We are using cookies to give you the best experience on our site. By continuing to use our website without changing the settings, you are agreeing to our use of cookies.

L
o
a
d
i
n
g
.
.
.

Can you crack the code

What 13 - letter place name is hidden in this sentence?

You need the ability to receive clues, e.g. noticing exactly thirteen examples of one vowel in a sentence - the letters just before every appearance of one of a, e, i, o or u may inspire your brain to spot the trickiness

Think you know?

Bletchley Park

Once the top-secret home of the World War Two Codebreakers is now a vibrant heritage attraction. It's filled with challenges and inspiring stories of those who pioneered to keep us safe.

Explore Bletchley Park
2020 Annual Review - Making the UK the safest place to live and work online

Welcome

The National Cyber Security Centre (NCSC), a part of GCHQ, is the UK’s technical authority for cyber threats.

Since the NCSC was created in 2016 as part of the Government’s five-year National Cyber Security Strategy, it has worked to make the UK the safest place to live and work online.

This Annual Review of its fourth year looks back at some of the key developments and highlights from the NCSC’s work between 1 September 2019 and 31 August 2020. As part of a national security organisation not all its work can be disclosed publicly but the review seeks to describe the year with insights and facts from colleagues and teams inside and out of the organisation.

Read the full Annual Review

Ministerial foreword

by The Rt Hon Penny Mordaunt MP, Paymaster General

HM Government Logo
The Rt Hon Penny Mordaunt MP, Paymaster General

For the NCSC, as for the UK as a whole, this year has been dominated by the unprecedented challenge of the coronavirus pandemic. The organisation is dedicated to making the United Kingdom the safest place in the world to live and work online. During the pandemic it has tackled more cyber threats than ever before. This Annual Review shows how the NCSC took decisive action against malicious actors in the UK and abroad who saw the UK’s digital lifelines as vectors for espionage, fraud and ransomware attacks. The NCSC helped to protect NHS Trusts, the Nightingale hospitals and vital NHS systems, ensuring they were able to function remotely in spite of coronavirus.

In this year of complex challenges, the NCSC continues to react to swiftly evolving cyber threats. The organisation’s nationwide guidance to individuals and businesses on protecting their security proved invaluable. Its new service aimed at rooting out online scams saw the public respond with reports of over two million suspicious emails. This Review demonstrates two important messages about the NCSC’s work. First: we are all the targets of cyber criminals. While preventing crime is the NCSC’s priority, working in close partnership with law enforcement, it has also supported nearly 1,200 victims of 723 attacks this year that proved impossible to deflect. Second: cyber security is a team sport.

Government, industry and the public have an important role in building UK resilience to a spectrum of risks – hostile activity from state and non-state actors, terrorism and serious organised crime.At this pivotal time for the cyber sector, I want to welcome the NCSC’s new Chief Executive Officer, Lindy Cameron, and pass on my gratitude to her predecessor, Ciaran Martin. From the NCSC’s inception, Ciaran was instrumental in developing the UK’s National Cyber Security Strategy, striking the balance between economic opportunity and security. Lindy, with over two decades’ experience of national government security policy, is well placed to steer the NCSC from strength to strength.

The pandemic continues to affect how we live and work. It is vital that cyber security remains a priority. It will help us to stay ahead of changing technologies, seize the opportunities for the UK as an independent country outside the European Union, and harness cyber’s full potential to help drive economic recovery.

Continued in the full Annual Review

Introduction

Lindy Cameron, CEO of the National Cyber Security Centre

Lindy Cameron, CEO of the National Cyber Security Centre

It is a great privilege to present the fourth Annual Review of the National Cyber Security Centre, a part of GCHQ. I am honoured to have been appointed as the NCSC’s second Chief Executive Officer, taking over from Ciaran Martin who was so pivotal in the development of this world-leading organisation.

This review outlines another impressive year of delivery for the NCSC from September 1st 2019 to August 31st 2020, largely against the backdrop of the shared global crisis of coronavirus. As you would expect, the pandemic features heavily in this Review. I am proud to lead an organisation of staff that both helped with the UK’s response to coronavirus and also sustained delivery of a nationally important brief, despite the challenges felt by us all this year.

Continued in the full Annual Review

12 month timeline

This covers the period September 2019 to August 2020

Click and drag to view

2019
2020

5 Sept

Former CEO Ciaran Martin speech at Billington Cyber Security Summit, Washington DC, and receives international award for cyber security leadership

18 Sep

Trusted Research, joint CPNI-NCSC campaign to raise awareness of hostile state activity threat to academia is published

3 Oct

Singapore Cyber Week: UK and Singapore sign Internet of Things (IoT) security pledge

21 Oct

Joint report from the NCSC and NSA highlighting Turla activity

5 Nov

Cyber Security Body of Knowledge (CyBOK) published

25-26 Nov

CyberThreat summit hosted by the NCSC & the SANS Institute

29 Nov

NCSC Guidance: Downloadable copies of cyber security information cards for schools

3-4 Dec

NATO Heads of State and Government meeting, London - former NCSC CEO Ciaran Martin takes part in NATO Engages event

12 Dec

UK General Election – the NCSC works to safeguard the election and protect the Register to Vote site

13 Dec

Cyber security advice for Members of Parliament and their staff published

22 Jan

NCSC Guidance: Mobile Devices - a comprehensive guide to the protection of mobile devices help for organisations from choosing and purchasing devices to the advice to give end users

28 Jan

UK Government announces plans to exclude high risk vendors from ‘core’ parts of 5G and full-fibre networks

10 Feb

NCSC welcomes opening of the Northern Ireland Cyber Security Centre

18 Feb

NCSC partners with Girlguiding South West England, as part of the drive to increase female representation in cyber security.

20 Feb

Foreign Secretary condemns Russia's military intelligence service, the GRU after NCSC assessment of Georgian cyber attacks

3 Mar

NCSC Guidance: Smart security cameras: Using them safely in your home - how to protect 'smart' security cameras and baby monitors from cyber attack Keeping Safe in the Internet of Things

16 Mar

King Edwards’s School crowned winners of the NCSCs CyberFirst Girls Competition at final in Cardiff

16 Mar

The NCSC reveals phishing attacks are exploiting worries over COVID-19

17 Mar

NCSC Guidance: Home Working to support those shifting to new ways of working in the wake of COVID-19

27 Mar

The NCSC publishes its Research Problem Book to shed light on some of the kinds of research problems the NCSC is working on

8 Apr

The NCSC and DHS-CISA issue a joint advisory on malicious cyber actors exploiting coronavirus

21 Apr

Cyber Aware & Suspicious Email Reporting Service (SERS) launched

20 May

NCSC Guidance: COVID-19: Moving your business from the physical to the digital

10 Jun

NCSC Guidance: Dealing with suspicious emails, phone calls and text messages

25 Jun

Suspicious email reporting receives 1 millionth report

30 Jun

Publication of consumer Internet of Things security standard ETSI EN 303 645

13 Jul

Exercise in a Box - Working from Home exercise released

14 Jul

UK government agrees to greater restrictions on the use of Huawei in UK networks Huawei decision informed by the NCSC’s updated technical review and analysis of the impact of amendment to the US direct product rule and Entity List.

15 Jul

NCSC Guidance: Cyber security in schools: questions for governors and trustees

16 Jul

UK and allies' issue advisory outlining APT29 targeting of COVID-19 vaccine development

23 Jul

Cyber Threat to the Sports Sector report published

27 Jul

New cohort of Cyber Accelerator programme (supporting growth of cyber security start-ups) begins

28 Jul

The findings of the NCSC / KPMG Diversity and Inclusion survey are published

28 Jul

Lindy Cameron announced as the NCSC’s new CEO

6 Aug

NCSC Guidance: Cyber insurance for organisations considering purchasing cyber insurance

14 Aug

The NCSC warns of online scams where criminals use rich and famous to lure victims

24 Aug

NCSC Guidance: Bring Your Own Device - the new normal - the NCSC’s view on BYOD and the rise in home working

NCSC year four highlight statistics

723

Handled 723 cyber security incidents

1200

Provided support to almost 1,200 victims

166710

Discovered and took down 166,710 phishing URLs, 65.3% of which were removed within 24 hours

414

Produced 414 threat assessments

101747

Produced 101,747 physical items for 140 customers through the UK Key Production Authority

2300000

2.3 million suspicious emails forwarded to our new Suspicious Email Reporting Service

2700000

2.7 million visitors to the NCSC’s website

30

Produced 30 pieces of guidance and 60 blogs

17100

Awarded 17,100 Cyber Essential Certificates

2953

Added almost 2,953 new members onto the NCSC’s Cyber Security Information Sharing Partnership (CiSP)

1770

Engaged with 1,770 young people in the 2020 CyberFirst summer courses

100

Delivered more than 100 workshops, podcasts and webinars all over the UK for the voluntary sector

20

Visited and welcomed visiting delegations from over 20 countries

4602

Hosted 101 events, with 4,602 attendees

Jeremy Fleming, Director GCHQ

Jeremy Fleming, Director GCHQ

“The world changed in 2020 and so did the balance of threats we are seeing. As this Review shows, the expertise of the NCSC, as part of GCHQ, has been invaluable in keeping the country safe: enabling us to defend our democracy, counter high levels of malicious state and criminal activity, and protect against those who have tried to exploit the pandemic. The years ahead are likely to be just as challenging, but I am confident that in the NCSC we have developed the capabilities, relationships and approaches to keep the UK at the forefront of global cyber security.”

1

Coronavirus: Responding to the Pandemic

Much of the NCSC’s work this year revolved around the Coronavirus outbreak, which required a government-wide response. The NCSC’s multi-faceted role included giving advice to an increasingly digitally active public, fixing vulnerabilities and responding to threats emanating from the pandemic.

Coronavirus
Responding to
the Pandemic

Much of the NCSC’s work this year revolved around the coronavirus outbreak, which required a government-wide response. The NCSC’s multi-faceted role included giving advice to an increasingly digitally active public, fixing vulnerabilities and responding to threats emanating from the pandemic.

The NCSC’s proactive measures to defend the UK from coronavirus-related threats fell into five strands of work:

  1. Building NHS Resilience
  2. Protecting vaccine and medicine research
  3. Supporting remote working and tackling cyber crime
  4. Securing the NHS Covid-19 app and large-scale data
  5. Supporting Essential Service Providers

Responding to the pandemic: the facts

Click and drag to view

7

Worked closely with the Centre for Protection of National Infrastructure (CPNI) on the secure build of seven Nightingale hospitals

160+

More than 160 instances of high-risk and critical vulnerabilities shared with NHS Trusts

200

Around 200 incidents the NCSC responded to this year related to the UK’s coronavirus response

230

Victims supported by the NCSC who faced incidents that were related to coronavirus

235

Rolled out Active Cyber Defence (ACD) services, including Web Check, Mail Check and protective DNS, to 235 front-line health bodies across the UK, including NHS Trusts

1,283

Engaged with over 1,200 ESPs across the UK to outline available NCSC guidance and support

51,000

Total number of Indicators of Compromise (IoCs) shared with the NHS

1m

Scanned more than one million NHS IP addresses to detect security weaknesses

1.4m

Performed threat hunting on 1.4 million NHS endpoints to detect suspicious activity

260

Blocked 260 SMS Sender IDs which were likely to or have been used in malicious SMS campaigns with coronavirus as their theme, such as spoofing legitimate government or healthcare IDs

15,000

More than 15,000 coronavirus-related malicious campaigns taken down by the NCSC and its commercial partner, Netcraft

Building NHS resilience

During the pandemic, protecting healthcare was the NCSC’s top priority, and the organisation worked ceaselessly to support the NHS. The national objective was clear: to keep the system and its staff secure and resilient to cyber threats.

