Despite companies “hanging up” when GCHQ rings them to say they’ve been hacked (true story), “the UK has avoided a category 1 [infosec incident]”, according to National Cyber Security Centre chief Ciaran Martin.
NCSC’s annual review, the second of its kind, was issued today and contained few surprises. It consisted mostly of GCHQ’s public-facing arm patting itself on the back and highlighting its response to last year’s WannaCry malware outbreak, which took down a large chunk of the UK’s National Health Service infrastructure in early 2017, among other orgs across the world.
Perhaps unsurprisingly, the review failed to mention WannaCry hero and friend to the NCSC Marcus Hutchins, the UK security researcher known as MalwareTech who found the killswitch and played a critical role in halting the spread of the ransomware worm by registering a web domain specified in the reverse-engineered binary.
GCHQ reportedly allowed Hutchins* to be arrested by its US friends during a trip to Las Vegas.
The organisation, which continues to focus on protecting the public sector from infosec threats, still works with the Five Eyes spy alliance (the UK, USA, Canada, Australia and New Zealand) and is still defending critical national infrastructure, including the UK’s privatised air traffic control networks.
So far this year NCSC said it has handled 557 incidents, had 139,000 phishing sites deleted and written more than 130 pamphlets and advice blogs on what to do when security badness happens to your organisation.
It also described what happens when its “handlers” pick up signs that a company has been the victim of an attack. A staffer said: “That’s not always easy – we get a lot of people hanging up! They might think it’s just someone on the inside or don’t realise the seriousness, so sometimes we need to have persuasive skills as well as technical knowledge.”
Dixons Carphone, however, agreed to be quoted in the report as saying “the NCSC has been supportive and provided valuable advice” following the theft of 10 million customer records earlier this year, so while it is easy to sneer, the NCSC is beginning to earn its keep within the private sector.
Building on those links with the wider economy, the NCSC has also come up with an initiative named Industry 100, in which private-sector infosec folk get seconded to the NCSC itself “on a part-time basis” to learn more about security, though “participating organisations are expected to continue to pay salaries” for employees going off on one of the short-term placements.
Attribution plays a key part in NCSC/GCHQ’s work, on the basis that “it helps us to better understand who is targeting us, investigate them and share our findings”, according to the review. By attributing WannaCry to North Korean state-backed hackers, the agency was able to discount the idea that a for-profit group of criminals was trying to make a fast buck out of ransomware – and instead concluded that hacking tools originally developed by the American National Security Agency were now being used by hostile states as weapons.
As for the future, among the usual boilerplate of apprenticeships, sponsored student placements and kitemark-style certification schemes, the NCSC is heavily involved in Queen’s University Belfast’s Research Institute in Secure Hardware and Embedded Systems, which we are told will “announce its first funded projects in December 2018”. Middlesex University is also said to be working on “a cryptosystem that is immune to quantum computer attacks”.
The full 27-page review can be read online or downloaded from the NCSC website. The agency has hidden a little codebreaking challenge in there as well, which can be accessed by scrolling down a bit and clicking “crack the code” after the screen-blanking cookie warning. ®
* Hutchins faces multiple charges related to the 2014 development of the Kronos banking trojan. He has always maintained his innocence.