Following on from our previous blog post, UK Cyber Security Strategy in a Nutshell, we thought it might be useful to summarise the general approach of HM Government to cyber security and highlight some of the resources that might be useful to UK-based (and possibly non UK-based) organizations. Cyber security was identified as one of four major threats to the UK in the Government’s National Security Strategy in 2015.
As a quick reminder, the UK government has allocated £1.9 billion towards the problem of cyber security and is approaching it from four angles:
DEFEND – try to stop it happening
DETER – hunt down those that do it
DEVELOP – nurture the talent for the future
INTERNATIONAL ACTION – get other countries to help
The strategy involves the creation of some new organizations, the merging of some old ones and the re-emphasis of a number of existing initiatives. At first sight it may appear to be a confusing mixture of loosely-connected resources so we’ll try to make some sense of how it all fits together.
The central hub of UK cyber activity continues to be GCHQ (Government Communications Head Quarters) based in Cheltenham with regional hubs in Scarborough, Bude, Harrogate and Manchester. GCHQ works with MI5 and the Secret Intelligence Service (SIS, also known as MI6) to protect the UK from a variety of threats including cybercrime, terrorism and whichever foreign nations are causing trouble at the time. The current Director of GCHQ is a guy called Robert Hannigan who has a long track record in advising government on national security issues and according to the GCHQ website is a fan of “hurling and Gaelic football”.
The centrepiece of the new structure is the National Cyber Security Centre (NCSC), part of GCHQ, which brings together and replaces a number of existing organizations under one roof, including:
CERT-UK – used to deal with the handling of cyber incidents; this is now a role of the NCSC
CPNI – Centre for the Protection of National Infrastructure, still exists and is part of the NCSC; focussed on making sure the lights don’t go out amongst other high priority goals
CESG – previously the information security arm of GCHQ, now replaced by the NCSC
CiSP – Cyber Information Sharing Partnership, a platform to allow industry and the Government to share real-time information about current threats. This is now run by the NCSC.
The NCSC publishes a wide range of guidance on cyber security issues, informed by the experience of GCHQ. It also issues a weekly threat report detailing the kinds of malware currently being seen in cyberspace. Finally, the NCSC has responsibility for co-ordinating some forms of education and research in cyber security and runs a certification scheme covering people, products and services. A new conference, CyberUK has been launched in 2017, hosted by the NCSC and intended to inform both government agencies and industry.
In conjunction with the SANS Institute HM Government has launched a Cyber Retraining Academy, a ten week programme open to people with no previous exposure to cyber security and aimed at starting to address the current cyber security skills shortage.
Another useful Government resource is the Information Commissioner’s Office. Based in Wilmslow, Cheshire, the ICO is an independent public body that reports into the Department for Media, Culture and Sport. Elizabeth Denham was appointed UK Information Commissioner in July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada. Appropriately given her role in Privacy, we were unable to find out via the Internet if Elizabeth also likes “hurling and Gaelic football” or anything else.
The ICO primarily deals with data protection and privacy issues and has the power to issue fines to organizations that breach relevant legislation such as the Data Protection Act and in future the EU General Data Protection Regulation (depending on Brexit, watch this space).
In these days of cyberwarfare you won’t be surprised to know that the UK military has its own capabilities in this area. The newly-formed Cyber Security Operations Centre at MOD Corsham (in the West Country, near Bath) is a dedicated facility focussed on defending military networks from attack. The offensive side of the UK’s cyber capability is mounted by the National Offensive Cyber Programme (NOCP), a partnership between GCHQ and the MoD. Supported by the recent Investigatory Powers Act 2016 this programme will consist of proactive state-sponsored hacking and cyber-attacks against whatever targets are deemed appropriate.
The battle against cyber-crime continues unabated and is led in the UK by the National Cyber Crime Unit, NCCU. This is part of the National Crime Agency, NCA (the UK equivalent of the FBI but, let’s face it, not as cool) and it deals with regional units across the country, including the Metropolitan Police Cyber Crime Unit. Each Regional Cyber Crime Unit (RCCU) has officers working to raise awareness amongst people and organizations in their area as well as investigating more serious cases of cybercrime. The NCA co-operates with GCHQ to investigate specific types of cyber crime via a Joint Operations Cell (JOC), mainly focussed on online child exploitation within the Dark Web.
At a more local level, each of the 43 Police Forces in the UK also have a responsibility to record and investigate cybercrime, with varying degrees of knowledge and success. They are helped by the guidance issued by the National Police Chiefs’ Council which co-ordinates best practices in cybercrime investigation via the Digital Policing Board led by the Chief Constable of Essex Police.
As well as getting involved directly in Cyberspace, HM Government also tries to encourage the private sector and members of the public to take steps to protect themselves from cybercrime via a number of initiatives.
GetSafeOnline is a privately-owned website supported and promoted by the government aimed at individuals and small businesses and provides a variety of best practice advice to avoid becoming a victim. CyberAware (formerly CyberStreetwise) is the official HM Government effort and uses a rather mean-looking ginger cat to encourage people and businesses to adopt basic precautions.
But the government’s flagship initiative to encourage better cyber security amongst UK businesses is the Cyber Essentials Scheme. This proposes security controls in five main areas:
Organizations can become certified to Cyber Essentials at two levels – Basic, via a self-assessment questionnaire and Plus, which includes a basic penetration test by an approved organization. The scheme is effectively a cut-down version of the Ten Steps to Cyber Security, issued by GCHQ and there are some plans to require organizations dealing with the government to have Cyber Essentials certification in the future. But be in no doubt that Cyber Essentials is basic at best and represents an attempt to raise the standard of cyber security in UK businesses from bad to merely ok. The scheme also suffers from a lack of awareness amongst UK businesses; in the most recent government survey, only 6% of organizations had heard of Cyber Essentials versus 18% for the ISO/IEC 27001 standard.
In the event that the worst happens and a cybercrime is experienced, the main method for reporting these is via the Action Fraud website which is run by the City of London Police working alongside the National Fraud Intelligence Bureau. Logging a cybercrime on Action Fraud will allow a crime number to be obtained, possibly for insurance purposes, but the premise behind the website is more for building a bigger picture rather than expecting any direct action for your specific crime. This is useful is you need to keep an eye on the latest scams doing the rounds.
So what are the main points from this quick run-through of the UK government’s approach to cyber security? Well, certainly central government is getting its own act together in a big way and recognizing the need to build capability and develop skills for the future. Similarly, law enforcement is waking up to the fact that traditional methods of policing are no longer enough and they are putting things in place at least at the national and regional level to tackle the cybercrime problem.
Probably the main area of weakness remains the lack of awareness and engagement within industry, particularly at the SME level where the attitude of “security through obscurity” still seems to prevail. The government still has its work cut out to get the message across that effective cyber security is not optional but a must-have in the 21st century.