How GCHQ plans to protect the UK from all-out cyberwar

As evidence of the increasingly central role cybersecurity plays in the UK, the National Cyber Security Centre (NCSC) is tightening its ties with law enforcement – announcing a new joint approach to how the country handles digital attacks.

The GCHQ-based NCSC has unveiled an extensive cyber incident framework, broadening existing guidelines around identified threats. The aim, according to the centre, is to create the most comprehensive picture of the cyber threats facing the nation.

Paul Chichester, the NCSC’s Director of Operations, said the new framework of six categories will “strengthen the UK’s ability to respond to the significant, growing and diverse cyber threats we face”.

Some 800 “significant incidents” have been responded to by the NCSC since October 2016, which were dealt with under a classifying system of three categories. The new guidelines, developed in coordination with the National Police Chiefs’ Council and the National Crime Agency (NCA), expands that system to a total of six categories – ranging from attacks on individuals to full-scale national cyber emergencies. The table at the bottom of this article highlights the differences between categories.

“This is a hugely important step forward in joint working between law enforcement and the intelligence agencies,” said the National Police Chiefs’ Council lead for cybercrime, chief constable Peter Goodman.

“Sharing a common lexicon enables a collaborative understanding of risk and severity that will ensure that we provide an effective, joined-up response.”

Indeed, the framework is designed to make it clear which particular body is responsible for taking action for different levels of attacks, as well as what those bodies are supposed to be doing.

On the lowest end of the spectrum, for example, a Category 6 attack is defined as a localised incident on an individual, or “preliminary indications of cyber activity against a small or medium-sized organisation”. According to the guidelines, automated advice will be able to offer remote support with local police called on for an on-site response, as an exception.

As the categories get more serious, the NCA will become involved, then the NCSC. At the highest level, Category 1, ministers will give strategic leadership, along with cross-government coordination by the NCSC. This level is defined as an attack that “causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life”.

Speaking at a panel last year, the technical director for the NCSC, Ian Levy, said he was “reasonably confident” that a major attack will happen, and that organisations should be prepared.

“Sometime in the next few years we’re going to have our first – what we would call – Category 1 cyber-incident; one that will need a national response.”

The announcement about the extended framework comes at the close of the CYBERUK18 conference in Manchester, against a backdrop of increasing threats to UK business and infrastructure from cyberattacks. Yesterday, the NCSC’s annual report warned that UK firms are facing an acceleration of online threats, with particular attention to the vulnerabilities of the interconnected household devices.

Last year, parts of the NHS infrastructure were knocked out of action after its computers were infected with WannaCry ransomware. Security experts now believe the attack originated from North Korea.

Below is the full table of NCSC’s new framework.

 

Category definition

Who responds?

What do they do?

Category 1

 

National cyber emergency

A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.

Immediate, rapid and coordinated cross-government response. Strategic leadership from Ministers / Cabinet Office (COBR), tactical cross-government coordination by NCSC, working closely with Law Enforcement.

Coordinated on-site presence for evidence gathering, forensic acquisition and support. Collocation of NCSC, Law Enforcement, Lead Government Departments and others where possible for enhanced response.

Category 2

 

Highly significant incident

A cyber attack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.

Response typically led by NCSC (escalated to COBR if necessary), working closely with Law Enforcement (typically NCA) as required. Cross-government response coordinated by NCSC.

NCSC will often provide on-site response, investigation and analysis, aligned with Law Enforcement criminal investigation activities.

Category 3

 

Significant incident

A cyber attack which has a serious impact on a large organisation or on wider / local government, or which poses a considerable risk to central government or UK essential services.

Response typically led by NCSC, working with Law Enforcement (typically NCA) as required.

NCSC will provide remote support and analysis, standard guidance; on-site NCSC or NCA support may be provided.

Category 4

 

Substantial incident

A cyber attack which has a serious impact on a medium-sized organisation, or which poses a considerable risk to a large organisation or wider / local government.

Response led either by NCSC or by Law Enforcement (NCA or ROCU), dependent on the incident.

NCSC or Law Enforcement will provide remote support and standard guidance, or on-site support by exception.

Category 5

 

Moderate incident

A cyber attack on a small organisation, or which poses a considerable risk to a medium-sized organisation, or preliminary indications of cyber activity against a large organisation or the government.

Response led by Law Enforcement (likely ROCU or local Police Force), with NCA input as required.

Law Enforcement will provide remote support and standard guidance, with on-site response by exception.

Category 6

 

Localised incident

A cyber attack on an individual, or preliminary indications of cyber activity against a small or medium-sized organisation.

Automated Protect advice or local response led by Law Enforcement (likely local Police Force).

Remote support and provision of standard advice. On-site response by exception.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.