Since the National Cyber Security Centre (NCSC) was created in 2016 as part of the government’s five-year National Cyber Security Strategy, it has worked to make the UK the safest place to live and work online. This review of its third year provides a snapshot of the organisation’s work over the period 1 September 2018 to 31 August 2019.

• Crack the code

The United Kingdom has one of the most digitally-developed economies in the world, transforming the lives of citizens, driving innovation, and fuelling job opportunities and national growth. We can be proud that in the National Cyber Security Centre (NCSC) we have a world-leading body for digital protection which, since its launch in 2016, has made the UK safer and its defences stronger. Ensuring the UK remains the most secure place to live and do business online, and upholding public trust in our digital systems, are personal priorities for me and a key part of this government’s vision for the UK. As the Cabinet Office Minister responsible for resilience and the National Cyber Security Strategy, I very much welcome the achievements and progress laid out in this review.

The NCSC takes a holistic approach to deliver cyber security for individuals and families through the following interventions:

Reducing the burden: The general public is protected from the majority of online harm ever reaching them. The action they need to take to secure their devices and online services is minimal.

Making it easier: Citizens can act upon the cyber security advice they receive, whatever device or online service they use.

Equipping the nation: People are given the confidence and tools to protect themselves and those around them.

Raising awareness: Enabling the general public to better protect themselves and share knowledge with others.

The NCSC’s advice for individuals and families

Protect your accounts…

• Use a unique and separate password for your email.
• Use three random words to create a strong and memorable password.
• Store your passwords somewhere safe: save to your browser or use a password manager.
• Add extra security to important online accounts: turn on two-factor authentication.

Look after your devices…

• Set your phone and tablet to automatically update.
• Install the latest updates on your phone and tablet when prompted.
• Turn on back up for data stored on your phone and tablet.

Many consumer products that are connected to the internet are found to lack basic security features, putting consumers’ privacy and security at risk. The NCSC has been working closely with the Department for Digital, Culture, Media and Sport (DCMS) to support consumer ‘Internet of Things’ (IoT) manufacturers of all sizes to ensure their devices have good cyber security practices built in from the design stage.

The NCSC and DCMS do not think it is right to expect all consumers to be ‘cyber security experts’ and wish to remove the burden from them having to differentiate products that do or do not take their responsibility to security seriously. That’s why the NCSC has also worked closely with DCMS’ consultation on regulation, preparing to eradicate worst practice and embed transparency between the manufacturer and the consumer at the point of purchase.

A significant priority for the NCSC is keeping individuals and families safe from cyber threats. It does this by bringing its technical and operational expertise to bear, to identify and fix cyber security problems.

Haulster - Automated defence of credit cards

The NCSC’s pioneering Haulster operation has disrupted financial cyber crime by flagging fraudulent intention against more than one million stolen credit cards. It is in the process of scaling this operation, and hopes to reduce considerably more attacks in the near future.

Increasingly, criminal groups are using criminal marketplaces in cyberspace to buy and sell personal information and credit card details. Haulster takes stolen credit cards collected by the NCSC and partners, then, working with UK Finance, repatriates them to banks, often before they are ever used for crime. Card providers are then able to block cards to protect both financial institutions and the public.

In most cases, this has been done before a crime has taken place, meaning hundreds of thousands of victims of high-end cyber crime were protected before they lost a penny.

Ever wondered which passwords get hacked most frequently? Play our passwords game to find out!

The first UK Cyber Survey was conducted this year to better understand what the general public and organisations think, feel and do – and don’t do – about cyber security across the country.

The polling was independently carried out on behalf of the NCSC and DCMS.

The UK Cyber Survey found that people are concerned, confused and, to some extent, fatalistic that they will become victims of cyber crime.

The insights are informing the government’s approach, and the guidance offered by the NCSC, to help organisations and the public protect themselves against cyber threats.

Two in three say they know a great deal/fair amount about how to protect themselves online

70% believe they will likely be a victim of at least one specific type of cyber crime over the next two years, and most feel there would be a big personal impact.

