Severity of the risk facing the UK is widely underestimated, NCSC annual review warns
- Reference: 1733226309
- News link: https://www.theregister.co.uk/2024/12/03/ncsc_annual_review/
- Source link:
Published today, GCHQ's tech offshoot's 2024 review reveals that 12 incidents topped the NCSC's severity classification system out of a total 430 cases that required support from its Incident Management (IM) team between September 2023 and August 2024. The finding represents a 16 percent increase year-over-year.
The number of nationally significant incidents also rose from 62 last year to 89 in the latest data, six of which were caused by exploiting two Palo Alto and Cisco zero-days (CVE-2024-3400 and CVE-2023-20198). This number includes the 12 deemed maximally severe and an undetermined number of attacks on the UK's central government.
[1]
The most severe category of incidents is Category 1: National cyber emergency – an attack that causes sustained disruption of critical services and a Cabinet Office Briefing Rooms (COBR) meeting to be held.
[2]
[3]
The NCSC said that 347 reports involved some degree of data exfiltration and extortion and – surprise – 317 of these involved ransomware, another year-over-year increase from 297 in 2023's data.
The numbers demonstrate a growing cyber risk to the UK that NCSC board members feel is "widely underestimated" and outpacing the country's ability to defend against threats.
[4]
"What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defenses that are in place to protect us," the NCSC's new CEO Richard Horne will say later today.
"And what is equally clear to me is that we all need to increase the pace we are working at to keep ahead of our adversaries."
Horne and others on the board at Nova South renewed their calls to the public and private sectors on Tuesday to continue building cyber resilience, citing the rise in headline-grabbing incidents such as the attacks on [5]Synnovis and the [6]British Library .
[7]
"The NCSC, as the National Technical Authority, has been publishing advice, guidance, and frameworks since our inception, in a bid to drive up the cybersecurity of the UK," Horne will add. "The reality is that advice, that guidance, those frameworks need to be put into practice much more across the board.
"We need all organizations, public and private, to see cybersecurity as both an essential foundation for their operations and a driver for growth. To view cybersecurity not just as a 'necessary evil' or compliance function, but as a business investment, a catalyst for innovation and an integral part of achieving their purpose."
When talking about cyber resilience, as the NCSC so often does, it refers to all organizations being able to detect, neutralize, and recover from attacks at pace, be it through their own technical implementations or with support from the likes of the NCSC's Active Cyber Defence services.
Of course, GCHQ's cyber arm also never misses an opportunity to remind the world that organizations that earn its Cyber Essentials certification are 92 percent less likely to make a claim on their cyber insurance policy.
Despite there being a 20 percent increase in organizations gaining that certification this year, and an equal increase in Cyber Essentials Plus recipients too, the NCSC still feels the basics aren't being deployed widely enough, or quickly enough.
A sense of doom drips from every page of its [8]annual review . It goes on to explain how the volumetric increase in attacks and their complexity presents a dual threat that stokes a sense of fear in the reader.
By 2030, the NCSC predicts a full-scale cyber intrusion ecosystem will be established. It believes this ecosystem will make available highly capable tools to the most seasoned adversaries and unsophisticated up-and-comers alike, lowering the barrier to entry into the world of cybercrime.
This all follows the current state of affairs where we have lowly cybercriminals routinely reading about how their state-sponsored seniors are going about things from intel reports and copying their tactics for greater success, all while the global economy increasingly relies on tech propped up by an insecure supply chain.
There remains the inevitable impact of artificial intelligence (AI), which is slated to intensify this complex threat landscape and empower adversaries in their ventures too, not to mention the [9]deeply broken market making any proposed improvement a challenge.
Further afield
In the same way that [10]China has, for years now, occupied the attention of national security chiefs more than any other foreign adversary, the NCSC's latest annual review equally dedicates more attention to the Middle Kingdom than any other overseas threat.
[11]Another 'major cyber incident' at a UK hospital, outpatients asked to stay away
[12]Britain Putin up stronger AI defences to counter growing cyber threats
[13]UK councils bat away DDoS barrage from pro-Russia keyboard warriors
[14]US and UK govts warn: Russia scanning for your unpatched vulnerabilities
It was at the NCSC's annual conference earlier this year that GCHQ director Anne Keast-Butler [15]emphasized the claim that dealing with China tops the UK's list of security priorities.
