
Annual Review 2018 PDF

27 Pages·2018·4.055 MB·English


Annual Review 2018
Making the UK the safest place to live and work online

Welcome

The National Cyber Security Centre (NCSC) was created in 2016 as part of the Government’s five-year National Cyber Security Strategy. Since then, our goal has been to make the UK the safest place to live and work online.

This review tells the story of our second year, with interviews, testimonials, images and data that take you behind the scenes at the NCSC. It provides a snapshot of our work over the period 1 September 2017 to 31 August 2018. We hope it helps you understand what we do, and along the way see some of the milestones we have reached in our second year.

We have also produced a digital report where you can see this year’s events come to life at: ncsc.gov.uk/annual-review-2018

Contents

Ministerial Foreword
Timeline
CEO Overview
Countering the Threat
Behind the Scenes of an Incident
Building the UK’s Defences
Cyber Capability for the Future
100 Years of the Cyber Mission

Ministerial Foreword

We have every reason to be proud of the UK’s position at the forefront of the global digital revolution. Our collective ability to embrace cyberspace is already driving our country’s prosperity and enhancing our national security. We have one of the highest levels of internet access and usage in the developed world, and our digital industries are growing faster than any other part of the economy. At the same time, the threat from criminals, hacktivists and nation states continues to increase and evolve. It is easier and cheaper than ever before for those who want to do us harm to access the tools, exploits and services they need to launch attacks. That is why cyber security remains a top priority for this government and for me personally, as the Minister responsible for improving the security and resilience of the UK, including protecting our critical national infrastructure.

We launched our National Cyber Security Strategy in 2016 to set the direction and ambition for our investment and efforts. Because as the digital revolution touches every part of our society, we wanted to ensure that our response was comprehensive. To defend our people, to deter our adversaries and to develop the capabilities we need to ensure the UK remains the safest place to live and work online. Our strategy is supported by significant investment – £1.9bn – to drive the transformation we need to respond at the scale and pace required.

We have made good progress since we launched the strategy. At the heart of our response was the formation of the National Cyber Security Centre, which brings together our best intelligence and expertise to be our single centre of excellence. This Annual Review recognises the transformational impact of the National Cyber Security Centre over the last year. As well as providing greater insight into the nature of the threats we face, the National Cyber Security Centre’s successes include a pioneering Active Cyber Defence programme, delivered with industry to block attacks on a scale of millions per month, and the development of a world-leading incident management response capability, made possible through key partnerships with law enforcement and the wider cyber security community. It has also reached out internationally to strengthen global cyber defences and our collective ability to deter and disrupt malicious actors, and continues to inspire the next generation of cyber security experts and entrepreneurs.

There are many more achievements to celebrate in this Annual Review. Everyone at the National Cyber Security Centre, and its numerous partners in the public, private and voluntary sectors, should take great pride in this work. How we set up the National Cyber Security Centre reflects the single, clear message that underpins our strategy, that while we can lead the way, we cannot solve these problems alone. We need not just a whole of government but a whole of society approach to tackle cyber security.

The future remains stubbornly difficult to predict. But we do know that the next 12 months will continue to challenge and surprise us. We have built solid foundations to ensure that we can remain resilient in an ever changing world. Key to our success will be how we take on longer-term, strategic challenges, whether that is affecting behaviour change, developing the right skills set among UK professionals, or deepening our collaborative partnerships in the UK and internationally. Because whatever the future holds, we will need to continue to work together to protect our economic and individual freedoms.

Rt Hon David Lidington CBE MP
Minister for the Cabinet Office and the Chancellor of the Duchy of Lancaster

Timeline

This covers the period 1 September 2017 to 31 August 2018

2017
3 Oct: 1st anniversary of the NCSC celebrated
11 Oct: Small Business Guide published
23 Oct: Securing Elections for EU Member States summit held at NCSC headquarters