37% agree that losing money or personal details over the internet is unavoidable these days

80% say cyber security is a high priority to them, half citing it a ‘very’ high priority

One in three rely to some extent on friends and family for help on cyber security

A cooperative approach: the UK’s Active Cyber Defence programme

The ultimate goal for Active Cyber Defence (ACD) is for there to be fewer cyber attacks in the world, causing less harm. It represents a significant step-change in the country’s approach to cyber security, because of its voluntary, non-regulatory, non-statutory approach delivered in partnership with central government, local government and business.

Active Cyber Defence includes some of the following pioneering programmes:

Web Check helps make websites a less attractive target, by finding obvious security issues and pointing them out to the website’s owner so that they can be fixed.

Protective DNS (PDNS) blocks public sector organisations from accessing known malicious domains or allowing malware on already compromised networks from calling home.

Takedown Service finds malicious sites and sends notifications to the host or owner to get them removed from the internet.

Mail Check helps public sector organisations take control of their emails, making phishing attacks which spoof those organisations more difficult.

UK share of visible global phishing attacks reduced to 2.1% (August 2019).

In 2016, HMRC was the 16th most phished brand globally. In Sept 2019, as a result of ACD services and HMRC countermeasures, their ranking had dropped to 126th in the world.

The NCSC works closely with public sector bodies to protect the networks, data and services which the UK depends upon.

Working with central government

The NCSC provides assurance on key systems across central government departments and agencies, assisting them to develop their security strategies and secure their networks.

Building on the success of the Transforming Government Security Programme, the NCSC is working with the Cabinet Office’s Government Security Group, providing advice and guidance to shape policy development on cyber security.

Working with local government

The NCSC assists local government both through direct engagement at a local level, supporting its networks of technical staff, and working with representatives from member organisations including the Local Government Association (LGA) and the Society of Local Authority Chief Executives (SOLACE).

Defending democracy

The foundations of liberal democracy are under increasing threat from cyber attacks and the NCSC plays a key role in defending the UK’s political process.

The NCSC meets with UK political parties (which take up at least two seats in the House of Commons) every three months and regularly gives cyber security advice to parliamentarians. During the local elections (March 2019) and European elections (May 2019), the NCSC provided guidance, informed by comprehensive cyber threat assessment, on risks and advice on protecting systems and people to political parties.

The NCSC monitors known adversaries who look to target parties or even politicians. If threats are detected, the NCSC shares the details of the threat and tailored advice, allowing the individual or organisation to put mitigations in place.

The NCSC continues to work across the whole of the UK. This includes support to devolved administrations in Wales, Scotland and Northern Ireland, raising cyber resilience across all sectors.

Everyone in the country relies on the UK’s Critical National Infrastructure (CNI) day in, day out. We all need the country’s communications networks to keep in touch with friends and family, transport networks to travel to work and school, and energy networks to power and heat our homes. Interruption to any of these critical services could cause serious disruption to our lives and potentially damage the economy.

Strengthening the cyber resilience of the UK’s most critical systems therefore remains a top priority. The NCSC’s work spans CNI in the public sector, as well as a focus on nine critical private sectors: communications, transport, energy, civil nuclear, finance, water, chemicals, space and food. It provides direct support to hundreds of public and private sector organisations that own, manage and maintain CNI assets in the UK. This includes one-to-one technical advice, sharing threat information, facilitating cyber exercises and running information on exchanges for organisations to share knowledge and expertise.

The NCSC collaborates closely with government and industry partners to develop secure systems for national security at home, and with the UK’s allies across the world. By doing this, the NCSC can help to ensure that critical operations continue globally.

The NCSC aims to develop, operate and maintain world class technical security capabilities to counter the threat from the country’s most capable adversaries, raising the cyber resilience across government and industry partners.

It’s through these partnerships, as well as its investment in developing the country’s cyber skills, that the NCSC can continue to help protect the UK from cyber threats.

Securing Britain’s secrets

Foxhound/ROSA

The NCSC has supported ROSA – a central government IT system – as it transitions to become a fully supported service across government. ROSA provides fixed and mobile SECRET collaborative tools and communications in 152 countries across the globe, allowing users to create and share data securely.

