office Government Security Group is delivering a national TEMPEST standards, which ensure that UK Key Production Authority single security solution to dozens of departments military equipment does not unintentionally emit This year, the NCSC made the biggest change and thousands of users. Our cyber security sensitive information. We also provided guidance to information security export licensing in over The UK Key Production Authority (UKKPA) is a experience means we are perfectly placed to to secure the international ground systems and a decade. Working in partnership with the critical part of the NCSC’s cryptography defences. secure the UK Government’s latest technology. provided technical expertise to mitigate the Department for International Trade and industry UKKPA generates, distributes and accounts for threat to the supply chain that supports the bodies, we released our Open General Export cryptographic key material for government, Protecting Our NATO Allies aircraft throughout its life. Licence (OGEL) for information security items. industry and our allies overseas to support secure encrypted communications. We work with NATO to help protect their Securing the Defence Supply Chain The new licence removes a large administrative communications infrastructure. Our expertise in burden for businesses and introduces a simpler, UKKPA Facts cryptography and security helps support NATO We worked with the MOD through the Defence lighter touch process for the faster export of defence efforts and ensures our armed forces get Cyber Protect Partnership to build better cyber low risk cryptographic goods from the UK. This • 170 customers across government, industry the protection they need. security into their contracting and procurement enables UK firms to compete on a more equal and law enforcement processes. We also provided defence industry playing field with the U.S. • Alongside the U.S, we are one of only two suppliers with threat briefings to help them suppliers of key material to NATO identify vulnerabilities in their supply chains. The Wassenaar Arrangement • Annually we process approximately 3,800 Our work helps protect national security orders for key material, equating to 145,000 customers and helps ensure that their The NCSC provides cryptography and cyber physical items, such as CDs and data tokens systems are not compromised. security expertise into the UK’s representation • We support the MOD, intelligence agencies, at The Wassenaar Arrangement. The Arrangement and other government departments in their is a body of technical experts from 42 states requirements for allied electronic key received who provide guidance on arms control. During from the U.S. and other partners. the 2017 negotiations, the NCSC contributed to the redrafting of the controls text for intrusion software tools. The outcome provides greater clarity of the control text and provides some exemptions where the described products are used by the cyber security industry. The NCSC’s contribution was a significant factor in achieving the progress to date. We also provided technical contribution to new areas where controls might be relaxed National or tightened.

Security “The NCSC has provided significant ongoing cyber security support within the F-35 mission support environment. The NCSC has been a critical contributor to The national security sector faces unique threats as it processes the UK’s most sensitive data and runs its most F-35 system connectivity and UK network security, enabling Defence Equipment sensitive systems. The NCSC is working hard to support them. Far from being limited to securing the defence sector, and Support to understand and mitigate risk while ensuring that security policies the NCSC’s robust encryption systems help ensure the UK Government stays secure today and in the future. and international collaborations remain robust to the cyber threat.” Caroline Dyer, Programme Manager, Ministry of Defence

