The United Kingdom's new chief of cybersecurity on Tuesday explained his new cyber center's approach to its mission of protecting government and critical infrastructure, with a focus on active cyber defense.
Ciaran Martin, the newly named Chief Executive of the new National Cyber Security Centre (NCSC), spoke at the 2016 Billington Cybersecurity Summit in his first comments since being named head of the center. He sought to explain how his center sees cybersecurity problems, why it was established within the Government Communications Headquarters (GCHQ, the U.K.’s signals intelligence and cybersecurity agency that is partnered with the NSA), and especially actions it is looking to take to increase cybersecurity.
“It’s not just a building. It’s not just there to coordinate, it’s there to deliver an ambitious strategy that our government is preparing. And that strategy is about tackling the most capable threats and protecting our most important national systems,” Martin said in his remarks.
The NCSC is set to take legal form in October and shortly thereafter move into its London headquarters, he said. Although organizationally a part of GCHQ, it will include protective security experts from MI5 (the U.K.'s domestic security service), the U.K. CERT (Computer Emergency Readiness Team), and GCHQ's information security experts. The new agency will also have formalized and integrated operational partnerships with law enforcement, defense, and private industry.
The NCSC has three core functions: incident management; improvement of cybersecurity in critical sectors of the economy; and providing general advice, guidance, and active interventions to improve national cybersecurity.
He highlighted that the U.K. is moving heavily into digital governance and services, which brings an increased risk of cyber attacks, even though the “great majority are not terribly sophisticated. They can be defended against. And even if they get through, their impact can be contained.”
However, “far too many of these basic attacks are getting through. And they are doing far too much damage,” with 65 percent of all large U.K. companies reporting a breach in the last year, Martin said.
He also said that the cyber defense operations center expects and prepares for a large cyber attack, having detected 200 national security-level cyber incidents per month in 2015, which is twice as many as in 2014.
Given the issues the U.K. is tackling, “There’s a legitimate role for the government in taking a lead, at least temporarily, and that is the thinking behind our strategy,” Martin said.
A core new part of the strategy is called active cyber defense. In the U.K. context, this involves specific government action with industry to address large-scale non-sophisticated attacks doing large amounts of damage.
“Having accepted there is a role, at least in the short term, for government, we were asked to think radically about what has and hasn’t worked in the past and what could work in the future,” Martin said.
He said that the government recognizes that all defenses are vulnerable to human error, and that information-sharing initiatives, while potentially transformative, cannot by themselves be a comprehensive solution to cybersecurity. Therefore, it is looking into activist and automated approaches in two particular areas.
First, the government is looking at automated measures to keep U.K. government networks secure. Martin noted one example where the government is trying to stop people from “spoofing” the .gov.uk domain by publishing a DMARC policy, so that emails purporting to come from .gov.uk but sent from the wrong IP ranges or signed with the wrong key are not delivered. Instead, the emails are rerouted to the security services.
“And when we first trialed it, whoever was sending 58,000 malicious emails per day from the delightfully named [email protected] isn’t doing it anymore.”
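The mechanism Martin describes is the receiver's side of DMARC: a published policy tells receiving mail servers what to do with a message whose visible From: domain is not backed by an aligned SPF or DKIM result, and where to send reports about it. The following evaluator is an added example, not NCSC or GCHQ code; the record, domain names and authentication results are constructed sample data, and the tiny PUBLIC_SUFFIXES table is a stand-in for the real Public Suffix List that a production implementation would use to find the organizational domain.

```python
"""DMARC policy evaluation sketch (added illustration; not NCSC or GCHQ code).

Assumptions (not from the article): the record, domains and authentication
results below are constructed sample data, and PUBLIC_SUFFIXES is a tiny
stand-in for the real Public Suffix List.
"""
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "uk", "com"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: mail.hmrc.gov.uk -> hmrc.gov.uk, a.b.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc(record: str) -> dict:
    """Split a _dmarc TXT record into tag=value pairs and fill in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    for key, default in (("p", "none"), ("adkim", "r"), ("aspf", "r")):
        tags.setdefault(key, default)
    return tags


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return organizational_domain(auth_domain) == organizational_domain(header_from)


@dataclass
class AuthResults:
    header_from: str   # domain in the visible From: header (what the recipient sees)
    spf_result: str    # "pass", "fail" or "none", as produced by the SPF check
    spf_domain: str    # envelope MAIL FROM domain the SPF check was run against
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature that was verified


def evaluate(policy: dict, msg: AuthResults) -> dict:
    """Return the DMARC verdict and the disposition the receiver should apply."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.header_from, policy["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.header_from, policy["adkim"])
    passed = spf_ok or dkim_ok
    # The record lives at the organizational domain; a subdomain in From:
    # falls under the "sp" policy when one is published.
    org = organizational_domain(msg.header_from)
    applicable = policy["p"] if msg.header_from.lower() == org else policy.get("sp", policy["p"])
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else applicable,
        "report_to": policy.get("rua"),  # aggregate reports on all evaluated mail go here
    }


# Constructed sample record for a hypothetical department domain.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=s; rua=mailto:dmarc-rua@example.gov.uk"


def demo() -> dict:
    """Evaluate a handful of constructed messages against SAMPLE_RECORD."""
    policy = parse_dmarc(SAMPLE_RECORD)
    cases = {
        # SPF passes from a relaxed-aligned subdomain and DKIM is signed by the exact domain.
        "legitimate": AuthResults("example.gov.uk", "pass", "mail.example.gov.uk", "pass", "example.gov.uk"),
        # Sent from an IP not in the SPF record and unsigned: the classic spoof.
        "spoof_wrong_ip": AuthResults("example.gov.uk", "fail", "example.gov.uk", "none", ""),
        # SPF passes, but only for the sender's own domain, so it does not align.
        "spoof_own_infra": AuthResults("example.gov.uk", "pass", "bulk.sender.example.com", "none", ""),
        # Forwarded mail breaks SPF but the DKIM signature survives.
        "forwarded": AuthResults("example.gov.uk", "fail", "example.gov.uk", "pass", "example.gov.uk"),
        # Unauthenticated mail from a subdomain picks up the sp= policy.
        "spoof_subdomain": AuthResults("alerts.example.gov.uk", "fail", "other.example.com", "none", ""),
    }
    return {name: evaluate(policy, m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} pass={verdict['pass']!s:5s} disposition={verdict['disposition']}")
```

The "spoof_own_infra" case is the one worth noticing: an SPF pass on its own proves nothing, because the sender controls the envelope domain; DMARC only counts a result whose domain aligns with the From: header the recipient actually sees.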
The U.K. is also piloting ways to confront commodity attacks by sending automated takedown requests to hosters, registrars and others. One result of these measures is that the median time a U.K. government-brand phishing website stays up dropped from 49 hours to five hours.
The U.K. has also begun working on a voluntary basis with the telecommunications industry to stop abuse of the BGP (Border Gateway Protocol) and SS7 (Signalling System No. 7) telecommunications protocols to reroute traffic. “If we’re right, this will mean it’s much much more difficult for UK machines to participate in a DDOS attack. And if we’re right then everyone else can do it,” he said.
The final active defense measure explores a flagship project to scale up DNS filtering. “What better way of providing automated defenses at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?” Martin said.
Martin emphasized that the larger economy-wide initiatives are private sector led and consumers must have a choice, with DNS filtering being opt-out based. These new active cyber defense initiatives are generally intended to complement the government’s current cybersecurity actions like the Secure by Default initiative and should be judged on results, the cyber chief said.
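What a provider-side filter of this kind has to get right is small but easy to get wrong: a blocklist entry should cover its subdomains, a more specific allow entry should override it, a subscriber who opted out must receive unfiltered answers, and every block should be counted so the outcome can be reported rather than asserted. The sketch below is an added example, not any provider's or the NCSC's code; the blocklist entries, subscriber identifiers and query log lines are constructed sample data, and the sinkhole address is a placeholder from the RFC 5737 documentation range.

```python
"""Resolver-side DNS filtering sketch (added illustration; not any provider's code).

Assumptions (not from the article): the blocklist, allowlist, opt-out list
and query log below are constructed sample data; SINKHOLE_ADDRESS is a placeholder.
"""
from dataclasses import dataclass
from typing import Optional

SINKHOLE_ADDRESS = "192.0.2.1"  # placeholder: RFC 5737 documentation range

# Constructed sample blocklist: domain -> category.
BLOCKLIST = {
    "malware-c2.example": "malware",
    "phish-login.example": "phishing",
}
# Constructed sample allowlist: a more specific name that overrides a block entry.
ALLOWLIST = {"safe.malware-c2.example"}
# Constructed sample of subscribers who chose unfiltered DNS (opt-out).
OPTED_OUT = {"sub-0042"}


@dataclass(frozen=True)
class Decision:
    qname: str
    action: str              # "resolve" (answer normally) or "sinkhole"
    reason: str
    answer: Optional[str]    # sinkhole address when blocked, else None


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def matching_block_entry(qname: str) -> Optional[str]:
    """Return the blocklist entry covering qname (the name itself or a parent).

    The walk goes from the full name to shorter suffixes, so the most specific
    entry wins: an allowlist hit at a longer name beats a block at a shorter one.
    """
    labels = _normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ALLOWLIST:
            return None
        if candidate in BLOCKLIST:
            return candidate
    return None


def filter_query(subscriber: str, qname: str) -> Decision:
    """Decide how the resolver answers one query for one subscriber."""
    if subscriber in OPTED_OUT:
        return Decision(qname, "resolve", "subscriber opted out", None)
    entry = matching_block_entry(qname)
    if entry is None:
        return Decision(qname, "resolve", "not on blocklist", None)
    return Decision(qname, "sinkhole", f"{BLOCKLIST[entry]} ({entry})", SINKHOLE_ADDRESS)


# Constructed query log: "<subscriber> <qname>" per line.
SAMPLE_LOG = """\
sub-0001 www.example.org
sub-0001 cdn.malware-c2.example
sub-0042 cdn.malware-c2.example
sub-0007 safe.malware-c2.example
sub-0007 PHISH-LOGIN.example.
"""


def process_log(log: str) -> dict:
    """Apply the filter to every logged query and tally blocks per category.

    The tally is the kind of outcome metric a provider would publish.
    """
    decisions = []
    blocked_by_category: dict = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        subscriber, qname = line.split()
        decision = filter_query(subscriber, qname)
        decisions.append(decision)
        if decision.action == "sinkhole":
            category = decision.reason.split(" ")[0]
            blocked_by_category[category] = blocked_by_category.get(category, 0) + 1
    return {"decisions": decisions, "blocked_by_category": blocked_by_category}


if __name__ == "__main__":
    result = process_log(SAMPLE_LOG)
    for d in result["decisions"]:
        print(f"{d.qname:28s} {d.action:9s} {d.reason}")
    print("blocked by category:", result["blocked_by_category"])
```

Note that the same query from sub-0001 and sub-0042 gets different answers: the opt-out is applied per subscriber before the blocklist is consulted, which is what "consumers must have a choice" means at the resolver.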
“Part of the agenda will be the publication of data and evidence about what is and isn’t working, and metrics about the outcomes achieved. If we succeed, we want to be able to prove it, not just assert it. If we fail, we don’t expect to be able to hide.”
Given the range of cybersecurity problems, Martin said the government believes that trying these measures could achieve a breakthrough in cyber defense.
“So faced with a problem of this importance and this scale, we believe it’s worth trying something new, unleashing innovation in the hope and expectation we can achieve a very significant breakthrough in the coming years.”
Martin separately underlined that a core part of the U.K. cybersecurity strategy when dealing with the more dangerous and usually state-based advanced persistent threats (APTs) is developing “lawful and carefully governed offensive cyber capabilities to combat and deter the most aggressive threats.”
Although he would not go into detail on offensive capabilities, Martin highlighted the importance of a new Memorandum of Understanding between the U.S. and U.K., signed last week during Defense Secretary Ashton Carter’s visit to the U.K. (Defense Daily, Sept. 9).
The MoU allows the countries to jointly investigate the advancement of offensive and defensive cyber capabilities. “And I’m pleased to say GCHQ will be at the heart of this work,” Martin said.