To achieve this, the NCSC introduced measures including the design of a new back-up service, pioneering discovery tradecraft and deploying analysts to look at NHS threat data. This was facilitated by the Department of Health and Social Care (DHSC) signing a “Direction” giving the NCSC consent to check the security of NHS IT systems.

As a result, more than one million NHS IP addresses were supported, over 160 high-risk and critical vulnerabilities were identified and shared, and threat hunting performed on 1.4 million endpoints. The NCSC supported the health sector through cyber security incidents, and ACD services were put in place to protect more than 235 NHS units, including Trusts.

Image of a nurse standing with her arms crossed.

Protecting vaccine and medicine research

Support to vaccines and therapeutic medicines was a clear priority for the summer. The NCSC supported the government Vaccine Taskforce, which controls decision-making on research funding and purchasing through to manufacturing and distribution, and several universities and pharmaceutical companies.

Work on vaccines and therapeutic medicines has an important supply chain component – particularly when it comes to manufacture and distribution – and this work will continue as an integral part of the NCSC’s mission.

illustration of medical viles.

Russian Espionage

In July, the NCSC revealed Russian cyber actors known as APT29 had been targeting organisations involved in coronavirus vaccine development. The NCSC assessed that APT29, also named “the Dukes” or “Cozy Bear” almost certainly operates as part of Russian intelligence services.

An advisory published on the NCSC’s website outlined a variety of tools and techniques, including spear-phishing and custom malware known as ‘WellMess’ and ‘WellMail’, were being used to steal valuable intellectual property. This not only exposed the hostile action directly but also demonstrated to a wide range of pharmaceutical companies that they needed to understand more about protecting themselves.

The assessment, which received front-page coverage globally, was supported by partners at the US Department for Homeland Security (DHS), Cybersecurity Infrastructure Security Agency (CISA) and National Security Agency (NSA), and the Canadian Communication Security Establishment (CSE).

Continued in the full Annual Review
“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic. Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector. We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”

Paul Chichester, NCSC Director of Operations

Sharing threat information with the NHS

Indicators of Compromise (IoCs) are pieces of data which identify potentially malicious activity on a system or network. These help network defenders detect and mitigate threat activity.

Before the NCSC created the IoC Machine last year, it took several hours for officials to share information relating to threats in the UK. The IoC machine can identify what can be shared in a matter of seconds – meaning the NCSC can share more threat information in real time.

With the improved ability to share IoCs and the need to protect the health and associated sectors during the pandemic, the NCSC exponentially increased the number of potential compromise tips to the NHS – with 51,910 shared by the end of August.

The shared IoCs were collated from the NCSC’s own declassified sources and from industry 100 (i100) secondees – our workforce initiative that sees companies loaning security-cleared experts to work alongside NCSC staff - from threat intelligence organisations. These i100 contributions have been significant and valuable, complementing the NCSC’s own collections and providing additional mitigation effects for the health sector. Secondees have worked alongside NCSC analysts to triage and investigate all IoCs before release, to ensure accuracy, validity and quality.

Continued in the full Annual Review

Supporting remote working and tackling cyber crime

When many organisations moved to remote working because of coronavirus, the NCSC responded with new guidance on how to help employees work and communicate securely from home, including those who needed to use their personal IT for work.

The NCSC published advice for organisations moving their business online at pace. Advisories were issued about how cyber criminals were seeking to exploit the pandemic for profit, and guidance was updated on how to spot and deal with suspicious emails, calls and texts (including coronavirus-based scams).

The pandemic led to a huge increase in employees working from home, with many making rapid adjustments to their new “office” and learning new skills, such as coping with intermittent Wi-Fi, or handling the etiquette of virtual meetings on Zoom, Microsoft Teams or Skype. With more people using personal devices for work purposes came an increased vulnerability to cyber fraud, as criminals sought to exploit the changing circumstances. Some scams, frequently using phishing emails, claimed to have a “cure” for coronavirus, or sought donations to bogus medical charities. Many users found that clicking a bad link led to malware infection, loss of data and passwords.

Continued in the full Annual Review
Illustration of a person working on a computer on a desk at home.

Disrupting cyber crime

Cyber criminals look to exploit any vulnerability to generate income – and coronavirus has been no exception. The NCSC has led the way throughout the pandemic to expose attack methods of those exploiting the virus online - and advise on ways to defend against them.

This year a significant proportion of attempted compromises have been related to coronavirus – whether it’s linking to bogus products or targeting people using their devices in a different way due to the pandemic.

The NCSC has disrupted thousands of attempts to trick people, from fake lures of PPE, testing kits and cures and even sham key worker badges to activate supermarket discounts. Coronavirus was the catalyst for the release of the NCSC’s Suspicious Email Reporting Service (SERS) – which has received more than 2.3 million reports from the public, leading to 22,000 malicious URLs being taken down.

Illustrations of the covid-19 virus.

Timeline of NCSC coronavirus-related interventions to support people and businesses

Timeline showing: March 16 - The NCSC reveals criminals carrying out phishing attacks using coronavirus-related products as a lure. March 17 - New guidance published as home working increases. April 01 - Organisations identified as ESPs sent bespoke communications on advice, support and preventative measures to help them with cyber security. April 08 - The NCSC and DHS-CISA issue a joint advisory on malicious cyber actors exploiting coronavirus. April 21 - ‘Cyber Aware’ campaign launches to help protect citizens online during lockdown. Release of the SERS to combat fraudulent emails. May 04 - The NCSC supported DHSC on creation of NHS COVID-19 app. May 05 - Joint UK and US advisory on APT groups targeting healthcare services. June 25 - One millionth public report received into the SERS. July 13 - ‘Home and remote working’ scenario added to Exercise in a Box toolkit. July 16 - UK and allies expose Russian attacks on coronavirus vaccine development.

Nicky Hudson, NCSC Director of Policy & Communications

Nicky Hudson, NCSC Director of Policy & Communications

“We know that cyber criminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the coronavirus outbreak.


“Our advice to the public is to follow our guidance, which includes everything from password advice to spotting suspect emails.


“In the event that someone does fall victim to a phishing attempt, they should look to report this to Action Fraud as soon as possible.”

Securing the NHS Covid-19 app and large-scale data

The NCSC supported the NHS Test and Trace programme, the work of the Joint Biosecurity Centre (JBC) and the development of the NHS COVID-19 app to help curb the spread of the coronavirus.

The NCSC’s role

  • Ensuring NHS teams had the information they needed to make decisions affecting users’ privacy and data security, including integrating a senior security architect to be the app Chief Information Security Officer
  • Advising on cyber security best practice and how to implement it, helping the NHS teams to use the NCSC’s cyber security design principles as a guide
  • Maintaining transparency and openness with the public about the privacy and security decisions made by the NHS, by blog posts on the NCSC website during development and to accompany trial and national launches
  • Soliciting feedback from the cyber security community on the app, using our existing HackerOne Vulnerability Disclosure Programme (VDP) to gather input from outside experts
  • Testing the efficacy of contact tracing using Bluetooth in lab and real-world scenarios

Threat modelling

A key area of NCSC support was supporting the threat modelling used by developers, helping them to understand the risk to the app from external threats, and helping them understand the potential implications of their security and privacy decisions. The NCSC ran multiple threat modelling workshops and supported the use of a consistent approach across the project, using the STRIDE model (Spoofing, Tampering, Repudiation, Informal disclosure, Denial of service, Elevation of privilege). This model has helped the NHS team implement more security measures in the app to support users’ privacy, data security, and resilience against misuse/abuse.

The balance of privacy and utility

The NCSC also supported the NHS to find the right balance between user privacy and utility. For example, the NCSC advised on the optimum level of analytical data collected so as not to de-anonymise users, but granular enough to provide meaningful insights into whether the app worked. Based on these discussions, the app team selected a minimum set of metrics which were chosen to fulfil the requirements – including postal district, isolation status and number of location check-ins. Where even these metrics could identify users, for example, postal districts with small populations, the analytics are aggregated into larger sets to reduce the risk of users becoming identifiable from the information they provide.

Continued in the full Annual Review
Screenshot of the NHS covid-19 app.

Dr Ian Levy, NCSC Technical Director

Dr Ian Levy, NCSC Technical Director

“This is an example of how we deploy our high-end security architects to key projects in government to ensure that security is at the heart of its systems.”


Supporting Essential Service Providers

What are ESPs?

  • ESPs are public, private and third sector organisations essential to the UK’s response to the coronavirus crisis
  • They cover a wide range of areas including online supermarkets, haulage companies, ventilator manufacturers, healthcare suppliers, supply chain companies and charities
  • They also include existing CNI partners such as communications, energy and financial organisations

How were they identified by the NCSC?

  • At the start of the coronavirus outbreak the NCSC worked with government departments to identify and map ESPs
  • Those already engaged with the NCSC were contacted, then the team worked with central government, trade associations and other organisations to bring together a portfolio of contacts
  • The NCSC repurposed its CNI Knowledge Base, which maps the UK’s national infrastructure, to help government understand the interdependencies and connections between ESPs in certain sectors

What support were they given?

  • 17 new items of guidance and a range of additional engagement material were produced to advise on the actions needed to reduce the risks of cyber attacks
  • The NCSC liaised with 1,283 ESPs – enabling them to reach out to hundreds of additional supplier companies
  • Incidents and cyber enquiries were managed and findings fed back into the NCSC’s products
  • This work resulted in products being created to help the change in operating and working environment such as the ‘moving your business from physical to digital’ publication
  • Bespoke offers of support were provided, such as the Cyber Essentials offer to small and medium sized businesses supporting healthcare
2

Defending democracy

This year, the NCSC has played a bigger role than ever in defending the UK’s political process.

While defending democracy from cyber attacks has always been a key priority, the unique challenges thrown up by a general election and the temporary introduction of a ‘virtual Parliament’ due to coronavirus meant cyber security has never been more important in UK politics.

Defending democracy

This year, the NCSC has played a bigger role than ever in defending the UK’s political process.

