The new National Cyber Security Centre began its first day of operations on Monday 3rd October. In a speech by Ciaran Martin, the new NCSC Chief Executive, at a Cyber Security Summit in Washington DC in September, he set out the UK’s new approach to cyber security.
Security officials, Martin said were sometimes accused of seeking to thwart or slow the onset of the technology that underpins the digital revolution. A claim, he emphatically rejected, saying ‘our job is to help make the digital economy and digital Government work, by making it safer’.
Martin described the approach to be adopted by the NCSC. A key element is ‘organisational coherence’. Cyber, he said, cuts across lots of different public authorities and the NCSC is designed to bring together various sources of expertise into a single organisation, including some of the best protective security experts in MI5, CERT-UK and GCHQ, together with formalised and integrated operational partnerships with law enforcement, defence and private industry.
A second and ‘absolutely essential’ part of the strategy is our core national defensive cyber capabilities, to tackle those who genuinely merit the description ‘APT’. There are various aspects to this, he said, including maintenance of the UK’s status as one of the few sovereign cryptographic nations for our most sensitive secrets. Another is our development of lawful and carefully governed offensive cyber capabilities to combat and deter the most aggressive threats.
The most exciting and innovative part of the plan, he said, is what we call ‘active cyber defence’. This, in addition to disruptive and potentially lawfully governed defensive capabilities, is where the Government takes specific action with industry to address large scale, non-sophisticated attacks.
As an example, he explained: We need to make sure UK Government email is trusted, so we need to stop people spoofing our .gov.uk domain. To do that we set a DMARC policy as a trial to stop emails from the wrong IP sets, or with the wrong key, purporting to come from .gov.uk, from being delivered to the intended recipient. Instead, they get delivered to ‘us’. So, whoever was sending 58,000 malicious emails per day from the delightfully named firstname.lastname@example.org isn’t doing it anymore.
Lastly, he said, we want to be judged on results. Hard data and hard, credible evidence has been scarce in cyber security thus far. Part of the agenda will be the publication of data and evidence about what is and isn’t working, and metrics about the outcomes achieved. If we succeed, we want to be able to prove it, not just assert it. If we fail, we don’t expect to be able to hide.