Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre

Page created by Johnnie Mills
 
CONTINUE READING
Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre
Annual Review 2019
Making the UK the safest place to live and work online
Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre
Annual Review 2019

Welcome
Since the National Cyber Security Centre (NCSC)
was created in 2016 as part of the government’s
five-year National Cyber Security Strategy, it
has worked to make the UK the safest place
to live and work online. This review of its third
year provides an update on some of the latest
developments and highlights, with interviews,
data and a chance to hear from some of the
people working on the NCSC’s mission. It provides
a snapshot of the organisation’s work over the
period 1 September 2018 to 31 August 2019, with
some key milestones along the way.

The NCSC has also produced a digital report
where you can see this year’s events come to
life at:

ncsc.gov.uk/annual-review-2019

                                    National Cyber Security Centre   3
Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre
Annual Review 2019                                                                                                                                   Annual Review 2019

Ministerial foreword                                                                                            Contents

                                                                                                                6    CEO foreword
The United Kingdom has one of the most                  security protection on the “Internet of Things” –
digitally-developed economies in the world,             digital devices embedded in everyday objects
transforming the lives of citizens, driving             manufactured around the world, ranging from

                                                                                                                8    Timeline
innovation, and fuelling job opportunities and          video doorbells and “nanny-cams” to fridges
national growth. We can be proud that in the            and ovens, which enable them to send and
National Cyber Security Centre (NCSC) we have           receive data. This is a concern for our government,

                                                                                                                12   Cyber security for individuals and families
a world-leading body for digital protection which,      as the Prime Minister made clear in September
since its launch in 2016, has made the UK safer         2019 during his speech to the United Nations
and its defences stronger. Ensuring the UK remains      General Assembly, when he called for emerging

                                                                                                                20   Targeting the biggest risks
the most secure place to live and do business           technologies to be designed with the right
online, and upholding public trust in our digital       safeguards already in place to protect people.
systems, are personal priorities for me and a key       We can all be proud of the NCSC’s influence

                                                                                                                46 Countering the adversary
part of this government’s vision for the UK. As the     already in this area, working closely with partners
Cabinet Office Minister responsible for resilience      across government and internationally.
and the National Cyber Security Strategy, I very

                                                                                                                54 International cooperation
much welcome the achievements and progress              Every chapter of the NCSC’s Annual Review is
laid out in this Annual Review.                         testament to the hard work and achievements
                                                        of its staff and leadership. The NCSC operates

                                                                                                                60 Securing the digital homeland
Establishing the NCSC was a key pillar of the           in a complex landscape in which the contours
National Cyber Security Strategy 2016-2021,             are constantly changing and there is no room
which has transformed the UK’s fight against            for complacency. Securing the internet is a

                                                                                                                74   Cyber capability for the future
evolving online threats posed by criminals,             24/7 challenge, 365 days a year, and cannot be
hacktivists and hostile nation states. Backed by        shouldered by any one organisation. While the
£1.9 billion in funding, and with a deliberately        government, through the National Cyber Security

                                                                                                                90 Celebrating 100 years of GCHQ's cyber mission
interventionist and comprehensive approach,             Strategy and Centre, can lead the way, we are
the Strategy is acclaimed by other nations as           also dependent on our partners in industry and
a model of its kind. Any digital economy must           academia - and across society as a whole - for
be alert to new threats, and to changes in              a joint approach to tackling cyber security. This
existing threats. The NCSC benefits from being          is a long-term mission, and I congratulate the
part of GCHQ: it fuses the best of our national         NCSC for helping to build a pipeline of specialist
security capabilities with cutting-edge technical       talent for the future to achieve this. One of the
knowledge to thwart the menace of global cyber          many ways it supports this mission is through
crime. In October 2018, for example, its work           its CyberFirst programme, which develops the
ensured that the UK and our allies were able to         careers and expertise of our younger digital
expose attacks launched by Russian military             natives and brings new generations into the
intelligence on political institutions, and business,   UK’s fight for a more resilient digital future.
media and sporting interests.
                                                        It is impossible to predict what the future will look
The NCSC works on behalf of many millions of            like. But we know that we have the organisation
citizens and organisations. This Annual Review          and the tools we need to look ahead and remain
reveals important technical interventions on            resilient. Through the Strategy, and the tireless
behalf of individuals and families, as well as          work of the NCSC, we are scaling up the systems,
for businesses, national and local government,          structures and capabilities necessary to respond
and critical national infrastructure. One such          quickly to threats – not only now, but to the end
example of this is the ground-breaking work it          of the Strategy and beyond.
has done to reduce credit card fraud, preventing
hundreds of thousands of cases in the past year.

On the international stage, too, the NCSC is
extremely active. It shares the UK’s specialist
knowledge across borders to help strengthen
global cyber defences and shape global
attitudes to deterring and tackling cyber crime                            Rt Hon Oliver Dowden CBE MP,
wherever it may originate. Over the past year                              Paymaster General and Minister
this has included a drive to increase the                                  for the Cabinet Office

4    National Cyber Security Centre                                                                                                                    National Cyber Security Centre   5
Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre
Annual Review 2019                                                                                                                                            Annual Review 2019

CEO foreword
It is a privilege to present the National Cyber      Iran and North Korea continue to pose strategic       The importance of partnerships in cyber
Security Centre’s third Annual Review.               national security threats to the UK, but we can’t     security, both at home and abroad, cannot
                                                     often talk about the operational successes and        be over emphasised. We are learning that
It’s very hard to condense the world-leading work    the full range of the NCSC, GCHQ and wider state      securing the nation’s digital future is not
the NCSC does in 12 months into one document,        capabilities that are deployed against them.          just about protecting networks and devices –
but I hope this review gives you an insight into                                                           it’s about inspiring a safe and trusted product
what we are doing to understand, reduce and          Whether it’s state attacks or global cyber crime,     base, and a skilled and diverse workforce who
respond to cyber attacks.                            it’s the basics that matter. The most immediate       can make the cyber landscape work for the
                                                     threats to UK citizens and businesses come from       whole of the UK.
There certainly is a lot to be proud of – for        large scale global cyber crime. Despite often
example, thanks to the innovation of our technical   being low in sophistication, these attacks threaten   At a time when confidence in the internet
experts, we have been able to increase the           our social fabric, our way of life and our economic   across the world is under strain, there is much
number of threat indicators we share by tenfold      prosperity. That is why so much of the NCSC’s         within this review to inspire pride and optimism.
to more than 1,000 per month, and the speed we       efforts are geared towards raising our defences       The NCSC is proud to have helped to deliver the
process them from days to seconds.                   against all threats in cyberspace. There are many     Cabinet Office-led strategy to make the country
                                                     operational successes in this field – particularly    the safest place to live and work online, and this
There is of course much work to do – as shown        our pioneering Active Cyber Defence work.             year the UK was rated first in the Global Cyber
by the 658 incidents we supported this year.                                                               Security Index published by the International
For the first time ever, in this review, these       Looking ahead, there is also the risk that            Telecommunication Union (ITU).
incidents are broken down into the most affected     advanced cyber attack techniques could find
sectors. We believe that being transparent helps     their way into the hands of new actors, through       None of our achievements would be possible
to target the interventions we need to help those    proliferation of such tools on the open market.       if it were not for the exceptional people I am
who are most vulnerable.                             Additionally, we must always be mindful of the risk   delighted to call my colleagues at the NCSC.
                                                     of accidental impact from other attacks. Cyber        The work they do inspires me on a daily basis,
However, sometimes transparency has its limits.      security has moved away from the exclusive            and it is an honour to lead them.
A significant proportion of our work has continued   prevail of security and intelligence agencies
to take the form of defending against hostile        towards one that needs the involvement of all         Ciaran Martin
state actors. We can say that Russia, China,         of government, and indeed all of society.             CEO of the National Cyber Security Centre

