Annual Review 2019 Making the UK the safest place to live and work online - National Cyber Security Centre
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Annual Review 2019 Making the UK the safest place to live and work online
Annual Review 2019
Welcome
Since the National Cyber Security Centre (NCSC)
was created in 2016 as part of the government’s
five-year National Cyber Security Strategy, it
has worked to make the UK the safest place
to live and work online. This review of its third
year provides an update on some of the latest
developments and highlights, with interviews,
data and a chance to hear from some of the
people working on the NCSC’s mission. It provides
a snapshot of the organisation’s work over the
period 1 September 2018 to 31 August 2019, with
some key milestones along the way.
The NCSC has also produced a digital report
where you can see this year’s events come to
life at:
ncsc.gov.uk/annual-review-2019
National Cyber Security Centre 3
Annual Review 2019 Annual Review 2019
Ministerial foreword Contents
6 CEO foreword
The United Kingdom has one of the most security protection on the “Internet of Things” –
digitally-developed economies in the world, digital devices embedded in everyday objects
transforming the lives of citizens, driving manufactured around the world, ranging from
8 Timeline
innovation, and fuelling job opportunities and video doorbells and “nanny-cams” to fridges
national growth. We can be proud that in the and ovens, which enable them to send and
National Cyber Security Centre (NCSC) we have receive data. This is a concern for our government,
12 Cyber security for individuals and families
a world-leading body for digital protection which, as the Prime Minister made clear in September
since its launch in 2016, has made the UK safer 2019 during his speech to the United Nations
and its defences stronger. Ensuring the UK remains General Assembly, when he called for emerging
20 Targeting the biggest risks
the most secure place to live and do business technologies to be designed with the right
online, and upholding public trust in our digital safeguards already in place to protect people.
systems, are personal priorities for me and a key We can all be proud of the NCSC’s influence
46 Countering the adversary
part of this government’s vision for the UK. As the already in this area, working closely with partners
Cabinet Office Minister responsible for resilience across government and internationally.
and the National Cyber Security Strategy, I very
54 International cooperation
much welcome the achievements and progress Every chapter of the NCSC’s Annual Review is
laid out in this Annual Review. testament to the hard work and achievements
of its staff and leadership. The NCSC operates
60 Securing the digital homeland
Establishing the NCSC was a key pillar of the in a complex landscape in which the contours
National Cyber Security Strategy 2016-2021, are constantly changing and there is no room
which has transformed the UK’s fight against for complacency. Securing the internet is a
74 Cyber capability for the future
evolving online threats posed by criminals, 24/7 challenge, 365 days a year, and cannot be
hacktivists and hostile nation states. Backed by shouldered by any one organisation. While the
£1.9 billion in funding, and with a deliberately government, through the National Cyber Security
90 Celebrating 100 years of GCHQ's cyber mission
interventionist and comprehensive approach, Strategy and Centre, can lead the way, we are
the Strategy is acclaimed by other nations as also dependent on our partners in industry and
a model of its kind. Any digital economy must academia - and across society as a whole - for
be alert to new threats, and to changes in a joint approach to tackling cyber security. This
existing threats. The NCSC benefits from being is a long-term mission, and I congratulate the
part of GCHQ: it fuses the best of our national NCSC for helping to build a pipeline of specialist
security capabilities with cutting-edge technical talent for the future to achieve this. One of the
knowledge to thwart the menace of global cyber many ways it supports this mission is through
crime. In October 2018, for example, its work its CyberFirst programme, which develops the
ensured that the UK and our allies were able to careers and expertise of our younger digital
expose attacks launched by Russian military natives and brings new generations into the
intelligence on political institutions, and business, UK’s fight for a more resilient digital future.
media and sporting interests.
It is impossible to predict what the future will look
The NCSC works on behalf of many millions of like. But we know that we have the organisation
citizens and organisations. This Annual Review and the tools we need to look ahead and remain
reveals important technical interventions on resilient. Through the Strategy, and the tireless
behalf of individuals and families, as well as work of the NCSC, we are scaling up the systems,
for businesses, national and local government, structures and capabilities necessary to respond
and critical national infrastructure. One such quickly to threats – not only now, but to the end
example of this is the ground-breaking work it of the Strategy and beyond.
has done to reduce credit card fraud, preventing
hundreds of thousands of cases in the past year.
On the international stage, too, the NCSC is
extremely active. It shares the UK’s specialist
knowledge across borders to help strengthen
global cyber defences and shape global
attitudes to deterring and tackling cyber crime Rt Hon Oliver Dowden CBE MP,
wherever it may originate. Over the past year Paymaster General and Minister
this has included a drive to increase the for the Cabinet Office
4 National Cyber Security Centre National Cyber Security Centre 5
Annual Review 2019 Annual Review 2019
CEO foreword
It is a privilege to present the National Cyber Iran and North Korea continue to pose strategic The importance of partnerships in cyber
Security Centre’s third Annual Review. national security threats to the UK, but we can’t security, both at home and abroad, cannot
often talk about the operational successes and be over emphasised. We are learning that
It’s very hard to condense the world-leading work the full range of the NCSC, GCHQ and wider state securing the nation’s digital future is not
the NCSC does in 12 months into one document, capabilities that are deployed against them. just about protecting networks and devices –
but I hope this review gives you an insight into it’s about inspiring a safe and trusted product
what we are doing to understand, reduce and Whether it’s state attacks or global cyber crime, base, and a skilled and diverse workforce who
respond to cyber attacks. it’s the basics that matter. The most immediate can make the cyber landscape work for the
threats to UK citizens and businesses come from whole of the UK.