2018
5 Feb: Active Cyber Defence: One Year On report published
1 Mar: Charity sector threat assessment and Small Charity Guide published
19 Mar: CyberFirst Girls Competition final took place in Manchester
10-12 Apr: CYBERUK 2018 hosted in Manchester
10 Apr: Cyber Threat to UK Business joint report with National Crime Agency published
16 Apr: U.S.-UK Technical Alert issued on Russian malicious activity
18 Apr: Prime Ministers of the UK, Canada, New Zealand and Australia met at the NCSC as part of the Commonwealth summit
3 May: Guidance for local authorities ahead of local elections published
9 May: Networks and Information Systems Directive came into effect
25 May: General Data Protection Regulation came into force
25 June: The NCSC’s CEO and the Minister for the Cabinet Office gave evidence on the cyber security of the UK’s critical national infrastructure to the Joint Committee on the National Security Strategy
27 June: Nine start-ups graduated from the NCSC Cyber Accelerator
Jul-Aug: Held CyberFirst summer courses for young people across the UK
19 Jul: Cyber Threat to Legal Sector report published
22 Aug: Three new Academic Centres of Excellence in Cyber Security Research announced

• Handled 557 incidents
• Added 2,361 new members onto our Cyber Security Information Sharing Partnership
• Removed 138,398 unique phishing sites
• Engaged with 1,968 students on our CyberFirst courses
• Produced 214 threat assessments
• Challenged 4,500 girls in the 2018 CyberFirst Girls Competition
• Produced 145,000 physical items for 170 customer departments through the UK Key Production Authority
• Delivered cyber security awareness sessions to more than 1,000 charities
• Produced 134 pieces of guidance and 95 blogs
• Had 1.9 million visitors to our website
• Welcomed visiting delegations from 54 countries
• Awarded more than 8,900 Cyber Essentials certificates
• Hosted more than 80 stakeholder events

CEO Overview

Cyber security is a tough, complex challenge. But the UK is making significant progress in strengthening our defences against those who seek to harm us online. This matters as we look to an ever more digital future for our prosperity.

In this report – GCHQ’s National Cyber Security Centre’s second Annual Review – we set out:

• the latest overview of the threats we face;
• the progress we’ve made in meeting them, including some world-leading initiatives to rectify some of the systemic security weaknesses of the modern Internet;
• the cyber security challenges facing families, businesses, critical network owners and government, and what they can do to meet them; and
• our plans for the future.

Although the UK is making significant progress in improving our cyber security, that does not mean that we are getting everything right, or that the threat is abating. Proof of that – if it were needed – is that in the two years of our existence the NCSC has dealt with well over 1,000 cyber security incidents.

The majority of these incidents were, we believe, perpetrated from within nation states in some way hostile to the UK. They were undertaken by groups of computer hackers directed, sponsored or tolerated by the governments of those countries. These groups constitute the most acute and direct cyber threat to our national security. I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead, what we would call a Category 1 attack.

Although there have been several very significant incidents, thus far, the UK has avoided a Category 1 – most of our foremost international partners have not. But even if this continues, we must be alert to the constant threat from countries who will attack critically important national networks to steal information for strategic or commercial reasons, and give themselves a starting point – ‘prepositioning’ – for a significant attack in the future.

That’s why earlier this year, along with the Government of the United States, the NCSC published evidence of Russian pre-positioning on some of our critical sectors, along with detailed technical guidance to business on how to get rid of it from our networks.

That landmark publication – not just calling out unacceptable behaviour but providing the tools to clean it up – was one example of how we’ve been moving in the right direction over the past year. It built on other, similar publications where we have drawn on an array of technical data – some classified, some not – and published transparent, technically authoritative guidance on it. These attacks have come from a range of states, as well as many non-state sources. There is much, much more to the cyber security threat to the UK than just Russia.

This practical guidance really matters, because victims of cyber crime tend to be less concerned with the identity of the attacker than the impact on their lives and wellbeing, and what they can do to contain the damage.

Indeed, whilst nation state activity is the most acute threat, low-sophistication but high-volume cyber crime is the most chronic one, dealt with at scale by our first-rate partners in law enforcement, led by the National Crime Agency (NCA).

Whilst these incidents individually are of less strategic significance, cumulatively they amount to a strategic threat to our prosperity by undermining our confidence in the digital economy.

That is why our world-leading active cyber defence (ACD) initiative – using automation to reduce some of the most common weaknesses in cyber security defences – is one of our most important pieces of work. The Internet was not designed with security in mind and, from a security perspective, there are significant flaws in the way it operates. In the 2016 National Cyber Security Strategy, the Government made a major strategic decision to try to redress some of those structural problems through the ACD programme. We were the first in the world to attempt this, reducing the damage done by large scale but basic cyber attacks, freeing up our world-class operatives to focus on the most potent threats. Our aim is to take away as much of the harm from as many people as we can, as often as we can.

