Government Plans ‘Active’ Cyber Security Approach

The head of the UK’s new National Cyber Security Centre (NCSC) has said the government is planning to take a more active role in defending the country against online attacks, as the National Audit Office (NAO) published a damning report indicating the disarray of current government information security efforts.

Until recently private-sector efforts were expected to be sufficient to contain online attacks against British users and organisations. But the government now recognises it must take the lead on information security, said Ciaran Martin, giving his first public comments as chief executive of the NCSC in Washington, DC.

Government push

“If we’re to maintain confidence in the digital economy, we’ve got to tackle this end of the problem,” Martin told the Billington Cyber Security Summit on Tuesday. “I believe there’s a legitimate role for the government in taking a lead… at least temporarily. This is the thinking behind our strategy.”

He said twice as many “national-security-level cyber-incidents” were detected in 2015 compared with the year before, adding up to about 200 per month, while the NAO noted that the 17 largest government departments recorded 8,995 data breaches in 2014-15.

A NAO report timed to coincide with Martin’s appearance said that overall the coordination of central government’s information security efforts remained confused, even as recent trends toward information sharing tended to increasingly expose sensitive data to attacks.

As of April of this year there were at least 12 separate teams or organisations at the centre of government with overlapping roles in protecting information, the NAO found.

While the NCSC’s formation should “bring together much of government’s cyber expertise” the NAO warned that in its view “wider reforms will be necessary” and currently reporting personal data breaches is “chaotic” with different departments’ mechanisms making it impossible to collect coherent data.

“The Cabinet Office does not currently provide a single set of standards for departments to follow, and does not collate or act upon those weaknesses it identifies,” the NAO stated.

Security coordination

The NCSC, due to launch next month, is intended to coordinate existing efforts to protect government and critical information infrastructure as well as engaging with businesses and the public.

The centre results from a government plan announced in November of last year to nearly double IT security spending to £1.9 billion by 2020, and while it grows out of GCHQ is to be headquartered in London.

After prioritising “the most serious threats” the centre intends to investigate ways of protecting the UK’s wider digital infrastructure, including attacks on businesses and individuals that may not be sophisticated but which cause “a lot of damage”, Martin said.

“The great majority of cyber attacks are not terribly sophisticated,” he said. “They can be defended against. And if they get through their impact can be contained.”

Current pilot measures include sending automated takedown requests to web hosting companies, registrars and others found to be facilitating malicious attacks.

Internet filters

Martin said the government is working with service providers to help block the abuse of traffic rerouting protocols that enable UK-based systems to participate in denial-of-service attacks.

Another pilot effort involves large-scale DNS filtering that would keep users from coming into contact with “known malware and bad addresses”, although users would need to opt into such a programme.

He said a government pilot involving the use of DMARC authentication for emails had been successful and could be expanded more broadly.

“It’s crucial that all of these economy-wide initiatives are private sector-led,” he said. “The government does not own or operate the Internet.”

Skills crisis

Martin acknowledged the government faces a “skills challenge” in addressing such threats, a factor echoed in the NAO’s report.

“Plans to cluster security teams may initially share scarce skills, but will not solve the long-term challenge,” the NAO said, adding that the problem is part of a broader “challenging national picture”.

A senior Ministry of Justice security leader earlier this week expressed the government’s frustration with the difficulty of finding qualified IT security staff, who often don’t view the work as “cool”, and argued a broader shift in approach was necessary.

New data security risks

Martin identified the switch to universal credit, which will see a single online system paying out 7 percent of the UK’s gross domestic product, as a significant security challenge, along with the increasing use of Internet-connected energy meters.

The NAO added that ever-greater information sharing between government departments and trends toward making digital information available directly to the public also make data more vulnerable as “the traditional security boundaries have become blurred”.

“Protecting information while redesigning public services and introducing the technology necessary to support them is an increasingly complex challenge,” said NAO head Amyas Morse. “The Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance.”

Government digital turmoil

The government has been reworking government IT around services centres shared between different government departments, which the NAO previously said have caused considerable disruption to government departments’ back-end systems while delivering questionable savings.

Some industry observers saw further evidence of a confused and fragmented government digital strategy in last month’s departure of Government Digital Service (GDS) executive director Stephen Foreshew-Cain, prompting the GDS’ new head to say there were no plans to break the service up.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • In principle I like the idea. Great for DDOS etc. What about censorship? We need a bill of rights about what they will and will not block. Also, throw in DNScrypt to the mix and I might be tempted.

Recent Posts

Google Increases Concessions, Amid CMA Oversight Of Cookie Removal

Google expands data pledges to address concerns of British competition regulator, overseeing tech giant's removal…

23 hours ago

India Moves To Ban Private Cryptocurrencies

India is to launch its own official digital currency, but will also ban private cryptocurrencies…

1 day ago

Google To Pay Millions To Ireland In Back Taxes

Google is to pay £183m in back taxes to the Irish government, in line with…

1 day ago

Orange CEO Resigns After Court Conviction

Stephane Richard steps down from his CEO and chairman positions of French mobile giant Orange,…

2 days ago

Apple To Use Own iPhone 5G Modem Design In 2023 – Report

Bad news Qualcomm. Team up with TSMC will see Apple utilise its own 5G modems…

2 days ago