L
o
a
d
i
n
g
.
.
.
You need the ability to receive clues, e.g. noticing exactly thirteen examples of one vowel in a sentence - the letters just before every appearance of one of a, e, i, o or u may inspire your brain to spot the trickiness
Once the top-secret home of the World War Two Codebreakers is now a vibrant heritage attraction. It's filled with challenges and inspiring stories of those who pioneered to keep us safe.
Explore Bletchley Park
The National Cyber Security Centre (NCSC), a part of GCHQ, is the UK’s technical authority for cyber threats.
Since the NCSC was created in 2016 as part of the Government’s five-year National Cyber Security Strategy, it has worked to make the UK the safest place to live and work online.
This Annual Review of its fourth year looks back at some of the key developments and highlights from the NCSC’s work between 1 September 2019 and 31 August 2020. As part of a national security organisation not all its work can be disclosed publicly but the review seeks to describe the year with insights and facts from colleagues and teams inside and out of the organisation.
Read the full Annual Reviewby The Rt Hon Penny Mordaunt MP, Paymaster General
For the NCSC, as for the UK as a whole, this year has been dominated by the unprecedented challenge of the coronavirus pandemic. The organisation is dedicated to making the United Kingdom the safest place in the world to live and work online. During the pandemic it has tackled more cyber threats than ever before. This Annual Review shows how the NCSC took decisive action against malicious actors in the UK and abroad who saw the UK’s digital lifelines as vectors for espionage, fraud and ransomware attacks. The NCSC helped to protect NHS Trusts, the Nightingale hospitals and vital NHS systems, ensuring they were able to function remotely in spite of coronavirus.
In this year of complex challenges, the NCSC continues to react to swiftly evolving cyber threats. The organisation’s nationwide guidance to individuals and businesses on protecting their security proved invaluable. Its new service aimed at rooting out online scams saw the public respond with reports of over two million suspicious emails. This Review demonstrates two important messages about the NCSC’s work. First: we are all the targets of cyber criminals. While preventing crime is the NCSC’s priority, working in close partnership with law enforcement, it has also supported nearly 1,200 victims of 723 attacks this year that proved impossible to deflect. Second: cyber security is a team sport.
Government, industry and the public have an important role in building UK resilience to a spectrum of risks – hostile activity from state and non-state actors, terrorism and serious organised crime.At this pivotal time for the cyber sector, I want to welcome the NCSC’s new Chief Executive Officer, Lindy Cameron, and pass on my gratitude to her predecessor, Ciaran Martin. From the NCSC’s inception, Ciaran was instrumental in developing the UK’s National Cyber Security Strategy, striking the balance between economic opportunity and security. Lindy, with over two decades’ experience of national government security policy, is well placed to steer the NCSC from strength to strength.
The pandemic continues to affect how we live and work. It is vital that cyber security remains a priority. It will help us to stay ahead of changing technologies, seize the opportunities for the UK as an independent country outside the European Union, and harness cyber’s full potential to help drive economic recovery.
Continued in the full Annual ReviewLindy Cameron, CEO of the National Cyber Security Centre
It is a great privilege to present the fourth Annual Review of the National Cyber Security Centre, a part of GCHQ. I am honoured to have been appointed as the NCSC’s second Chief Executive Officer, taking over from Ciaran Martin who was so pivotal in the development of this world-leading organisation.
This review outlines another impressive year of delivery for the NCSC from September 1st 2019 to August 31st 2020, largely against the backdrop of the shared global crisis of coronavirus. As you would expect, the pandemic features heavily in this Review. I am proud to lead an organisation of staff that both helped with the UK’s response to coronavirus and also sustained delivery of a nationally important brief, despite the challenges felt by us all this year.