While defending liberal democracies from cyber attacks has always been a key priority, the unique challenges thrown up by a general election and the temporary introduction of a ‘virtual Parliament’ due to coronavirus meant cyber security has never been more important in UK politics.

Virtual Parliament

The coronavirus pandemic changed the way everybody in the UK worked, including our Parliamentarians. The solution to enable MPs and peers to carry out their functions came through technology, and the NCSC and the Parliamentary Digital Service were central to delivering what was arguably the biggest-ever change to how Parliament operates.

The challenge

Democracy relies on elected representatives meeting to debate, scrutinise and vote but restrictions on movement and contact meant MPs and peers were unable to do so in Parliament. Solutions had to be rapidly implemented to ensure Parliamentarians returning after Easter recess could conduct their business at a time when crucial decisions were being taken in Westminster.

Virtual debates

Technology was rapidly developed to allow Parliamentarians to debate from remote locations in a secure setting. This meant in addition to the 50 MPs allowed into the Commons, a further 120 were able to participate online. To counter the risk that hackers and online intruders could disrupt proceedings, the NCSC worked with Parliamentarians to upgrade awareness and training in cyber security. It provided advice to ensure the new system had the right balance of security controls to mitigate the threat posed by cyber criminals, while safeguarding important conventions and privileges.

Remote divisions

For centuries, voting in Parliament has been done in a very specific way: through the provision of physically entering one of the two lobbies on either side of the chamber to cast their vote.

With most MPs not in the chamber, a digital solution was required to allow votes to be cast remotely. A new system was built with multiple checks, to ensure a high level of confidence in the votes being cast.

Working together

The NCSC was just one part of a broader team that worked together to deliver virtual Parliamentary proceedings. Broadcasters, Parliamentary digital staff and staff across both Houses at Westminster collaborated to ensure appropriate cyber security controls were in place.

Image of parliament meeting virtually.

Virtual Parliament in session

The 2019 general election

Protecting the UK’s electoral processes is one of the most important objectives of the NCSC. Supporting this aim sees the organisation working all year round – offering expert cyber security guidance and advice – to support political parties and parliamentarians. As part of the NCSC’s preparation the organisation monitored developments in the lead up to the vote and worked with international partners to learn from their experiences in mitigating the risk of cyber attacks against national ballots. During the election, the NCSC responded to a wide range of incidents, working behind the scenes to triage threats, investigate leads and providing advice and assistance where required.

Illustration af two paper planes.
Illustration of a ballot box.

Protecting the Register to Vote website

The NCSC supported the resilience and security of the online platform to allow citizens to access or update their details on the electoral register. The NCSC’s experts worked closely with the Register to Vote team at the Cabinet Office to review the site’s ability to withstand peaks in traffic.

On average, the Register to Vote website receives around 25,000 daily online submissions, but on 25 November, there was an unexpected spike in interest and the site received 366,000 applications.

Thanks to the groundwork done to ensure resilience, the service remained stable, despite the considerable increase in load, ensuring record levels of registrations.

Distributed denial of service (DDoS) attacks

Prior to the dissolution of Parliament, the NCSC hosted a seminar with the UK’s Parliamentary parties to brief them on the cyber security threat and the steps they could take to protect themselves.

Early in the campaign a series of DDoS attacks against political party websites became a major story. Whilst these were relatively low-capability attacks, the timing was concerning.

The fact these attacks were largely unsuccessful is a testament to the preparation done by the parties affected to defend themselves. The NCSC published relevant advice on its website and shared this guidance with the Parliamentary parties’ IT teams.

Support to new MPs

After the election, the NCSC provided guidance on best practice for all new MPs to ensure they and their staff were cyber security aware. Specific guidance on how to respond to targeted phishing attacks was given by the NCSC’s Incident Management (IM) team to more than 200 prominent figures – including government ministers.

Foreign interference

The UK Government is clear that any foreign interference in the UK’s democratic process is completely unacceptable, but certain states seek to exploit elections through cyber attacks, disinformation and other methods.

The NCSC is working with the Government in taking forward a programme to ensure there are robust safeguards against hostile state activity, foreign lobbying activity and third parties seeking to interfere in democratic processes. The UK will continue to identify and respond to malign activity alongside NATO and international partners.

On the basis of extensive analysis, the Government has concluded that it is almost certain that Russian actors sought to interfere in the 2019 General Election through the online amplification of illicitly acquired and leaked Government documents.


“Sensitive Government documents relating to the UK-US Free Trade Agreement were illicitly acquired before the 2019 General Election and disseminated online via the social media platform Reddit. When these gained no traction, further attempts were made to promote the illicitly acquired material online in the run-up to the General Election.


“Whilst there is no evidence of a broad spectrum Russian campaign against the General Election, any attempt to interfere in our democratic processes is completely unacceptable. It is, and will always be, an absolute priority to protect our democracy and elections.”

WMS by Rt Hon Dominic Raab, MP, First Secretary of State and Secretary of State for Foreign, Commonwealth and Development Affairs.

Offering dynamic cyber solutions to government

Through guidance and training, the NCSC improves the level of cyber resilience among those in national and local government, ensuring that the public sector can rely on secure access to essential services, networks and data.

The Cyber Centre of Excellence is a government security initiative to help improve cyber security advice across departments. The Centre has played a vital role in helping departments to implement the NCSC’s ACD capabilities, conducting risk analysis to address vulnerabilities and to improve cyber resilience across government.

This year the NCSC has:

  • Provided advice as part of the One Government Cloud Strategy, which will allow for unprecedented cross-organisational collaboration
  • Supported HMRC with the introduction of coronavirus-related services including Job Retention, Self-Employment Income Support, and the Statutory Sick Pay Rebate Scheme
  • Provided guidance on how to risk manage employees using IT devices while working from home and mitigated cyber security vulnerabilities in government departments’ systems
  • Designed a new protocol which uses novel cryptography to allow public services to query sensitive databases on the cloud
  • Overseen the secure delivery of data from departments as part of support to the Office of National Statistics in preparation for next year’s Census.

Advanced Mobile Solutions (AMS)

With government needing its personnel to be able to work remotely and securely on mobile devices, the NCSC’s Advanced Mobile Solutions (AMS) has given authorised users protected access to the most sensitive networks.

This year to ensure the safe connection between less secure remote devices to secret networks, AMS created new classes of “cross domain” technology, using highly innovative infrastructure security. The new approach has enabled methods of secure communication between individuals and groups, such as video conferencing, whether they are in protected facilities or working remotely. This provides a significant improvement in protection compared to standard security technology such as Web Application Firewalls.

“Capabilities like AMS highlight both the very latest developments in cybersecurity and also the ability of highly sensitive departments to work in a modern way. The advances are the results of the NCSC’s diligent research collaborations with our academic and industry partners"

Dr Ian Levy, NCSC Technical Director

500

AMS & derived technologies are currently deployed to over 500 devices across multiple organisations.

2000

The NCSC anticipates a significant increase in these numbers as a new managed service (initially scaled to 2000 devices) comes online at the end of 2020 and new secure remote working systems, currently being built, come online early to mid 2021.

Illustration of a person working on a laptop.
3

Building a resilient nation

In response to the fast pace and everchanging national and international security threats, the NCSC works through established partnerships to help make the UK as resilient as possible – from defending citizens, businesses and charitable institutions, to safeguarding Critical National Infrastructure, defence and security assets and operations.

Building a resilient nation

In response to the fast pace and everchanging national and international security threats, the NCSC works through established partnerships to help make the UK as resilient as possible – from defending citizens, businesses and charitable institutions, to safeguarding Critical National Infrastructure, defence and security assets and operations.

Defence, Security & Resilience

The NCSC works closely with the Ministry of Defence (MOD) to ensure UK Armed Forces can operate with confidence based on reliable information shared safely with UK and international partners.

The UK’s most sensitive information and most important capabilities are protected using the NCSC’s Crypt-Key (an encryption management system), which is underpinned by the technical expertise the NCSC holds as the UK’s technical authority on cyber security.

Over the past year, the NCSC has worked with the MOD, NATO and other partners on the transformation that is required throughout the UK National Crypt/Key Enterprise and this vital collaboration will continue.

Jacqui Chard, NCSC Deputy Director for Defence and National Security

“At the NCSC, we are proud that our technical expertise helps to keep our armed forces safe and operating with confidence all around the world.”


Jacqui Chard, NCSC Deputy Director for Defence and National Security

UK Key Production Authority

At the heart of the NCSC’s security work is the expertise needed to create highly secure, encrypted communications for the government, military, industry and allies. Its research on improving these systems has led to significant new developments in Crypt-Key, transforming old, paper-based practices into modern, digital ones.

This year, the UK Key Production Authority (UKKPA) - a part of NCSC - replaced the long-standing method of producing cryptographic keys on punched paper tape with a more efficient capability for producing and distributing keys in an electronic, highly secure format, meeting the advanced requirements of national and international defence partners.

An image of punched paper tape.

Eight-hole punched paper tape example

Defence of the realm

The NCSC worked to protect military personnel and the nation’s most important ground, naval and air assets, providing support with incident and threat reporting, and training for staff.

As part of this role, the NCSC provided advice on cyber security risks and policy to the Continuous At Sea Deterrent (CASD), including the mitigation of any potential supply chain vulnerabilities. Ongoing support is given to the Successor programme, which will deliver the replacement to the current Vanguard-class Trident Submarine.

The NCSC continues to provide NATO with “thought leadership” and technical expertise on cyber security and cryptography to help the organisation protect its communications and information infrastructure.

The NCSC led the development of NATO's action plan to protect its secure communications against the threat posed by future quantum computing and is providing ongoing assistance to NATO with the implementation of its plan.

An image of a submarine part submerged in the water of the coast.

HMS Vengeance, Vanguard-class submarine

“UK Strategic Command and the NCSC frequently work hand-in-hand to enhance Defence’s security posture and in the fight to protect our networks and critical national information against constant attack.


“Cyberspace is the most active domain, and the NCSC delivers critical support to us in threat and incident management, high grade cryptography and in providing specialist support such as preparing for CSG21 (UK Carrier Strike Group 21) and the ongoing support to the strategic deterrent.”

General Sir Patrick Sanders, Commander of Strategic Command

Poseidon maritime patrol aircraft

The NCSC has been working with the MoD on all security aspects of the Boeing Poseidon P-8A Maritime Patrol Aircraft, which will offer a high level of sea defence to the UK due to its unique submarine-hunting capabilities.

Operating from RAF Lossiemouth, the aircraft successfully achieved its initial operating capability in April, contributing to maritime counter-terrorism, and will be able to support search and rescue operations worldwide.

Joint strike fighter

Defence’s fleet of new F-35B combat aircraft was being supported by the NCSC as they extend their operational ability with deployment into international areas of conflict. The NCSC is providing TEMPEST testing, ensuring the highest level of secure communications and has been involved in the development of Lightning Shield to maintain operational security. The latter ensures the F-35B’s Freedom of Action and is in operational use by the UK Lightning Force and Royal Australian Air Force.