There certainly is a lot to be proud of – for large scale global cyber crime. Despite often
example, thanks to the innovation of our technical being low in sophistication, these attacks threaten At a time when confidence in the internet
experts, we have been able to increase the our social fabric, our way of life and our economic across the world is under strain, there is much
number of threat indicators we share by tenfold prosperity. That is why so much of the NCSC’s within this review to inspire pride and optimism.
to more than 1,000 per month, and the speed we efforts are geared towards raising our defences The NCSC is proud to have helped to deliver the
process them from days to seconds. against all threats in cyberspace. There are many Cabinet Office-led strategy to make the country
operational successes in this field – particularly the safest place to live and work online, and this
There is of course much work to do – as shown our pioneering Active Cyber Defence work. year the UK was rated first in the Global Cyber
by the 658 incidents we supported this year. Security Index published by the International
For the first time ever, in this review, these Looking ahead, there is also the risk that Telecommunication Union (ITU).
incidents are broken down into the most affected advanced cyber attack techniques could find
sectors. We believe that being transparent helps their way into the hands of new actors, through None of our achievements would be possible
to target the interventions we need to help those proliferation of such tools on the open market. if it were not for the exceptional people I am
who are most vulnerable. Additionally, we must always be mindful of the risk delighted to call my colleagues at the NCSC.
of accidental impact from other attacks. Cyber The work they do inspires me on a daily basis,
However, sometimes transparency has its limits. security has moved away from the exclusive and it is an honour to lead them.
A significant proportion of our work has continued prevail of security and intelligence agencies
to take the form of defending against hostile towards one that needs the involvement of all Ciaran Martin
state actors. We can say that Russia, China, of government, and indeed all of society. CEO of the National Cyber Security Centre
6 National Cyber Security Centre National Cyber Security Centre 7
Annual Review 2019 Annual Review 2019
Timeline
This covers the period 1 September 2018 to 31 August 2019
14 Oct 20 Dec 21 Mar
12 Sept Secure by Design UK and allies 13 Feb NCSC Board
NCSC CEO delivers ‘Code of Practice 23 Nov expose APT10 NCSC Directors Toolkit launched 28 Mar
speech at the for Consumer Advice to shop of cyber attacks meet with Ministers to encourage Fifth annual
Confederation of Internet of safely online on on intellectual at the National essential report from
British Industry’s Cyber Things Security’ Black Friday and property and 7 Jan Assembly for Wales cyber security the Huawei
Conference to help published with Cyber Monday sensitive Guidance on in Cardiff discussions Cyber Security
business leaders the Department published in commercial cyber security to discuss how between the Evaluation Centre
understand and manage of Digital, Culture, partnership data in Europe, for major events to boost Welsh Board and their Oversight Board
cyber security risks Media and Sport with retailers Asia and the US published cyber defences technical experts published
03 Oct 22 Nov 29 Nov 29 Jan 12 Mar 24-25 Mar
UK, Dutch and other NCSC CEO UK’s ‘Equities Process’ Academic Centres New NCSC web Royal Masonic
allies expose GRU meets with the published on how of Excellence in platform launched School for Girls
(Russian military First Minister of vulnerabilities are Cyber Security including bespoke crowned winners
intelligence) cyber Scotland, Members identified and handled Research visit NCSC guidance for six of the NCSC’s
attacks targeting of the Scottish headquarters to new audience CyberFirst Girls
political institutions, Parliament and the take part in strategic categories Competition at the
businesses, media Chief Constable discussions final which took
and sport of Police Scotland place in Edinburgh
in Edinburgh to
discuss ways
to boost cyber
security in Scotland
8 National Cyber Security Centre National Cyber Security Centre 9
Annual Review 2019 Annual Review 2019
Year Three Highlight Statistics
Handled 658 incidents
Provided support to almost 900
victim organisations
Produced 154 threat assessments
Took down 177,335 phishing URLs, 62.4% of
25 June which were removed within 24 hours
De Montfort
and Northumbria 2.8 million visitors to the NCSC’s website
Universities
23 May 13 June recognised Aug Added more than 5,000 new members onto the
NATO Cyber ‘Top Tips as Academic 16 July Appointment Cyber Security Information Sharing Partnership
24-25 Apr Defence Pledge for Staff’ Centres of ‘Active Cyber of IASME
CYBERUK Conference e-learning Excellence in Defence – the Consortium Ltd Produced 108,411 physical items for 170 customers
2019 hosted held at NCSC package Cyber Security second year’ as new Cyber through the UK Key Production Authority
in Glasgow headquarters launched Research report published Essentials partner
Produced 34 pieces of guidance and 69 blogs
Awarded 14,234 Cyber Essentials certificates
Enabled 2,886 small businesses across the UK
25 Apr 11 June 18 June 10 July July / Aug to do simulated cyber exercising for themselves
Exercise in a Guidance for 150 women from Seven companies 22 CyberFirst
Box online tool small businesses across the UK’s graduate from summer courses Challenged 11,802 girls in the 2019 CyberFirst
launched to help to respond and intelligence, the NCSC Cyber for children and Girls Competition
organisations test recover from a government Accelerator for young adults
and practice their cyber incident and security innovative held throughout Engaged with 2,614 students on the NCSC’s
response to a published communities start-ups the country to CyberFirst courses
cyber attack attended the develop the UK’s
‘Women in Security next generation of Supported 250 extra teaching hours of computer
Network’ event cyber professionals science across 4 schools through Cyber Schools
held at NCSC Hub activities
headquarters
Delivered, along with sector and law enforcement
partners, cyber security awareness and training
sessions to more than 2,700 charities
20 countries visited by the NCSC
Welcomed visiting delegations from 56 countries
Hosted 197 events, with more than 9,000 attendees
10 National Cyber Security Centre National Cyber Security Centre 11
Annual Review 2019 Annual Review 2019
Cyber security
for individuals
and families
The government’s vision is Reducing the burden
for the UK to be prosperous The general public is protected
and confident in the digital from the majority of online
world whilst remaining secure harm ever reaching them.
and resilient to cyber threats. The action they need to take
Central to the NCSC’s mission to secure their devices and
is ensuring people of all ages online services is minimal.
across the UK are more secure
when using internet-connected Making it easier
devices and online services. Citizens can act upon the cyber
security advice they receive,
The NCSC understands whatever device or online
people’s attitudes and service they use.
behaviours towards cyber
security and targets efforts Equipping the nation
based on its understanding People are given the confidence
of risk and vulnerability. and tools to protect themselves
The NCSC’s approach and those around them.
enables constant learning,
by joining up the threat Raising awareness
picture and intelligence with Enabling the general public to
continually evolving insight, better protect themselves and
based on deep experience share knowledge with others.
of managing incidents.