32 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 33 Individuals and Families The NCSC Supporting our Citizens Online Despite the scale of the cyber threat today, vital protective actions are still routinely left at individuals’ discretion. We support a number of initiatives which help people to take the right protective action. The NCSC’s digital output has become an integral part of how we provide advice and guidance. and Economy To encourage lasting and meaningful change, the NCSC is working with other government departments on strategic This year, more than 1.9 million people have communications and initiatives that build on the success visited our website, and our Twitter and of the UK Government’s current behaviour change LinkedIn channels now reach more than 80,000 campaign, Cyber Aware. This is based on the technical people. Our content has allowed the NCSC The NCSC is committed to helping everyone stay We aim to expand and develop our offer across advice of the NCSC and promotes simple measures that to start conversations, raise awareness and safe online – from the smallest organisations the UK. We are developing a toolkit to help people can adopt to stay secure online. increase understanding across the cyber security to the biggest global brands. We have begun boards better understand the cyber threat and landscape. in-depth research to inform the content that mitigate risks. And we are working with our we deliver to our varied audiences. We have Industry 100 partners to create innovative new As the NCSC develops, so must our digital listened to users and will be incorporating their ways to raise the level of cyber security across “As data controllers, law firms handle significant presence. To deliver an improved website, we feedback into the launch of our new website. the UK. have responded to feedback and focused on The new website will have a focus on protecting volumes of confidential and sensitive giving users a much-improved journey through individuals and families, businesses, charities, the site with more intuitive navigation. and government. information and client monies as part of Our goal is to deliver a digital platform that their daily work. The Law Society sees The helps users not only understand the importance of cyber security, but also how they can protect Cyber Threat to UK Legal Sector Report as themselves at work and at home. This platform will also be a base for new digital services in the Enterprise and Organisations as a positive step to help our members spot future. vulnerabilities and put relevant safeguards and Small and Medium-Sized Charities Retail protections in place.” CiSP Enterprises Christina Blacklaws, President, The Law Society Small and medium-sized enterprises We work with the charity sector to Our work with our retail partners (SMEs) account for 99% of all ensure their good work can carry ensures the sector remains resilient The Cyber Security Information Sharing private sector businesses. With fewer on without interruption from cyber to potential attacks. In 2017, the retail Partnership (CiSP) is a joint industry and resources than larger companies, it is threats. As part of an awareness- sector contributed £194 billion to the government initiative set up to exchange cyber crucial that we do all we can to help raising campaign, the NCSC released UK economy.2 And as the largest single “The small charities guide is really useful threat information in real time, in a confidential these businesses keep themselves safe. the first ever threat assessment for employer in the UK, it is vital that we and dynamic environment. That’s why we produced our Small UK charities. The report showed that help keep it safe. because it uses simple language, it is practical Business Guide and distributed copies charities were under attack but few The benefits of CiSP include giving members around the country through the annual people in the sector were aware of the To do this, we produced the Retail and it doesn’t shroud everything in a mist of a secure environment to engage with industry business engagement event, the Small significance of the threat. Cyber Security Toolkit in partnership and government counterparts, supplying early Business Saturday Bus Tour. with the British Retail Consortium. The expertise. It just gives you some very simple warning of cyber threats, and helping members To combat the threat, we released toolkit has now been downloaded and learn from their experiences and successes of We partnered with various trade our Cyber Security: Small Charity shared thousands of times, helping to steps that you can take to make your charity other users. bodies to ensure we are tailoring our Guide. In partnership with the Charity make online shopping safer. products to meet the needs of SMEs. Commission and leading charitable more secure.” Since its launch, CiSP has grown to 10,569 users We also participated in the Prince’s bodies, the guide aims to help charities across 22 sectors and produced 20,270 pieces of Trust Business Emergency Resilience understand the risks and offers advice Education Pauline Broomhead, CEO of Foundation for Social Improvement content. Group’s ‘Would You Be Ready’ to reduce them. We collaborated campaign to ensure that businesses with The Foundation for Social We worked with Universities UK to are as resilient as they can be. Improvement to bring the guide to life raise awareness of cyber security by delivering cyber security awareness among university leaders. We also We have also developed links with sessions to more than 1,000 charities partnered with the Department for Bug Bounty regional organisations such as the across the UK. Education to produce cyber security North West Business Leadership Team. guidance for schools. “For the British Retail Consortium and our This has led to direct engagement The NCSC is working with the with universities, local authorities and National Association for Voluntary members, cyber security is at the very heart The NCSC works with vendors to help mitigate business leaders in the region. and Community Action to develop a Sport critical security issues before they cause real range of training materials for their of our work and an area where relationships harm. This includes vulnerabilities in major Legal 200 members to deliver to the 145,000 We played our part in some of the software products. As testament to our skills, charities and voluntary groups they biggest sporting events of the decade with the NCSC are vital. We look forward to the NCSC was named as one of Microsoft’s represent. This is a unique campaign by helping protect the England team top five Bounty Hunters in the first quarter of Legal services hold some of their that ensures that the work of these in the run up to the FIFA World Cup continuing our ground-breaking work into the 2018. NCSC’s expertise helps keep government, clients’ most sensitive information and vital organisations is protected. We and improving the cyber security of businesses and individuals safe and provides they are increasingly subject to cyber pride ourselves on being able to the 2018 Commonwealth Games. Our future.” support for a range of good causes as all the attacks. That’s why we produced The help safeguard those charities who training helps sports organisations bounties we win are awarded to charity. Cyber Threat to UK Legal Sector Report. safeguard others. understand that tackling cyber crime James, British Retail Consortium In partnership with The Law Society really is a team sport. and our Industry 100 legal partners, the report helps law firms understand current cyber security threats and the risks to the legal sector, and includes guidance firms can use to secure their cyber defences. 2http://researchbriefings.files.parliament.uk/documents/SN06186/SN06186.pdf