Continued in the full Annual ReviewThis covers the period September 2019 to August 2020
Click and drag to view
5 Sept
Former CEO Ciaran Martin speech at Billington Cyber Security Summit, Washington DC, and receives international award for cyber security leadership
18 Sep
Trusted Research, joint CPNI-NCSC campaign to raise awareness of hostile state activity threat to academia is published
3 Oct
Singapore Cyber Week: UK and Singapore sign Internet of Things (IoT) security pledge
21 Oct
Joint report from the NCSC and NSA highlighting Turla activity
5 Nov
Cyber Security Body of Knowledge (CyBOK) published
25-26 Nov
CyberThreat summit hosted by the NCSC & the SANS Institute
29 Nov
NCSC Guidance: Downloadable copies of cyber security information cards for schools
3-4 Dec
NATO Heads of State and Government meeting, London - former NCSC CEO Ciaran Martin takes part in NATO Engages event
12 Dec
UK General Election – the NCSC works to safeguard the election and protect the Register to Vote site
13 Dec
Cyber security advice for Members of Parliament and their staff published
22 Jan
NCSC Guidance: Mobile Devices - a comprehensive guide to the protection of mobile devices help for organisations from choosing and purchasing devices to the advice to give end users
28 Jan
UK Government announces plans to exclude high risk vendors from ‘core’ parts of 5G and full-fibre networks
10 Feb
NCSC welcomes opening of the Northern Ireland Cyber Security Centre
18 Feb
NCSC partners with Girlguiding South West England, as part of the drive to increase female representation in cyber security.
20 Feb
Foreign Secretary condemns Russia's military intelligence service, the GRU after NCSC assessment of Georgian cyber attacks
3 Mar
NCSC Guidance: Smart security cameras: Using them safely in your home - how to protect 'smart' security cameras and baby monitors from cyber attack Keeping Safe in the Internet of Things
16 Mar
King Edwards’s School crowned winners of the NCSCs CyberFirst Girls Competition at final in Cardiff
16 Mar
The NCSC reveals phishing attacks are exploiting worries over COVID-19
17 Mar
NCSC Guidance: Home Working to support those shifting to new ways of working in the wake of COVID-19
27 Mar
The NCSC publishes its Research Problem Book to shed light on some of the kinds of research problems the NCSC is working on
8 Apr
The NCSC and DHS-CISA issue a joint advisory on malicious cyber actors exploiting coronavirus
21 Apr
Cyber Aware & Suspicious Email Reporting Service (SERS) launched
20 May
NCSC Guidance: COVID-19: Moving your business from the physical to the digital
10 Jun
NCSC Guidance: Dealing with suspicious emails, phone calls and text messages
25 Jun
Suspicious email reporting receives 1 millionth report
30 Jun
Publication of consumer Internet of Things security standard ETSI EN 303 645
13 Jul
Exercise in a Box - Working from Home exercise released
14 Jul
UK government agrees to greater restrictions on the use of Huawei in UK networks Huawei decision informed by the NCSC’s updated technical review and analysis of the impact of amendment to the US direct product rule and Entity List.
15 Jul
NCSC Guidance: Cyber security in schools: questions for governors and trustees
16 Jul
UK and allies' issue advisory outlining APT29 targeting of COVID-19 vaccine development
23 Jul
Cyber Threat to the Sports Sector report published
27 Jul
New cohort of Cyber Accelerator programme (supporting growth of cyber security start-ups) begins
28 Jul
The findings of the NCSC / KPMG Diversity and Inclusion survey are published
28 Jul
Lindy Cameron announced as the NCSC’s new CEO
6 Aug
NCSC Guidance: Cyber insurance for organisations considering purchasing cyber insurance
14 Aug
The NCSC warns of online scams where criminals use rich and famous to lure victims
24 Aug
NCSC Guidance: Bring Your Own Device - the new normal - the NCSC’s view on BYOD and the rise in home working
723Handled 723 cyber security incidents
1200Provided support to almost 1,200 victims
166710Discovered and took down 166,710 phishing URLs, 65.3% of which were removed within 24 hours
414Produced 414 threat assessments
101747Produced 101,747 physical items for 140 customers through the UK Key Production Authority
23000002.3 million suspicious emails forwarded to our new Suspicious Email Reporting Service
27000002.7 million visitors to the NCSC’s website
30Produced 30 pieces of guidance and 60 blogs
17100Awarded 17,100 Cyber Essential Certificates
2953Added almost 2,953 new members onto the NCSC’s Cyber Security Information Sharing Partnership (CiSP)
1770Engaged with 1,770 young people in the 2020 CyberFirst summer courses
100Delivered more than 100 workshops, podcasts and webinars all over the UK for the voluntary sector
20Visited and welcomed visiting delegations from over 20 countries
4602Hosted 101 events, with 4,602 attendees
“The world changed in 2020 and so did the balance of threats we are seeing. As this Review shows, the expertise of the NCSC, as part of GCHQ, has been invaluable in keeping the country safe: enabling us to defend our democracy, counter high levels of malicious state and criminal activity, and protect against those who have tried to exploit the pandemic. The years ahead are likely to be just as challenging, but I am confident that in the NCSC we have developed the capabilities, relationships and approaches to keep the UK at the forefront of global cyber security.”