It will take a holistic approach
to deliver cyber security for
individuals and families through
the following interventions:
12 National Cyber Security Centre National Cyber Security Centre 13
Annual Review 2019 Annual Review 2019
Understanding the threat Reducing the burden:
In the year ending March 2019, it is estimated malicious emails, social engineering Secure by Design
that there were just under one million (966,000) (the manipulation of people into performing an
incidents of computer misuse experienced by action or giving away confidential information), Many consumer products that are connected Alongside work encouraging, and eventually
adults aged 16 and over.1 water holing (a website infected with malware to the internet are found to lack basic security mandating, manufacturers to make (and keep)
or containing a link to malware) and by making features, putting consumers’ privacy and security their products secure, the NCSC and DCMS have
Whilst this represents a significant reduction on them download malicious software and apps. at risk. The NCSC has been working closely with published guidance to help people protect
the previous year, the large volume still shows the Department for Digital, Culture, Media and themselves. Grounded in its technical expertise,
that we cannot be complacent. Once the criminals have access, they can use Sport (DCMS) to support consumer ‘Internet of this includes advice on setting up devices,
malware and ransomware to access individuals’ Things’ (IoT) manufacturers of all sizes to ensure checking default settings, and managing updates.
Some typical ways in which criminals access accounts, steal data, and even stop people their devices have good cyber security practices
citizens’ online activity are through sending accessing their own files, accounts and devices. built in from the design stage.
“The progress we have made
As the UK’s lead technical authority, the NCSC
provided the technical grounding and insight on ‘Secure by Design’ has
Making cyber security relevant for the government’s Secure by Design Code of
Practice for consumer IoT security, published in
October 2018. The code presents a clear set of
been the product of a great
to people in their everyday lives 13 guidelines for manufacturers to embed into
their devices.
partnership between DCMS
and the NCSC. Both on the
The NCSC and DCMS engage with international
standards bodies that create industry-led development of standards
The NCSC's approach to The NCSC’s advice for individuals standards for IoT security. In February 2019, the
‘you-shaped’ security and families European Telecommunications Standards Institute that are based in the language
(ETSI) launched the first globally applicable
The NCSC is dedicated to finding ways of standard on the cyber security of internet- of our Code of Practice, or
making cyber security relevant to people in Protect your accounts... connected consumer devices, ETSI TS 103 645.
their everyday lives. This technical specification builds on the Code of through productive challenge
Use a unique and separate password for Practice, creating a community-driven standard
“We look at the interaction between people your email with a global scope. sessions on our future
and technology and try to make it easier for
people to be secure as they get on with all the Use three random words to create a strong The NCSC and DCMS do not think it is right to regulation proposals, we
things they need to do,” says the NCSC's Helen. and memorable password expect all consumers to be ‘cyber security experts’
and wish to remove the burden from them having work together as a united
“One of the most important things we’ve seen Store your passwords somewhere safe: to differentiate products that do or do not take
is the changing mindset between the idea save to your browser or use a password their responsibility to security seriously. That’s why front towards our ambition
of ‘let’s alter the behaviour of the person or manager the NCSC has also worked closely with DCMS’
assume they are going to make a mistake’ consultation on regulation, preparing to eradicate of protecting citizens and the
to ‘how can we support developers to make Add extra security to important online worst practice and embed transparency between
more secure and user-friendly products?’” accounts: turn on two-factor authentication the manufacturer and the consumer at the point wider economy from harm.”
of purchase.
Ceri, another NCSC expert, says “We are looking Peter Stephens, Head of Secure by Design,
to move security away from being mainly about Look after your devices... Department for Digital, Culture, Media and Sport
threat and vulnerability – the idea that there’s
always somebody trying to attack you – to a Set your phone and tablet to
more positive conversation that shows people automatically update
security should not be a barrier to things they “Everybody needs to know how to stay safe online, and our
want to do. Install the latest updates on your phone
and tablet when prompted new website is full of actionable advice to protect you and
“Instead of forcing security rules on people,
we are aiming to make it more approachable Turn on back up for data stored on your your loved ones.
through clearer language. To do this, we look phone and tablet
towards experts in communications, marketing
and advertising, to refresh the message, always
with the aim of ensuring the public feel that “While it is formed from the expertise of the UK’s top cyber security
security is a help, not a hindrance. There is a lot
of work that goes into ensuring that a simple brains, it’s vital that the advice can be understood by everyone.”
message reaches the right spot.”
1 Crime Survey for England and Wales 2019 Nicola Hudson, Director Policy and Communications, NCSC
14 National Cyber Security Centre National Cyber Security Centre 15Annual Review 2019 Annual Review 2019
% strongly
UK Cyber Survey 2019
agree
% strongly
disagree 4
15
The first UK Cyber Survey was conducted this The UK Cyber Survey found that people are 20
year to better understand what the general public concerned, confused and, to some extent,
and organisations think, feel and do – and don’t fatalistic that they will become victims of 37% agree that losing money or
agree
do – about cyber security across the country. cyber crime.
22 personal details over the internet
37%
is unavoidable these days.