The NCSC itself uses ROSA to collaborate more effectively and securely with government customers and industry partners.

This year, NCSC experts designed new systems that enable easy mobile working at SECRET in a safe way. This ground-breaking work is protecting our national security whilst enabling users to work in far better ways than any previous solutions have allowed in this space.

ROSA is expanding across a number of government departments, delivering tangible benefits and ensuring government communications are appropriately protected.

The top five sectors supported by NCSC Incident Management

Calling out Hostile State Actors

The NCSC works collaboratively with a strong network of partners in the UK and internationally. Through this work with partners, the NCSC knows more about its main nation state threats, including Russia, China, Iran and North Korea, than it ever has before.

Working with the Foreign Commonwealth Office (FCO) on the public attributions of states, has been an overt action that shows other nation states that there will be consequences of their actions.

Underpinning a public attribution by government of this kind requires months of investigative work and sharing of information with partners, to build the investigative picture and a coalition of partners who will move in lockstep with UK government.

Launching the NCSC’s Cyber Defence Ecosystem

The NCSC’s ambition is to deliver an ecosystem that transforms cyber threat knowledge sharing, brings disparate initiatives together by giving them a clear purpose (to reduce harm), and enhances them in a coherent and coordinated way. Ultimately the Cyber Defence Ecosystem (CDE) ensures the right knowledge gets to the right people at the right time, in the right format.

The CDE aims to foster a national (and hopefully international) ecosystem of collaborative threat analysis and automated threat sharing using open industry standards. The initiative complements the ACD programme, which since 2016 has shown how simple measures can greatly reduce commodity cyber attacks.

The IOC Machine

The NCSC is committed to sharing as much of its knowledge in real time as possible. This has manifested itself in the creation of the Indicator of Compromise (IOC) Machine, which has transformed the way top sensitive material is ‘declassified’ into the public domain – greatly increasing the UK’s resilience to cyber threats.

Since it went live this year, the technology has enabled a tenfold increase of vital indicators the NCSC shares with external internet service providers and industry partners. This now means that in an average month more than 1,000 vital indicators are being shared at the click of a button.

Situated in the heart of Victoria, London, the NCSC’s ‘Nova South’ headquarters offer a dynamic environment to deliver the organisation’s mission. It fosters a culture of innovation and ways of working fit to address 21st century security challenges.

Its central location, within walking distance to Whitehall, ensures the NSCS’s expertise on key matters of national security can be called upon at short notice.

The facilities offer an open and flexible workspace, complemented by the full range of security capabilities enabling seamless working across classifications.

The NCSC has welcomed a huge variety of guests, including prime ministers, ministers, senior officials and parliamentarians from across the world, through to industry leaders and the next generation of cyber talent with schools visits.

In the past year, the NCSC has hosted 197 events, with more than 9,000 attendees visiting its London headquarters.

International security cooperation

A range of international cyber dialogues were attended by leaders from across UK government including the Cabinet Office, the Foreign and Commonwealth Office, DCMS and the Department for International Trade. These conversations help develop the UK’s relationships around cyber security and policy with its key partners. The NCSC’s contributions include threat assessments, technical advice and insights from incident management practice to help coordinate operational approaches and enhance cyber security standards.

Cyber Defence with NATO

The NCSC works closely with NATO to support its deterrence and defence objectives. As part of the Cyber Defence conference, NATO allies reinforced a pledge to ensure strong and resilient cyber defences.

The UK’s Foreign and Defence secretaries hosted NATO’s Secretary General, the North Atlantic Council Ambassadors and 120 cyber experts from 29 countries for conference sessions at the NCSC’s headquarters and Lancaster House in London.

The NCSC strongly supports the full implementation of the Cyber Defence Pledge agreed in Warsaw in 2016, to ensure that the Alliance is cyber aware, cyber trained, cyber secure and cyber enabled.

Five Eyes: Intelligence alliance at CYBERUK 2019

Experts from the ‘Five Eyes’ intelligence agency alliance advocated for global cyber attack resilience when sharing a stage together for the first time on UK soil.