6    National Cyber Security Centre                                                                                                                             National Cyber Security Centre   7
Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre
Annual Review 2019                                                                                                                                                                   Annual Review 2019

Timeline
This covers the period 1 September 2018 to 31 August 2019

                                     14 Oct                                                   20 Dec                                                                      21 Mar
    12 Sept                          Secure by Design                                         UK and allies                                      13 Feb                   NCSC Board
    NCSC CEO delivers                ‘Code of Practice             23 Nov                     expose APT10                                       NCSC Directors           Toolkit launched           28 Mar
    speech at the                    for Consumer                  Advice to shop             of cyber attacks                                   meet with Ministers      to encourage               Fifth annual
    Confederation of                 Internet of                   safely online on           on intellectual                                    at the National          essential                  report from
    British Industry’s Cyber         Things Security’              Black Friday and           property and       7 Jan                           Assembly for Wales       cyber security             the Huawei
    Conference to help               published with                Cyber Monday               sensitive          Guidance on                     in Cardiff               discussions                Cyber Security
    business leaders                 the Department                published in               commercial         cyber security                  to discuss how           between the                Evaluation Centre
    understand and manage            of Digital, Culture,          partnership                data in Europe,    for major events                to boost Welsh           Board and their            Oversight Board
    cyber security risks             Media and Sport               with retailers             Asia and the US    published                       cyber defences           technical experts          published

                   03 Oct                                   22 Nov                    29 Nov                                        29 Jan                        12 Mar                       24-25 Mar
                   UK, Dutch and other                      NCSC CEO                  UK’s ‘Equities Process’                       Academic Centres              New NCSC web                 Royal Masonic
                   allies expose GRU                        meets with the            published on how                              of Excellence in              platform launched            School for Girls
                   (Russian military                        First Minister of         vulnerabilities are                           Cyber Security                including bespoke            crowned winners
                   intelligence) cyber                      Scotland, Members         identified and handled                        Research visit NCSC           guidance for six             of the NCSC’s
                   attacks targeting                        of the Scottish                                                         headquarters to               new audience                 CyberFirst Girls
                   political institutions,                  Parliament and the                                                      take part in strategic        categories                   Competition at the
                   businesses, media                        Chief Constable                                                         discussions                                                final which took
                   and sport                                of Police Scotland                                                                                                                 place in Edinburgh
                                                            in Edinburgh to
                                                            discuss ways
                                                            to boost cyber
                                                            security in Scotland

8   National Cyber Security Centre                                                                                                                                                    National Cyber Security Centre   9
Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre
Annual Review 2019                                                                                                                                        Annual Review 2019

                                                                                                                                   Year Three Highlight Statistics

                                                                                                                                      Handled 658 incidents

                                                                                                                                      Provided support to almost 900
                                                                                                                                      victim organisations

                                                                                                                                      Produced 154 threat assessments

                                                                                                                                      Took down 177,335 phishing URLs, 62.4% of
                                                                 25 June                                                              which were removed within 24 hours
                                                                 De Montfort
                                                                 and Northumbria                                                      2.8 million visitors to the NCSC’s website
                                                                 Universities
                          23 May                  13 June        recognised                                   Aug                     Added more than 5,000 new members onto the
                          NATO Cyber              ‘Top Tips      as Academic         16 July                  Appointment             Cyber Security Information Sharing Partnership
     24-25 Apr            Defence Pledge          for Staff’     Centres of          ‘Active Cyber            of IASME
     CYBERUK              Conference              e-learning     Excellence in       Defence – the            Consortium Ltd          Produced 108,411 physical items for 170 customers
     2019 hosted          held at NCSC            package        Cyber Security      second year’             as new Cyber            through the UK Key Production Authority
     in Glasgow           headquarters            launched       Research            report published         Essentials partner
                                                                                                                                      Produced 34 pieces of guidance and 69 blogs

                                                                                                                                      Awarded 14,234 Cyber Essentials certificates

                                                                                                                                      Enabled 2,886 small businesses across the UK
         25 Apr                       11 June              18 June                 10 July              July / Aug                    to do simulated cyber exercising for themselves
         Exercise in a                Guidance for         150 women from          Seven companies      22 CyberFirst
         Box online tool              small businesses     across the UK’s         graduate from        summer courses                Challenged 11,802 girls in the 2019 CyberFirst
         launched to help             to respond and       intelligence,           the NCSC Cyber       for children and              Girls Competition
         organisations test           recover from a       government              Accelerator for      young adults
         and practice their           cyber incident       and security            innovative           held throughout               Engaged with 2,614 students on the NCSC’s
         response to a                published            communities             start-ups            the country to                CyberFirst courses
         cyber attack                                      attended the                                 develop the UK’s
                                                           ‘Women in Security                           next generation of            Supported 250 extra teaching hours of computer
                                                           Network’ event                               cyber professionals           science across 4 schools through Cyber Schools
                                                           held at NCSC                                                               Hub activities
                                                           headquarters
                                                                                                                                      Delivered, along with sector and law enforcement
                                                                                                                                      partners, cyber security awareness and training
                                                                                                                                      sessions to more than 2,700 charities

                                                                                                                                      20 countries visited by the NCSC

                                                                                                                                      Welcomed visiting delegations from 56 countries

                                                                                                                                      Hosted 197 events, with more than 9,000 attendees

10   National Cyber Security Centre                                                                                                                         National Cyber Security Centre   11
Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre
Annual Review 2019                                                      Annual Review 2019

                                      Cyber security
                                      for individuals
                                      and families
                                      The government’s vision is         Reducing the burden
                                      for the UK to be prosperous        The general public is protected
                                      and confident in the digital       from the majority of online
                                      world whilst remaining secure      harm ever reaching them.
                                      and resilient to cyber threats.    The action they need to take
                                      Central to the NCSC’s mission      to secure their devices and
                                      is ensuring people of all ages     online services is minimal.
                                      across the UK are more secure
                                      when using internet-connected      Making it easier
                                      devices and online services.       Citizens can act upon the cyber
                                                                         security advice they receive,
                                      The NCSC understands               whatever device or online
                                      people’s attitudes and             service they use.
                                      behaviours towards cyber
                                      security and targets efforts       Equipping the nation
                                      based on its understanding         People are given the confidence
                                      of risk and vulnerability.         and tools to protect themselves
                                      The NCSC’s approach                and those around them.
                                      enables constant learning,
                                      by joining up the threat           Raising awareness
                                      picture and intelligence with      Enabling the general public to
                                      continually evolving insight,      better protect themselves and
                                      based on deep experience           share knowledge with others.
                                      of managing incidents.