Much of the NCSC’s work this year revolved around the Coronavirus outbreak, which required a government-wide response. The NCSC’s multi-faceted role included giving advice to an increasingly digitally active public, fixing vulnerabilities and responding to threats emanating from the pandemic.
Much of the NCSC’s work this year revolved around the coronavirus outbreak, which required a government-wide response. The NCSC’s multi-faceted role included giving advice to an increasingly digitally active public, fixing vulnerabilities and responding to threats emanating from the pandemic.
Worked closely with the Centre for Protection of National Infrastructure (CPNI) on the secure build of seven Nightingale hospitals
More than 160 instances of high-risk and critical vulnerabilities shared with NHS Trusts
Around 200 incidents the NCSC responded to this year related to the UK’s coronavirus response
Victims supported by the NCSC who faced incidents that were related to coronavirus
Rolled out Active Cyber Defence (ACD) services, including Web Check, Mail Check and protective DNS, to 235 front-line health bodies across the UK, including NHS Trusts
Engaged with over 1,200 ESPs across the UK to outline available NCSC guidance and support
Total number of Indicators of Compromise (IoCs) shared with the NHS
Scanned more than one million NHS IP addresses to detect security weaknesses
Performed threat hunting on 1.4 million NHS endpoints to detect suspicious activity
Blocked 260 SMS Sender IDs which were likely to or have been used in malicious SMS campaigns with coronavirus as their theme, such as spoofing legitimate government or healthcare IDs
More than 15,000 coronavirus-related malicious campaigns taken down by the NCSC and its commercial partner, Netcraft
During the pandemic, protecting healthcare was the NCSC’s top priority, and the organisation worked ceaselessly to support the NHS. The national objective was clear: to keep the system and its staff secure and resilient to cyber threats.
To achieve this, the NCSC introduced measures including the design of a new back-up service, pioneering discovery tradecraft and deploying analysts to look at NHS threat data. This was facilitated by the Department of Health and Social Care (DHSC) signing a “Direction” giving the NCSC consent to check the security of NHS IT systems.
As a result, more than one million NHS IP addresses were supported, over 160 high-risk and critical vulnerabilities were identified and shared, and threat hunting performed on 1.4 million endpoints. The NCSC supported the health sector through cyber security incidents, and ACD services were put in place to protect more than 235 NHS units, including Trusts.
Support to vaccines and therapeutic medicines was a clear priority for the summer. The NCSC supported the government Vaccine Taskforce, which controls decision-making on research funding and purchasing through to manufacturing and distribution, and several universities and pharmaceutical companies.
Work on vaccines and therapeutic medicines has an important supply chain component – particularly when it comes to manufacture and distribution – and this work will continue as an integral part of the NCSC’s mission.
In July, the NCSC revealed Russian cyber actors known as APT29 had been targeting organisations involved in coronavirus vaccine development. The NCSC assessed that APT29, also named “the Dukes” or “Cozy Bear” almost certainly operates as part of Russian intelligence services.