34 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 35 CYBERUK 2018 Industry 100

The NCSC’s Industry 100 initiative “Industry 100 allows us to draw on the CYBERUK is the UK Government’s This meant ensuring that we had brings together public and private flagship cyber security event. CYBERUK diversity of thought in the programme, sector talent to generate innovative best and brightest in industry – to test and is all about promoting a national and provided a positive learning ideas and collaborate on some of the conversation around cyber security environment for all participants. latest cyber security challenges across to challenge the Government’s thinking as and building a community that works a wide range of NCSC placements. together. The conference brought together we take this project forward.” 2,500 delegates with combined Since the programme began, we We were delighted to bring CYBERUK expertise across multiple disciplines have been pleased to welcome 132 Rt Hon. Philip Hammond, Chancellor of the Exchequer 2018 to Manchester, a city synonymous and professions. The event offered professionals from 60 organisations with innovation, creativity and a wealth of content on the who have come together to enhance technology. technical aspects of developing and the cyber security of the UK. implementing cyber security in the Over the three days in April, we had face of complex problems and threats. Contributors have included engaging speakers, thought provoking representatives from sectors including topics and a plethora of talent in We are pleased to announce that legal, finance, aerospace, telecoms, attendance. We were committed CYBERUK 2019 will be held in Glasgow. academia, IT, oil and gas, nuclear and to putting diversity at the heart of engineering. CYBERUK 2018. Highlights How Does Industry 100 Work?

• 2,500 delegates • 210 speakers 1 2 3 4 • 48 track and stream sessions • 26 ‘Spotlight stage’ lightning talks Industry 100 secondees will Participating organisations There are exciting and Some roles are also • 15 workshops work across a wide range are expected to continue challenging opportunities available for secondees who • 105 sponsors and exhibitors of bespoke short-term to pay salaries for Industry in all areas, including are not based at our offices. • Dragons’ Den style ‘Cyber Den’ placements at the NCSC 100 secondees, in order to security engineering, • Live cyber incident exercise normally on a part-time maintain independence. communications and Find out more: • Provided sign language interpreters basis. finance. www.ncsc.gov.uk/ for hearing-impaired delegates industry-100 • 94% of delegates rated the content of the conference as ‘excellent’ or ‘good’ • 88% of delegates rated our commitment to diversity positively “I’m proud to be part of the Industry 100 “Industry 100 has enabled me to research programme as I am at the forefront of the most pressing and emerging issues developing cyber security skills across in cyber and security affairs, something the UK. My role as a Cyber Security that has been invaluable for both King’s Educator is to build upon the work of the College London and my own academic CyberFirst programme and increase its studies. The flexible working hours at the proliferation and participation.” NCSC are very convenient, allowing me to balance my work with my continuing Zeshan, Technical Evangelist at CompTIA and Cyber Security Educator at the NCSC academic studies.” Rob, master’s student at King’s College London and CNI “CYBERUK is a tremendous conference. You get to meet a lot of interesting people in Assessor at the NCSC areas I wouldn’t normally be exposed to. It is a great community. The partnership with the people who are in attendance and who are here speaking has really evolved a lot and the initiatives, the competitions and the outreach to the community has been really amazing to watch.” Katie Moussouris, Founder, Luta Securia