                                      It will take a holistic approach
                                      to deliver cyber security for
                                      individuals and families through
                                      the following interventions:

12   National Cyber Security Centre                                       National Cyber Security Centre   13
Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre
Annual Review 2019                                                                                                                                                                    Annual Review 2019

Understanding the threat                                                                                        Reducing the burden:
In the year ending March 2019, it is estimated             malicious emails, social engineering                 Secure by Design
that there were just under one million (966,000)           (the manipulation of people into performing an
incidents of computer misuse experienced by                action or giving away confidential information),     Many consumer products that are connected                Alongside work encouraging, and eventually
adults aged 16 and over.1                                  water holing (a website infected with malware        to the internet are found to lack basic security         mandating, manufacturers to make (and keep)
                                                           or containing a link to malware) and by making       features, putting consumers’ privacy and security        their products secure, the NCSC and DCMS have
Whilst this represents a significant reduction on          them download malicious software and apps.           at risk. The NCSC has been working closely with          published guidance to help people protect
the previous year, the large volume still shows                                                                 the Department for Digital, Culture, Media and           themselves. Grounded in its technical expertise,
that we cannot be complacent.                              Once the criminals have access, they can use         Sport (DCMS) to support consumer ‘Internet of            this includes advice on setting up devices,
                                                           malware and ransomware to access individuals’        Things’ (IoT) manufacturers of all sizes to ensure       checking default settings, and managing updates.
Some typical ways in which criminals access                accounts, steal data, and even stop people           their devices have good cyber security practices
citizens’ online activity are through sending              accessing their own files, accounts and devices.     built in from the design stage.
                                                                                                                                                                         “The progress we have made
                                                                                                                As the UK’s lead technical authority, the NCSC
                                                                                                                provided the technical grounding and insight             on ‘Secure by Design’ has
Making cyber security relevant                                                                                  for the government’s Secure by Design Code of
                                                                                                                Practice for consumer IoT security, published in
                                                                                                                October 2018. The code presents a clear set of
                                                                                                                                                                         been the product of a great

to people in their everyday lives                                                                               13 guidelines for manufacturers to embed into
                                                                                                                their devices.
                                                                                                                                                                         partnership between DCMS
                                                                                                                                                                         and the NCSC. Both on the
                                                                                                                The NCSC and DCMS engage with international
                                                                                                                standards bodies that create industry-led                development of standards
               The NCSC's approach to                      The NCSC’s advice for individuals                    standards for IoT security. In February 2019, the
               ‘you-shaped’ security                       and families                                         European Telecommunications Standards Institute          that are based in the language
                                                                                                                (ETSI) launched the first globally applicable
     The NCSC is dedicated to finding ways of                                                                   standard on the cyber security of internet-              of our Code of Practice, or
     making cyber security relevant to people in           Protect your accounts...                             connected consumer devices, ETSI TS 103 645.
     their everyday lives.                                                                                      This technical specification builds on the Code of       through productive challenge
                                                                  Use a unique and separate password for        Practice, creating a community-driven standard
     “We look at the interaction between people                   your email                                    with a global scope.                                     sessions on our future
     and technology and try to make it easier for
     people to be secure as they get on with all the              Use three random words to create a strong     The NCSC and DCMS do not think it is right to            regulation proposals, we
     things they need to do,” says the NCSC's Helen.              and memorable password                        expect all consumers to be ‘cyber security experts’
                                                                                                                and wish to remove the burden from them having           work together as a united
     “One of the most important things we’ve seen                 Store your passwords somewhere safe:          to differentiate products that do or do not take
     is the changing mindset between the idea                     save to your browser or use a password        their responsibility to security seriously. That’s why   front towards our ambition
     of ‘let’s alter the behaviour of the person or               manager                                       the NCSC has also worked closely with DCMS’
     assume they are going to make a mistake’                                                                   consultation on regulation, preparing to eradicate       of protecting citizens and the
     to ‘how can we support developers to make                    Add extra security to important online        worst practice and embed transparency between
     more secure and user-friendly products?’”                    accounts: turn on two-factor authentication   the manufacturer and the consumer at the point           wider economy from harm.”
                                                                                                                of purchase.
     Ceri, another NCSC expert, says “We are looking                                                                                                                     Peter Stephens, Head of Secure by Design,
     to move security away from being mainly about         Look after your devices...                                                                                    Department for Digital, Culture, Media and Sport
     threat and vulnerability – the idea that there’s
     always somebody trying to attack you – to a                  Set your phone and tablet to
     more positive conversation that shows people                 automatically update
     security should not be a barrier to things they                                                            “Everybody needs to know how to stay safe online, and our
     want to do.                                                  Install the latest updates on your phone
                                                                  and tablet when prompted                      new website is full of actionable advice to protect you and
     “Instead of forcing security rules on people,
     we are aiming to make it more approachable                   Turn on back up for data stored on your       your loved ones.
     through clearer language. To do this, we look                phone and tablet
     towards experts in communications, marketing
     and advertising, to refresh the message, always
     with the aim of ensuring the public feel that                                                              “While it is formed from the expertise of the UK’s top cyber security
     security is a help, not a hindrance. There is a lot
     of work that goes into ensuring that a simple                                                              brains, it’s vital that the advice can be understood by everyone.”
     message reaches the right spot.”
                                                           1   Crime Survey for England and Wales 2019          Nicola Hudson, Director Policy and Communications, NCSC

14       National Cyber Security Centre                                                                                                                                                     National Cyber Security Centre   15
Annual Review 2019                                                                                                                                                                                                                             Annual Review 2019
                                                                                                                                                                                                           % strongly

UK Cyber Survey 2019
                                                                                                                                                                                                           agree
                                                                                                                                                          % strongly
                                                                                                                                                          disagree                     4
                                                                                                                                                                                                 15
The first UK Cyber Survey was conducted this                                   The UK Cyber Survey found that people are                                                    20
year to better understand what the general public                              concerned, confused and, to some extent,
and organisations think, feel and do – and don’t                               fatalistic that they will become victims of                                                                                                    37% agree that losing money or
                                                                                                                                                                                       agree
do – about cyber security across the country.                                  cyber crime.
                                                                                                                                                                                                             22               personal details over the internet
                                                                                                                                                                                        37%
                                                                                                                                                                                                                              is unavoidable these days.
The polling was independently carried out on                                   The insights are informing the government’s
behalf of the NCSC and DCMS.                                                   approach, and the guidance offered by the
                                                                               NCSC, to help organisations and the public                                                     31
                                                                               protect themselves against cyber threats.                                                                           8                 % tend
                                                                                                                                                                                                                     to agree
                                                                                                                                                            % tend to
                                                                                                                                                            disagree
                                                                                                                                                                                                             % neither/
                         % nothing
                                                             % a great                                                                                                                                       nor
                         at all
                                                             deal