Likewise, Horne, who made his first major public speech as the NCSC's new top dog on Tuesday, echoed the sentiment once more, repeating the organization's stance on the UK's inadequate cyber resilience.
"Last week, the Chancellor of the Duchy of Lancaster warned about the aggression and recklessness of cyber activity we see coming from Russia," he said. "And with our partners, including at the NPSA, we can see how cyberattacks are increasingly important to Russian actors, along with sabotage threats to physical security, which the director general of MI5 spoke about recently.
"All the while, China remains a highly sophisticated cyber actor, with increasing ambition to project its influence beyond its borders.
"And yet, despite all this, we believe the severity of the risk facing the UK is being widely underestimated."
Horne referenced the [16]speech made by the Chancellor of the Duchy of Lancaster, Pat McFadden, last week, which made some sensational claims that were later [17]criticized by security thought leaders.
Dissecting McFadden's speech, the Hollywood verbiage used to describe Russia's cyber capabilities raised eyebrows among experts. Claims such as "with a cyberattack, Russia can turn off the lights for millions of people" and "it can shut down power grids" contain the type of language the industry has tried to rid itself of for years.
The speech came amid a backdrop of Russian aggression from what McFadden said was state-sponsored cybercriminals targeting NATO partner South Korea. Former MI6 director Sir Richard Dearlove also recently [18]said he believed the current situation between Western Europe and [19]Russia is tantamount to a full-blown war, all while Russia's efforts in Ukraine show no sign of relenting.
"Russia continues to act as a capable, motivated, and irresponsible threat actor in cyberspace," the review reads. "Russian threat actors almost certainly intensified their cyber operations against Ukraine and its allies in support of their military campaign and wider geopolitical objectives.
"Through its activities in Ukraine, Russia is inspiring non-state threat actors to carry out cyber attacks against Western CNI. These threat actors are not subject to formal or overt state control, which makes their activities less predictable. However, this does not lessen the Russian state's responsibility for these ideologically driven attacks.
"The NCSC continues to publicly expose Russian cyber activity, which makes it a more challenging environment for them to operate in." ®
Get our [20]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z085MTfmiQq7f-id6OCnDgAAAQ4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z085MTfmiQq7f-id6OCnDgAAAQ4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z085MTfmiQq7f-id6OCnDgAAAQ4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z085MTfmiQq7f-id6OCnDgAAAQ4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2024/07/05/qilin_impacts_patient/
[6] https://www.theregister.com/2024/05/20/the_british_library_owes_lauded/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z085MTfmiQq7f-id6OCnDgAAAQ4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024
[9] https://www.theregister.com/2024/05/16/ncsc_cto_broken_market_must/
[10] https://www.theregister.com/2024/02/07/us_chinas_volt_typhoon_attacks/
[11] https://www.theregister.com/2024/11/26/third_major_cyber_incident_declared/
[12] https://www.theregister.com/2024/11/26/uk_ai_security/
[13] https://www.theregister.com/2024/11/01/uk_councils_russia_ddos/
[14] https://www.theregister.com/2024/10/12/russia_is_targeting_you_for/
[15] https://www.theregister.com/2024/05/16/the_uks_alarm_over_china/
[16] https://www.gov.uk/government/speeches/chancellor-of-the-duchy-of-lancasters-speech-to-the-nato-cyber-defence-conference
[17] https://therecord.media/uk-minister-criticized-hyperbolic-russia
[18] https://news.sky.com/story/europe-is-in-actual-war-with-russia-says-former-mi6-chief-13262129
[19] https://www.theregister.com/2024/10/01/evil_corp_russia_relationship/
[20] https://whitepapers.theregister.com/
The key omission
" being able to detect, neutralize, and recover from attacks at pace, be it through their own technical implementations or with support... "
This excellently exemplifies the root of the problem. Almost everyone still thinks that cyber security is a technical issue. It's most definitely not - it's a cultural one with technical facets. While I accept without reservation that our technologies are deeply flawed and need constant protective attention, almost every reported data breach has fundamentally been down to poor decision making or sloppy management on the victim side or in their supply chain. Whether or not an entity can be secure is at least as much a matter of attitude as it is the deployment of tech fixes, including whether that entity operates proactively or purely reactively to identified threats, whether it operates a blame culture or not, and a host of other psychosocial characteristics. Indeed, the culture mostly drives the choices and adoption of protective technologies, so tech robustness and resilience can only be achieved where the entity is willing to invest the effort and expenditure to select, implement and maintain the most appropriate technologies.
