In 2015, the National Security Strategy in the UK reiterated that cybercrime remained a top threat to the UK’s economic and national security. As a response to this, the UK government launched the new National Cyber Security Centre strategy in November, 2016.
The intention of the NCSC is to have cyber security become a true, even standardized, science, with public policy, enterprise and personal security decisions be based on high quality data and analysis, rather than hyperbole, social hype and fear. One of their solutions is the Active Cyber Defence (ACD) program, which preaches the mantra to “protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time.” A lofty goal indeed, intended to tackle the high-volume commodity attacks that affect people’s everyday lives, rather than the highly sophisticated and targeted attacks.
NCSC’s current stance is that their ACD program should be considered a ‘public good’ that delivers cyber security benefits to the population as a whole without members of the public needing to ‘opt in’ for protection online. In other words, they don’t intend to make it mandatory to onboard into their program. They would also like to see this program implemented abroad, providing a model of best practice to help shape cyber security norms - a global standardization for universal benefit. Again, a lofty goal.
At least one research team, in this case the Cyber Security Research Group, feels strongly that private companies should be incentivized to improve their defences and help combat cyber crime by enforcing subscription to a program like the NCSC’s ACD.
They go on to suggest the leaking of details to the press for companies that are not taking steps to keep users safe online. That way, those that knowingly harbor cyber-criminality or fail to promote safe cyber security practices will be forced to “up their cyber game” in order to avoid this public exposure, which can obviously affect customer confidence and, perhaps more bottom-line relevant, profit and reputation loss.
NCSC seems to agree to some extent, suggesting there may be a future need to name-and-shame persistent offenders, but they admit that how it would work has not been articulated. In reality, no one really wants to have to do this; the hope is that organizations will want to pursue better cyber security, anyway.
“Compliance is conformity, not change. The whole approach to cyber security needs to change its way of thinking. Change is the real key.”
There are merits to both the NCSC’s intentions and the use of ‘public shaming’ - to an extent. Standardization has obvious benefits and makes it easier to mitigate cyber risk, especially when everyone is on the same page. But the reporting of every incident through social and journal avenues may simply be too much. Benefit of the doubt must be considered, particularly to first time offenders, and more particularly to cyber events where no serious harm has occurred. However, cyber issues that cause major harm should absolutely be revealed to the public. In fact, it should be mandatory.
While cyber issues continue to be a growing problem, we must be careful not to further desensitize cyber issues through over-exposure in the social and media circles. Additionally, history tells us forced compliance usually garners resentment and a mindset that is counter to the kumbayatic relationship needed to really make this work. Compliance is conformity, not change. The whole approach to cyber security needs to change its way of thinking. Change is the real key.
Most companies will strengthen their cyber security to the level needed to protect their own and their stakeholders, simply to survive and thrive in today’s business environment. We are globally capable of reducing non-compliance to under 1%, but enterprises need further support to make this happen.
Note too that enterprises are not solely to blame for the lack of compliance. The tools and capabilities required to combat even the most primitive of cyber attacks are different for every scenario, forcing many enterprises to outsource their security to third parties. Many third-party cyber security companies hired for this purpose take a reactive approach, responding to the incidents after they occur. More cyber security companies need to take a proactive approach, prevention over detection, something that River Oakfield takes pride in accomplishing.
Also bear in mind that the ACD program performs actions which simply aren’t compatible with some companies. For example, they coordinate with hosting providers to take down malicious content, a time consuming task. This might be suitable for say, a communications provider or data centre provider, but wouldn’t be feasible to expect from a smaller shop.
So what are the NCSC’s security practices? Here is a quick layman’s overview that might allow one to decide for themselves if this should be a mandatory compliance.
Some NCSC practices include;
Takedown Service - which works by requesting that hosting providers remove malicious content that is pretending to be related to UK government and also certain types of malicious content hosted in the UK.
DMARC (Domain-Based Message Authentication, Reporting and Conformance) helps email domain owners to control how their email is processed, making it harder for criminals to spoof messages to appear as though they come from a trusted address. Organizations that deploy DMARC properly can ensure that their addresses are not successfully used by criminals as part of their campaigns.
Web Check performs some simple tests on public sector websites to find security issues. It provides clear and friendly reporting to the service owners, along with advice on how to fix the problems.
The Public Sector DNS (Domain Name System) - From a cyber security point of view, almost all cyber attacks use DNS at some point in their lifecycle. This service blocks access to known bad domains and also performs analytics on the resolution data to find other security issues. The intent of the service is not just to block bad things, but to notify system owners so they can perform remediation.
Finally, the NCSC has come up with a name for a program that links the Active Cyber Defence (ACD) program together, the absolutely cartoonish “Threat-o-matic”. According to the NCSC, the goofy name is a deliberate attempt to demystify the inner working of cyber security and to convey honesty and transparency. That’s all fine and dandy, but It’s hard not to picture Wile E. Coyote ordering this from Acme.