The polling was independently carried out on The insights are informing the government’s
behalf of the NCSC and DCMS. approach, and the guidance offered by the
NCSC, to help organisations and the public 31
protect themselves against cyber threats. 8 % tend
to agree
% tend to
disagree
% neither/
% nothing
% a great nor
at all
deal
7 1 % very low
15
% not very % fairly low priority % very high
much priority priority
23 % medium
know great deal Two in three say they know a priority 4 41
/fair amount great deal/fair amount about how
68% to protect themselves online. 12
80% say cyber security is a high
high priority priority to them, half citing it a
80% 50
53 ‘very’ high priority.
% a fair
amount 30
% fairly high
priority
70% believe they will likely be a victim of at least one specific type of cyber crime over
the next two years, and most feel there would be a big personal impact.
% strongly
agree
likely to happen to you over the next two years
very/fairly big impact
% strongly 2
disagree 17
33
One in three rely to some extent
agree
34% 17 on friends and family for help on
cyber security.
7
23 % tend to
agree
% neither/
nor
% tend to
disagree
Having Personal Apps on your Having a Having money Losing access to Personal
Note
money stolen information such devices such as power cut in your stolen which is your accounts information The UK Cyber Survey 2019 was commissioned by the National Cyber Security Centre and Department for Digital, Culture,
which is then as photos being Uber, Deliveroo or home because not reimbursed such as your such as photos Media and Sport as part of the UK government’s National Cyber Security Programme.
reimbursed accessed in an Instagram being your energy backups or being stolen
unauthorised way accessed without company has cloud storage and access
your consent suffered a cyber denied until a Ipsos MORI surveyed 2,700+ respondents: general public aged 16+, businesses, charities and public sector representatives
attack ransom is paid from November 2018 to January 2019 via telephone.
16 17Annual Review 2019 Annual Review 2019
Quietly fixing the technology Most_Hacked_Passwords
A significant priority for the NCSC is keeping Securing the UK’s mobile networks
individuals and families safe from cyber
threats. It does this by bringing its technical Mobile networks worldwide establish signalling
and operational expertise to bear, to identify connections between one another to support
and fix cyber security problems. a range of services, such as international calls
and roaming. As these connections could also
By working behind the scenes, the NCSC can be used to negatively impact services in the UK,
ensure that cyber security issues have as little the NCSC has worked with mobile operators to
impact on UK citizens as possible, in many perform live security testing of the UK’s signalling
cases resolving problems before they arise. interfaces. The NCSC has now tested 19 networks
After all, prevention is better than cure. of different types across the six major mobile
operators and has fed back the results of the
Haulster: Automated defence testing to those operators.
of credit cards
This has helped the operators, with the support
The NCSC’s pioneering Haulster operation has of the NCSC, to better understand the risk,
disrupted financial cyber crime by flagging share best practice and make improvements.
fraudulent intention against more than one Ultimately, this will help to ensure the UK’s mobile
million stolen credit cards. It is in the process services become more secure and robust.
of scaling this operation, and hope to reduce
considerably more attacks in the near future. Protecting our internet routing
Increasingly, criminal groups are using criminal The Border Gateway Protocol (BGP) is used
marketplaces in cyberspace to buy and sell to route the internet between Internet Service
personal information and credit card details. Providers (ISPs) around the world. When BGP
Haulster takes stolen credit cards collected by is misused, either accidentally or maliciously,
the NCSC and partners, then, working with UK it can disrupt the internet until the issue is
Finance, repatriates them to banks, often before resolved. For example, sending data via an
they are ever used for crime. Card providers are attacker’s network.
then able to block cards to protect both financial
institutions and the public. The quicker misuse is discovered, the lower the
impact, which is why the NCSC has worked with
In most cases, this has been done before a a major UK carrier to speed up the UK’s response
crime has taken place, meaning hundreds of to BGP misuse. The NCSC has built BGP Spotlight,
thousands of victims of high-end cyber crime a detection and analysis system for BGP, that will X A
were protected before they lost a penny. alert the UK’s carriers when BGP misuse occurs to
allow them to respond quickly, analyse the cause,
Online shopping and minimise disruption to the UK’s internet.
Criminals had been exploiting Magento, BGP Spotlight processes 25 million messages
an open source ecommerce shopping per hour from over 200 sources, converting these
platform commonly deployed on many websites. into 800,000 daily events across 240,000 unique
They had written malicious JavaScript code destinations, a number which is set to expand as
which copied all credit card transactions and UK ISPs are in the process of adding data to, and
silently sent the results to domains controlled receiving alerts from, the BGP Spotlight system. V
by them. The NCSC conducted a successful trial
to identify and mitigate vulnerable Magento carts
via take down to protect the public. The work
now continues. To date, the NCSC has taken
down 1,102 attacks running skimming code The NCSC has published analysis of the
(with 19% taken down within 24 hours of 100,000 most commonly re-occurring
discovery). Without the NCSC’s Active Cyber passwords accessed by third parties in
Defence intervention, it is likely these attacks global cyber breaches, having been sold
would have continued indefinitely. or shared by hackers.
The NCSC aims to reduce risk of further
breaches by building awareness of how
attackers use easy-to-guess passwords. List created in April 2019 after breached usernames and
passwords were published on ‘Have I Been Pwned’ website.
18 National Cyber Security Centre National Cyber Security Centre 19Annual Review 2019 Annual Review 2019
Targeting the
biggest risks:
what we do to protect people
The UK continues to be one of The NCSC’s breadth of work,
the most digitally advanced programmes and projects,
countries in the world, with our together with its close
lives being online more than partnerships with industry
ever before. As this digitisation and government, mean that
continues, it is vital that the it is able to help protect the
UK remains able to protect its institutions, infrastructure and
organisations, business and services that people so heavily
citizens against cyber crime. rely on day to day.