The NCSC continues to review the cyber security of the aircraft’s international maintenance support and the rapid provision of the necessary key material to support carrier landings. It provides guidance to secure the international ground systems for the F-35B and provided technical expertise to mitigate the threat to the supply chain that supports the aircraft.

An image of the new F-35B fighter plane.

F-35B Lightning combat aircraft

“The work the NCSC does to battle harden our fifth generation F-35B Lightning jets from cyber security threats is vital and means the UK can deploy and support this capability at a time and place of our choosing."


Rear Admiral Matt Briers, Director Carrier Strike, Ministry of Defence

Supporting the citizen

While the NCSC works to protect the UK’s national security and strategic interests around the world, closer to home it works to safeguard everyday citizens and communities from cyber crime and threats.

Suspicious Email Reporting Service

Every day billions of emails are sent globally, helping businesses to function efficiently and keeping people connected. While the vast majority are harmless, the small proportion that are malicious still account for millions of daily cyber threats.

“Phishing” attacks see criminals sending untargeted, mass emails asking for sensitive information (such as bank details) or encouraging recipients to visit a fake website. Such emails can be highly effective at mimicking an established organisation, and even highly skilled cyber experts can be fooled into clicking a link.

The NCSC has long been committed to making emails safe. While ACD measures make it harder to commit these attacks – and minimise the harm they cause – successful attempts still land in people’s inboxes.

That’s why this April the NCSC, in partnership with the City of London Police, launched the SERS, and encouraged people to forward emails they thought could be malicious. The response was immediate – with more than 5,000 reports within 24 hours. Four months after launching, the service had received 2.3 million reports – an average of 133,000 per week.

April to August 2020

2330231

Received 2,330,231 reports from citizens

22237

22,237 malicious URLs taken down/blocked

9315

9,315 scams taken down/removed

How it works

Members of the public are encouraged to forward suspicious emails to report@phishing.gov.uk to enable action to be taken to help protect other people from falling victim to crime.


The SERS analyses the flagged email and if malicious content is found, a takedown notice is issued to the hosting provider requesting it removes the content.


In parallel, the malicious URLs are added to a block list which is provided to browser, antivirus and firewall vendors.

“There's been an explosion of scam adverts in the UK. We've been fighting them on all fronts. I've even sued, but the toughest nut to crack is scam emails, because emails come from everywhere.


“That's why the NCSC's new report-and-remove function is so vital... at last, we can forward scams to report@phishing.gov.uk and know that someone will take action.


“Yet we need what I call 'social policing' too - everyone that can spot a scam must take up arms and report it to protect those who can't. It's why I've shouted it from the roof tops on my show, MSE and social media, and we've seen the rate of reports quadruple, which is proof people are ready to do their bit.”


Martin Lewis, founder of MoneySavingExpert.com

“Phishing is often the first step in a lot of fraud cases we see. It provides a gateway for criminals to steal your personal and financial details, sometimes without you even realising it, which they can then use to take your money.


“Unquestionably, a vast number of frauds will have been prevented, thanks to the public reporting all these phishing attempts. Not only that, but it has allowed for vital intelligence to be collected by police and demonstrates the power of working together when it comes to stopping fraudsters in their tracks.”


Clinton Blackburn, Commander, City of London Police

Celebrity scams

This year there has been a growing trend of fake celebrity-endorsed investment scams.

The scams saw spoofed news articles featuring public figures such as Sir Richard Branson, Ed Sheeran and Martin Lewis promoting fake “get rich quick” schemes. The reader was encouraged to click a link to invest, but in reality the money went to cyber criminals. The NCSC’s Takedown team proactively searched for these scams and took definitive action to take down 300,000 malicious URLs created to trick people into losing money.

The NCSC’s Takedown team proactively searched for these scams and took definitive action to take down 300,000 malicious URLs created to trick people into losing money.

Speaking in August, then NCSC Chief Executive Officer Ciaran Martin said:

“These investment scams are a striking example of the kind of methods cyber criminals are now deploying to try to con people.


“We are exposing them today not only to raise public awareness but to show the criminals behind them that we know what they’re up to and are taking action to stop it.”


“We have dealt with hundreds of instances of fake sites and fraudsters impersonating me or my team online.


“We are working in partnership with organisations such as the NCSC to report these sites and do all we can to get them taken down as quickly as possible.


“Sadly, the scams are not going to disappear overnight, and I would urge everyone to be vigilant and always check for official website addresses and verified social media accounts.”


Sir Richard Branson, Virgin Group Founder

Three headlines reading, English songwriter, 1. singer and actor Ed Sheeran explains why he decided to invest £1,000,000 in bitcoin and reveals a secret money-making loophole to his fans. 2. Sir Richard Branson brings financial freedom for all - here is how he is doing it. 3. Student reveals how he earns more then £35,000 every month working from home.

Securing smart cameras

In March, the NCSC issued advice on the safe use of smart security cameras and baby monitors. This followed research by organisations like Which?, revealing that live feeds or images from smart cameras can in some cases be accessed by unauthorised users, putting the public’s privacy and security at risk.

Smart cameras are often configured so people can remotely access them and some are shipped with default (highly hackable) passwords set by the manufacturer. The NCSC’s advice included some simple steps for citizens to protect themselves and their families from this threat.

To counter the threats from vulnerable devices, the NCSC has supported the Department of Culture, Media & Sport (DCMS) in its development of legislation that will require manufacturers of connected consumer devices sold in the UK to:

  1. Not include universal default passwords in their products
  2. Have a vulnerability disclosure policy
  3. Provide clarity to the consumer around how long a device will receive security updates for

The NCSC alert was accompanied by media briefings to ensure citizens had the necessary information to protect themselves, resulting in prominent press coverage and strong support from Which? and other influential commentators and individuals.

Key steps to stay safe:

  1. Change any default passwords to use three random words instead
  2. Regularly update your camera (preferably auto-update), to keep it secure
  3. Turn off remote viewing feature if you don’t need it
An illustration of a camera lens.

Securing Financial Instituations

Being part of the UK’s CNI it is a vital responsibility of the NCSC to help secure the financial and banking sector in its substantial online dealings.

Financial Sector Cyber Collaboration Centre (FSCCC)

Working alongside the UK Government, NCA, financial regulators and institutions, the NCSC has been a leading player in a groundbreaking initiative to improve the resilience of the UK’s financial sector. This year, the NCSC supported the creation of the FSCCC, and hosted the new initiative.

What is the FSCCC?

The FSCCC is a partnership which identifies, investigates and coordinates the response to incidents that have potential consequences for the finance sector, by combining, analysing and distributing information from across the sector to produce timely outputs for the financial industry.

Continued in the full Annual Review

“The NCSC, alongside the entire UK Government, is working closely with the most critical UK businesses of today and tomorrow to increase their resilience to cyber threats.


“This is exemplified in the joint work between industry and the NCSC in developing the FSCCC to defend UK interests against cyber threats.


“Working with trusted international partners helps multiply our impact globally and ensures our work remains at the cutting edge of what is possible.”


Dr Deborah Petterson, NCSC Deputy Director for Private Sector Critical National Infrastructure

Exercise in a box

Last year, the NCSC launched the online tool ‘Exercise in a Box’, which enables businesses to test how resilient they are to cyber attacks. The toolkit offers a range of realistic scenarios organisations could face, allowing them to carry out drills in preparation for real-life events.

Due to the shift in the number of staff working remotely, in July a ‘Home and Remote Working’ exercise was released. It focused on three key areas of distributed working; how staff members can safely access networks, what services might be needed for secure employee collaboration, and what processes are in place to manage a cyber incident while working remotely.

As part of the exercises, staff members were given prompts for discussion about the processes and technical knowledge needed to enhance their cyber security practices. At the end, an evaluative summary was created, outlining next steps and pointing to the NCSC guidance.

“Businesses wanted to do all they could to keep themselves and their staff safe while home working continues, and using Exercise in a Box is an excellent way to do that.


“While cyber security can feel daunting, it doesn’t have to be, and the feedback we have had from our exercises is that they’re fun as well as informative.


“We urge business leaders to treat Exercise in a Box in the same way they do their regular fire drills – doing so will help reduce the chances of falling victim to future cyber attacks.”


Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement

Global take-up

The Exercise in a Box toolkit has at the end of August, more than 7,500 registered users with interest in the tool around the globe.

An illustration of the world map pin pointing the countries that use Exercise in a box.

The top 10 countries by use with Exercise in a Box:

  1. United Kingdom
  2. United States
  3. Ireland
  4. India
  5. Spain
  6. Finland
  7. Pakistan
  8. Germany
  9. Netherlands
  10. Canada

“Exercise in a Box is a fantastic tool that’s free, well thought-out, easy-to-use and can help improve an organisation’s security posture – what’s not to love in that?”


Eventura spokesperson

“In many cases the effects of cyber attacks could be mitigated by putting good cyber hygiene principles into practice, or by planning and implementing an incident response capability.


“Exercise in a Box is designed for the non-cyber expert with everything the facilitator needs to set up, plan, and deliver the exercise. Among the topics covered are phishing attack leading to ransomware infection, the threatened leak of sensitive data, and mobile phone theft and response.


“On completion there is an end report with links to NCSC advice and guidance. In addition, we’ve just added micro exercises on single topics designed to provide the basics over 15-20 minutes.


Steve, NCSC Exercise in a Box team

The 10 scenarios you can test in Exercise in a Box are:

The 10 scenarios you can test in Exercise in a Box

New ‘Single Source of Truth’ for the UK’s Critical National Infrastructure

The NCSC’s Knowledge Base is the ‘Single Source of Truth’ that allows the government and CNI sector to better understand and manage the UK’s CNI, its supply chains, and the interdependencies between them all.

The Knowledge Base is a mapping tool (IT system) which helps analysts view the CNI data on a map or as a network diagram with each interdependency mapped across it. It was used to support the response to the coronavirus pandemic, and next year, the user base will be extended to help foster collaboration and discussion more widely across UK Government.

Both the criticalities approach (an assessment based on the importance of an organisation, supply chain or sub-sector) and the CNI Knowledge Base were developed and implemented by the NCSC on behalf of Cabinet Office (Civil Contingencies Secretariat) as part of the National Cyber Security Programme.

Continued in the full Annual Review

“The new functionality delivered by the CNI Knowledge Base will be a game changer for the UK Government. For the first time, we will have the tools needed to identify the functional, organisational and geographic dependencies within and across CNI sectors, informing meaningful collaboration with stakeholders and helping us make the UK safe, secure and resilient.”


Andrew Bell, Critical National Infrastructure Programme Manager, Department for Transport

“The NCSC Knowledge Base will enable a step-change in the way the Government anticipates, prevents and responds to cascading risks that could impact our most essential services. A flagship project under the 2016 National Cyber Security Programme, it provides a world-leading capability in CNI risk management.”