In February this year, our Technical Director, Dr. Ian Levy, published a groundbreaking paper setting out the results of the first year of the programme. The latest results show that since the programme started, the proportion of phishing sites in the world that are hosted in the UK has fallen from 5.3 per cent to 2.4 per cent. This, and other impressive results, means we are going to roll out existing measures further, and expand the programme over the next few years.

The ACD programme shows what government can do directly to improve cyber security. But getting ahead of the problem involves equipping every organisation, however large or small, with the tools they need to protect themselves as best they can. Getting the right cyber security capabilities for an organisation starts with a better understanding of the risks. No one is asking British citizens and businesses to have cyber defence capabilities akin to those of a nation state. They just need to be good enough to fend off what an organisation can reasonably assess to be the risks it faces. Defences also need to be good enough to contain attacks that do get through, as some inevitably will.

Therefore, understanding how cyber attacks work is vital to get ahead of the problem. That’s why we’ve started publishing guidance to boards on the types of questions they can ask their cyber security teams about how they are managing risk. More will follow, with the aim of helping leaders understand enough technical detail to make the right decisions. These are the sorts of practical steps companies can take to make the marginal improvements that will deter some attacks, make some others less likely to succeed, and lessen the impact of attacks that get through. This was launched with support from the CBI – an example of government and industry partnership at its best.

Through our work on incidents over the past year in particular, we have become acutely conscious of the role the supply chain plays in leaving organisations vulnerable to compromise. As the next generation of technology evolves, supply chain risk becomes an ever more important challenge. Meeting it, particularly in the telecommunications sector as the age of 5G approaches, is a top priority for the NCSC, supporting the lead of the Secretary of State for Digital, Culture, Media and Sport, and his department. That’s a key challenge for our experts who lead on our programme to protect the nation’s most critically important networks, alongside their work on our social security payments systems, the new generation of civil nuclear reactors, our systems to protect our national defence secrets, and the payments and clearing networks that underpin the UK’s world-leading financial system.

Finally – for us, heading in the right direction means becoming a truly national centre, reflecting, and being present in, the communities we serve. We remain very proud of our work on skills in schools, particularly our CyberFirst Girls Competition which this year attracted more than 4,500 highly talented 12 and 13-year-old female students with an interest in cyber security. Although just over half of the NCSC’s senior leadership are female, there remains a mountain to climb within government service and nationally to harness the power of all sections of the population and end the serious underrepresentation of all minority groups within the profession.

We will also continue to expand our footprint geographically. We held our first ever CyberFirst event in Northern Ireland this summer; we have a permanent member of staff based in Scotland, and Glasgow will host our flagship CYBERUK event in 2019; Cardiff University’s success in becoming one of our most recent Academic Centres of Excellence means all four parts of the UK now host one of these centres. And like the rest of GCHQ, we maintain presence in London, Cheltenham, Bude and Scarborough, and we will look to expand our presence in Manchester in the coming years.

This expansion of our national footprint will help us further make a mark on UK cyber security at every level. There is a real opportunity here – there are already signs that other countries’ admiration for what the UK is doing in cyber security could secure a competitive advantage for the country in our digital future. As GCHQ begins its second century of service to the UK, it is an exciting time for its newest part, the NCSC.

So let me conclude by paying tribute to our exceptional teams, as well as to our partners in the security and law enforcement communities, within wider government, in industry and other organisations nationally and abroad. Moving forward on all fronts – using world-class data and skills from GCHQ and our partners at home and abroad; publishing clear, technically authoritative guidance to individuals and businesses; fixing some of the underlying security problems inherent in modern technology; and enhancing and diversifying our skills base – are vital for our third year and for our mission to help make the UK the safest place to live and work online.

Ciaran Martin,
CEO of the National Cyber Security Centre

1 Countering the Threat

At the NCSC, we take a proactive approach to securing the UK’s online defences at home and collaborating with our allies overseas. Instead of waiting for an attack, we anticipate problems and find solutions to prevent them doing harm.

Active Cyber Defence

Active Cyber Defence (ACD) is a collection of services that aim to protect the UK from the high-volume commodity attacks that affect people’s everyday lives. These attacks involve using tools and techniques openly available on the internet that are relatively simple to use.

We have developed and tested our ACD services on government with great success. Our longer-term goal is to encourage solutions like these to be adopted across other sectors in the UK.