36 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 37 Cyber Capability 4 for the Future

The NCSC strives to identify new ways to build the UK’s talent pipeline, promote innovation, and develop the UK’s cyber security research. Our investment in skills helps the UK remain a world leader in cyber security by developing the talent we have and attracting the best and brightest people to the industry. To ensure a secure, resilient and prosperous economy, organisations must have access to the cyber security skills they need, which is why the NCSC is working closely with the Department for Digital, Culture, Media and Sport (DCMS) to close the cyber skills gap.

38 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 39 People

The NCSC’s single greatest asset is our people. At a time of rapid change in our industry, we are helping students of all ages develop the skills they need to grow to work across the UK and have a rewarding and interesting career in cyber security.

Launch of the Cyber Schools Hub in Gloucestershire

CyberFirst Cyber Schools Hubs Certified Degrees Cyber Security Body of Knowledge

The CyberFirst programme aims to “Looking back over my time CyberFirst Girls Competition At the NCSC, we are also taking strides We believe that all UK students Through the Cyber Security Body identify and nurture exceptional young to reduce the UK’s digital skills gap. should have access to a high-quality of Knowledge (CyBOK) project, we talent, engaging students from all in the scheme, I consider Women make up only 11% of the Currently, only one in nine students education in cyber security. Assessing are identifying and defining the key backgrounds and every region. global cyber security workforce.3 chooses to take a GCSE in Computer everything from the instructor to knowledge areas required by those myself lucky to have been a Through the CyberFirst Girls Science4. Initiatives like our Cyber the facilities, NCSC-certified degree working in cyber security. CyberFirst Bursaries Competition, we are working to Schools Hubs aim to change that by programmes have helped hundreds part of such a great project. increase the number of young encouraging pupils to choose a career of students choose the right cyber After public consultation and having The CyberFirst Bursary project women in the cyber industry. in the cyber sector. security degree course for them. Since taken on board a great deal of continues to grow, and in autumn Not only has my cyber the initiative began, we have certified feedback, the project took its first big 2018 more than 500 students will have This year’s CyberFirst Girls Competition Launched in spring, our two pilot 24 master’s degrees, three integrated steps this year with the launch of the joined the initiative. Each student outlook been enhanced attracted over 4,500 girls aged 12-13. Cyber Schools Hubs in Gloucestershire master’s degrees and two bachelor’s first two of the 19 identified knowledge receives £4,000 a year and a minimum The finalists overcame 170 challenges have provided the opportunity to degrees. areas: ‘Cryptography’ and ‘Software of eight weeks’ paid cyber security but my career aspirations of varying difficulty and the top ten over 17,000 children to engage in Security’. We aim to have launched all work experience or training each teams qualified for a head-to-head events, code clubs, and fun ways to This year, analysis by the Higher 19 knowledge areas by the end of July summer with industry or government. changed completely!” final in Manchester. As part of their learn about cyber security. At one Education Standards Authority 2019. prize, all the finalists were then invited school, we held an event that took shows that UK students with a to Buckingham Palace to meet His inspiration from the popular BBC TV certified master’s degree have higher CyberFirst Degree Apprenticeships Lauren, CyberFirst Bursary student Royal Highness The Duke Of York. show Dragons’ Den to inspire students employment rates and higher salaries and increase their awareness of cyber than students on non-certified CyberFirst Girls Competition In September 2017, we ran a In 2019, we are hoping to build on security. master’s degrees. We were particularly finalists in action recruitment exercise for our brand “The competition has this year’s success by expanding the pleased to see an increase in new Cyber Security Degree Level CyberFirst Girls Competition to over The initiative has been incredibly applications from post-92 universities Apprenticeship which will see young taught me and my team- 1,000 schools. popular, and we have encouraged as well as more universities from all people working within the NCSC’s participating schools to share what around the UK. parent organisation, GCHQ. Successful mates a lot about coding they have learnt with nearby schools. applicants will start a degree The Hubs are an example of how apprenticeship, learning everything and I think I’d now like to do 2018 Winners: The Computifuls we are extending a hand to local “There has been a definite from code to emerging technologies, from The Piggott School communities and supporting projects with a potential full-time role upon computing for GCSEs.” that build our national strengths. increase in the number of graduation. applicants, which has more The apprenticeships give students Annarose, St Catherine’s College, “What a morning it was! exposure to some of the most cutting- CyberFirst Girls Competition finalist than trebled since gaining edge technologies and practical from Northern Ireland As someone working in insights into the innovative ways we certified status.” use them. In our first year, we have the cyber and technology already made over 100 offers of an Representative of University apprenticeship and were pleased to industry and a father of two of South Wales welcome our first intake in September 2018. We hope this programme will kids who will be making open up a career in cyber security for a wide range of people – not just those their own career choices who choose to go to university. in the coming years, I came CyberFirst Courses away feeling inspired, This year, we held CyberFirst courses in Edinburgh, Belfast, Cardiff and enlightened and also Southampton as well as 23 free, week- long summer courses at universities somewhat humbled by across the UK. the experience.”