Civil Contingencies Secretariat, Cabinet Office

4

Proactive engagement

Cyber security is a team sport, and while the NCSC is a key player, it can’t make the UK the safest place to live and work online alone. Over the last 12 months government, industry and the general public came together to enhance their shared cyber security.

This chapter sets out how the NCSC developed existing and new partnerships with individuals, communities and institutions to create new ideas and solutions to give the UK a winning edge.

Proactive engagement

Cyber security is a team sport, and while the NCSC is a key player, it can’t make the UK the safest place to live and work online alone. Over the last 12 months government, industry and the general public came together to enhance their shared cyber security.

This chapter sets out how the NCSC developed existing and new partnerships with individuals, communities and institutions to create new ideas and solutions to give the UK a winning edge.

Cyber Aware

Most of the cyber threat to the public is in high volume, low sophistication, which can be prevented with basic actions. However, a considerable proportion of the public are not taking the simple steps to protect themselves. In 2019, it was reported that 23.2 million hacking victims had “123456” as their password. Without actively encouraging the adoption of protective behaviours, the UK will remain an attractive target for cyber crime.

The Cyber Aware campaign relaunched in April to build resilience to the increased cyber security threats related to the coronavirus outbreak. The campaign drove the public to a microsite with actionable guidance for staying secure online and advice on how to report a suspicious email.

With individuals spending more time online, and businesses moving increasingly from physical to digital practices, the Cyber Aware campaign will relaunch in November to encourage citizens and micro businesses to adopt the six behaviours that will help protect them from the most common attacks.

Cyber Aware logo

Cyber Aware Six Top Tips:

  • Create a separate password for your email
  • Create a strong password using three random words
  • Save your passwords in your browser
  • Turn on two-factor authentication
  • Update your devices
  • Turn on backup

Find out more at www.cyberaware.gov.uk

Keep your personal files safe by backing up
Keep passwords strong by combined 3 random words that you remember

Partnership snapshot

The NCSC is committed to raising cyber security maturity and resilience across every part of our national life. This includes supporting and empowering UK businesses, academia and the charity sector.

A snapshot of our partnership over the past 12 months:

Illustration of a stack of books.

Cyber security information cards for schools.

The NCSC worked with the National Education Network to distribute 33,000 ‘cyber security information cards’ to help those working in UK schools to better understand cyber threats. The cards were also presented to Ofsted inspectors at their November conference.

They were so popular they can now be downloaded from the NCSC website and printed at home.

Illustration of coins going into a donation box.

Guidance on cyber security

With the National Association of Community and Voluntary Action and the Foundation for Social Improvement, the NCSC upskilled over 40 local delivery partners and to date has trained over 5,000 small charities in cyber security.

In total, the NCSC delivered more than 100 workshops, podcasts and webinars all over the UK for the voluntary sector.

Illustration of a fictional graph showing steady increase.

Entry level advice for NatWest business customers

The NCSC’s Small Business Guide was reused in innovative ways to reach NatWest business customers.

This included a blog posted to their Bankline platform and references within their ‘Security tip toasters’ and FAQ content – which were live for two weeks, receiving 40,000 unique views.

Additionally 9,000 bespoke versions of the guide were created and distributed to Natwest's business customers.

The pandemic resulted in many organisations moving operations online. For sole traders or small business owners, establishing exactly what cyber security measures they needed to put in place was likely to be a challenge.

The NCSC stepped in and produced, in quick time, guidance to help organisations determine how ready they were for this digital transition and pointed the way to any new cyber security measures they should put in place.

Continued in the full Annual Review

Fair play for sport

The NCSC published its first analysis of the sports industry in July – which revealed 70% of sports institutions suffered a cyber incident in the past year, double the average for UK businesses.

‘The Cyber Threat to Sports Organisations’ report outlined measures recommended to prevent criminals cashing in on their industry.

Case studies in the report included;

  • A member of staff at a racecourse losing £15,000 in a scam involving the spoofing of eBay.
  • A Premier League club’s managing director was hacked before a transfer negotiation – meaning the £1 million fee almost fell into the hands of cyber criminals.
  • An employee at an organisation holding athletes performance data had their email address compromised, allowing the hackers access to sensitive information over several months.
  • An English Football League club suffered a ransomware attack which crippled their corporate and security systems. As a result of the attack the CCTV and turnstiles at their ground were unable to operate, almost leading to a game’s cancellation.

“The issue of cyber security is one all sports, including Rugby League, take seriously. As we grow our digital capabilities and online platforms, protecting the governing body, our members, customers and stakeholders is paramount.


“We welcome the NCSC Report and the guidance it offers the sports sector.”


Tony Sutton, Chief Operating Officer at Rugby Football League

“Improving cyber security across the sports sector is critical. The British Olympic Association sees this report as a crucial first step, helping sports organisations to better understand the threat and highlighting practical steps that organisations should take to improve cyber security practices.”


Sir Hugh Robertson, Chair of the British Olympic Association

Protecting academia

The NCSC continued its support for the academic sector this year as it saw a spate of ransomware attacks against UK schools, colleges and universities.

Through engagement with key institutions such as the Department for Education (DfE) and Jisc (a not-forprofit organisation providing digital and IT services to education and research institutions), rapid and tailored guidance was offered to the sector on how to improve cyber security.

Continued in the full Annual Review

“It has never been more important for colleges to have the right digital infrastructure in order to be able to protect their systems and keep learning happening, whatever the circumstance.


“This needs a whole college approach and for a focus wider than just systems, it needs to include supporting leaders, teachers and students to recognise threats, mitigate against them, and act decisively when something goes wrong.


“The NCSC’s guidance will prove incredibly useful for colleges to ensure that they can do just that.”


David Corke, Director of Education and Skills Policy at the Association of Colleges

Trusted Research

The UK has a thriving research and innovation sector that attracts investment from across the world – but the open nature of research collaboration also entails certain risks. ‘Trusted Research’ is the NCSC and Centre for the Protection of National Infrastructure’s (CPNI) latest advisory paper for UK universities and research institutions, which aims to help them make informed decisions about international collaboration and protect their own researchers and academic values.

Continued in the full Annual Review

Industry 100 – The private sector secondee initiative

The NCSC’s i100 scheme continues to expand, delivering results across all areas of the organisation. The initiative sees a variety of companies with unique insights and capability in cyber defence loan staff to the NCSC on a part-time basis to collaborate in defending the UK. The secondees are given a security clearance and sign an agreement that enables them to work alongside the NCSC’s staff, including on sensitive projects and investigations.

Continued in the full Annual Review

Cyber Security Toolkit

The NCSC’s Business Engagement team worked with over 80 new and established partners across the private sector, for example within construction, civil engineering, architecture and farming.

More than 150 legal firms were hosted by the NCSC in February for an event which articulated the threat to the legal sector and helped companies understand what mitigations they can put in place.

Continued in the full Annual Review

“It is vital businesses take action to protect themselves and their customers from security risks and cyber insurance can play an important part in robust risk management strategies.


“I encourage firms to consider this guidance and use programmes such as Cyber Essentials to make sure they have fundamental cyber security defences in place.”


Matt Warman, MP Parliamentary Under-Secretary of State for Digital Infrastructure, DCMS

Cyber insurance

In consultation with major stakeholders and industry partners, the NCSC produced its first ever guidance on cyber insurance after calls for expert technical advice on the growing cyber insurance market.

The seven questions the guidance recommends senior leaders ask about cyber insurance are:

  1. What existing cyber security defences do you already have in place?
  2. How do you bring expertise together to assess a policy?
  3. Do you fully understand the potential impacts of a cyber incident?
  4. What does the cyber insurance policy cover (or not cover)?
  5. What cyber security services are included in the policy, and do you need them?
  6. Does the policy include support during (or after) a cyber security incident?
  7. What must be in place to claim against (or renew) your cyber insurance policy?
Continued in the full Annual Review

Cyber Essentials

Cyber Essentials is a Government-backed, industry-supported programme to help organisations protect themselves against common online threats. They can apply for two levels of certification;

  1. Cyber Essentials – a self-assessment that gives an organisation protection against a wide variety of cyber attacks
  2. Cyber Essentials Plus – a hands-on technical verification is carried to assess an organisation’s cyber security

In April, IASME Consortium Ltd became the NCSC’s sole delivery partner for Cyber Essentials. To ensure a smooth transition, they issued regular briefings for certification bodies, and they will work alongside the NCSC over the next 12 months to keep pace with the changing landscape and consider additional Cyber Essentials levels.

Continued in the full Annual Review
Cyber Essentials logo

“We were absolutely delighted to step into the role of Cyber Essentials Partner.


“We see the Cyber Essentials scheme already having such a positive effect on the security of UK business and the strong partnership with the NCSC allows us now to enhance the scheme to be even more effective.”


Dr Emma Philpott MBE, CEO, the IASME Consortium Ltd

Cyber Accelerator

The NCSC’s acclaimed Cyber Accelerator programme works with dynamic startups to encourage new products, skills, jobs and growth. It is a collaboration between the NCSC, DCMS, and Wayra, Telefónica’s open innovation arm.

Based in Cheltenham, it offers mentorship to tech businesses that are creating solutions for the security industry and spurs innovation and competition to boost the country’s economic growth.

Read our case studies in the full Annual Review
Accelerator graphic

Events

CYBERUK is usually a highlight in the NCSC calendar, bringing together both leaders and technical experts with an interest in cyber security from across the UK and abroad. CYBERUK 2020 was due to take place in Newport in May, but sadly had to be cancelled due to coronavirus.

The NCSC adapted to the challenges of the pandemic, switching from the physical to the virtual. It has set up a programme of work to build its capacity to continue to deliver bigger and better virtual offerings in the future. This will include a meeting of CYBERUK Leaders early in 2021.

Continued in the full Annual Review
5

Defending the digital
homeland 24/7

The core aim of the NCSC is to make the UK the safest place to live and work online. The NCSC loves technology and seeks to help the UK enjoy the benefits of the digital age in a safe and secure way.

To do this, measures are put in place to remove vulnerabilities and prevent as many attacks in the first place. Where attacks do get through the NCSC is there: to respond to incidents, to help support victims and to continually refine the best defences.

Defending the digital homeland 24/7

The core aim of the NCSC is to make the UK the safest place to live and work online. The NCSC loves technology and seeks to help the UK enjoy the benefits of the digital age in a safe and secure way.

To do this, measures are put in place to remove vulnerabilities and prevent as many attacks in the first place. Where attacks do get through the NCSC is there: to respond to incidents, to help support victims and to continually refine the best defences.

Cyber attack trends

While the NCSC works 24/7 with its partners to prevent cyber attacks, some will inevitably get through. In the last year the NCSC dealt with 723 cyber security incidents involving almost 1200 victims. These are the highest annual totals since the NCSC was formed.

This year’s total means that since the NCSC commenced operations in 2016, the organisation has coordinated the UK’s defence against a total of 2,528 incidents (annual totals of 590, 557, 658 and 723).