                                   7       1                                                                                                                                      % very low
                                                     15
     % not very                                                                                                                                                      % fairly low priority                 % very high
     much                                                                                                                                                            priority                              priority
                       23                                                                                                                                 % medium
                               know great deal                                 Two in three say they know a                                               priority                 4 41
                                /fair amount                                   great deal/fair amount about how
                                     68%                                       to protect themselves online.                                                               12

                                                                                                                                                                                                                              80% say cyber security is a high
                                                                                                                                                                                   high priority                              priority to them, half citing it a
                                                                                                                                                                                       80%                  50
                                                    53                                                                                                                                                                        ‘very’ high priority.
                                                              % a fair
                                                              amount                                                                                                       30

                                                                                                                                                        % fairly high
                                                                                                                                                        priority

70% believe they will likely be a victim of at least one specific type of cyber crime over
the next two years, and most feel there would be a big personal impact.
                                                                                                                                                                                                      % strongly
                                                                                                                                                                                                      agree
                      likely to happen to you over the next two years

                      very/fairly big impact
                                                                                                                                                       % strongly                       2
                                                                                                                                                       disagree                                  17

                                                                                                                                                                         33
                                                                                                                                                                                                                              One in three rely to some extent
                                                                                                                                                                                      agree
                                                                                                                                                                                       34%                   17               on friends and family for help on
                                                                                                                                                                                                                              cyber security.

                                                                                                                                                                                                       7
                                                                                                                                                                                     23                                  % tend to
                                                                                                                                                                                                                         agree
                                                                                                                                                                                                       % neither/
                                                                                                                                                                                                       nor

                                                                                                                                                                              % tend to
                                                                                                                                                                              disagree
         Having              Personal            Apps on your           Having a        Having money      Losing access to       Personal
                                                                                                                                               Note
      money stolen      information such        devices such as     power cut in your   stolen which is    your accounts       information     The UK Cyber Survey 2019 was commissioned by the National Cyber Security Centre and Department for Digital, Culture,
      which is then      as photos being       Uber, Deliveroo or    home because       not reimbursed      such as your     such as photos    Media and Sport as part of the UK government’s National Cyber Security Programme.
      reimbursed         accessed in an        Instagram being         your energy                           backups or       being stolen
                        unauthorised way       accessed without       company has                          cloud storage       and access
                                                 your consent       suffered a cyber                                          denied until a   Ipsos MORI surveyed 2,700+ respondents: general public aged 16+, businesses, charities and public sector representatives
                                                                         attack                                              ransom is paid    from November 2018 to January 2019 via telephone.
16                                                                                                                                                                                                                                                                           17
Annual Review 2019                                                                                                                                                   Annual Review 2019

Quietly fixing the technology                                                                                  Most_Hacked_Passwords
A significant priority for the NCSC is keeping       Securing the UK’s mobile networks
individuals and families safe from cyber
threats. It does this by bringing its technical      Mobile networks worldwide establish signalling
and operational expertise to bear, to identify       connections between one another to support
and fix cyber security problems.                     a range of services, such as international calls
                                                     and roaming. As these connections could also
By working behind the scenes, the NCSC can           be used to negatively impact services in the UK,
ensure that cyber security issues have as little     the NCSC has worked with mobile operators to
impact on UK citizens as possible, in many           perform live security testing of the UK’s signalling
cases resolving problems before they arise.          interfaces. The NCSC has now tested 19 networks
After all, prevention is better than cure.           of different types across the six major mobile
                                                     operators and has fed back the results of the
Haulster: Automated defence                          testing to those operators.
of credit cards
                                                     This has helped the operators, with the support
The NCSC’s pioneering Haulster operation has         of the NCSC, to better understand the risk,
disrupted financial cyber crime by flagging          share best practice and make improvements.
fraudulent intention against more than one           Ultimately, this will help to ensure the UK’s mobile
million stolen credit cards. It is in the process    services become more secure and robust.
of scaling this operation, and hope to reduce
considerably more attacks in the near future.        Protecting our internet routing

Increasingly, criminal groups are using criminal     The Border Gateway Protocol (BGP) is used
marketplaces in cyberspace to buy and sell           to route the internet between Internet Service
personal information and credit card details.        Providers (ISPs) around the world. When BGP
Haulster takes stolen credit cards collected by      is misused, either accidentally or maliciously,
the NCSC and partners, then, working with UK         it can disrupt the internet until the issue is
Finance, repatriates them to banks, often before     resolved. For example, sending data via an
they are ever used for crime. Card providers are     attacker’s network.
then able to block cards to protect both financial
institutions and the public.                         The quicker misuse is discovered, the lower the
                                                     impact, which is why the NCSC has worked with
In most cases, this has been done before a           a major UK carrier to speed up the UK’s response
crime has taken place, meaning hundreds of           to BGP misuse. The NCSC has built BGP Spotlight,
thousands of victims of high-end cyber crime         a detection and analysis system for BGP, that will                                                                          X                 A

were protected before they lost a penny.             alert the UK’s carriers when BGP misuse occurs to
                                                     allow them to respond quickly, analyse the cause,
Online shopping                                      and minimise disruption to the UK’s internet.

Criminals had been exploiting Magento,               BGP Spotlight processes 25 million messages
an open source ecommerce shopping                    per hour from over 200 sources, converting these
platform commonly deployed on many websites.         into 800,000 daily events across 240,000 unique
They had written malicious JavaScript code           destinations, a number which is set to expand as
which copied all credit card transactions and        UK ISPs are in the process of adding data to, and
silently sent the results to domains controlled      receiving alerts from, the BGP Spotlight system.                                                                                                   V
by them. The NCSC conducted a successful trial
to identify and mitigate vulnerable Magento carts
via take down to protect the public. The work
now continues. To date, the NCSC has taken
down 1,102 attacks running skimming code               The NCSC has published analysis of the
(with 19% taken down within 24 hours of                100,000 most commonly re-occurring
discovery). Without the NCSC’s Active Cyber            passwords accessed by third parties in
Defence intervention, it is likely these attacks       global cyber breaches, having been sold
would have continued indefinitely.                     or shared by hackers.

                                                       The NCSC aims to reduce risk of further
                                                       breaches by building awareness of how
                                                       attackers use easy-to-guess passwords.               List created in April 2019 after breached usernames and
                                                                                                            passwords were published on ‘Have I Been Pwned’ website.

18   National Cyber Security Centre                                                                                                                                    National Cyber Security Centre       19
Annual Review 2019                                                       Annual Review 2019

                                      Targeting the
                                      biggest risks:
                                      what we do to protect people

                                      The UK continues to be one of       The NCSC’s breadth of work,
                                      the most digitally advanced         programmes and projects,
                                      countries in the world, with our    together with its close
                                      lives being online more than        partnerships with industry
                                      ever before. As this digitisation   and government, mean that
                                      continues, it is vital that the     it is able to help protect the
                                      UK remains able to protect its      institutions, infrastructure and
                                      organisations, business and         services that people so heavily
                                      citizens against cyber crime.       rely on day to day.

20   National Cyber Security Centre                                        National Cyber Security Centre    21
Annual Review 2019                                                                                                                                                                                                                  Annual Review 2019

Active Cyber                                                                                                                          Takedown Service                                           Web Check

Defence                                                                                                                               98% of phishing URLs
                                                                                                                                                                                                 Change over time of the number of users signed
                                                                                                                                                                                                 up to Web Check, by month.