Richard, company director and dragon 3https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf at the school event

40 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 41 Research Quality

We worked with external partners Organisations need confidence that to support programmes that put the the people, products and services UK at the forefront of cyber security that help them manage their risk will research. This gives us access to world improve their security, not undermine -class experts and helps the NCSC to it. Working with our external assurance discover new ways to keep the UK’s partners, we operate a number of information safe. commercial initiatives that give organisations the evidence to help them differentiate the good from the Academic Centres of Research Institutes The Initiate Portfolio bad. Excellence in Cyber Security Research Institutes help us to develop An important part of the NCSC’s work Cyber Essentials Certified Cyber Security Consultancy Research cyber security capability in strategically is to anticipate how cyber security important areas. will evolve and discover new ways to keep the UK’s information safe. One Helping guard against the most The Certified Cyber Security Currently there are 23 organisations Universities which are recognised by In the past year, all our Institutes of the ways we do this is through the common, internet-based cyber threats, Consultancy gives customers across the UK who have achieved the NCSC and the Engineering and have increased expertise in every Initiate Portfolio which brings together the Cyber Essentials programme is independent, expert cyber security certification by demonstrating that Physical Sciences Research Council research area while deepening their the technical expertise of the NCSC available to all UK organisations, advice from a pool of certified the services they deliver meet the (EPSRC) as an Academic Centre of relationships with industry. The with the latest industry practices and of any size and sector, that want to professional service providers. The NCSC’s standards for high quality cyber Excellence in Cyber Security Research Institutes also successfully attracted academic research. demonstrate their commitment to initiative certifies organisations security advice in the areas of risk (ACE-CSR) have been assessed as match funding to complement the cyber security. Over the past year, we through a robust process of evidence management, risk assessment, security producing world-leading, impactful funds received from government. In The Portfolio includes a range of have more than doubled the number assessment and interview, to provide architecture, and audit and review. cyber security research. November 2017, we saw the launch projects, from developing the next of certificates issued, with the award of bespoke cyber security services that of the Research Institute in Secure generation of cryptographic devices over 8,900 new certificates. This brings meet the NCSC’s demanding standards. When the ACE-CSR programme was Hardware and Embedded Systems at to finding new ways to reduce data the total to 15,826 since the initiative launched, only eight universities were Queen’s University Belfast, which will loss. As just one example, we led began in 2014. We are currently successful at the assessment panel. announce its first funded projects in a research project to investigate reviewing the programme to make After the most recent assessments in December 2018. vulnerabilities in medical devices sure it is as effective and affordable as 2018, 17 universities have now been that use Wi-Fi or Bluetooth. This has possible. recognised. This is testament to the The results have been outstanding. enabled government departments to universities’ growing support for A start-up from Imperial College manage the risk and help staff use cyber security research. In return, London, whose work focuses on the these devices. Future projects include the ACEs-CSR get the chance to build automated testing of graphics, has developing common standards for their profile, receive international