An advisory published on the NCSC’s website outlined a variety of tools and techniques, including spear-phishing and custom malware known as ‘WellMess’ and ‘WellMail’, were being used to steal valuable intellectual property. This not only exposed the hostile action directly but also demonstrated to a wide range of pharmaceutical companies that they needed to understand more about protecting themselves.
The assessment, which received front-page coverage globally, was supported by partners at the US Department for Homeland Security (DHS), Cybersecurity Infrastructure Security Agency (CISA) and National Security Agency (NSA), and the Canadian Communication Security Establishment (CSE).
Continued in the full Annual ReviewPaul Chichester, NCSC Director of Operations
Indicators of Compromise (IoCs) are pieces of data which identify potentially malicious activity on a system or network. These help network defenders detect and mitigate threat activity.
Before the NCSC created the IoC Machine last year, it took several hours for officials to share information relating to threats in the UK. The IoC machine can identify what can be shared in a matter of seconds – meaning the NCSC can share more threat information in real time.
With the improved ability to share IoCs and the need to protect the health and associated sectors during the pandemic, the NCSC exponentially increased the number of potential compromise tips to the NHS – with 51,910 shared by the end of August.
The shared IoCs were collated from the NCSC’s own declassified sources and from industry 100 (i100) secondees – our workforce initiative that sees companies loaning security-cleared experts to work alongside NCSC staff - from threat intelligence organisations. These i100 contributions have been significant and valuable, complementing the NCSC’s own collections and providing additional mitigation effects for the health sector. Secondees have worked alongside NCSC analysts to triage and investigate all IoCs before release, to ensure accuracy, validity and quality.
Continued in the full Annual ReviewWhen many organisations moved to remote working because of coronavirus, the NCSC responded with new guidance on how to help employees work and communicate securely from home, including those who needed to use their personal IT for work.
The NCSC published advice for organisations moving their business online at pace. Advisories were issued about how cyber criminals were seeking to exploit the pandemic for profit, and guidance was updated on how to spot and deal with suspicious emails, calls and texts (including coronavirus-based scams).
The pandemic led to a huge increase in employees working from home, with many making rapid adjustments to their new “office” and learning new skills, such as coping with intermittent Wi-Fi, or handling the etiquette of virtual meetings on Zoom, Microsoft Teams or Skype. With more people using personal devices for work purposes came an increased vulnerability to cyber fraud, as criminals sought to exploit the changing circumstances. Some scams, frequently using phishing emails, claimed to have a “cure” for coronavirus, or sought donations to bogus medical charities. Many users found that clicking a bad link led to malware infection, loss of data and passwords.
Continued in the full Annual Review
Cyber criminals look to exploit any vulnerability to generate income – and coronavirus has been no exception. The NCSC has led the way throughout the pandemic to expose attack methods of those exploiting the virus online - and advise on ways to defend against them.
This year a significant proportion of attempted compromises have been related to coronavirus – whether it’s linking to bogus products or targeting people using their devices in a different way due to the pandemic.
The NCSC has disrupted thousands of attempts to trick people, from fake lures of PPE, testing kits and cures and even sham key worker badges to activate supermarket discounts. Coronavirus was the catalyst for the release of the NCSC’s Suspicious Email Reporting Service (SERS) – which has received more than 2.3 million reports from the public, leading to 22,000 malicious URLs being taken down.
“We know that cyber criminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the coronavirus outbreak.
“Our advice to the public is to follow our guidance, which includes everything from password advice to spotting suspect emails.
“In the event that someone does fall victim to a phishing attempt, they should look to report this to Action Fraud as soon as possible.”
The NCSC supported the NHS Test and Trace programme, the work of the Joint Biosecurity Centre (JBC) and the development of the NHS COVID-19 app to help curb the spread of the coronavirus.