                                                      UK share of visible
                                                                                                                                      discovered to be malicious were successfully
                                                                                                                                                                                                                                                                           3,200
A cooperative approach: the UK’s                                                                                                      taken down.
Active Cyber Defence programme
                                                      global phishing
                                                      attacks reduced to
The ultimate goal for Active Cyber Defence                                                                                                                                                       Number
                                                                                                                                                                                                 of Web
(ACD) is for there to be fewer cyber attacks                                                                                          This totalled                                               Check      2,387
                                                                                                                                                                                                  users

                                                      2.1% (August 2019).                                                             177,335 phishing URLs
in the world, causing less harm. It represents
a significant step-change in the country’s
approach to cyber security, because of its
voluntary, non-regulatory, non-statutory                                                                                              (23,311 attacks by group).
approach delivered in partnership with
central government, local government                  UK share of global phishing – change over time                                                                                                       Sep
                                                                                                                                                                                                            18
                                                                                                                                                                                                                          Nov
                                                                                                                                                                                                                           18
                                                                                                                                                                                                                                      Jan
                                                                                                                                                                                                                                       19
                                                                                                                                                                                                                                                 Mar
                                                                                                                                                                                                                                                  19
                                                                                                                                                                                                                                                            May
                                                                                                                                                                                                                                                             19
                                                                                                                                                                                                                                                                       Jul
                                                                                                                                                                                                                                                                       19
and business.                                         from June 2016 to Aug 2019

As difficult as this sounds, the NCSC can              5.31%                                                                          62.4%                                                      The number of urgent findings resolved
provide evidence that it works. In sharing                                                                                                                                                       by users after being detected by Web Check
this knowledge, it hopes to inspire other                                                                                             of these were removed within 24 hours of being             doubled to a level of approximately

                                                                                                                                                                                                 500 per month
countries to adopt bold measures,                                                                           3.33%                     determined malicious.
in partnership with industry, to protect
their digital homelands.
                                                                                                                              2.07%
                                                      Jun   Sep   Dec   Mar   Jun   Sep   Dec   Mar   Jun   Sep   Dec   Mar   Jun
                                                       16    16    16    17    17    17    17    18    18    18    18    19    19
Active Cyber Defence includes some of the                                                                                             Mail Check                                                 Protective DNS
following pioneering programmes:

1    Web Check helps make websites a less
                                                                                                                                                                                                 More than double
                                                                                                                                      More government domains are now using DMARC,

                                                      In 2016, HMRC was
     attractive target, by finding obvious security                                                                                   the email authentication, policy and reporting
     issues and pointing them out to the website’s                                                                                    protocol, making phishing attacks which spoof

                                                      the 16th most phished
     owner so that they can be fixed.                                                                                                 these domains more difficult.                              the number of government organisations
                                                                                                                                                                                                 are now protected by the PDNS, preventing
2 Protective DNS (PDNS) blocks public sector
                                                      brand globally. In Sept
                                                                                                                                      Change over time of the number of gov.uk                   them from accessing websites hosting known
  organisations from accessing known malicious                                                                                        domains using Mail Check/DMARC, by month.                  malicious content.

                                                      2019, as a result of ACD
  domains or allowing malware on already
  compromised networks from calling home.

                                                      services and HMRC                                                                                                                          460+ organisations
                                                                                                                                                                                        1782
3 Takedown Service finds malicious sites and

                                                      countermeasures,
  sends notifications to the host or owner to get                                                                                                                                   Domains
                                                                                                                                                                                    with DMARC
  them removed from the internet.                                                                                                                                                                are using the service and it blocks around

                                                      their ranking had
                                                                                                                                       Number
                                                                                                                                      of domains
                                                                                                                                                                                                 20,000 unique domains at a rate of 6.5 million
4 Mail Check helps public sector organisations                                                                                                                                                   times per month.

                                                      dropped to 126th in
  take control of their emails, making phishing
  attacks which spoof those organisations                                                                                                           220

                                                      the world.
  more difficult.                                                                                                                                                                                Change over time of the number of active
                                                                                                                                                                                                 organisations using PDNS, by month for the
                                                                                                                                                   Jul    Nov   Mar   Jul   Nov   Mar      Jul
                                                                                                                                                    17     17    18   18     18    19      19    period of this report.

                                                                                                                                                                                                                                                                             460

                                                                                                                                                                                                  Number of
                                                                                                                                                                                                 organisations

                                                                                                                                                                                                                  216

                                                                                                                                                                                                                 Aug 18     Oct 18    Dec 18    Feb 19   Apr 19   Jun 19     Aug 19

22     National Cyber Security Centre                                                                                                                                                                                                National Cyber Security Centre             23
Annual Review 2019                                                                                                                                               Annual Review 2019

Case studies                                                                                          “The NCSC is not the only                What’s next
                                                                                                      organisation with good
                                                                                                      ideas, and the UK is not the
                                                                                                                                               for Active
                                                                                                      only country connected to                Cyber Defence?
                                                                                                      the internet. We welcome
                                                                                                                                               Active Cyber Defence has protected thousands
                                                                                                      partnerships with people                 of UK citizens and further reduced the threat of
                                                                                                                                               UK brands being exploited by criminals.
                                                                                                      and organisations who wish
                                                                                                      to contribute to the Active              While these successes are encouraging, the NCSC
         Protecting schools                                 Protecting the legal sector                                                        knows there is more to do and it has a number of
                                                                                                      Cyber Defence service                    projects in the pipeline, including:

Active Cyber Defence tools highlighted a local      For the first time, the NCSC used ACD tools       ecosystem, analysis of the               • An automated system which acts on
authority (LA) primary school network behaving      to tackle advanced fee fraud impersonating                                                   information from the public to take down
as though infected with Ramnit – a worm which       the UK legal sector. Both bogus law firms,        data, contributing data or                 malicious sites.
affects Windows systems. The LA was notified,       and impersonation of legitimate law firms,
and an investigation found that the antivirus       are techniques used by fraudsters in an           infrastructure to help it make           • The NCSC 'Internet Weather Centre', which will
that was installed on the school’s systems was      attempt to increase the credibility of their                                                 aim to draw on multiple data sources to enable
not working. As a result, the school had a wide     attacks. Increasingly, scammers use real law      better inferences. We believe              full understanding of the UK’s digital landscape.
level of infection. Not only did the Active Cyber   firms and other entities to try to make their
Defence tool block the malicious connections,       attacks look more legitimate.                     that evidence-based cyber                • The Infrastructure Check service: a web-based
containing any harm, it also identified the                                                                                                      tool to help public sector and critical national
malware and notified the LA. The LA was able                                                          security policy – driven by                infrastructure providers scan their internet
to install a working antivirus and the infection                                                                                                 connected infrastructure for vulnerabilities.
was cleaned up within a day.                                                                          evidence and data rather
                                                                                                                                               • Breach Check: a web-based tool to help
                                                                                                      than hyperbole and fear                    government and private sector organisations
                                                                                                                                                 check whether employee email addresses
                                                                                                      – is the way forward.”                     have been compromised in a data breach.