20 National Cyber Security Centre National Cyber Security Centre 21Annual Review 2019 Annual Review 2019
Active Cyber Takedown Service Web Check
Defence 98% of phishing URLs
Change over time of the number of users signed
up to Web Check, by month.
UK share of visible
discovered to be malicious were successfully
3,200
A cooperative approach: the UK’s taken down.
Active Cyber Defence programme
global phishing
attacks reduced to
The ultimate goal for Active Cyber Defence Number
of Web
(ACD) is for there to be fewer cyber attacks This totalled Check 2,387
users
2.1% (August 2019). 177,335 phishing URLs
in the world, causing less harm. It represents
a significant step-change in the country’s
approach to cyber security, because of its
voluntary, non-regulatory, non-statutory (23,311 attacks by group).
approach delivered in partnership with
central government, local government UK share of global phishing – change over time Sep
18
Nov
18
Jan
19
Mar
19
May
19
Jul
19
and business. from June 2016 to Aug 2019
As difficult as this sounds, the NCSC can 5.31% 62.4% The number of urgent findings resolved
provide evidence that it works. In sharing by users after being detected by Web Check
this knowledge, it hopes to inspire other of these were removed within 24 hours of being doubled to a level of approximately
500 per month
countries to adopt bold measures, 3.33% determined malicious.
in partnership with industry, to protect
their digital homelands.
2.07%
Jun Sep Dec Mar Jun Sep Dec Mar Jun Sep Dec Mar Jun
16 16 16 17 17 17 17 18 18 18 18 19 19
Active Cyber Defence includes some of the Mail Check Protective DNS
following pioneering programmes:
1 Web Check helps make websites a less
More than double
More government domains are now using DMARC,
In 2016, HMRC was
attractive target, by finding obvious security the email authentication, policy and reporting
issues and pointing them out to the website’s protocol, making phishing attacks which spoof
the 16th most phished
owner so that they can be fixed. these domains more difficult. the number of government organisations
are now protected by the PDNS, preventing
2 Protective DNS (PDNS) blocks public sector
brand globally. In Sept
Change over time of the number of gov.uk them from accessing websites hosting known
organisations from accessing known malicious domains using Mail Check/DMARC, by month. malicious content.
2019, as a result of ACD
domains or allowing malware on already
compromised networks from calling home.
services and HMRC 460+ organisations
1782
3 Takedown Service finds malicious sites and
countermeasures,
sends notifications to the host or owner to get Domains
with DMARC
them removed from the internet. are using the service and it blocks around
their ranking had
Number
of domains
20,000 unique domains at a rate of 6.5 million
4 Mail Check helps public sector organisations times per month.
dropped to 126th in
take control of their emails, making phishing
attacks which spoof those organisations 220
the world.
more difficult. Change over time of the number of active
organisations using PDNS, by month for the
Jul Nov Mar Jul Nov Mar Jul
17 17 18 18 18 19 19 period of this report.
460
Number of
organisations
216
Aug 18 Oct 18 Dec 18 Feb 19 Apr 19 Jun 19 Aug 19
22 National Cyber Security Centre National Cyber Security Centre 23Annual Review 2019 Annual Review 2019
Case studies “The NCSC is not the only What’s next
organisation with good
ideas, and the UK is not the
for Active
only country connected to Cyber Defence?
the internet. We welcome
Active Cyber Defence has protected thousands
partnerships with people of UK citizens and further reduced the threat of
UK brands being exploited by criminals.
and organisations who wish
to contribute to the Active While these successes are encouraging, the NCSC
Protecting schools Protecting the legal sector knows there is more to do and it has a number of
Cyber Defence service projects in the pipeline, including:
Active Cyber Defence tools highlighted a local For the first time, the NCSC used ACD tools ecosystem, analysis of the • An automated system which acts on
authority (LA) primary school network behaving to tackle advanced fee fraud impersonating information from the public to take down
as though infected with Ramnit – a worm which the UK legal sector. Both bogus law firms, data, contributing data or malicious sites.
affects Windows systems. The LA was notified, and impersonation of legitimate law firms,
and an investigation found that the antivirus are techniques used by fraudsters in an infrastructure to help it make • The NCSC 'Internet Weather Centre', which will
that was installed on the school’s systems was attempt to increase the credibility of their aim to draw on multiple data sources to enable
not working. As a result, the school had a wide attacks. Increasingly, scammers use real law better inferences. We believe full understanding of the UK’s digital landscape.
level of infection. Not only did the Active Cyber firms and other entities to try to make their
Defence tool block the malicious connections, attacks look more legitimate. that evidence-based cyber • The Infrastructure Check service: a web-based
containing any harm, it also identified the tool to help public sector and critical national
malware and notified the LA. The LA was able security policy – driven by infrastructure providers scan their internet
to install a working antivirus and the infection connected infrastructure for vulnerabilities.
was cleaned up within a day. evidence and data rather
• Breach Check: a web-based tool to help
than hyperbole and fear government and private sector organisations
check whether employee email addresses
– is the way forward.” have been compromised in a data breach.
Dr. Ian Levy, Technical Director, NCSC • The NCSC is also exploring additional ways
to use the data created as part of the normal
operation of the public sector protective
DNS service to help users better understand
ADVADGAA and protect the technologies in use on
their networks.