• UK share of visible global phishing attacks dropped from 5.3% (June 2016) to 2.4% (July 2018)
• Availability time for sites spoofing government brands down from 42 hours (2016) to 10 hours median (2018)

Takedown Service: Taking down malicious content

We know that people are more likely to click on a link if it appears to come from the UK Government. The Takedown Service aims to prevent cyber criminals from impersonating the Government online.

In the past year, we have worked with Netcraft to remove phishing sites that were being used to impersonate the UK Government and notify internet mail providers that are sending malware to unsuspecting members of the public using the UK Government brand. Over the past year, the month-by-month volume of each of these threats has fallen, suggesting that criminals are using the UK Government brand less and hosting fewer of their malicious sites in the UK.

Over the last 12 months, the service removed 138,398 phishing sites hosted in the UK and a further 14,116 worldwide spoofing the UK Government.

Mail Check: Blocking fake emails

Cyber attackers spoof email addresses to trick victims into opening their phishing emails as this makes it easier for them to commit identity fraud and theft. Mail Check enables an organisation to authenticate the email they send so that a receiver can determine if it is genuine or fake. As people don’t receive the fake emails, they don’t have to make judgments about which attachments to open and which links to click on.

Using the Domain-based Message Authentication Protocol (DMARC) as part of this solution, Mail Check has already prevented a huge number of fake emails getting through. And the number of messages spoofing protected UK Government domains has fallen, suggesting that our work is deterring criminals from spoofing the Government.

Web Check: Spotting website weaknesses

Web Check is a service that enables UK public sector bodies to scan their websites for common vulnerabilities. To help these bodies identify potential weak spots, Web Check generates an easy-to-understand report showing what needs fixing and how to fix it.

This year, every local authority in England, Scotland and Wales, and almost all in Northern Ireland have signed up to Web Check.

We have identified 2,372 urgent findings that have been fixed.

Protective DNS: Protecting the Government from malicious websites

The Protective Domain Name System (DNS) blocks malicious sites from being accessed by public bodies.

The aim of the service is not just to block harmful sites, but to notify the public bodies about any issues so they can fix them. It is currently being used by more than 200 public sector organisations across the UK. The DNS service has now detected and blocked attempts to access over 30 million malicious websites.

Average of 10,975 unique malicious domains blocked every month.

Protecting Government Domains

We started Mail Check in 2017. Soon after, cyber criminals responded by spoofing sites that look like UK Government domains but in fact do not exist. For example, instead of using tax.service.gov.uk, they attempted to use tax-service.gov.uk. As the address does not exist, this means there is no record and as a result it will not get blocked.

Working in partnership with government and technical experts, we developed a solution, Synthetic DMARC, and used Cyber Security Information Sharing Partnership (CiSP) to keep gov.uk domain administrators informed.

After a few months we saw a significant drop in the abuse of these fake domains. We are now blocking emails spoofing tax-service.gov.uk, and anything else that spoofers create which ends in gov.uk.

What Next for Active Cyber Defence?

The cyber threat is always evolving so we need to continue to build a pipeline of ACD services that can deal with them. These include a service that reports on the condition of an organisation’s infrastructure, a service that helps vulnerability researchers to report bugs in government websites, and an online package containing cyber exercises that help organisations prepare for an incident.

To improve information sharing with the cyber security industry, we are continuing to develop a suite of services which automate the processing and sharing of information and events. We have already launched a pilot that shares indicators of compromise with one of the UK’s leading internet service providers. This gives their customers better protection automatically at no extra cost.

As part of the ACD programme, the NCSC has started to deliver a pilot host-based capability to central government. This involves deploying software that analyses device data to understand and detect threats that target the Government’s IT systems. The service complements an organisation’s existing cyber security and has now been successfully deployed to 14,500 government devices. The number of devices enrolled will increase significantly in the coming months. By using the data this generates, we were able to issue our first Threat Surface reports, help early adopters understand the attacks they face, and detect targeted cyber attacks against government systems.

We pilot our ACD tools with the public sector first and, where relevant, demonstrate the benefits to other sectors. This year, we are working with a range of companies and departments to understand how we can help different sectors. We are also encouraging a range of technology providers to offer similar services to their customers so that together we can ensure that cyber crime doesn’t pay.