Several incidents came onto the NCSC’s radar proactively, through the expert work of its threat operations and assessments teams. Many others were raised by victims of malicious cyber activity and cyber attacks.

According to the DCMS ‘Cyber Security Breaches Survey 2020’, almost half of businesses (46%) and a quarter of charities (26%) reported having cyber security breaches or attacks over a 12-month period. Of the 46% of businesses that identified breaches or attacks, more were experiencing these issues at least once a week in 2020 (32%, vs. 22% in 2017).

The nature of cyber attacks has also changed since 2017. Over this period there has been, among those identifying breaches or attacks, a rise in businesses experiencing phishing attacks (from 72% to 86%), and a fall in attacks involving viruses or other malware (from 33% to 16%).

“At the NCSC, we get ahead of the cyber threats and defend critical sectors before damage is done.


“Thanks to our access to key intelligence, our ability to predict trends and the agility of response, we refocused many of our capabilities to focus on coronavirus-related sectorsthis year.


“It’s vital that we stay ahead of threats and are able to quickly react to the threat landscape.”


Paul Chichester, NCSC Director of Operations

Trends

  • Around a quarter of the incidents the NCSC responded to this year related to coronavirus
  • 10% rise in the number of incidents (723 v 658), and 33% increase in the number of victims (<1200 v c900) this year compared to last
  • The NCSC also handled more than three times as many ransomware incidents than last year

“We actively redirected our efforts to defend the health sector and because it was such a priority, it rose to our second most supported sector this year.”


Eleanor Fairford, NCSC Deputy Director for Incident Management

Incidents supported each year

A bar graph showing incidents supported each year 2016/17 (590), 2017/18 (557), 2018/19 (658), 2019/20 (723)

The NCSC’s incident response to coronavirus-related cyber incidents

This map illustrates the broad geographic spread across the UK of all the cyber incidents the NCSC managed that may have had some bearing on the national response to the pandemic between February and July.

The location is indicative rather than a precise pinpoint of each incident. These incidents varied in terms of their severity and type.

Illustration of UK map showing hotspots where incidents occurred.

Ransomware

Over the past year, the NCSC saw a significant rise in ransomware attacks on the UK, including an attack against Redcar and Cleveland Council which caused considerable damage and disruption.

There has also been a significant change in the way ransomware attacks are carried out. Rather than simply preventing access to data, criminals are stealing it and threatening to leak the most sensitive parts publicly. There are obvious business sensitivities to ransomware attacks, and there have long been fears the crime is underreported. The NCSC, in collaboration with the NCA, is committed to helping victims and tackling the wider issue, working as part of a team with law enforcement colleagues.

While the NCSC tracks trends and attempts to disrupt operations, it works closely with the NCA, which coordinates and leads the national law enforcement response to ransomware incidents. This includes supporting victims, successfully resolving incidents through a range of outcomes and pursuing criminal proceedings against those responsible.

“We worked closely with the NCSC following the cyber attack and its expertise and guidance enabled us to recover our systems effectively and plan additional security measures above industry-approved standards.”


Redcar and Cleveland Borough Council spokesperson

An image of a person on a laptop with ransomeware.

So what is ransomware, why are criminals using it and how can you avoid being a victim?

What is ransomware?

Ransomware is a type of malicious software (malware) that prevents victims from accessing their device, or the data that is stored on it.

Once the malicious software is on a network, the criminals can encrypt data that would have an impact on the organisation’s services and then withhold it until a payment is made.

The system itself may become locked, or the data on it might be stolen, deleted or encrypted. Some ransomware will also try to spread to other machines on the network – such as the WannaCry malware that impacted the NHS in May 2017 – meaning it is untargeted and potentially viral.

The criminal ransomware model

Traditionally, the victim is told that they have been denied access to their own data which will not be restored until they make a payment in cryptocurrency, such as Bitcoin. Once this payment is made, the criminal will unlock their computer or allow access to the data.

The NCSC has seen an increase in the scale and impact of ransomware attacks and a new and growing trend to be more targeted and more aggressive than ever before.

What is the new trend?

Criminals are increasingly found lurking on a network, searching before ransomware is even deployed, looking for specific sensitive data that the victim would not want to be made public – such as a secret patent, or information about staff salaries.

Rather than simply seeking to withhold data, criminals are increasingly threatening to leak the most valuable information publicly unless the victim pays the ransom. This new trend to extort means that victims are at risk even if they have backed up their data, as they would not want the information published externally.

The data available suggests that the UK is not the most heavily targeted country, predominantly because British victims are traditionally less likely to pay the ransom than those from other parts of the world. However, the trends suggest that unless defences are improved, ransomware will increase globally and in the UK, with criminals developing new techniques to circumvent cyber defences.

What happens after a victim pays the ransom?

Even if the ransom is paid, there is no guarantee that victims will get access to their computer or files – or that the criminal won’t just charge again under threat of leaking the same information. It will also likely result in repeat incidents as criminals become emboldened in holding people to ransom.

Depending on the comprehensiveness of disaster recovery and business continuity plans in place, normal service can take weeks, if not months, to resume.

How to avoid being a victim?

The NCSC has updated its ‘Mitigating Ransomware and Malware Attacks’ guidance, recommending that organisations deploy a “defence in depth” strategy. By implementing a technical architecture with multiple defensive layers, if one mechanism fails another is there to thwart an attack.

Organisations should also have an incident response plan, which includes a scenario for a ransomware attack, and this should be exercised.

More generally, a good first step to avoid being a victim is making offline backups of data. The criminal will hold less power over an organisation or individual if they already have copies of the thing they are trying to withhold.

“The NCSC is a key partner for the NCA’s National Cyber Crime Unit; helping us achieve our mission to reduce the threat to the UK from cyber crime, through investigations and disruptions delivered in partnership with Team Cyber UK.


“We work closely at both a strategic and tactical level. From shaping the whole system response to assisting industry with advice on protecting their systems and preventing malicious activity.


“We jointly deploy to crime scenes, allowing the NCA to obtain evidence, whilst managing ‘crimes in action leading’ to the identification of suspects, arrests and prosecutions.


“Nowhere is this more important than in the response to ransomware – where our partnership assists the victim with restoration of their systems whilst enabling us to pursue the suspects in the UK and overseas, using a range of measures including arrest, prosecution and international sanctions.”


Lynne Owens, Director General of the National Crime Agency

Inside the nerve centre

The NCSC’s operations and incident response team is comprised of highly skilled experts based across the UK. The team discover new cyber threats, respond in support of victims, assess the trends in cyberspace, share information with partners and industry and lead on counter campaigns to deter threat actors. In doing so, the team uses a wide range of data sources, including from industry partners. They work closely with law enforcement and lead the intelligence community in defending the UK 24/7.

Threat operations

  • Predict adversaries’ future behaviour and mitigate damage
  • Consider both secret intelligence and open-source trends to assess cyber threats
  • Share classified assessments wherever possible to UK defenders, on the NCSC website and threat sharing

Assessments

  • Generating technical knowledge on the cyber threats facing the UK
  • Discover and detect attacks proactively, through the NCSC’s unique intelligence and trusted partnerships
  • Develop and deploy counter cyber campaigns that deter threat actors and make it harder for them to attack the UK

Incident Management

  • Support for UK organisations that are the victims of the most damaging cyber attacks
  • The IM team works closely with law enforcement, the UK intelligence community and the private sector
  • Lessons learned from incidents are used to inform future assessments and public guidance to the sector

“Support, reassurance and effective team working”

victim testimonial

One of the more than 1,200 UK-based victims of a cyber attack supported by the NCSC this year recalls their experience. Anybody who alerts IM is treated in confidence, and the below has been offered in anonymity from a representative of the victim, which was a large international organisation.

Under attack

In response to a significant and sustained cyber-attack, our company approached the NCSC to request support with the management of the investigation.

“The initial engagement consisted of information sharing, triaging and establishing a cadence for future meetings. This quickly evolved into a strong and beneficial partnership, based on mutual trust, transparency and a spirit of collective responsibility.”

Strengthening the defence

After appointing Cyber Incident Response (CIR) accredited suppliers and having further discussions with the NCSC’s Incident Management team, an introduction was made to Law Enforcement partners.

“This invoked a stream of investigative activity which not only served to stabilise a volatile and uncertain situation, but materially improved our understanding of the threat actor’s motives and intent.

“As a result, the company’s Executive Team were able to take appropriate risk-based decisions from a highly informed perspective, thereby minimising the impact of the attacker’s presence on the company’s operations.”

The NCSC’s role

“From a technical perspective, the NCSC’s Incident Response team provided significant support throughout the full investigative lifecycle.

“Operating as a central co-ordination unit, the team offered ongoing recommendations and guidance, ensuring that our continuity arrangements, eradication approach, evidence gathering, and cyber uplift activities were harmonised, prioritised and correctly orchestrated.”

Communicating with the public

A highly effective relationship was also built between communications team at our organisation, the NCSC and law enforcement. This ensured that consistent messaging was agreed and published in response to media speculation and enquiries from interested third parties.

“It also strengthened the assurances provided to our existing client base and perception of the partnership between the NCSC and the company to fully respond to the cyber-attack.”

“We owe a debt of gratitude”

“The overriding theme of the engagement was one of support, reassurance and effective team working.

“The professionalism, commitment and knowledge of the NCSC and Law Enforcement teams was exemplary throughout the incident.

“We owe a debt of gratitude to all those involved, who helped the company ensure critical operations continued to be provided to our customers during the incident and wider COVID-19 pandemic.”

5G in the UK

The NCSC has regularly provided essential telecommunications advice to DCMS, Ministers and the wider public that has directly influenced UK policy. A prominent example this year has been the advice related to facilitating the country’s move from 4G to a more advanced 5G network.

In January, the UK Government announced plans to put in place additional safeguards and exclude high risk vendors, such as Huawei, from “core” parts of 5G and full-fibre networks. This decision, taken by the Prime Minister chaired National Security Council (NSC) was informed by detailed technical evidence from the NCSC as determined by the threat landscape at the time.

In a global first, detailed advice on this high-risk vendor decision was published to operators and the public, alongside a 30-page summary of the UK Government’s multi-year analysis into the risks to telecoms networks. This oversight has included the Huawei Cyber Security Evaluation Centre (HCSEC), which has been running for nine years.

Continued in the full Annual Review

“The technical advice and expertise of the NCSC has been at the heart of our approach towards the telecoms supply chain review, high-risk vendors, and the development of the UK’s diversification strategy.


“We are making strong progress to drive up telecoms security standards and this is testament to the excellent and seamless partnership working across DCMS and the NCSC.”


Kathryn Roe, Deputy Director,Telecoms Security & Resilience, Digital Culture, Media and Sport

Active Cyber Defence

The ACD programme seeks to stop a range of different attacks ever reaching UK citizens, institutions or businesses. Working in a relatively automated and scalable way, it removes the burden of action from the user and enables attacks to be taken down at scale.

