A long term strategy for cyber security
Challenges remain in the fight for cyber security. Open Access Government’s Ciara Ruane highlights the work being undertaken to keep the UK safe
Following the cyber-attack on the NHS earlier this year questions have been raised as to how both the public and private sector can protect themselves from hackers. The recently launched National Cyber Security Centre (NCSC) released a statement at the time of the attack, saying: “The NCSC is aware of an incident and is working around the clock with the UK Parliamentary digital security team to understand what has happened and advise on the necessary mitigating actions.”
Launched in 2016, the NCSC collaborates with other government departments such as defence, intelligence, and law enforcement. Speaking about the launch of the centre, Chancellor Phillip Hammond, said: “The cyberattacks that we are seeing are increasing in their frequency, their severity, and their sophistication. In the first 3 months of its existence, the NCSC has already mobilised to respond to attacks on 188 occasions. “The NCSC will play a unique and crucial role bringing together the public and the business community on the one hand, and our intelligence and security agencies on the other.”
Strategy for security
In November 2016, the government announced the new National Cyber Security Strategy, which was part of the Active Cyber Defence (ACD) programme. The centre aims to work with other national and international organisations to gather information needed to detect, prevent, and solve potential threats to digital infrastructure. They aim to register government and other high-profile domains and emails through the DMARC (domain-based message authentication, reporting and conformance), a move which will soon become mandatory, as well as creating a centralised registry system for the public sector. They have partnered with Nominet, a Domain Name Service (DNS) that prevents access to known harmful domains, and provides analytics data to provide insight into the state of IT in the public sector.
The NCSC has also set up a free WebCheck service, which aims to scan sites for common vulnerabilities. Currently running on a prototype with 150 users, the service targets points such as security certificates and out of date domains, notifying the organisations responsible for them. They have also been working with Netcraft, a private company, creating an email address where public sector organisations can provide the URLs of potential scam sites, to identify and take them down within around 24 hours of their creation. This is a service which they aim to expand, which will identify both malware and phishing sites and issue takedown notifications within a few hours.
They have also outlined plans to develop new identification techniques beyond current protocol such as password registration. Facial recognition software and other such technologies would, they claim, provide a more airtight identification process. Through the GOV.UK verify service, the government offers choices of certified companies, such as the Post Office, which can verify your identity with the information you give them. It aims to shorten and simplify the registration process while providing an extra layer of security. The NCSC has also identified the need to gather wide ranging unbiased data on the digital landscape so that future threats can be identified, which is a key aim for their overall defence strategy.
Protecting organisations from attack
The NHS attack itself was caused by a group of hackers using a ‘cyber weapon’ called Eternal Blue developed by the US government to access the files of suspected terrorists. ‘WannaCry’ exploited a weakness in Microsoft, which has now been patched. Microsoft’s legal head Brad Smith criticised the US government for developing the system and urged them to become more transparent, saying the attack could have been prevented otherwise. Edward Snowden also criticised the government for not identifying the flaw in Microsoft operating systems when they found it. The ransomware tricked victims into opening links that corrupted their systems and blocked their files, requiring bitcoin payments to regain access. Hence, the emphasis on avoiding opening links in suspect emails.
After the attack, Microsoft said that those using the most up to date version of their antivirus software would be protected. One researcher is said to have accidentally found a way to prevent further spread for the time being. The NCSC has a section of their website dedicated to advising protection against WannaCry. It names the patches and updates available through Microsoft, and offer their own ‘Cyber Essentials’ programme, which is now mandatory for government contract suppliers and can be installed for small businesses and other organisations.
Speaking at London Tech Week, NCSC CEO Ciaren Martin outlined how organisations can protect themselves from such threats. “There are a whole range of basic protections that can be layered to build up your defences.
“Understanding the threat environment is important of course. During WannaCry we sent out three simple messages: keep security software patches up to date, use AV and back up as you can’t be held to ransom if you’re backed up.”
Open Access Government