The National Cyber Security Centre has to build for the future

The organisation’s third annual report shows how much has been done to secure Britain’s digital networks—and how much is left to do

October 23, 2019
Ciaran Martin (UK National Cyber Security Centre). Photo: Andrew Milligan/PA Wire/PA Images

The UK’s National Cyber Security Centre (NCSC) has published its third annual report, showcasing its efforts to build a safer digital Britain. Despite roots in GCHQ, the NCSC’s commitment to transparency is clear and significant. Cybersecurity is often spoken and written about in an inaccessible way. From obscure technical language to secretive capabilities, all too frequently the topic is confined to the few in the field who already have deep knowledge. Instead, the NCSC’s non-technical annual report engages with the public. One aim is to help wider society understand cybersecurity initiatives such as “Secure by Design” or “Active Cyber Defence.” The NCSC also provides guidance on good everyday cyber hygiene in a simple and digestible format.

The next UK Cyber Security Strategy will require this sustained transparency, clear communication, and commitment from the NCSC to maintain a high level of engagement with the public. But how does the organisation build on the work it has already done? What areas of cybersecurity should it focus on in future? Where does it need to be even more transparent?

Cybersecurity is a Tier 1 threat and will remain so, as a result of the widespread and enduring impact that cyberattacks have—not just on individual citizens but also businesses and critical national infrastructure. An important focus for the NCSC is increasingly sophisticated state and non-state actors. On 21st October, the Russia-based Turla Group was exposed as piggybacking on Iranian hacking group OilRig. Turla mimicked the Iranians’ cyberattack methods, accessed their infrastructure and used their unique tools to target its own victims. The Turla Group has previously been attributed to the Russian intelligence agency, the FSB. Paul Chichester, Director of Operations at the NCSC, said that the operation was at a level of sophistication that has never been seen before.

State actors such as Russia, China, North Korea and Iran have become bolder in their approach, launching complex attacks on hard-to-reach targets. In its report, the NCSC outlined its work in attributing such attacks to nation states. Working with the Foreign and Commonwealth Office, it has developed a robust framework for information sharing internationally, to ensure partners work together in “calling out” adversaries. The impact of public attribution in deterring adversaries remains to be seen. There are some claims that the US in particular is becoming less successful at deterring cyberattacks.

Nonetheless, collective attribution is still a linchpin in responding to adversary state actors. It provides the basis for other tools to be used by states, such as sanctions and other collective action. International engagement is vital and the NCSC is central to maintaining the UK’s position as a leading cyber nation. This will require efforts to engage with countries across the globe to help them move forward in cybersecurity. Many are in the early stages of cyber development.

The NCSC’s annual review discusses defending democracy, the work it does with political parties and risk management strategies around elections. Adversary nations are particularly interested in disrupting elections. Facebook has recently revealed four Russian and Iranian operations to spread disinformation through fake accounts on a number of platforms. One of the operations, linked to Russian troll organisation the Internet Research Agency (IRA), attempted to influence the US 2020 presidential election by targeting and discrediting Joe Biden’s campaign. In the future, the NCSC will have to work more closely with social media companies to understand and disrupt disinformation campaigns.

Another challenge the NCSC will face is people. With flagship skills programmes such as Cyber First and the Academic Centres of Excellence, the NCSC is hoping to develop a pipeline of future cyber professionals that the country will benefit from in the next 10 years and beyond. But in order to reduce the skills gap that inhibits the private and public sectors, the NCSC must focus on mid-career professionals. These individuals have a proficiency for cybersecurity but little to no guidance or opportunity. A flagship scheme for this group would reduce the current skills shortage. If targeted correctly, it could solve issues such as a lack of diversity in the industry.

While these challenges are not an exhaustive list of future priorities for the NCSC, they do require greater investment from the UK government. The NCSC should drive future UK cybersecurity strategy objectives. A serious question for the government in the next spending round is whether the NCSC has the right resources to do the vital work that only it can do.