                                                                                                      Dr. Ian Levy, Technical Director, NCSC   • The NCSC is also exploring additional ways
                                                                                                                                                 to use the data created as part of the normal
                                                                                                                                                 operation of the public sector protective
                                                                                                                                                 DNS service to help users better understand
                                                            ADVADGAA                                                                             and protect the technologies in use on
                                                                                                                                                 their networks.

                                                                                                                                               Protective DNS is actively engaging with
         Protecting airports                                Protecting emergency services                                                      organisations from central government, local
                                                                                                                                               authorities, emergency services, devolved
                                                                                                                                               administrations, the NHS and Ministry of Defence
The NCSC has been tackling the abuse of public      Two fire services merged to form a new super                                               (MoD). For those sectors that are not eligible to
sector email domains in the UK. One such incident   service with a new name and associated internet                                            use PDNS, the NCSC is working with industry to
occurred when criminals tried to send in excess     domain. One of the organisations subsequently                                              broaden the benefits of the service. The NCSC
of 200,000 emails purporting to be from a UK        deregistered their original domain. However in                                             intends to share indicators of compromise
airport, using a non-existent gov.uk address in a   just three months, Synthetic DMARC blocked more                                            with DNS providers to use on their own services.
bid to defraud people. However, the emails never    than 150,000 emails from this now non-existent                                             This will mean organisations and individuals who
reached the intended recipients’ inboxes because    domain. There is no way of knowing whether                                                 are not eligible for the PDNS still benefit from the
the Active Cyber Defence system automatically       these were as a result of fraudulent purposes                                              NCSC's knowledge and expertise. Through the
detected the suspicious domain name and the         or misconfiguration, but shows the necessity                                               NCSC and industry working together, a greater
recipients’ mail providers never delivered the      to correctly curate domains throughout                                                     number of users can benefit from DNS filtering.
spoof messages. The email account used by           their lifecycle.
the criminals to communicate with victims was
also taken down.

24   National Cyber Security Centre                                                                                                                                National Cyber Security Centre   25
Annual Review 2019                                                                                                                              Annual Review 2019

Raising cyber                                  Mail Check monitors        Working with local government

resilience                                      6,273                     The NCSC assists local government both through
                                                                          direct engagement at a local level, supporting
                                                                          its networks of technical staff, and working with
                                                                          representatives from member organisations
                                                                                                                              the English regions, to build understanding
                                                                                                                              of cyber threat and foster good practice to
                                                                                                                              manage risk. As a result, 85% of delegates
                                                                                                                              have said they would make changes to

across                                           domains classed
                                                 as public sector.
                                                                          including the Local Government Association
                                                                          (LGA) and the Society of Local Authority Chief
                                                                          Executives (SOLACE).
                                                                                                                              their cyber security practice.

                                                                                                                              Digital Government Lofts

government                                                                Commissioned by the Ministry of Housing,
                                                                          Communities and Local Government (MHCLG),
                                                                                                                              The successful sharing of the NCSC’s expert
                                                                                                                              advice and guidance across UK government

and the                                                                   and funded by the National Cyber Security
                                                                          Programme, the NCSC is supporting the design
                                                                          and delivery of the MHCLG ‘Think Cyber, Think
                                                                                                                              and the public sector through Digital Lofts
                                                                                                                              continues. This year’s locations and hosts
                                                                                                                              have included Warwickshire County Council,

public sector                                                             Resilience’, Cyber Pathfinder training scheme.
                                                                          This provides a series of workshops for senior
                                                                          leaders, policy makers and practitioners across
                                                                                                                              the Met Office in Exeter, as well as the Scottish
                                                                                                                              government in Edinburgh.

The NCSC works closely with public
sector bodies to protect the networks,
data and services which the UK
depends upon.

Working with central government

The NCSC provides assurance on key            The number of public        Web Check for Local Authorities
systems across central government
departments and agencies, assisting         sector domains protected
them to develop their security strategies     by DMARC [an Active
and secure their networks.
                                               Cyber Defence tool]
Building on the success of the                  more than tripled

                                            from 412
Transforming Government Security
Programme, the NCSC is working with                                                 Local Authorities                            % Using Web Check
the Cabinet Office’s Government
Security Group, providing advice and
guidance to shape policy development
on cyber security.
                                                                                         England           336                          97%
                                            at the end of December 2017

                                             to 1,940
                                                                                         Wales		           22                           100%

                                                                                         Scotland          32                           100%
                                                in September 2019.
                                                                                         NI		 11                                        90%

                                                                                         UK		              401                          97.75%

26   National Cyber Security Centre                                                                                                               National Cyber Security Centre   27
Annual Review 2019                                                                                                                                                        Annual Review 2019

     Cyber health check for the NHS                                                                    Vulnerability Disclosure                              Detect and forewarn to protect
                                                                                                                                                             government departments
     The NCSC is working with health authorities    such progress and improvement to the               If someone finds a vulnerability in a UK
     across the UK to reduce the risk of another    security posture and resilience of Health          government website and cannot contact                 The NCSC’s Host-Based Capability tool
     major cyber attack affecting the NHS.          and Care in such a short period of time.”          the system owner, they can report the                 collects and analyses technical metadata
                                                                                                       vulnerability to the NCSC’s Vulnerability             to help government departments
     The WannaCry ransomware attack of              All hospital trusts in England will be offered     Reporting Service. This is part of its wider          understand the threats they face. Following
     2017 caused disruption in a third of all       the free Secure Boundary solution which            efforts to improve vulnerability handling             a successful pilot year, the service has been
     hospital trusts across England, leading to     includes next generation firewalls and             across the public sector. Following                   deployed to 35,000 government devices
     cancelled operations and appointments          the NCSC’s Protective Domain Name                  the service’s launch, the NCSC has                    across nine departments. The capability
     for many patients. The incident brought        System (PDNS) service. This will help NHS          received reports covering a number                    is complementary to departments’ own
     to light a number of weaknesses in             organisations to defend against future             of security issues including cross-site               security measures. The data the NCSC
     the cyber defences of the NHS.                 attacks, including ransomware, and enable          scripting and subdomain takeover.                     collects is used to detect malicious activity,
                                                    them to keep providing care for patients.                                                                provide monthly threat reporting and
     For this reason, the NCSC has been working                                                        In addition to the Reporting Service,                 assess exposure to serious cyber threats.
     with NHS Digital, the national information     Another benefit of the new system is that          the NCSC also launched the Vulnerability
     and technology partner for the health          it will be possible to spot when a cyber           Disclosure Pilot, working with a number
     service in England, on the procurement         attack is attempted on a particular hospital       of UK government departments to
     of a new perimeter security solution           trust. NHS Digital will use this information       kick start best practice in vulnerability
     for the NHS. The NCSC lent its technical       to better understand the threats facing            disclosure across the public sector.
     expertise, providing cyber experts to review   the health sector and also to give
     the bids against security standards.           tailored advice to specific hospitals.