been acquired by Google. Middlesex devices connected to the Internet of recognition and showcase the UK’s University’s work on the verification Things. research capabilities on the global of security protocols uses physics to stage. develop a cryptosystem that is immune With funding from the MOD, to quantum computer attacks. And the UK intelligence agencies, the University of Glasgow, the University Cabinet Office and the Foreign and Innovation of Birmingham and the University of Commonwealth Office, the NCSC will Bristol are all measuring the impact of continue to help the Government the EU NIS Directive. harness innovation, utilise ground- breaking new technologies and keep Innovation takes new thinking “The opportunity to be our information secure. and insights and turns them into the things we need to live and do part of the NCSC Cyber business in cyberspace. We work with DCMS to create an ecosystem that Accelerator programme Launch of the Research Institute in Doctoral Studentship will transform ideas into real world Secure Hardware and Embedded solutions. This brings our experts afforded Trust Elevate Systems, Queen’s University Belfast Programme together with small businesses to help solve the cyber security challenges we unprecedented access face today. At the heart of this is the The NCSC’s sponsored Doctoral NCSC’s Cyber Accelerator. to cyber security experts, Studentships Programme helps increase the number of UK nationals support and guidance, undertaking cyber security research, Cyber Accelerator which will make a real difference to which was and continues the UK’s security. Aiming to nurture innovation in cyber In the past 18 months, the first two to be instrumental in The students often make discoveries, security, the NCSC’s nine-month cohorts raised more than £20 million for example, vulnerabilities in products Cyber Accelerator saw nine companies in funding, created 19 UK jobs and won accelerating our growth or standards, which are then reported develop products and services that will 15 trials and contracts worth over £3 to the manufacturer or the appropriate enhance the UK’s cyber defences. million. We’re now recruiting for a third and reach.” authority. The programme also offers cohort to start in late 2018. students the opportunity to undertake This included a service to solve the work placements within the NCSC and problem of age verification and Dr. Rachel O’Connell, has led to several students successfully parental consent for young people in CEO of Trust Elevate applying for subsequent employment online transactions, and another that with the NCSC. connects Internet of Things devices with end-to-end authenticated, encrypted security.

42 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 43 CyberFirst Courses ACEs-CSR

University of Birmingham University of Bristol Venue Course University of Cambridge Cardiff University University of Birmingham Defenders, Futures and Advanced University of Edinburgh Cardiff Metropolitan University Queens Adventurers, Defenders, Futures and Advanced Imperial College London Cleeve School Adventurers University of Kent Dean Close Adventurers King’s College London University of Gloucestershire Adventurers Lancaster University Imperial College London Defenders, Futures and Advanced Newcastle University Lancaster University Defenders, Futures and Advanced University of Oxford Manchester High School for Girls Adventurers Queen’s University Belfast NCSC headquarters Adventurers Royal Holloway, University of London Newcastle University Defenders, Futures and Advanced University of Southampton Newent Community School Adventurers, Defenders, Futures and Advanced University of Surrey Nottingham University Adventurers University College London Queen’s University Belfast Adventurers University of Warwick Royal Holloway , University of London Futures University of Southampton Adventurers Stirling University Adventurers University of Warwick Adventurers, Defenders, Futures and Advanced University of the West of Scotland Defenders, Futures and Advanced NCSC Certified Degree Providers

