The head of the UK’s new National Cyber Security Centre (NCSC) has said the government is planning to take a more active role in defending the country against online attacks, as the National Audit Office (NAO) published a damning report indicating the disarray of current government information security efforts.
Until recently private-sector efforts were expected to be sufficient to contain online attacks against British users and organisations. But the government now recognises it must take the lead on information security, said Ciaran Martin, giving his first public comments as chief executive of the NCSC in Washington, DC.
“If we’re to maintain confidence in the digital economy, we’ve got to tackle this end of the problem,” Martin told the Billington Cyber Security Summit on Tuesday. “I believe there’s a legitimate role for the government in taking a lead… at least temporarily. This is the thinking behind our strategy.”
He said twice as many “national-security-level cyber-incidents” were detected in 2015 compared with the year before, adding up to about 200 per month, while the NAO noted that the 17 largest government departments recorded 8,995 data breaches in 2014-15.
An NAO report timed to coincide with Martin’s appearance said that coordination of central government’s information security efforts remained confused overall, even as the trend toward greater information sharing increasingly exposes sensitive data to attack.
As of April of this year there were at least 12 separate teams or organisations at the centre of government with overlapping roles in protecting information, the NAO found.
While the NCSC’s formation should “bring together much of government’s cyber expertise”, the NAO warned that in its view “wider reforms will be necessary”. It described the current reporting of personal data breaches as “chaotic”, with departments’ differing mechanisms making it impossible to collect coherent data.
“The Cabinet Office does not currently provide a single set of standards for departments to follow, and does not collate or act upon those weaknesses it identifies,” the NAO stated.
The NCSC, due to launch next month, is intended to coordinate existing efforts to protect government and critical information infrastructure as well as engaging with businesses and the public.
The centre results from a government plan, announced in November of last year, to nearly double IT security spending to £1.9 billion by 2020. Although it grows out of GCHQ, it is to be headquartered in London.
After prioritising “the most serious threats” the centre intends to investigate ways of protecting the UK’s wider digital infrastructure, including attacks on businesses and individuals that may not be sophisticated but which cause “a lot of damage”, Martin said.
“The great majority of cyber attacks are not terribly sophisticated,” he said. “They can be defended against. And if they get through their impact can be contained.”
Current pilot measures include sending automated takedown requests to web hosting companies, registrars and others found to be facilitating malicious attacks.
Martin said the government is working with service providers to help block the abuse of traffic rerouting protocols that enable UK-based systems to participate in denial-of-service attacks.
Another pilot effort involves large-scale DNS filtering that would keep users from coming into contact with “known malware and bad addresses”, although users would need to opt into such a programme.
He said a government pilot involving the use of DMARC authentication for emails had been successful and could be expanded more broadly.
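The article names DMARC but does not say what a receiving mail system actually does with a published policy. The following is an added illustration, not code from the NCSC pilot or from any government system: it parses a DMARC TXT record, applies the identifier-alignment rules of RFC 7489, and returns the disposition a receiver should apply. The record, the domain names (`service.example`, `bulk.service.example`, `attacker.example`) and the message facts are constructed for the example. The organisational-domain logic is a deliberate simplification (last two labels) and is marked as such in the code; a production receiver consults the Public Suffix List, which matters for names such as `dept.gov.uk`.

```python
"""Evaluate a message against a DMARC policy (RFC 7489) without network I/O.

Added example with constructed data. The caller is assumed to have already
run SPF and DKIM; this code only decides alignment and the disposition.
"""
from typing import Optional

# Constructed record, as it might be published at _dmarc.service.example.
# It is an assumption for this example, not a real published record.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@service.example")


def organizational_domain(domain: str) -> str:
    """Return the organizational domain used for relaxed alignment.

    Assumption: the last two labels form the organizational domain. Real
    implementations use the Public Suffix List; without it a name such as
    'dept.gov.uk' would collapse to 'gov.uk' and align with every gov.uk sender.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC.

    Per RFC 7489 the 'v' tag must come first and equal DMARC1, and 'p' is
    required and must be one of none/quarantine/reject.
    """
    tags = {}
    order = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        tags[key] = value
        order.append(key)
    if not order or order[0] != "v" or tags["v"] != "DMARC1" or "p" not in tags:
        return None
    if tags["p"] not in ("none", "quarantine", "reject"):
        return None
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    needs only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(record: str, from_domain: str,
             spf_domain: str = "", spf_pass: bool = False,
             dkim_domain: str = "", dkim_pass: bool = False) -> str:
    """Return 'pass', 'none' (no usable policy), or 'fail:<policy>'.

    spf_domain is the MAIL FROM domain; dkim_domain is the d= of a DKIM
    signature that verified. The record is assumed to have been fetched from
    the organizational domain, so 'sp' applies to subdomains of it.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return "fail:" + policy


if __name__ == "__main__":
    # Relaxed SPF alignment: a subdomain MAIL FROM still passes.
    print(evaluate(SAMPLE_RECORD, "service.example",
                   spf_domain="bulk.service.example", spf_pass=True))
    # Spoofed subdomain with no aligned authentication: subdomain policy applies.
    print(evaluate(SAMPLE_RECORD, "bulk.service.example",
                   spf_domain="attacker.example", spf_pass=True))
```

Note that a message can pass SPF and still fail DMARC: the SPF check covers the envelope sender, and DMARC only counts it if that domain aligns with the visible From header. That alignment step is what stops a spoofed From address riding on a legitimately authenticated third-party envelope.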
“It’s crucial that all of these economy-wide initiatives are private sector-led,” he said. “The government does not own or operate the Internet.”
Martin acknowledged the government faces a “skills challenge” in addressing such threats, a factor echoed in the NAO’s report.
“Plans to cluster security teams may initially share scarce skills, but will not solve the long-term challenge,” the NAO said, adding that the problem is part of a broader “challenging national picture”.
A senior Ministry of Justice security leader earlier this week expressed the government’s frustration with the difficulty of finding qualified IT security staff, who often don’t view the work as “cool”, and argued a broader shift in approach was necessary.
Martin identified the switch to universal credit, which will see a single online system paying out 7 percent of the UK’s gross domestic product, as a significant security challenge, along with the increasing use of Internet-connected energy meters.
The NAO added that ever-greater information sharing between government departments and trends toward making digital information available directly to the public also make data more vulnerable as “the traditional security boundaries have become blurred”.
“Protecting information while redesigning public services and introducing the technology necessary to support them is an increasingly complex challenge,” said NAO head Amyas Morse. “The Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance.”
The government has been reworking its IT around shared service centres used by several departments, an arrangement the NAO previously said had caused considerable disruption to departments’ back-end systems while delivering questionable savings.
Some industry observers saw further evidence of a confused and fragmented government digital strategy in last month’s departure of Government Digital Service (GDS) executive director Stephen Foreshew-Cain, which prompted the GDS’s new head to say there were no plans to break the service up.