     Dan Jeffery, Head of Innovation, Delivery      The NCSC has also been working closely with
     & Business Operations at NHS Digital,          the health services in Scotland, Wales and
     stated: “The NCSC has provided critical,       Northern Ireland to ensure they can benefit
     timely, and invaluable technical and           from PDNS and other Active Cyber Defence
     strategic advice, input, and guidance to       services. It is also providing technical support
     the Secure Boundary programme as well          to bespoke devolved health platforms.
     as the Cyber Programme in general.

     “The enduring strength of the relationship
     between the NCSC and NHS Digital’s
     Data Security Centre is one of the
     reasons we have been able to deliver

                                                                    GDFGGFADAVVGVGADAADVAXFV                                                          XVDAADGAVGDGXAAAGGAGDA

28      National Cyber Security Centre                                                                                                                                         National Cyber Security Centre   29
Annual Review 2019                                                                                                                                                     Annual Review 2019

Defending democracy

The foundations of liberal democracy are under     European elections (May 2019), the NCSC provided
increasing threat from cyber attacks and the       guidance, informed by comprehensive cyber             “We depend on the work of                   “Digital technology continues
NCSC plays a key role in defending the UK’s        threat assessment, on risks and advice on
political process.                                 protecting systems and people to political parties.   hundreds of thousands of                    to change the way that
The NCSC meets with UK political parties           The NCSC monitors known adversaries who look          volunteers, and so collect                  elections are run and fought;
(which take up at least two seats in the House     to target parties or even politicians. If threats
of Commons) every three months and regularly       are detected, the NCSC shares the details of the      and hold a great deal of                    it also changes the way that
gives cyber security advice to parliamentarians.   threat and tailored advice, allowing the individual
During the local elections (March 2019) and        or organisation to put mitigations in place.          data – and we work hard to                  voters are informed and
                                                                                                         keep it safe. Knowing the NCSC              influenced. Since its creation,
“The NCSC is very proactive                        “The role of Chief Information                        is also there to look after the             the NCSC has provided valued
and efficient in quickly                           Officer, for one of the UK’s                          integrity of our information,               support to the Commission
speaking to all the relevant                       major political parties,                              especially at election time, is             and wider electoral sector,
staff here to alert us to an                       has its stressful moments.                            a tremendous reassurance.                   to mitigate the risks posed
issue. Beyond just dealing with                    Having the NCSC on hand                               The NCSC’s advice has been                  by these innovations. We
incidents at hand, we have also                    helps you sleep at night.                             invaluable in making our                    welcome their important role
received a number of very clear                    The online briefing material                          systems more secure.”                       in supporting the ongoing
and helpful recommendations                        is excellent and is frequently                        Tim Waters, Director of Data & Targeting,   integrity of elections in the UK.”
                                                                                                         The Labour Party
to further harden our systems                      quoted. When an incident                                                                          Bob Posner, Chief Executive.,
                                                                                                                                                     The Electoral Commission
which we have subsequently                         happens, their support and
undertaken. It was great to                        advice quickly gets the
have the support at the time,                      incident under control
but also to have our contact                       and helps calm senior
follow up with us some weeks                       management.”
later to check whether any                         Paul D Bolton, Chief Information Officer,
                                                   Conservative Campaign Headquarters
further support was needed
or desired.”
Sian Waddington, Director of Operations,
Liberal Democrats

30   National Cyber Security Centre                                                                                                                                      National Cyber Security Centre   31
Annual Review 2019                                                                                                                                                                         Annual Review 2019

Serving every part of the UK                                                                                   “Our engagement with the NCSC has helped us to establish
                                                                                                               our executive agency, Social Security Scotland, followed by
The NCSC continues to work across the whole             platform for payment of devolved benefits to
of the UK. This includes support to devolved            citizens, plus their platform for supplier payments.   the launch of our public facing cloud based digital platform,
administrations in Wales, Scotland and Northern         This year, the NCSC hosted the CyberFirst Girls
Ireland, raising cyber resilience across all sectors.   Competition final in Edinburgh and CYBERUK 2019        which underpins the delivery of the first live devolved benefit
                                                        in Glasgow, with Scottish government taking the
The NCSC worked with Welsh government                   opportunity to showcase in parallel the work of        payments Scotland. The NCSC has provided us with expert
to ensure its advice for citizens and families was      the Scottish Cyber community with a number of
included in its Digital Inclusion Programme, to         side events, including “Scotland Cyber Week”.          advice and guidance through technical workshops and
help all citizens to get online safely. In support of
the TARIAN and North West Regional Organised            The NCSC worked in partnership with Scottish           engaging its partners to share experiences. This has given
Crime Units, the NCSC provided materials and            government to deliver bespoke workshops
speakers for the Welsh Cyber Bus Tour, supporting       for small businesses, charities, CEOs, and             us valuable assurance in support of our strategic security
local business, community groups and the public         launched the Exercise in a Box tool. It continued
to enhance their cyber resilience. The NCSC also        its support of the cyber catalyst network, ensuring    objectives and our own ‘Secure by Design’ principle.”
provided technical security advice to the Welsh         effective peer to peer sharing of best practice
Revenue Authority, which collects and manages           and NCSC guidance.                                     John Campbell, Head of Digital Risk & Security Social Security Directorate,
devolved taxes in Wales.                                                                                       Scottish Government
                                                        The Scottish Qualifications Authority and
In Northern Ireland, the NCSC advised on                Scottish Credit Qualification Framework have
IT controls, protecting the country’s ~1.75m            also approved the NCSC’s CyberFirst awards
citizen electoral records. It continues to build        for Defenders, Futures and Advanced courses,
partnerships across the economy and society in          meaning that anyone completing these courses           “We have made significant investments in improving our cyber
Northern Ireland, including delivering briefings to     will now receive recognised learning credits.
charity leaders in partnership with the Northern                                                               defences and cyber hygiene. The NCSC has proven to be an expert
Ireland Council for Voluntary Action, helping to        Take up of the NCSC’s Active Cyber Defence
ensure cyber is considered alongside business           continues across all three devolved                    advisor in defining and refining our requirements, most especially
risks. The NCSC also partnered with Northern            administrations, helping to protect local
Ireland Department for Education to improve             government and other public online services.           in our plans to implement a Security Information and Events
cyber resilience in schools across the country.         In Scotland, the majority of public sector
                                                        organisations are using one or more of the             Management Service and associated Security Operating Centre.
In Scotland, the NCSC has provided significant          tools, and increased take-up in Wales and
bespoke technical advice on several new online          Northern Ireland continues at pace.                    Their experience of forensics, analytics, alerts and appropriate
services. This includes the new Scottish online
                                                                                                               approaches to monitoring has been invaluable.”
                                                                                                               Chief Strategy Officer, Northern Ireland Civil Service

                                                                                                               “The NCSC continues to provide valuable advice and
                                                                                                               guidance for us to share with Welsh stakeholders which
                                                                                                               greatly contributes to increasing cyber security capability
                                                                                                               within Wales. We value the engagement and ongoing
                                                                                                               support in several areas, including increasing take-up
                                                                                                               of Active Cyber Defence tools in the Welsh public sector
                                                                                                               and encouraging participation of Welsh students on
                                                                                                               CyberFirst courses.”
                                                                                                               Representative, Welsh government