Protective DNS is actively engaging with
Protecting airports Protecting emergency services organisations from central government, local
authorities, emergency services, devolved
administrations, the NHS and Ministry of Defence
The NCSC has been tackling the abuse of public Two fire services merged to form a new super (MoD). For those sectors that are not eligible to
sector email domains in the UK. One such incident service with a new name and associated internet use PDNS, the NCSC is working with industry to
occurred when criminals tried to send in excess domain. One of the organisations subsequently broaden the benefits of the service. The NCSC
of 200,000 emails purporting to be from a UK deregistered their original domain. However in intends to share indicators of compromise
airport, using a non-existent gov.uk address in a just three months, Synthetic DMARC blocked more with DNS providers to use on their own services.
bid to defraud people. However, the emails never than 150,000 emails from this now non-existent This will mean organisations and individuals who
reached the intended recipients’ inboxes because domain. There is no way of knowing whether are not eligible for the PDNS still benefit from the
the Active Cyber Defence system automatically these were as a result of fraudulent purposes NCSC's knowledge and expertise. Through the
detected the suspicious domain name and the or misconfiguration, but shows the necessity NCSC and industry working together, a greater
recipients’ mail providers never delivered the to correctly curate domains throughout number of users can benefit from DNS filtering.
spoof messages. The email account used by their lifecycle.
the criminals to communicate with victims was
also taken down.
24 National Cyber Security Centre National Cyber Security Centre 25Annual Review 2019 Annual Review 2019
Raising cyber Mail Check monitors Working with local government
resilience 6,273 The NCSC assists local government both through
direct engagement at a local level, supporting
its networks of technical staff, and working with
representatives from member organisations
the English regions, to build understanding
of cyber threat and foster good practice to
manage risk. As a result, 85% of delegates
have said they would make changes to
across domains classed
as public sector.
including the Local Government Association
(LGA) and the Society of Local Authority Chief
Executives (SOLACE).
their cyber security practice.
Digital Government Lofts
government Commissioned by the Ministry of Housing,
Communities and Local Government (MHCLG),
The successful sharing of the NCSC’s expert
advice and guidance across UK government
and the and funded by the National Cyber Security
Programme, the NCSC is supporting the design
and delivery of the MHCLG ‘Think Cyber, Think
and the public sector through Digital Lofts
continues. This year’s locations and hosts
have included Warwickshire County Council,
public sector Resilience’, Cyber Pathfinder training scheme.
This provides a series of workshops for senior
leaders, policy makers and practitioners across
the Met Office in Exeter, as well as the Scottish
government in Edinburgh.
The NCSC works closely with public
sector bodies to protect the networks,
data and services which the UK
depends upon.
Working with central government
The NCSC provides assurance on key The number of public Web Check for Local Authorities
systems across central government
departments and agencies, assisting sector domains protected
them to develop their security strategies by DMARC [an Active
and secure their networks.
Cyber Defence tool]
Building on the success of the more than tripled
from 412
Transforming Government Security
Programme, the NCSC is working with Local Authorities % Using Web Check
the Cabinet Office’s Government
Security Group, providing advice and
guidance to shape policy development
on cyber security.
England 336 97%
at the end of December 2017
to 1,940
Wales 22 100%
Scotland 32 100%
in September 2019.
NI 11 90%
UK 401 97.75%
26 National Cyber Security Centre National Cyber Security Centre 27Annual Review 2019 Annual Review 2019
Cyber health check for the NHS Vulnerability Disclosure Detect and forewarn to protect
government departments
The NCSC is working with health authorities such progress and improvement to the If someone finds a vulnerability in a UK
across the UK to reduce the risk of another security posture and resilience of Health government website and cannot contact The NCSC’s Host-Based Capability tool
major cyber attack affecting the NHS. and Care in such a short period of time.” the system owner, they can report the collects and analyses technical metadata
vulnerability to the NCSC’s Vulnerability to help government departments
The WannaCry ransomware attack of All hospital trusts in England will be offered Reporting Service. This is part of its wider understand the threats they face. Following
2017 caused disruption in a third of all the free Secure Boundary solution which efforts to improve vulnerability handling a successful pilot year, the service has been
hospital trusts across England, leading to includes next generation firewalls and across the public sector. Following deployed to 35,000 government devices
cancelled operations and appointments the NCSC’s Protective Domain Name the service’s launch, the NCSC has across nine departments. The capability
for many patients. The incident brought System (PDNS) service. This will help NHS received reports covering a number is complementary to departments’ own
to light a number of weaknesses in organisations to defend against future of security issues including cross-site security measures. The data the NCSC
the cyber defences of the NHS. attacks, including ransomware, and enable scripting and subdomain takeover. collects is used to detect malicious activity,
them to keep providing care for patients. provide monthly threat reporting and
For this reason, the NCSC has been working In addition to the Reporting Service, assess exposure to serious cyber threats.
with NHS Digital, the national information Another benefit of the new system is that the NCSC also launched the Vulnerability
and technology partner for the health it will be possible to spot when a cyber Disclosure Pilot, working with a number
service in England, on the procurement attack is attempted on a particular hospital of UK government departments to
of a new perimeter security solution trust. NHS Digital will use this information kick start best practice in vulnerability
for the NHS. The NCSC lent its technical to better understand the threats facing disclosure across the public sector.
expertise, providing cyber experts to review the health sector and also to give
the bids against security standards. tailored advice to specific hospitals.
Dan Jeffery, Head of Innovation, Delivery The NCSC has also been working closely with
& Business Operations at NHS Digital, the health services in Scotland, Wales and
stated: “The NCSC has provided critical, Northern Ireland to ensure they can benefit
timely, and invaluable technical and from PDNS and other Active Cyber Defence
strategic advice, input, and guidance to services. It is also providing technical support
the Secure Boundary programme as well to bespoke devolved health platforms.
as the Cyber Programme in general.