Cybersecurity job market
It would be nice to understand the structure of the cybersecurity job market. How many security tasks are low level (low pay jobs, boring, tedious, mostly outsourced)? What if the problem is taxation and difficulties running small business?
Re: Cybersecurity job market
Nobody wants them! That is the state of the Cybersecurity job market. Because everyone knows that the attack surface is near-infinite and a comprehensive defence is near-impossible, and management will resist any attempt at you doing your job, because it mildly inconveniences theirs. Until it all goes wrong of course, in which case they have You to take all the blame.
The job adverts might as well read:
Urgently Required: Chief Scapegoat
Pay: Not nearly enough
Budget: None
Remit: None
Job Description: When the shit hits the fan, we need someone to blame. That person is You! Your head will be on the block, You will face prosecution, not us, etc.
FAQ: Have you already been compromised? Yes, err, I mean we're not telling you until you start the job but the post is URGENTLY required!
FAQ: Is there any opportunity at all for success? No it's a poison chalice, er I mean a FANTASTIC opportunity!*
* for disaster
Category 1
"The most severe category of incidents is Category 1: National cyber emergency – an attack that causes sustained disruption of critical services and a Cabinet Office Briefing Rooms (COBR) meeting to be held."
When I briefly worked consulting to the then DTI and other UK Govt Departments, the worst thing the Civil Servants could conceive of was 'a Parliamentary Question', which meant they had to stop whatever they were doing and provide their minister with an answer. The reference to a COBR meeting being a measure of the severity of a cyber attack is misleading. There are probably attacks and incidents going on which should rate a COBR meeting but don't because people do not understand the consequences and implications, yet. Witness how long it took to have a COBR meeting concerning COVID-19 (and the fact that the then PM did not initially consider it sufficiently important to attend the first few).
I remember consulting a bid to take over management of the IT of a public utility. The SysAdmin claimed with a straight face that they had on average two class 1 events per week. I.e., their IT system was broken to such an extent that a large proportion of staff could not do their work and there were no work-arounds twice a week . And this was considered normal and acceptable.
Cyber Security should be a regular briefing item for the entire UK cabinet, as every department depends on IT infrastructure to carry out its functions, not an occasional 'oh look the country is under attack, let's have a chat about this shall we?' event.
Talk all you want...
As a long time supporter of end Users of IT who are generally speaking not IT proficient, they are simply users of very complex technical equipment which they have little or no understanding of how it works. They just want to stay in touch with friends and relatives, do a bit of convenience shopping, or watch a music video. They tinker with the Apps which are easy to use and offer some level of novelty, or which are used by members of their own peer group.
Otherwise, trying pointing out to one of these lovely people that they would have more success and less anxiety if they changed their keyboard to UK from the Default American English. But even this is too much information for a lot of people.Never mind, "Do you have anti virus ?", or "Is your Firewall switched on ?". "Updates ?", What did that "Pop Up window say ?"
I have experience which shows me that even CEO's fall under this category of End Users. Then every budding new business I have ever come across would rather use WordPress for it's web presence, or would chose another web service which is built on top of WordPress(like) convenience, stock images supplied from unknown sources via scripts who's functionality they know nothing about.
We even have Go Vermin buying into Microshites latest Xmess channel stuffing, Oracle the ONLY ERP on sale to GoVermin service providers.......
This is only scraping the top of the IT security iceberg, I mean........what can go wrong ? Using chips and hardware made "elsewhere" for our convenience and to keep the price down.........
Job at GCHQ anyone ?
ALF
the clearly widening gap between the exposure and threat
I'm somewhat concerned this appears to have come as a surprise.