32   National Cyber Security Centre                                                                                                                                                          National Cyber Security Centre   33
Annual Review 2019                                                                                                                                               Annual Review 2019

                                                                                                                          ATM

                   Critical National
                   Infrastructure
                                                                                           Thwarting ATM attacks

                                                                                           On multiple occasions, the NCSC has alerted          As a result, banks swiftly put defensive measures
                   Everyone in the country relies      The NCSC’s work spans CNI in        UK financial institutions to imminent threats from   in place that protect them against financial loss
                   on the UK’s Critical National       the public sector, as well as a     ATM cash-out fraud at home and abroad. This is       and reputational damage. Most recently, the
                   Infrastructure (CNI) day in, day    focus on nine critical private      where cyber criminals compromise banking and         NCSC alerted 56 banks to a specific ATM cash-out
                   out. We all need the country’s      sectors: communications,            payment infrastructure, and obtain card details      threat after receiving actionable information. As a
                   communications networks to          transport, energy, civil nuclear,   that can be used to withdraw large sums of cash      result, the banks were able to block any attempt
                   keep in touch with friends and      finance, water, chemicals,          from ATMs. Once already in progress, these           by the attackers to fraudulently withdraw money
                   family, transport networks to       space and food. It provides         attacks can be difficult to stop.                    from customer accounts.
                   travel to work and school, and      direct support to hundreds
                   energy networks to power and        of public and private sector        The NCSC works with industry and government
                   heat our homes. Interruption        organisations that own,             partners around the world to share information
                   to any of these critical services   manage and maintain CNI             and disseminate alerts about threats and
                   could cause serious disruption      assets in the UK. This includes     anticipated malicious activity.
                   to our lives and potentially        one-to-one technical advice,
                   damage the economy.                 sharing threat information,
                                                       facilitating cyber exercises
                   Strengthening the cyber             and running information on
                   resilience of the UK’s most         exchanges for organisations to
                   critical systems therefore          share knowledge and expertise.
                   remains a top priority.

34   National Cyber Security Centre                                                                                                                                National Cyber Security Centre   35
Annual Review 2019                                                                                                                                                          Annual Review 2019

Defending online banking                                                                              Keeping the lights on

There has recently been a rise in the            attacks, determine how they were being carried       A successful cyber attack against the energy         Digital integration is only adding to the security
sophistication of SMS-interception attacks,      out, and develop mitigations. This information       sector could disrupt the fuel and power supplies     challenge. The NCSC’s recent review of smart
with multiple financial institutions and         sharing continues through the NCSC’s Cyber           our country so heavily relies on. That’s why the     metering infrastructure for BEIS, and the
Communications Service Providers (CSPs)          Security Information Sharing Partnership             NCSC’s work with energy firms has been diverse       recommendations it produced, is one illustration
being affected.                                  (CiSP) platform.                                     and extensive.                                       of how the NCSC works with government
                                                                                                                                                           departments to ensure the highest cyber security
The attackers intercepted SMS messages                                                                This year the NCSC worked with one of the UK’s       standards across the sector.
sent as part of the two-factor authentication    “At the heart of the NCSC's mission is protecting    largest oil refineries to review and advise on an
(2FA) needed for online banking. Whilst 2FA is   critical pieces of our infrastructure; keeping the   upgrade to its systems, greatly increasing its
generally recommended by the NCSC, in this       service they provide secure keeps the country        resilience. The NCSC’s Cyber Adversary Simulation    “We would like to thank the NCSC for the
case messages from multiple banks via multiple   running. It's only through these partnerships        team also conducted an exercise against a            invitation and our subsequent involvement
mobile networks were targeted, allowing the      with industry that we can understand the risk        critical supplier of road fuels, which identified    in the sector-wide cyber security test.
criminals to make fraudulent payments to their   we face, protect current systems and secure          vulnerabilities that the company has since           The challenge and results from the scenario
accounts at the expense of the wider public.     the infrastructure of tomorrow.”                     protected itself against.                            exercising has been invaluable in applying
The NCSC was in a unique position to bring                                                                                                                 improvements to our emergency planning
experts in the telecoms and finance industries   Clare Gardiner, Director National Resilience         In partnership with the Department for Business,     and resilience processes, along with
together to share information regarding the      & Strategy, NCSC                                     Energy and Industrial Strategy (BEIS), the NCSC      recognising the importance of cross industry
                                                                                                      held a complex technical exercise with electricity   support and alignment during such events.”
                                                                                                      distribution network operators. It was the
                                                                                                      culmination of a two-year project and involved       John, Scottish and Southern Electricity Networks
                                                                                                      more than 170 participants at 13 different UK
                                                                                                      locations to test the sector’s response to a
                                                                                                      national-level incident.

36   National Cyber Security Centre                                                                                                                                           National Cyber Security Centre   37
Annual Review 2019                                                                                                                                                                  Annual Review 2019

Threats to air passenger data                                                                              Securing the future: Smart cities

The aviation sector has continued to be an          It has also continued working with NATS, the main      Across all sectors the drive to reduce costs,          effectively. While it would take a lot of paint and
attractive target for cyber attackers. Airlines     air navigation service provider in the UK, to review   increase efficiency and provide new data-              physical presence to manually deface all the
store vast amounts of personal identifiable         the cyber security of their air traffic control and    driven services is leading to increased digitisation   traditional road signs in an area, it could be
information (PII), which criminals can sell or      management system.                                     and automation. Cities are no exception, with          possible to change all the signs in a city without
use for spear phishing and identity theft.                                                                 councils looking to technology to help with a          ever setting foot in it, if smart signage projects
State actors may also be interested in airline                                                             suite of challenges including reducing congestion,     are badly implemented.
PII for counter-intelligence purposes or            “The challenge and results from the scenario           improving public safety, and enhancing local
tracking dissidents.                                exercising have been invaluable in applying            health care services.                                  The NCSC is applying its experience in helping
                                                    improvements to our emergency planning                                                                        national and local government ensure that
The NCSC’s work with the sector has included        and resilience processes, along with                   There are two main themes to the security              personal data is protected, and its understanding
assisting UK airlines targeted by a group known     recognising the importance of cross industry           challenges in smart cities. The first is ensuring      of the security challenges in critical national
as Chafer. This group, which security companies     support and alignment during such events.”             that citizen privacy is maintained, and that           infrastructure, to the new and emerging
have linked to Iran, has a history of targeting                                                            personal details required to operate the services      challenges presented by smart cities.
global organisations for bulk personal data sets.   NATS, the UK’s leading provider of air traffic         are secured. The second is understanding the
The NCSC helped the airlines identify potential     control service                                        interdependencies between a smart city’s               In one real-world example, a council is using
risks to their networks and offered mitigation                                                             services, and the impact of failure. For example,      traffic flow data to adjust road signs in the city
advice, minimising the impact.                                                                             computerised road signs may depend on                  to divert traffic, saving citizens an average of
                                                                                                           power and a data connection in order to work           60 hours per year on their journey times.

38   National Cyber Security Centre                                                                                                                                                   National Cyber Security Centre    39
You can also read