“The enduring strength of the relationship
between the NCSC and NHS Digital’s
Data Security Centre is one of the
reasons we have been able to deliver
GDFGGFADAVVGVGADAADVAXFV XVDAADGAVGDGXAAAGGAGDA
28 National Cyber Security Centre National Cyber Security Centre 29Annual Review 2019 Annual Review 2019
Defending democracy
The foundations of liberal democracy are under European elections (May 2019), the NCSC provided
increasing threat from cyber attacks and the guidance, informed by comprehensive cyber “We depend on the work of “Digital technology continues
NCSC plays a key role in defending the UK’s threat assessment, on risks and advice on
political process. protecting systems and people to political parties. hundreds of thousands of to change the way that
The NCSC meets with UK political parties The NCSC monitors known adversaries who look volunteers, and so collect elections are run and fought;
(which take up at least two seats in the House to target parties or even politicians. If threats
of Commons) every three months and regularly are detected, the NCSC shares the details of the and hold a great deal of it also changes the way that
gives cyber security advice to parliamentarians. threat and tailored advice, allowing the individual
During the local elections (March 2019) and or organisation to put mitigations in place. data – and we work hard to voters are informed and
keep it safe. Knowing the NCSC influenced. Since its creation,
“The NCSC is very proactive “The role of Chief Information is also there to look after the the NCSC has provided valued
and efficient in quickly Officer, for one of the UK’s integrity of our information, support to the Commission
speaking to all the relevant major political parties, especially at election time, is and wider electoral sector,
staff here to alert us to an has its stressful moments. a tremendous reassurance. to mitigate the risks posed
issue. Beyond just dealing with Having the NCSC on hand The NCSC’s advice has been by these innovations. We
incidents at hand, we have also helps you sleep at night. invaluable in making our welcome their important role
received a number of very clear The online briefing material systems more secure.” in supporting the ongoing
and helpful recommendations is excellent and is frequently Tim Waters, Director of Data & Targeting, integrity of elections in the UK.”
The Labour Party
to further harden our systems quoted. When an incident Bob Posner, Chief Executive.,
The Electoral Commission
which we have subsequently happens, their support and
undertaken. It was great to advice quickly gets the
have the support at the time, incident under control
but also to have our contact and helps calm senior
follow up with us some weeks management.”
later to check whether any Paul D Bolton, Chief Information Officer,
Conservative Campaign Headquarters
further support was needed
or desired.”
Sian Waddington, Director of Operations,
Liberal Democrats
30 National Cyber Security Centre National Cyber Security Centre 31Annual Review 2019 Annual Review 2019
Serving every part of the UK “Our engagement with the NCSC has helped us to establish
our executive agency, Social Security Scotland, followed by
The NCSC continues to work across the whole platform for payment of devolved benefits to
of the UK. This includes support to devolved citizens, plus their platform for supplier payments. the launch of our public facing cloud based digital platform,
administrations in Wales, Scotland and Northern This year, the NCSC hosted the CyberFirst Girls
Ireland, raising cyber resilience across all sectors. Competition final in Edinburgh and CYBERUK 2019 which underpins the delivery of the first live devolved benefit
in Glasgow, with Scottish government taking the
The NCSC worked with Welsh government opportunity to showcase in parallel the work of payments Scotland. The NCSC has provided us with expert
to ensure its advice for citizens and families was the Scottish Cyber community with a number of
included in its Digital Inclusion Programme, to side events, including “Scotland Cyber Week”. advice and guidance through technical workshops and
help all citizens to get online safely. In support of
the TARIAN and North West Regional Organised The NCSC worked in partnership with Scottish engaging its partners to share experiences. This has given
Crime Units, the NCSC provided materials and government to deliver bespoke workshops
speakers for the Welsh Cyber Bus Tour, supporting for small businesses, charities, CEOs, and us valuable assurance in support of our strategic security
local business, community groups and the public launched the Exercise in a Box tool. It continued
to enhance their cyber resilience. The NCSC also its support of the cyber catalyst network, ensuring objectives and our own ‘Secure by Design’ principle.”
provided technical security advice to the Welsh effective peer to peer sharing of best practice
Revenue Authority, which collects and manages and NCSC guidance. John Campbell, Head of Digital Risk & Security Social Security Directorate,
devolved taxes in Wales. Scottish Government
The Scottish Qualifications Authority and
In Northern Ireland, the NCSC advised on Scottish Credit Qualification Framework have
IT controls, protecting the country’s ~1.75m also approved the NCSC’s CyberFirst awards
citizen electoral records. It continues to build for Defenders, Futures and Advanced courses,
partnerships across the economy and society in meaning that anyone completing these courses “We have made significant investments in improving our cyber
Northern Ireland, including delivering briefings to will now receive recognised learning credits.
charity leaders in partnership with the Northern defences and cyber hygiene. The NCSC has proven to be an expert
Ireland Council for Voluntary Action, helping to Take up of the NCSC’s Active Cyber Defence
ensure cyber is considered alongside business continues across all three devolved advisor in defining and refining our requirements, most especially
risks. The NCSC also partnered with Northern administrations, helping to protect local
Ireland Department for Education to improve government and other public online services. in our plans to implement a Security Information and Events
cyber resilience in schools across the country. In Scotland, the majority of public sector
organisations are using one or more of the Management Service and associated Security Operating Centre.
In Scotland, the NCSC has provided significant tools, and increased take-up in Wales and
bespoke technical advice on several new online Northern Ireland continues at pace. Their experience of forensics, analytics, alerts and appropriate
services. This includes the new Scottish online
approaches to monitoring has been invaluable.”
Chief Strategy Officer, Northern Ireland Civil Service
“The NCSC continues to provide valuable advice and
guidance for us to share with Welsh stakeholders which
greatly contributes to increasing cyber security capability
within Wales. We value the engagement and ongoing
support in several areas, including increasing take-up
of Active Cyber Defence tools in the Welsh public sector
and encouraging participation of Welsh students on
CyberFirst courses.”