The Five Eyes intelligence alliance comprises the UK, USA, Canada, Australia and New Zealand. Through the alliance, participating countries work closely together to keep their citizens safe from cyber threats.

The public session took place at the NCSC’s annual conference, CYBERUK 2019, which saw 2,500 cyber security experts come together for a two-day event in Glasgow’s Scottish Exhibition Centre.

The panel considered the shared threats and global vulnerabilities that exist in cyber systems. During the event, delegates had the opportunity to share their experiences of countering these threats and the different approaches used.

Five Eyes intelligence alliance panel chaired by Yasmin Brooks, Director of Cyber, DCMS

Cyber security is of growing importance, but many people do not understand the potential impact that threats can have, or how to manage them when they do. That’s why the NCSC supports the UK’s individuals and families to deal with the common cyber problems they may encounter in their everyday lives, helping them to stay secure.

The NCSC online

As well as advice on keeping secure at home and work by protecting people’s devices and data, guidance is now easily accessible on topics such as how to shop online securely, how to use social media safely, and how to choose the right antivirus product.

The NCSC also offers advice on dealing with cyber crime, and how to report a problem when something goes wrong online. The NCSC’s website includes tips for staying secure online, such as simple steps that can be taken in less than five minutes which significantly reduce the chance of falling victim to cyber crime. It also guides users on what to do if their computer has been attacked by a virus or an account has been hacked.

The NCSC enquiries service

The NCSC’s public enquiries service dealt with 11,000 queries over the past year, representing more than 200 enquiries every week. The NCSC enquiries team can be contacted via enquiries@ncsc.gov.uk or by calling 0300 020 0964.

Supporting organisations

The vast majority of organisations in the UK rely on digital technology to function. Good cyber security helps them take full advantage of the opportunities that technology brings.

The NCSC has worked with DCMS to identify priority sectors to tailor support. It has developed effective partnerships across 14 economic sectors as well as in education, charities and voluntary organisations. Since the NCSC launched, it has built trusted relationships, produced actionable guidance and innovative self-help tools to raise cyber security resilience across the sectors it serves.

Exercise in a Box

Exercise in a Box is an online tool which allows organisations to find out how resilient they are to a cyber attack, and to evaluate their readiness to respond. The tool was originally designed for SMEs, local government and emergency services, but high demand has seen many larger organisations using the tool to determine their own resilience.

Ciaran Martin, NCSC CEO, says: “Large or small, private or public sector, getting your organisation to practice what happens in a cyber attack helps you to spot the gaps in your fitness regime and shows where you might need to change up a gear.”

Steve, one of the NCSC’s experts who helped design the concept, says that exercising is one of the best ways for a business to find out how they would react to an incident.

“There are plenty of commercial products that offer exercises for companies, but they can be very expensive. We designed this to be a free tool because we wanted SMEs to get used to the concept of exercising.

“Any company can do these exercises on their own and know they are doing it in a safe environment. It’s much better to practice beforehand rather than waiting for the real event.

“You don’t have to be technically-minded to use this product. It’s all done in a language that can be readily understood, with lots of supporting material and resources.

“We’ve been really impressed with how popular these exercises have been, not only in the UK, but around the world. We are now looking to evolve the concept for bigger businesses and the public sector.”

Learn more about Exercise in a Box

Top Tips for Staff

The NCSC’s e-learning video, Top Tips for Staff, has proved immensely popular with small businesses and individuals, as a free, easily accessible guide to keeping safe online.

The 30-minute video, aimed at a nontechnical audience, covers four key areas: protection against phishing, the importance of strong passwords, securing devices and reporting incidents when things go wrong.

The NCSC’s Jack says: “The tips can be used by anyone, from large companies to people working on their own from home. It’s highlighting the message to organisations that their first line of security is their staff.

“The advice has been taken up by many smaller businesses and charities which may not have their own IT departments or the resources to train employees in cyber security, attracting 1,500 hits per month to the NCSC website.”