To find out more, visit: Abertay University www.ncsc.gov.uk/information/cyberfirst-courses University of Birmingham University of Bradford Cranfield University De Montfort University Edinburgh Napier University Innovation Imperial College London University of Kent Kingston University Cyber Accelerator – Cheltenham Innovation Centre Lancaster University University of Oxford Oxford Brookes University Queen’s University Belfast Royal Holloway, University of London Research Institutes - Host Universities Royal Holloway, University of London University of Southampton University of South Wales Research Institute in Science of Cyber Security (RISCS) – UCL, London University of Surrey Research Institute in Verified Trustworthy Software Systems (RIVeTSS) - Imperial College, London University College London Research Institute in Trustworthy Inter-Connected Cyber-Physical Systems (RITICS) - Imperial, London University of Warwick Research Institute in Secure Hardware and Embedded Systems (RISE) - Queens University Belfast University of the West of England University of York

44 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 45 The NCSC’s parent organisation, GCHQ, will be 100 years old in 2019. Founded as the Government Code & Cypher School 100 Years of the Cyber Mission in 1919, before changing its name to Government Communications Headquarters (GCHQ) in 1946 – and it has been keeping Britain safe ever since.

1919 1936 1944 1950s 1970 1988 Government Alan Turing Single national Alvis, the first Public Key The Morris Worm Code and Cypher writes a paper authority for machine of Cryptography computer virus School (GC&CS) On Computable communications the electronic is conceived 1981 is distributed is established Numbers, security is era, is created by James Ellis Early malware via the internet, with intelligence proposing established and remains at GCHQ begins to be resulting in the and security a universal the workhorse discovered at creation of the functions computing for secure 1969 scale. A year first Computer machine 1946 communications GCHQ incorporates later, Elk Cloner Emergency 1943 First use of for over 30 years the Communications- spreads beyond Response Team The first Colossus computers Electronic Security the lab it was (CERT) in the U.S. 1926 computer, the to generate Group (CESG) created in An emergency proto-computer, cryptographic- becoming National codebook was created for the material Technical Authority is issued to Newmanry section for all aspects of national at Bletchley Park cryptology authorities during the General Strike

2018 1996 The NCSC dealt The BRENT Secure with its first 1,000 Telephone is 2010 2016 cyber incidents – introduced to The National Cyber The NCSC is created a rate of more than provide secure Security programme 2014 as a ‘one-stop shop’ CERT-UK, the 10 per week 2019 communications of £860 million is for cyber security, national computer GCHQ’s across the whole announced to deliver uniting separate emergency response GCHQ commences centenary events of government the ‘National Cyber parts of government team, is launched celebrations for its include an Security Strategy that had a role in 100th anniversary and exhibition at the 2011-2016’ this area, within launches its second Science Museum GCHQ puzzle book to mark exploring the 2015 the occasion science behind 1989 1997 2013 The ‘National 2017 keeping the The concept of Introduction of The National Crime Security Strategy The NCSC led country safe, the World Wide the Government Agency and its 2016– 2021’ is the UK response which opens Web is created by Secure Intranet National Cyber Crime launched, confirming to the global in summer Sir Tim Berners- (GSI), connecting Unit is launched cyber as a top- outbreak of 2019; and the Lee UK Government tier threat to the Wannacry publication of its computer networks UK’s economic and ransomware first authorised national security history in autumn 2019

46 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 47 48 NCSC ANNUAL REVIEW 2018 NCSC ANNUAL REVIEW 2018 49 Can you find the secret codeword? Visit ncsc.gov.uk/annual-review-2018 To find out more visit: ncsc.gov.uk

@NCSC

National Cyber Security Centre

©Crown copyright 2018. Photographs produced with permission from third parties. NCSC information licensed for re-use under Open Government Licence (http://www.nationalarchives.gov.uk/doc/open-government-licence).

Designed and created by Agent Marketing Ltd. agentmarketing.co.uk