A key area of NCSC support was supporting the threat modelling used by developers, helping them to understand the risk to the app from external threats, and helping them understand the potential implications of their security and privacy decisions. The NCSC ran multiple threat modelling workshops and supported the use of a consistent approach across the project, using the STRIDE model (Spoofing, Tampering, Repudiation, Informal disclosure, Denial of service, Elevation of privilege). This model has helped the NHS team implement more security measures in the app to support users’ privacy, data security, and resilience against misuse/abuse.
The NCSC also supported the NHS to find the right balance between user privacy and utility. For example, the NCSC advised on the optimum level of analytical data collected so as not to de-anonymise users, but granular enough to provide meaningful insights into whether the app worked. Based on these discussions, the app team selected a minimum set of metrics which were chosen to fulfil the requirements – including postal district, isolation status and number of location check-ins. Where even these metrics could identify users, for example, postal districts with small populations, the analytics are aggregated into larger sets to reduce the risk of users becoming identifiable from the information they provide.
Continued in the full Annual Review
“This is an example of how we deploy our high-end security architects to key projects in government to ensure that security is at the heart of its systems.”
This year, the NCSC has played a bigger role than ever in defending the UK’s political process.
While defending democracy from cyber attacks has always been a key priority, the unique challenges thrown up by a general election and the temporary introduction of a ‘virtual Parliament’ due to coronavirus meant cyber security has never been more important in UK politics.
This year, the NCSC has played a bigger role than ever in defending the UK’s political process.
While defending liberal democracies from cyber attacks has always been a key priority, the unique challenges thrown up by a general election and the temporary introduction of a ‘virtual Parliament’ due to coronavirus meant cyber security has never been more important in UK politics.
The coronavirus pandemic changed the way everybody in the UK worked, including our Parliamentarians. The solution to enable MPs and peers to carry out their functions came through technology, and the NCSC and the Parliamentary Digital Service were central to delivering what was arguably the biggest-ever change to how Parliament operates.
Democracy relies on elected representatives meeting to debate, scrutinise and vote but restrictions on movement and contact meant MPs and peers were unable to do so in Parliament. Solutions had to be rapidly implemented to ensure Parliamentarians returning after Easter recess could conduct their business at a time when crucial decisions were being taken in Westminster.
Technology was rapidly developed to allow Parliamentarians to debate from remote locations in a secure setting. This meant in addition to the 50 MPs allowed into the Commons, a further 120 were able to participate online. To counter the risk that hackers and online intruders could disrupt proceedings, the NCSC worked with Parliamentarians to upgrade awareness and training in cyber security. It provided advice to ensure the new system had the right balance of security controls to mitigate the threat posed by cyber criminals, while safeguarding important conventions and privileges.
For centuries, voting in Parliament has been done in a very specific way: through the provision of physically entering one of the two lobbies on either side of the chamber to cast their vote.
With most MPs not in the chamber, a digital solution was required to allow votes to be cast remotely. A new system was built with multiple checks, to ensure a high level of confidence in the votes being cast.
The NCSC was just one part of a broader team that worked together to deliver virtual Parliamentary proceedings. Broadcasters, Parliamentary digital staff and staff across both Houses at Westminster collaborated to ensure appropriate cyber security controls were in place.
Virtual Parliament in session
Protecting the UK’s electoral processes is one of the most important objectives of the NCSC. Supporting this aim sees the organisation working all year round – offering expert cyber security guidance and advice – to support political parties and parliamentarians. As part of the NCSC’s preparation the organisation monitored developments in the lead up to the vote and worked with international partners to learn from their experiences in mitigating the risk of cyber attacks against national ballots. During the election, the NCSC responded to a wide range of incidents, working behind the scenes to triage threats, investigate leads and providing advice and assistance where required.
The NCSC supported the resilience and security of the online platform to allow citizens to access or update their details on the electoral register. The NCSC’s experts worked closely with the Register to Vote team at the Cabinet Office to review the site’s ability to withstand peaks in traffic.
On average, the Register to Vote website receives around 25,000 daily online submissions, but on 25 November, there was an unexpected spike in interest and the site received 366,000 applications.