There are six key programmes within ACD that have been rolled out in the public sector;

Web Check Helps owners of public sector websites to identify and fix common security issues – making sites in the UK a less attractive target to attackers

Protective DNS Prevents access to known malicious domains and puts restrictions on malware communications on compromised networks

Takedown Service Locates malicious sites and alerts hosts and owners to ask them to remove them from the Internet

Mail Check Helps public sector email administrators improve and maintain the security of their email domains by preventing spoof emails

Vulnerability Disclosure Platform Identifying, reporting and remediating vulnerabilities in government and other key services

Host Based Capability Advanced NCSC threat detection capability that can be deployed to detect threats on an organisation’s network

This year has also seen the NCSC build on previous successes with established tools. It has enhanced functionality of its Web Check and Mail Check services – which help owners of public sector websites to identify and fix common security issues. These have since been rolled out across the public sector and beyond.

Web Check

Monthly statistics for all issues discovered for remediation across users of the service in 2019 are as follows:

A graph showing the monthly issues reported to users over the last year.

2931

There are 2,931 service users representing over 1,000 customer organisations.

The security issues reported to them are categorised Urgent, Advisory and Informational.

700+

On average, the service results in the resolution of over 700 urgent issues by customer organisations every month.

Protective DNS

2800000

2.8 million public sector internet users protected by PDNS (estimated)

201 billion

201 billion successfully resolved PDNS queries between 1 September 2019 and 31 August 2020

290

290 more organisations using PDNS compared to 1 year ago, including many NHS and critical sector organisations onboarded in March , pre-pandemic peak

760

760+ organisations are using the service and it blocks around 18,000 unique domains at a rate of 7.2 million times per month

A graph showing the number of monthly organisations using PDNS.

Takedown Service

The takedown service finds malicious content hosted on the internet and seeks to have it removed, the goal being to reduce the harm that common cyber security threats cause.

99.6%

99.6% of all discovered phishing attacks are (taken) down, 65.3% were down within 24 hours

166710

Discovered and took down 166,710 phishing URLs

65.3%

65.3% of these were removed within 24 hours of being determined malicious

42576

42,576 URLs were associated with UK Government themed phishing attacks, hosted globally

1.27 %

UK share of visible global phishing attacks further reduced to 1.27 % (from 2.1% last year)

Covid-19 themed takedowns

Since March, the NCSC has taken down 15,354 campaigns which used coronavirus themes in the ‘lure’. These were hosted globally.

8800

were Advance Fee Fraud (419 scams)

1156

were associated with Fake Shops selling bogus PPE, coronavirus products, test kits (and even vaccines)

251

phishing campaigns

2984

mail servers distributing malware

Celebrity Endorsed Cryptocurrency Investment Scams Takedowns

384118

Between April and end of August, 384,118 URLs associated with these scams were taken down.

Ecommerce

113000

The NCSC started work against bogus online shopping sites (fake shops) and have taken down 113,000 URLs.

  • With these sites, victims either post their credit card details and will either get fake goods in return or no goods at all.

1318

The NCSC found 1,318 sites that had been compromised with credit card skimming malware.

  • The takedown service automatically notifies the site owner and the skimming code was subsequently removed.

Mail Check

11417

Mail Check monitors 11,417 domains classed as public sector

1805 to 3097

The number of public sector domains using DMARC nearly doubled from 1,805 at the end of August 2019 to 3,097 by the end of August 2020

899 to 2253

The number of public-sector domains protected by a DMARC policy that blocks suspicious emails (quarantine or reject) more than doubled from 899 at the end of August 2019 to 2,253 by the end of August 2020

A graph showing the number of domains monthly using DMARC.

Vulnerability Disclosure:
Supporting organisations and finders

Security vulnerabilities are discovered all the time and people want to be able to report them directly to the organisation responsible. The NCSC has worked with organisations and those who find security vulnerabilities to make it easier to report and therefore quicker for the system owner to remediate the issue.

The NCSC runs three initiatives:

  • Vulnerability Reporting Service allows vulnerabilities in UK Government services to be reported to the NCSC, if the system owner cannot be contacted. The NCSC will work to get the vulnerability information to the owner so the issue can be remediated. This year the NCSC has worked with over 150 UK Government organisations to remediate a range of security vulnerabilities
  • The Vulnerability Disclosure Pilot aims to improve the UK Government’s ability to adopt vulnerability disclosure best practices. Departments signed up to the pilot gain access to a dedicated platform and a technical triage service. This year seven have launched their own vulnerability disclosure processes through the pilot
  • The Vulnerability Disclosure Toolkit is designed for organisations of all sizes who want to learn more about implementing a vulnerability disclosure process. It contains the essential components they need to set up their own process

Host Based Capability

The service has grown over the past year to provide coverage for 130,000 government devices (up from 35,000 last year). The NCSC continues to provide a three-part service offering: Detect, Threat Surface, and Forewarn. In addition to detecting malicious and suspicious cyber activity within government, the NCSC has cumulatively provided over 170 ‘Threat Surface’ reports to its partners.

Detecting and mitigating vulnerabilities

The Domain Name System (DNS) is one of the core technologies used on the internet, essentially acting as a phonebook or contact list to translate between human-readable domain names and machine-readable addresses.

Like all contact lists, errors can easily be introduced from causes such as human error or information simply becoming stale and inaccurate over time. In the context of DNS, this can lead to domain names pointing to resources that are unregistered.

The NCSC refers to these as “dangling DNS records”. Sometimes it’s possible for an attacker to register the resource that such a record points to, therefore giving them control over what is returned to anyone who visits the domain name. This attack, known as “subdomain takeover”, can have serious consequences and can result in victims being tricked into interacting with malicious websites, despite the domain name displayed in their web browser looking completely legitimate.

Continued in the full Annual Review
6

Driving Cyber Skills

A critical element of the UK’s cyber security future is growing the skills and capabilities that will help safeguard the services and institutions the country depends on, as well as creating the opportunities and advantages that will benefit the UK and its citizens for generations to come.

The NCSC has an important part to play in fulfilling this strategic objective and creating the next generation of cyber security experts and specialists, as well as developing today’s practitioners is a key priority for the organisation.

Driving Cyber Skills

A critical element of the UK’s cyber security future is growing the skills and capabilities that will help safeguard the services and institutions the country depends on, as well as creating the opportunities and advantages that will benefit the UK and its citizens for generations to come.

The NCSC has an important part to play in fulfilling this strategic objective and creating the next generation of cyber security experts and specialists, as well as developing today’s practitioners is a key priority for the organisation.

Developing the cyber profession

The NCSC has continued to grow its own internal specialists and talent pipeline, as well as supporting the Government Security Profession and wider government cyber security community. For the latter, the NCSC shared its Technical Reconnect programme with specialists from across government. The course teaches the latest NCSC guidance to ensure delegates are familiar with cyber security best practice and can recognise the drivers behind it. Delegates learn through highly practical hands-on opportunities to build, attack and repair the various technologies that are encountered in modern security environments.

The training is delivered periodically over six months, and instructor-led training, practical lab activities, group exercises and regular consolidation exercises. Together with the NCSC’s other cyber security training and development offerings, this offering quickly pivoted to online delivery as coronavirus took hold.

Continued in the full Annual Review

“Working for the public-facing side of the business allows an insight you wouldn’t normally see anywhere else in the building. The limits for customer engagement are endless, and the work produced always has a real influence.


“I enjoy that you can see the impact you have on customers. On top of this, the atmosphere in teams is always so friendly and encouraging, so overall the NCSC is a great area to work for.”


CyberFirst Apprentice on a Year 3 placement in NCSC

CYBOK

For the first time, a guide collating the knowledge of the world’s leading cyber security experts was created this year. Sponsored by the NCSC, the CyBOK is an 828-page resource offering a foundation for education, training and professional practice.

“This guide will act as a real enabler for developing cyber security as a profession. It’s been developed by the community, for the community and will play a major role in education, training and professional practice.”


Chris Ensor, NCSC Deputy Director for Cyber Skills and Growth

An image of 9 people standing together at CyBOK.

CyBOK was launched at London's Science Museum, January 2020

Creating a talent pipeline

One of the most important programmes in the NCSC’s future skills agenda is CyberFirst, which encourages and supports young people into the world of cyber security.

It’s been an exciting year for the team and for the thousands of secondary and undergraduate students who took part in courses, competitions and applied for career-defining university bursaries to learn a host of interesting subjects such as digital forensics, ethical hacking, cryptography and cyber security challenges.

A photo of 3 young students learning about cyber security.

CyberFirst Students

CyberFirst Courses

Every summer, 1,100 free places are made available on five-day residential courses at universities across the UK. Courses were offered at three levels; Defenders (14 to 15-year-olds), Futures (15 to 16-year-olds), and Advanced (16 to 17-year-olds) – aimed at helping pupils develop the digital and problem-solving skills needed to operate in the field of cyber security.

In response to the pandemic the NCSC moved the summer courses online, with virtual classes led by instructors running from June through to August.

This year saw the highest number of applications yet (3,992) and an increase in applications from ethnic minority students (making up 23% of the total applicants) compared to previous years.

Cyber First logo
A photo of the winners of the CyberFirst girls competition.

CyberFirst Girls' Competition Winners

“I’m really pleased that the NCSC also chose to pilot the CyberFirst Schools programme here in Wales, and we’ll continue to work closely with them to actively encourage schools and colleges in Wales to take advantage of the excellent opportunities provided by CyberFirst.”


Kirsty Williams, Minister for Education, Welsh Government

CyberFirst Bursary and Academy

The CyberFirst bursary scheme continues to grow, attracting highly motivated and very talented undergraduates. There are over 900 hand-picked students either currently on or recently graduated from the scheme.

This summer, 165 undergraduates attended an eight-week virtual CyberFirst Academy programme and a further 224 students were placed with our industry and government members or on further online training programmes – providing invaluable work experience to help make the UK the safest place to live and work online.

Any company wishing to help develop and recruit these highly talented students and become a member of the CyberFirst community, should contact CFStakeholders@ncsc.gov.uk.

Continued in the full Annual Review

“The academy was an amazing experience that has had a massive impact on me, and my summer placement was amazing.


“I had a great time and discovered so much more about cyber security, possibly even solidifying what I want to do going into the future in terms of career choice.”


CyberFirst Bursary Student, End of Year Review

“I’m incredibly pleased with my summer placement, the project was joint with a government agency and I was able to conduct research and learn aspects of cyber security which I’d never have considered previously.”


CyberFirst Bursary Student, End of Year Review

Girl Guides

As part of its ongoing drive to increase female representation in cyber security, the NCSC worked with the South West division of Girlguiding UK to develop a badge and supporting activity pack called ‘On the Net’.

The initiative was launched in February at the University of the West of England (UWE), where 100 girls aged between 12 and 14 were invited to learn about online safety and how cyber skills can lead to career opportunities in cyber security – a field in which women remain underrepresented.