Learn more about Top Tips for Staff

Charities

A government survey found that many of the UK’s 180,000 charities had experienced cyber breaches, including viruses, phishing emails, ransomware attacks and identity theft.

While criminals may pursue financial gain, charities have also been attacked by hackers motivated by a personal or political agenda.

One UK charity lost £13,000 after its CEO’s email account was hacked, and a fraudulent message sent to its financial manager with instructions to release the funds. Often such crimes go unreported because of a charity’s fear of reputational damage.

In response to this, the NCSC has developed an educational programme designed to put the charity sector on a much stronger footing in cyberspace. The programme features a series of simple steps to protect organisations from attack, saving reputation, funds and data from falling into the hands of criminals.

Charities often prefer to seek advice from the bodies that represent them, so a partnership has been made with NAVCA which supports 145,000 charities and voluntary groups in England. A successful programme has been developed to train volunteers to deliver cyber safety awareness sessions for charities and voluntary groups within local communities.

The pilot showed a clear need for these sessions, with 96% of participants having felt that their increased awareness of cyber safety would improve their organisation.

Cyber Security Toolkit for Boards

Boards are pivotal in improving the cyber security of their organisations. The Board Toolkit has been created by the NCSC to encourage essential discussions about cyber security to take place between the Board and their technical experts, helping to raise the maturity, readiness and resilience of the UK’s largest organisations against cyber threats.

New regulations, such as GDPR, mean that board members have a responsibility to ensure good cyber security protects their organisation’s resilience in a complex digital world.

The NCSC’s Katie says that while those on a board may have the confidence to ask the right questions on accounting or health and safety matters, they don’t have the same confidence on cyber security issues.

“The Board Toolkit gives organisations a starting point to examine this topic. They may want to put cyber security on the agenda, but are looking for a good place to start. This toolkit provides an introduction to a wide range of subjects in a digestible format.

“Board members can ask any questions, knowing they will receive an engaging and informed discussion with technical experts that will enable them to take positive action.”

Learn more about the Cyber Security Toolkit for Boards

CYBERUK 2019

Hosted in Scotland for the first time, CYBERUK 2019 reached nearly 3,000 delegates across industry, government and academia. The event delivered a wide range of content through demonstrations, talks and interactive workshops with worldleading experts.

The NCSC will be hosting CYBERUK 2020 in Wales.

CYBERUK 2019 at the Scottish Event Campus in Glasgow

People

CyberFirst

CyberFirst aims to identify and nurture young talent, engaging students from all backgrounds and regions, helping them to explore their passion for technology and providing them with the necessary skills and knowledge to put it into practice.

CyberFirst Bursaries

Now in its fourth year, the CyberFirst Bursary is continuing to provide financial support, cyber security training and work experience to over 750 UK undergraduates, helping young people kick start their career in cyber.

To date, 56 Bursary students have graduated from the CyberFirst programme and have moved into full time cyber security roles with companies and government departments, including; BAE Systems, Barclays, IBM, Netcraft, Encipher Ltd, Lockheed Martin, DSTL, HMGCC, MET Police, the MoD, GCHQ and at the NCSC.

CyberFirst Courses

The CyberFirst Courses are carefully designed to bring out every student’s potential. Open to 11 to 17 year-olds, students are encouraged to understand how everyday technology works and importantly, how to protect it. This year, courses took place in Paisley, Cardiff and Belfast, as well as Newcastle, Southampton, Warwick, Gloucester and London.

All CyberFirst summer courses have been credit rated by the Scottish Qualification Authority (SQA) and have been independently certified as a GCHQ Certified course, which is a fantastic endorsement of the course content, quality and delivery.

Finalists of the CyberFirst Girls Competition 2019 grand final in Edinburgh

CyberFirst Girls Competition

With the largest and most diverse set of participants, the CyberFirst Girls Competition 2019 was the most successful to date. Nearly 12,000 girls from 841 schools entered from all corners of the UK – from Jersey to Caithness, Essex to Londonderry – with double the number of schools participating from Scotland and Wales.

Following the competition, 98% said they would like to learn more about cyber security.