Representative, Welsh government
32 National Cyber Security Centre National Cyber Security Centre 33Annual Review 2019 Annual Review 2019
ATM
Critical National
Infrastructure
Thwarting ATM attacks
On multiple occasions, the NCSC has alerted As a result, banks swiftly put defensive measures
Everyone in the country relies The NCSC’s work spans CNI in UK financial institutions to imminent threats from in place that protect them against financial loss
on the UK’s Critical National the public sector, as well as a ATM cash-out fraud at home and abroad. This is and reputational damage. Most recently, the
Infrastructure (CNI) day in, day focus on nine critical private where cyber criminals compromise banking and NCSC alerted 56 banks to a specific ATM cash-out
out. We all need the country’s sectors: communications, payment infrastructure, and obtain card details threat after receiving actionable information. As a
communications networks to transport, energy, civil nuclear, that can be used to withdraw large sums of cash result, the banks were able to block any attempt
keep in touch with friends and finance, water, chemicals, from ATMs. Once already in progress, these by the attackers to fraudulently withdraw money
family, transport networks to space and food. It provides attacks can be difficult to stop. from customer accounts.
travel to work and school, and direct support to hundreds
energy networks to power and of public and private sector The NCSC works with industry and government
heat our homes. Interruption organisations that own, partners around the world to share information
to any of these critical services manage and maintain CNI and disseminate alerts about threats and
could cause serious disruption assets in the UK. This includes anticipated malicious activity.
to our lives and potentially one-to-one technical advice,
damage the economy. sharing threat information,
facilitating cyber exercises
Strengthening the cyber and running information on
resilience of the UK’s most exchanges for organisations to
critical systems therefore share knowledge and expertise.
remains a top priority.
34 National Cyber Security Centre National Cyber Security Centre 35Annual Review 2019 Annual Review 2019
Defending online banking Keeping the lights on
There has recently been a rise in the attacks, determine how they were being carried A successful cyber attack against the energy Digital integration is only adding to the security
sophistication of SMS-interception attacks, out, and develop mitigations. This information sector could disrupt the fuel and power supplies challenge. The NCSC’s recent review of smart
with multiple financial institutions and sharing continues through the NCSC’s Cyber our country so heavily relies on. That’s why the metering infrastructure for BEIS, and the
Communications Service Providers (CSPs) Security Information Sharing Partnership NCSC’s work with energy firms has been diverse recommendations it produced, is one illustration
being affected. (CiSP) platform. and extensive. of how the NCSC works with government
departments to ensure the highest cyber security
The attackers intercepted SMS messages This year the NCSC worked with one of the UK’s standards across the sector.
sent as part of the two-factor authentication “At the heart of the NCSC's mission is protecting largest oil refineries to review and advise on an
(2FA) needed for online banking. Whilst 2FA is critical pieces of our infrastructure; keeping the upgrade to its systems, greatly increasing its
generally recommended by the NCSC, in this service they provide secure keeps the country resilience. The NCSC’s Cyber Adversary Simulation “We would like to thank the NCSC for the
case messages from multiple banks via multiple running. It's only through these partnerships team also conducted an exercise against a invitation and our subsequent involvement
mobile networks were targeted, allowing the with industry that we can understand the risk critical supplier of road fuels, which identified in the sector-wide cyber security test.
criminals to make fraudulent payments to their we face, protect current systems and secure vulnerabilities that the company has since The challenge and results from the scenario
accounts at the expense of the wider public. the infrastructure of tomorrow.” protected itself against. exercising has been invaluable in applying
The NCSC was in a unique position to bring improvements to our emergency planning
experts in the telecoms and finance industries Clare Gardiner, Director National Resilience In partnership with the Department for Business, and resilience processes, along with
together to share information regarding the & Strategy, NCSC Energy and Industrial Strategy (BEIS), the NCSC recognising the importance of cross industry
held a complex technical exercise with electricity support and alignment during such events.”
distribution network operators. It was the
culmination of a two-year project and involved John, Scottish and Southern Electricity Networks
more than 170 participants at 13 different UK
locations to test the sector’s response to a
national-level incident.
36 National Cyber Security Centre National Cyber Security Centre 37Annual Review 2019 Annual Review 2019
Threats to air passenger data Securing the future: Smart cities
The aviation sector has continued to be an It has also continued working with NATS, the main Across all sectors the drive to reduce costs, effectively. While it would take a lot of paint and
attractive target for cyber attackers. Airlines air navigation service provider in the UK, to review increase efficiency and provide new data- physical presence to manually deface all the
store vast amounts of personal identifiable the cyber security of their air traffic control and driven services is leading to increased digitisation traditional road signs in an area, it could be
information (PII), which criminals can sell or management system. and automation. Cities are no exception, with possible to change all the signs in a city without
use for spear phishing and identity theft. councils looking to technology to help with a ever setting foot in it, if smart signage projects
State actors may also be interested in airline suite of challenges including reducing congestion, are badly implemented.
PII for counter-intelligence purposes or “The challenge and results from the scenario improving public safety, and enhancing local
tracking dissidents. exercising have been invaluable in applying health care services. The NCSC is applying its experience in helping
improvements to our emergency planning national and local government ensure that
The NCSC’s work with the sector has included and resilience processes, along with There are two main themes to the security personal data is protected, and its understanding
assisting UK airlines targeted by a group known recognising the importance of cross industry challenges in smart cities. The first is ensuring of the security challenges in critical national
as Chafer. This group, which security companies support and alignment during such events.” that citizen privacy is maintained, and that infrastructure, to the new and emerging
have linked to Iran, has a history of targeting personal details required to operate the services challenges presented by smart cities.
global organisations for bulk personal data sets. NATS, the UK’s leading provider of air traffic are secured. The second is understanding the
The NCSC helped the airlines identify potential control service interdependencies between a smart city’s In one real-world example, a council is using
risks to their networks and offered mitigation services, and the impact of failure. For example, traffic flow data to adjust road signs in the city
advice, minimising the impact. computerised road signs may depend on to divert traffic, saving citizens an average of
power and a data connection in order to work 60 hours per year on their journey times.
38 National Cyber Security Centre National Cyber Security Centre 39You can also read