Continued in the full Annual Review
Two photos of young girls taking part in the CyberFirst Gilrs competition.

CyberFirst Girls’ Competition 2020

Diversity and inclusion

The NCSC partnered with KPMG to produce the first-ever review of diversity and inclusion in the cyber security sector. The report set an initial benchmark in the UK’s cyber security industry and began a long-term programme to make the profession more diverse and inclusive.

Inclusive Language:

In April, the NCSC published a blog post talking about the decision to stop using the terms ‘blacklist’ and ‘whitelist’ on our website. It’s a small change, but one that we hope is useful as part of our wider anti-racism efforts. The blog post resonated with many people across the UK – several got in touch to thank the NCSC for taking this step, and to say that this leadership has emboldened them to make similar changes in their own workplaces. The NCSC is proud to have added our voice to the wider discussion around the use of discriminatory terminology in tech - we want cyber security to be an inclusive and welcoming place for everyone, and our language should always reflect that.

An infographic highlighting some of the stats around diversity and inclusion.

Manchester Hub

In September a team from the NCSC joined its partners in GCHQ who have established a new research hub in the centre of Manchester. The aim of both organisations is to foster increased collaboration with the city’s burgeoning number of tech experts in business and academia.

Acknowledging that the city has one of the fastest growing digital and creative communities in Europe, the NCSC will be recruiting further personnel to join those experts already in place, with a brief to support its mission on protecting Critical National Infrastructure (CNI). The CNI mission at the Manchester Hub will include such areas as Energy, Transport, Finance and Smart Cities.

An illustration of 3 people stood around a table having a meeting.
7

International Influence

It has been a year of two halves for the NCSC in its international engagement. Between September 2019 and March 2020, the NCSC welcomed delegations from over 20 different countries, and its representatives visited a similar number of countries for bilateral and multilateral engagements, and participation in cyber security conferences.

However, the impact of the coronavirus pandemic necessitated a shift to virtual engagement. Since March, the NCSC has taken part in 46 international engagements – meaning despite fewer face-to-face meetings, it has been possible to maintain global reach and influence.

International Influence

It has been a year of two halves for the NCSC in its international engagement. Between September 2019 and March 2020, the NCSC welcomed delegations from over 20 different countries, and its representatives visited a similar number of countries for bilateral and multilateral engagements, and participation in cyber security conferences.

However, the impact of the coronavirus pandemic necessitated a shift to virtual engagement. Since March, the NCSC has taken part in 46 international engagements – meaning despite fewer face-to-face meetings, it has been possible to maintain global reach and influence.

A global perspective

The NCSC’s technical expertise affords the UK a vital source of thought leadership and influence overseas. International engagement with our partners continues to be a central component of the NCSC’s work to enhance the UK’s cyber security and resilience. The NCSC regards cyber security as a global issue that is most effectively addressed together. By sharing information and working with international partners, not only can the NCSC better protect the UK, but it can also influence and assist its partners to do the same for their own countries.

Owing to the uniqueness of cyber security as a domain, the NCSC’s international collaboration goes beyond conventional forms of engagement, or cyber diplomacy.

Examples include:

  • time-critical emergency response collaboration on live cyber incidents
  • engaging with cyber security leaders on policy matters in global forums
  • sharing best practice on operational technologies with overseas cyber security agencies
  • working with companies headquartered overseas with links to the UK to ensure their cyber security practices are robust
  • sharing ACD services

“From my engagements in many countries around the world it is very clear that the NCSC continues to set the benchmark against which other national cyber security organisations can measure themselves. It forms a cornerstone to the UK’s continued ambitions as a cyber power and an important underpinning element of UK cyber security companies’ offer in their overseas markets.”


Dr Henry Pearson, UK Cyber Security Ambassador, Department for International Trade

Stronger together

The UK has a long-held security alliance with the USA, Canada, Australia and New Zealand, known as “the Five Eyes”. The alignment between the countries facilitates greater information-sharing across a wide range of cyber security issues.

One such example of this close working relationship was the creation of an incident response playbook that could be applicable to the widest set of countries and situations possible.

With the NCSC leading the agenda, using its experiences and skills in incident management, the objective was to offer a product that an organisation or institution overseas could grab ‘’off the shelf’ during a crisis, providing best practice on starting an investigation and serving as a check list for a cyber incident response.

As cyber threats become more numerous, more technically diverse and more damaging, the NCSC continues to drive the agenda in international collaboration to help boost the resilience of its strategic partners and to help deter the UK’s adversaries.

Continued in the full Annual Review
UK flag
US flag
Australian flag
New Zealand flag
Canadian flag

“With our allied cyber security government partners, we work together every day to help improve and strengthen the cyber security of organisations and sectors of our economy that are increasingly targeted by criminals and nation states alike.


“Fortunately, there’s strength in numbers and this unified approach to combining our experiences with a range of malicious actors means that we’re able to extend our defensive umbrella on a global scale.”


Chris Krebs, Director, Cybersecurity and Infrastructure Security Agenda, USA

“At the Australian Cyber Security Centre, we collaborate closely with our international partners by sharing threat intelligence, technical tradecraft and indicators of compromise. Our joint advisories with Five Eyes nations are crucial to ensuring that valuable threat information is shared quickly and efficiently, to mitigate and protect against malicious cyber activity around the world.


“The long-standing relationship between the Australian Signals Directorate (ASD) and GCHQ is an important force multiplier for our cyber security efforts, and our joint operations to combat cyber criminals is a prime example. In one case from the last year, our collaboration identified over 200,000 stolen credit cards globally, including over 11,000 stolen Australian cards. These stolen credit cards represent potential losses of over A$90 million globally, and over A$7.5 million within Australia.”


Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre

“Coronavirus has had a profound impact on the world. This uncertain environment is ripe for exploitation by threat actors seeking to advance their own interests. To counter these threats, the Canadian Centre for Cyber Security (Cyber Centre) is working hand-in-hand with the NCSC to detect and disrupt shared threats. We exchange information to better protect our health sectors and over the past year, we have released cyber alerts and threat bulletins leveraging each other’s reporting and advice. Furthermore, we issued technical information about cyber threat activity directed at Canadian and United Kingdom organisations, including vaccine research entities, involved in coronavirus response and recovery efforts.


“The Cyber Centre and the NCSC continue to work together to protect critical infrastructure sectors from cyber threats, through regular information exchanges and by working collaboratively on joint programmes and initiatives. For example, the NCSC has leveraged and deployed some of the Cyber Centre’s defensive capabilities across UK Government departments. Similarly, the Cyber Centre has been promoting items such as DMARC where the NCSC was leading.


“We continue to share knowledge and threat information with each other on important and challenging topics including cloud security, encryption and cryptology, and election security. Looking ahead, we will continue to amplify each other’s notifications on critical cyber threats to raise awareness of the evolving threats in our respective countries.”


Scott Jones, Head, Canadian Centre for Cyber Security, Communications Security Establishment

Singapore Cyber Week

In October, then NCSC CEO Ciaran Martin led a UK delegation at one of the most significant cyber policy gatherings in the Asia-Pacific region: Singapore International Cyber Week (SICW). He was accompanied by representatives from the UK cyber industry, academia and government. At a bilateral meeting between the UK and Singapore, covering issues including information-sharing and collaboration on emerging priorities and technology, the two countries signed an IoT Security Statement. The signing demonstrated the UK’s international leadership in improvements in the security of smart consumer products, and strengthened the relationship with a partner in a region of strategic importance to UK interests.

“The UK was delighted to play an active role in SICW 2019. International partnerships across industry, academic and government, are key to a safe and secure cyber space.


“We were particularly pleased that the CEO of UK National Cyber Security Centre joined us in Singapore and signed a joint statement of cooperation between our two nations on the Internet of Things.”


Natalie Black, HM Trade Commissioner for Asia Pacific

Global cooperation on operational technology and industrial control systems

The UK’s CNI has a number of dependencies overseas with Operational Technology (OT) and related Industrial Control Systems (ICS) being used across the world to monitor, control and manage the operation of physical assets linked to key CNI areas such as energy and finance. The threat to OT / ICS is real, and the NCSC has seen examples internationally, where OT has been negatively impacted by cyber attacks, ranging from modifying how an industrial process operates, through to disrupting them altogether.

Strengthening the cyber resilience of the global OT and ICS is a priority for the NCSC and its international partners. Some of the NCSC’s virtual engagements on this matter this year included joint working with counterparts in the US. The NCSC’s ‘Secure Design Principles’ blog and CISA’s ‘Industrial Controls Systems Cybersecurity Best Practices’ guide, launched in May, signified a joint commitment by the UK and United States to protecting their nations’ respective ICS infrastructure.

The joint venture set out risks faced by ICS owners and operators of interconnected operational and information technology including IoT, to help them design and secure ICS, mitigate risks, and protect against the ever-evolving threats. The product also features operational CISA assessments data, along with proactive defensive practices to help CNI stakeholders defend ICS against cyber attacks and encourage a long-term, strategic approach to ICS protection. Looking ahead, the coordination and sharing of technical research, resulting in multi-national publications, will continue to be an important area for the UK ICS Community of Interest contribution – and a key way in which technical collaboration can enhance the security of the UK and overseas partners.

Continued in the full Annual Review

“Cyber threats don’t care about borders, so collaboration between international partners is key to raising our collective cyber security.


“CISA and the NCSC have worked together on a number of important efforts over the past year, such as the NCSC’s ‘Secure Design Principles’ blog, CISA’s ‘Industrial Control Systems Cybersecurity Best Practices’ infographic and joint advisories about nation state and malicious cyber actors.


“We look forward to working with the NCSC on other actionable, informative and timely products to protect critical infrastructure and our citizens.”


Bryan Ware, Assistant Director for Cybersecurity, US Cybersecurity and Infrastructure Security Agency

Collective action on incidents

The NCSC is proud to work with global partners to detect and disrupt shared threats. One of its key strengths in international collaboration is on cyber incident management and response, in which the ability to work alongside international partners is fundamental. For example, when investigating reports of a ransomware infection that had not been seen in the UK before, law enforcement colleagues in the NCA observed and reported that their investigations had shown a similar ransomware strain that had previously been decrypted by the Polish NCSC equivalent, CERT Polska.

The NCSC contacted the CERT Polska team to gain further information on the ransomware variant, and about the tool it had developed to decrypt it. The team at CERT Polska was open to collaboration and provided the NCSC with the code behind its decryptor, explaining how this could be turned into a standalone tool that could be used to support the UK victim.

“The NCSC’s world-leading expertise has provided a strong foundation at home for our efforts overseas to protect and promote a free, open, peaceful and secure cyberspace.


“The respect and admiration it commands from international partners has opened doors for our diplomats, and it has been generous in sharing its skills and knowledge to strengthen global resilience and security.”


Will Middleton, Director Cyber, Foreign, Commonwealth and Development Office