National Security in the Fifth Domain
It’s an unfortunate fact of life today, but the cyber threat is now ever-present and evolving at breakneck pace. This is the age of the Internet of Things after all, with more devices online than there are people in the world. And while the digital trend looks set to continue, our reliance on connectivity brings with it greater risk. The cyber attack is now a certainty, which makes the efforts of the National Cyber Security Centre, established in October 2016, all the more important.
For the uninitiated, the National Cyber Security Centre (NCSC) was set up in support of a single national ambition – to make Great Britain the “safest place to live and do business online”. Today, the organisation is very much part of GCHQ – the Government Communications Headquarters – and it remains the cornerstone of the Government’s own National Cyber Security Strategy. That strategy has pooled the expertise of central government, MI5 and GCHQ to create a single lead authority on UK cyber security.
According to Ciaran Martin, Chief Executive Officer of the National Cyber Security Centre: “Turning off the lights and the power supply by cyber attack is harder than Hollywood films sometimes make out. But we’ve seen enough malicious cyber attacks across the world, including against UK health services by a North Korean group last year, to know how services can be disrupted.
“Absolute protection is neither possible nor desirable; it’s about having more resilience in the systems we care about the most, those where loss of service would have the most impact on our way of life.”
It was NCSC who publicly exposed an “extensive and sustained” campaign of Russian intrusion earlier in the year, and they who masterminded the UK’s measured response in the weeks and months following. This was a campaign of push-back – one in which the UK united with its allies to apply pressure to the Russian government. But for NCSC and its US counterparts the priority was outfitting businesses and public bodies with the information necessary to push back themselves.
“This is more about future risk than harm already done,” said Martin. “An extensive Russian presence in our internet infrastructure is not an acceptable national security risk for us as a nation to allow.”
Understandably, future-proofing the UK’s digital infrastructure has proven to be an area of significant concern for NCSC. Cyberspace is widely regarded as the fifth domain of warfare, and it is just as much an arms race as any other aspect of defence. The difficulty now is in predicting how cyber threats might evolve and change over time with the emergence of new technology. Above all, the UK must keep pace.
“None of us knows what the international security picture will look like in ten or twenty years’ time,” continued Martin. “But we can assume there will be threats, and that those seeking to do us harm will try to use the cyber domain to do so. That’s why it is an urgent national priority to address two issues – protecting critical infrastructure, services and ourselves at all levels from cyber attacks; and the growing problem of rampant global cyber crime.”
Consequently, steps are being taken to shore up the resilience of our most important systems. During April’s Commonwealth Summit in London a £15 million funding package was announced to strengthen cyber defence across the alliance, and NCSC is now working with government departments, UK industry and law enforcement to ready the country’s critical national infrastructure for possible intrusion. While methods of prevention are still important, there are no guarantees. After all, in Martin’s own words “absolute protection” is simply not possible. Instead, the thinking is that by bolstering the security of our systems the impacts of cyber attacks can be diminished with little compromise or downtime.
“Just as importantly, we must recognise that attackers, whether criminals or working for a hostile foreign government, exploit basic weaknesses,” added Martin. “So we are strengthening the UK’s cyber defences in other ways, at all levels. One is by automation: 165 public sector organisations form part of a scheme that blocks access to sites we know to be related to cyber attack.”
In recent months these organisations have conducted 1.6 billion ‘lookups’ for websites, with a quarter of a million blocked due to malicious code. But the UK is not alone in the fight. In fact, a joined-up approach – one in which knowledge, innovation and best practice are shared between allied nations – is widely seen as our best bet in the fight against cyber terrorism.
“We should avoid the temptation to succumb to despair when we think about cyber attacks,” concluded Martin. “There is cause for realistic optimism: the threats are there but whether they’re from Russia, criminals or anyone else, we are putting in place national-level defences as good as anywhere in the world. But we cannot do it alone.”
For more information, visit: www.ncsc.gov.uk