Thanks to the groundwork done to ensure resilience, the service remained stable, despite the considerable increase in load, ensuring record levels of registrations.
Prior to the dissolution of Parliament, the NCSC hosted a seminar with the UK’s Parliamentary parties to brief them on the cyber security threat and the steps they could take to protect themselves.
Early in the campaign a series of DDoS attacks against political party websites became a major story. Whilst these were relatively low-capability attacks, the timing was concerning.
The fact these attacks were largely unsuccessful is a testament to the preparation done by the parties affected to defend themselves. The NCSC published relevant advice on its website and shared this guidance with the Parliamentary parties’ IT teams.
After the election, the NCSC provided guidance on best practice for all new MPs to ensure they and their staff were cyber security aware. Specific guidance on how to respond to targeted phishing attacks was given by the NCSC’s Incident Management (IM) team to more than 200 prominent figures – including government ministers.
The UK Government is clear that any foreign interference in the UK’s democratic process is completely unacceptable, but certain states seek to exploit elections through cyber attacks, disinformation and other methods.
The NCSC is working with the Government in taking forward a programme to ensure there are robust safeguards against hostile state activity, foreign lobbying activity and third parties seeking to interfere in democratic processes. The UK will continue to identify and respond to malign activity alongside NATO and international partners.
On the basis of extensive analysis, the Government has concluded that it is almost certain that Russian actors sought to interfere in the 2019 General Election through the online amplification of illicitly acquired and leaked Government documents.
“Sensitive Government documents relating to the UK-US Free Trade Agreement were illicitly acquired before the 2019 General Election and disseminated online via the social media platform Reddit. When these gained no traction, further attempts were made to promote the illicitly acquired material online in the run-up to the General Election.
“Whilst there is no evidence of a broad spectrum Russian campaign against the General Election, any attempt to interfere in our democratic processes is completely unacceptable. It is, and will always be, an absolute priority to protect our democracy and elections.”
WMS by Rt Hon Dominic Raab, MP, First Secretary of State and Secretary of State for Foreign, Commonwealth and Development Affairs.
Through guidance and training, the NCSC improves the level of cyber resilience among those in national and local government, ensuring that the public sector can rely on secure access to essential services, networks and data.
The Cyber Centre of Excellence is a government security initiative to help improve cyber security advice across departments. The Centre has played a vital role in helping departments to implement the NCSC’s ACD capabilities, conducting risk analysis to address vulnerabilities and to improve cyber resilience across government.
With government needing its personnel to be able to work remotely and securely on mobile devices, the NCSC’s Advanced Mobile Solutions (AMS) has given authorised users protected access to the most sensitive networks.
This year to ensure the safe connection between less secure remote devices to secret networks, AMS created new classes of “cross domain” technology, using highly innovative infrastructure security. The new approach has enabled methods of secure communication between individuals and groups, such as video conferencing, whether they are in protected facilities or working remotely. This provides a significant improvement in protection compared to standard security technology such as Web Application Firewalls.
“Capabilities like AMS highlight both the very latest developments in cybersecurity and also the ability of highly sensitive departments to work in a modern way. The advances are the results of the NCSC’s diligent research collaborations with our academic and industry partners"
Dr Ian Levy, NCSC Technical Director
AMS & derived technologies are currently deployed to over 500 devices across multiple organisations.
The NCSC anticipates a significant increase in these numbers as a new managed service (initially scaled to 2000 devices) comes online at the end of 2020 and new secure remote working systems, currently being built, come online early to mid 2021.
In response to the fast pace and everchanging national and international security threats, the NCSC works through established partnerships to help make the UK as resilient as possible – from defending citizens, businesses and charitable institutions, to safeguarding Critical National Infrastructure, defence and security assets and operations.
In response to the fast pace and everchanging national and international security threats, the NCSC works through established partnerships to help make the UK as resilient as possible – from defending citizens, businesses and charitable institutions, to safeguarding Critical National Infrastructure, defence and security assets and operations.