“You don’t need to beat cyber crime – and it would be unrealistic to think we could. But we do want to make it as hard as possible and that means making it as unprofitable and risky as we can for cyber criminals to act in the UK.”
Dr. Ian Levy, Technical Director, NCSC

International Partnerships

The NCSC’s international partnerships help us share information and combat common cyber threats. In our second year, we had the honour of hosting four Heads of Government during the Commonwealth Heads of Government Meeting in April. We have welcomed delegations from 54 countries across six continents, and we have visited 18 countries for bilateral meetings and public engagements.

In partnership with the rest of government, we have furthered our cooperation overseas, and we aim to expand our reach in 2019.

Five Eyes Partnerships

The Five Eyes intelligence alliance comprises Australia, Canada, New Zealand, the United Kingdom and the United States. The alliance – now nearly eight decades old – remains at the heart of our international partnerships.

With the United States, the cornerstone remains the relationship between GCHQ and the National Security Agency but we are working closely with other U.S. agencies. The U.S. Department of Homeland Security and the Federal Bureau of Investigation, with whom we released the joint Technical Alert in April 2018 about malicious cyber activity carried out by the Russian Government, are becoming more and more important to UK cyber security.

New Zealand has a thriving National Cyber Security Centre within their Government Communications Security Bureau. And over the past year, our colleagues in Canada and Australia have announced the creation of their equivalent cyber security organisations.

We are very proud of the work we all do together and as we expand our collaboration on threat sharing, joint operations and beyond, our organisations will become closer still, to the mutual benefit of all.

[Photo: Keynote speech by NCSC Director of Operations Paul Chichester at NATO’s annual cyber security summit]
[Photo: Visit to NCSC headquarters by four Heads of Government]

Cyber Defence Cooperation with NATO

Building on the Memorandum of Understanding signed in 2017, the NCSC worked with NATO to deepen our shared understanding of the cyber threat.

We have shared information and taken the steps we need to take to strengthen our cyber defences and to deter and respond to malicious cyber activity.

In a keynote speech at NATO’s annual cyber security summit in October 2017, the NCSC’s Director of Operations Paul Chichester emphasised the UK’s support to NATO operations and encouraged members of the Alliance to embrace their role as lead responders to global attacks from state and non-state actors, who could harm our democracies and critical infrastructure.

European Security Cooperation

As the next phase of the UK’s relationship with the rest of Europe takes shape, our ongoing collaboration to tackle common cyber threats will help protect our shared values of freedom, democracy and prosperity.

Protecting the Integrity of Elections

Electoral security is one of the areas in which we are working closely with our European counterparts. In October 2017, the NCSC hosted approximately 50 delegates from across the EU to discuss how to tackle interference in the electoral process and strengthen the collective response to the threat.

The summit helped initiate the creation of a new guide to securing elections across Europe and beyond. Co-led by Estonia and the Czech Republic, the NCSC made a significant contribution to the product which was published in July, six months before the next round of European Parliament elections.

European Conferences

In September 2017, NCSC CEO Ciaran Martin set out the importance of continued international cooperation in cyber security in his keynote address at a major conference held in Tallinn during the Estonian Presidency of the EU Council. A few weeks later he was part of the Prime Minister’s delegation to Estonia, where she attended the EU Digital Summit.

Ciaran Martin further reinforced the UK message of unconditional commitment to European security at the Munich Security Conference in 2018, a global forum for security policy, shortly before the Prime Minister set out her vision for post-Brexit European security cooperation.

The NCSC Hosts Four Prime Ministers During Commonwealth Summit

A commitment to improve international cyber security was made during a visit to the NCSC headquarters by four Heads of Government in April 2018.

GCHQ Director Jeremy Fleming hosted the UK Prime Minister alongside prime ministers from New Zealand, Canada, and Australia, where the leaders were also briefed by Ciaran Martin.

The visit was part of the biennial Commonwealth Heads of Government Meeting, in which Ciaran Martin addressed the Foreign Ministers of all 53 member countries and discussed common threats and what the Commonwealth could do together to combat those threats.

The summit culminated in the UK Prime Minister’s announcement of an investment of up to £15 million [1] over the next three years to help the Commonwealth strengthen its cyber security capabilities.

“Cyber security affects us all as online crime does not respect international borders. I have called on Commonwealth leaders to take action and to work collectively to tackle this threat. Our package of funding will enable members to review their cyber security capability and deliver the stability and resilience that we all need to stay safe online and grow our digital economies.”
Rt Hon. Theresa May, UK Prime Minister

[1] https://www.gov.uk/government/news/uk-commits-to-a-safer-commonwealth-in-cyber-space