Cyber Schools Hubs

The last 12 months have seen the first full academic year of Cyber Schools Hubs, created to develop a model for engaging with schools on cyber security. The project currently supports schools across Gloucestershire, in a variety of ways, from sharing technical equipment and lesson plans, to funding educational visits and linking with industry supporters.

Certified Degrees

The NCSC Certified Degree community has continued to grow, with seven certified undergraduate degrees and 24 certified postgraduate degrees. Universities across the UK, from Bristol to Dundee, Pontypridd to Belfast, now offer certified degrees. This year also saw the publication of a new standard to certify Degree Apprenticeships in Cyber Security, based on the Institute for Apprenticeships and Technical Education’s recently published Cyber Security Technical Professional standard.

Cyber Security Body of Knowledge

Cyber security encompasses a wide range of disciplines, but its relative youth means it lacks the coherence found in more mature STEM fields. In response to this, the NCSC set up the Cyber Security Body of Knowledge, with the long-term aim of contributing to the development of the cyber security profession. The project’s purpose is to codify the cyber security knowledge which underpins the profession. The project focuses on providing learning pathways, professional development and careers information for the people of the UK.

Working with partners in government, industry and academia, the NCSC identifies and supports excellence in cyber security research and encourages industry investment. By continuing to work with external partners, the NCSC is helping to put the UK at the forefront of internationally leading cyber security research.

Academic Centres of Excellence in Cyber Security Research

Academic Centres of Excellence in Cyber Security Research (ACE-CSR) are at the forefront of cyber security research in the UK and showcase the UK’s research capabilities on the global stage. The NCSC and the Engineering and Physical Sciences Research Council recently welcomed De Montfort University and Northumbria University to the ACE-CSR community, bringing the total number of universities recognised to 19.

Research Institutes

The NCSC is now supporting four successful academic Research Institutes, to develop cyber security capability in strategically important areas. Each one is focusing community effort in its respective area and encouraging interaction between academia and industry.

The Research Institute academics are increasingly providing their expertise into relevant government policy activity. Examples include the UK Research and Innovation-managed ‘Digital Security by Design’ challenge advisory board and assisting the DCMS and the NCSC with developing the Institute of Technology Code of Practice.

The NCSC aims to develop the UK’s cyber security ecosystem by transforming innovative ideas into real world solutions.

Cyber Accelerator

The NCSC Cyber Accelerator supports the growth of start-up cyber companies which are bringing new security products to market. It aims to support the emerging cyber security industry within the UK, encouraging skills, jobs and growth.

The third cohort of the NCSC Cyber Accelerator has created 30 jobs, won 18 trials, proof of concept and contracts and raised more than £15 million in funding.

NCSC Cyber Accelerator entrepreneurs

The Science Museum launches exhibition revealing GCHQ secrets

Coinciding with the centenary and in a first for a UK intelligence agency, GCHQ has launched a new exhibition which will take visitors through the history of secret communications. 'Top Secret: from Ciphers to Cyber Security', explores a century’s worth of intelligence that underpin GCHQ’s vital role.

Supported by funding from the National Cyber Security Programme, free tickets are available to book on the Science Museum’s website. From July to September 2019, 80,000 people visited the exhibition. It runs in London until February 2020, moving to Manchester’s Science and Industry Museum in October the same year.

Bletchley Park section at 'Top Secret' at the Science Museum
© Jody Kingzett, Science Museum Group

Royal celebrations for GCHQ

Her Majesty The Queen visited the original top secret home of GCHQ as part of the centenary celebrations for the UK’s intelligence, security, and cyber agency.

During The Queen’s visit, she met with the 2018 CyberFirst Girls Competition winners from The Piggott School.

Her Majesty The Queen unveils an historic plaque at Watergate House, the 1919 birthplace of GCHQ

The GCHQ Centenary Puzzle book II

The NCSC contributed to the development of GCHQ’s Puzzle Book II. It includes stories from the organisation’s inception, all the way through to the opening of the NCSC and puzzle designs based on previous cyber competitions.

The proceeds from the sales of Puzzle Book II will be donated to Heads Together, which works to raise the profile of the importance of mental health.