The NCSC works closely with the Ministry of Defence (MOD) to ensure UK Armed Forces can operate with confidence based on reliable information shared safely with UK and international partners.
The UK’s most sensitive information and most important capabilities are protected using the NCSC’s Crypt-Key (an encryption management system), which is underpinned by the technical expertise the NCSC holds as the UK’s technical authority on cyber security.
Over the past year, the NCSC has worked with the MOD, NATO and other partners on the transformation that is required throughout the UK National Crypt/Key Enterprise and this vital collaboration will continue.
“At the NCSC, we are proud that our technical expertise helps to keep our armed forces safe and operating with confidence all around the world.”
Jacqui Chard, NCSC Deputy Director for Defence and National Security
At the heart of the NCSC’s security work is the expertise needed to create highly secure, encrypted communications for the government, military, industry and allies. Its research on improving these systems has led to significant new developments in Crypt-Key, transforming old, paper-based practices into modern, digital ones.
This year, the UK Key Production Authority (UKKPA) - a part of NCSC - replaced the long-standing method of producing cryptographic keys on punched paper tape with a more efficient capability for producing and distributing keys in an electronic, highly secure format, meeting the advanced requirements of national and international defence partners.
Eight-hole punched paper tape example
The NCSC worked to protect military personnel and the nation’s most important ground, naval and air assets, providing support with incident and threat reporting, and training for staff.
As part of this role, the NCSC provided advice on cyber security risks and policy to the Continuous At Sea Deterrent (CASD), including the mitigation of any potential supply chain vulnerabilities. Ongoing support is given to the Successor programme, which will deliver the replacement to the current Vanguard-class Trident Submarine.
The NCSC continues to provide NATO with “thought leadership” and technical expertise on cyber security and cryptography to help the organisation protect its communications and information infrastructure.
The NCSC led the development of NATO's action plan to protect its secure communications against the threat posed by future quantum computing and is providing ongoing assistance to NATO with the implementation of its plan.
HMS Vengeance, Vanguard-class submarine
“UK Strategic Command and the NCSC frequently work hand-in-hand to enhance Defence’s security posture and in the fight to protect our networks and critical national information against constant attack.
“Cyberspace is the most active domain, and the NCSC delivers critical support to us in threat and incident management, high grade cryptography and in providing specialist support such as preparing for CSG21 (UK Carrier Strike Group 21) and the ongoing support to the strategic deterrent.”
General Sir Patrick Sanders, Commander of Strategic Command
The NCSC has been working with the MoD on all security aspects of the Boeing Poseidon P-8A Maritime Patrol Aircraft, which will offer a high level of sea defence to the UK due to its unique submarine-hunting capabilities.
Operating from RAF Lossiemouth, the aircraft successfully achieved its initial operating capability in April, contributing to maritime counter-terrorism, and will be able to support search and rescue operations worldwide.
Defence’s fleet of new F-35B combat aircraft was being supported by the NCSC as they extend their operational ability with deployment into international areas of conflict. The NCSC is providing TEMPEST testing, ensuring the highest level of secure communications and has been involved in the development of Lightning Shield to maintain operational security. The latter ensures the F-35B’s Freedom of Action and is in operational use by the UK Lightning Force and Royal Australian Air Force.
The NCSC continues to review the cyber security of the aircraft’s international maintenance support and the rapid provision of the necessary key material to support carrier landings. It provides guidance to secure the international ground systems for the F-35B and provided technical expertise to mitigate the threat to the supply chain that supports the aircraft.
F-35B Lightning combat aircraft
“The work the NCSC does to battle harden our fifth generation F-35B Lightning jets from cyber security threats is vital and means the UK can deploy and support this capability at a time and place of our choosing."
Rear Admiral Matt Briers, Director Carrier Strike, Ministry of Defence
While the NCSC works to protect the UK’s national security and strategic interests around the world, closer to home it works to safeguard everyday citizens and communities from cyber crime and threats.
