UK's cyber-security watchdog flexes muscle; not enough, says auditor

The biggest threat to cyber-security is weak cyber-security, National Cyber Security Centre UK chief Ciaran Martin told delegates at today's InfoSecurity Europe 2019.

"The biggest threat to our cyber-security is weak cyber-security," said Ciaran Martin, CEO of the National Cyber Security Centre, UK, speaking at Infosecurity Europe in London today (6 June).

His observation, based on 1,600 cyber-security breaches from across the past four years, came a day after the Commons Public Accounts Committee’s warning that the UK is more vulnerable to cyber-attacks than ever before.

The UK, one of the most sophisticated digital economies in the world with "a brilliant cyber-security industry" is susceptible to cyber-security threats because of two major factors, said Martin. "There are structural flaws in the way the internet works, that market forces won’t fix and therefore some sort of public intervention is necessary."

The ubiquitous smartphone has connected us to a network of insecurity and, he said. The NCSC came up with the Automated Cyber Defence programme to check the ability of a "low-sophistication, high-volume actor" to inflict "sustained low-level harm" on the British people, he said.

He said the NCSC was successful in getting malicious code taken down from more than 200,000 websites in 2017. The average time for a phishing site in the UK to wind up has fallen from over a day to around an hour. The UK’s share of phishing incidents has gone down from 5.5 percent in June 2016 to just over two percent in June 2018, he said.

On the recent uproar over Chinese telecom vendor Huawei’s role in setting up the 5G network in the UK, Martin recalled facing similar concerns when the government introduced internet-connected smart meters in 2013. The NCSC worked "extremely closely" with the companies developing to design some cyber-security safeguards "not to immunise the smart meters - that’s impossible - but to provide resilience into the system".

The shut-off points installed to counter a national damage in the network of smart meters are so widespread that it will take "three independent, simultaneous, nation-state level cyber-attacks" to counter it, he claimed.

His claims have not impressed the public auditors. "The government has not made sufficient progress on developing long-term objectives for the National Security Strategy, which has been hampered by a weak evidence base and lack of business case," said the latest report from the Public Accounts Committee.

However, the MPs have acknowledged that the department, "is beginning to make progress in meeting the strategic outcomes of strategy after a poor start".

"A large proportion of these breaches can be attributed to organisations who haven’t shored up their defences across all parts of their ecosystems," said Chris Hodson, EMEA CISO at Tanium.

"Visibility is a key concern here. At bigger organisations containing legacy systems, security and IT operations often find themselves working from different data sets, and across many different solutions which means they often arrive at different conclusions about the scope of a threat and how to control it. With infected endpoints escalating to security-wide incidents in merely a matter of minutes, any delays in arriving at a way to mitigate that threat can prove to be critical," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews