The National Cyber Security Centre (NCSC) has defended the UK against more than 600 cyber attacks in the past year alone, bringing the total number to almost 1,800 since the Centre’s formation back in 2016. These figures are contained in the NCSC’s third Annual Review, which also sets out the various ways in which the organisation has been protecting the public.
Over the period of the review, the NCSC has dealt with 658 incidents. A significant number of those incidents continue to emanate from hostile nation states.
In the most wide-ranging review yet produced by the NCSC, which is a part of GCHQ, significant disclosures include:
* The pioneering Operation Haulster, which automatically flagged fraudulent intention against more than one million stolen credit cards, as a direct result protecting hundreds of thousands of people from financial loss
* A machine to improve the efficiency of information sharing around threats to the UK, in turn speeding up the process from a matter of hours to just seconds
* A breakdown (for the first time) of the sectors which are given the most support from the NCSC’s Incident Management team, with Government heading the list, followed by academia, IT, managed service providers and – in joint fifth – health and transport
Oliver Dowden, minister for the Cabinet Office, said: “We’ve made great progress on making the UK safer since launching our world-leading £1.9 billion Cyber Security Strategy in 2015. Establishing the NCSC was a key part of this and has played a central role in tackling online threats posed by criminals, hacktivists and hostile nation states. As the Cabinet Office minister responsible for resilience against cyber attacks and protecting our Critical National Infrastructure, I very much welcome the achievements laid out in this Annual Review which show that we’re making the UK a more challenging place for our cyber adversaries to operate in.”
Breadth of outstanding work
NCSC CEO Ciaran Martin explained: “This review gives a real insight into the breadth of the outstanding work being done by the NCSC and underlines why we’re a world leader in cyber security. From handling more than 600 incidents – many from hostile nation states – through to equipping the public with the tools they need to stay safe online, we’re employing our expertise on a number of fronts. I’m proud to lead this organisation and optimistic that, in a constantly evolving landscape, we can help make this the safest country in which to live and work online.”
Elsewhere in the review, the key role the NCSC plays in protecting the democratic process is highlighted. The organisation meets with UK political parties every three months and regularly gives cyber security advice to Parliamentarians. During this year’s local and European elections, the NCSC provided parties with guidance on risks and advice on protecting people and systems.
The success of the Active Cyber Defence (ACD) Programme is also highlighted. ACD is the NCSC’s world-leading, bold and interventionist approach that stops millions of cyber attacks from ever happening.
ACD features a number of pioneering programmes, such as the Takedown Service, which finds malicious sites and sends notifications to the host to have them removed. Thanks to this service, 98% of phishing URLs discovered to be malicious were taken down (a total of 177,335 phishing URLs). Of those, 62.4% were removed in the first hour.
There are also examples in the review of how the NCSC is helping to defend individuals and families from the cyber threat, including via Operation Haulster. As a result of the latter, fraudulent intention against more than a million credit cards was automatically flagged to banks, in the majority of cases before a crime had taken place. This means hundreds of thousands of people were protected before they lost a penny.
The review underlines the NCSC’s commitment to sharing as much threat information as possible in real time, in the form of the new Indicator of Compromise (IoC) machine. Previously, it took several hours for officials to be able to share information relating to threats to the UK, but the IoC machine can identify what can be shared in a matter of seconds – though the final decision still lies with an individual.
Over the period of the review, the NCSC also:
* handled 658 incidents, with support provided to almost 900 victim organisations
* produced 154 threat assessments for a range of sectors
* delivered, along with sector and law enforcement partners, cyber security awareness and training sessions to more than 2,700 charities
* welcomed visiting delegations from 56 countries
* enabled 2,886 small businesses across the UK to do simulated cyber exercising for themselves
* challenged 11,802 girls in the 2019 CyberFirst Girls Competition
Stopping credit card fraud
Referencing the NCSC’s pioneering operation to stop hundreds of thousands of people from losing money to credit card fraud, Caroline Hermon (head of Artificial Intelligence at SAS UK & Ireland) commented: “The rapid expansion of payment services over the last few years has led to consumer demands for convenience and flexibility with new payment methods. Banks and other financial institutions are aware that they must meet these demands, but they’re also aware that these new payment systems leave them open to new forms of fraud. The challenge therefore centres around how banks can adapt to these new types of fraud without damaging the customer experience through large numbers of false positives.”
Hermon continued: “Where payment fraud was historically driven by card cloning, it has since migrated to transactions where the card does not need to be present, such as online purchases. While it’s true that this provides the customer with a more seamless experience, it also aids fraudsters by helping them to access funds through illicit transactions and gives banks less time to detect fraudulent activity. To detect instances of payment fraud, organisations need to take an agile approach as there’s little time for drawn-out checks. However, with up to 10% of rejected orders believed to be valid, they also need to do everything possible to ensure that their prevention systems avoid too many false positives.”
In addition, Hermon commented: “There are many actions that businesses can take to protect themselves from these security threats. For a start, moving from a rules-based to a machine learning analytics system will help to overcome the problem of false positives. These approaches are particularly useful to detect rare payment fraud events hidden in Big Data sets. Moreover, they reduce the false positive rate by learning customer behaviour over time so that normal behaviour for an individual does not raise alerts.”
In conclusion, Hermon stated: “Ultimately, payment fraud detection systems must be able to look at payment processes from end-to-end and also across channels. While it’s important that banks keep up with consumer expectations to ensure a positive customer experience, they cannot lose track of the privacy and fraud implications that come with seamless payments.”
Attack attribution by geography
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, has commented: “The National Cyber Security Centre does a laudable job with proactive, preventive and educative efforts in cyber space. Its transparent communications with the stakeholders are likewise greatly beneficial and serve as a decent example to other European countries.”
He continued: “I would, however, be prudent with attack attribution by geography, especially when we’re talking about APTs and otherwise sophisticated attacks. For example, it’s not that infrequent to see cyber criminals purposely taking control of law enforcement IT infrastructure and using it as an exit point when carrying out intrusions. Political tensions and the complexities of international criminal law exacerbate an already overly complicated incident forensics process, often making breaches technically uninvestigable. Thus, reliable attack attribution remains a highly complicated challenge today.”
Also, Kolochenko observed: “Security awareness and education should remain a vital part of a national cyber security strategy. Given the rapid proliferation of technology into our daily lives with the Internet of Technologies and mobile technologies, everyone’s a potential victim. Most of the attacks targeting UK consumers and businesses leverage some trickery and can be effectively prevented by non-technical means.”