Every day billions of emails are sent globally, helping businesses to function efficiently and keeping people connected. While the vast majority are harmless, the small proportion that are malicious still account for millions of daily cyber threats.
“Phishing” attacks see criminals sending untargeted, mass emails asking for sensitive information (such as bank details) or encouraging recipients to visit a fake website. Such emails can be highly effective at mimicking an established organisation, and even highly skilled cyber experts can be fooled into clicking a link.
The NCSC has long been committed to making emails safe. While ACD measures make it harder to commit these attacks – and minimise the harm they cause – successful attempts still land in people’s inboxes.
That’s why this April the NCSC, in partnership with the City of London Police, launched the SERS, and encouraged people to forward emails they thought could be malicious. The response was immediate – with more than 5,000 reports within 24 hours. Four months after launching, the service had received 2.3 million reports – an average of 133,000 per week.
Received 2,330,231 reports from citizens
22,237 malicious URLs taken down/blocked
9,315 scams taken down/removed
Members of the public are encouraged to forward suspicious emails to report@phishing.gov.uk to enable action to be taken to help protect other people from falling victim to crime.
The SERS analyses the flagged email and if malicious content is found, a takedown notice is issued to the hosting provider requesting it removes the content.
In parallel, the malicious URLs are added to a block list which is provided to browser, antivirus and firewall vendors.
“There's been an explosion of scam adverts in the UK. We've been fighting them on all fronts. I've even sued, but the toughest nut to crack is scam emails, because emails come from everywhere.
“That's why the NCSC's new report-and-remove function is so vital... at last, we can forward scams to report@phishing.gov.uk and know that someone will take action.
“Yet we need what I call 'social policing' too - everyone that can spot a scam must take up arms and report it to protect those who can't. It's why I've shouted it from the roof tops on my show, MSE and social media, and we've seen the rate of reports quadruple, which is proof people are ready to do their bit.”
Martin Lewis, founder of MoneySavingExpert.com
“Phishing is often the first step in a lot of fraud cases we see. It provides a gateway for criminals to steal your personal and financial details, sometimes without you even realising it, which they can then use to take your money.
“Unquestionably, a vast number of frauds will have been prevented, thanks to the public reporting all these phishing attempts. Not only that, but it has allowed for vital intelligence to be collected by police and demonstrates the power of working together when it comes to stopping fraudsters in their tracks.”
Clinton Blackburn, Commander, City of London Police
This year there has been a growing trend of fake celebrity-endorsed investment scams.
The scams saw spoofed news articles featuring public figures such as Sir Richard Branson, Ed Sheeran and Martin Lewis promoting fake “get rich quick” schemes. The reader was encouraged to click a link to invest, but in reality the money went to cyber criminals. The NCSC’s Takedown team proactively searched for these scams and took definitive action to take down 300,000 malicious URLs created to trick people into losing money.
The NCSC’s Takedown team proactively searched for these scams and took definitive action to take down 300,000 malicious URLs created to trick people into losing money.
Speaking in August, then NCSC Chief Executive Officer Ciaran Martin said:
“These investment scams are a striking example of the kind of methods cyber criminals are now deploying to try to con people.
“We are exposing them today not only to raise public awareness but to show the criminals behind them that we know what they’re up to and are taking action to stop it.”
“We have dealt with hundreds of instances of fake sites and fraudsters impersonating me or my team online.
“We are working in partnership with organisations such as the NCSC to report these sites and do all we can to get them taken down as quickly as possible.
“Sadly, the scams are not going to disappear overnight, and I would urge everyone to be vigilant and always check for official website addresses and verified social media accounts.”
Sir Richard Branson, Virgin Group Founder
In March, the NCSC issued advice on the safe use of smart security cameras and baby monitors. This followed research by organisations like Which?, revealing that live feeds or images from smart cameras can in some cases be accessed by unauthorised users, putting the public’s privacy and security at risk.
Smart cameras are often configured so people can remotely access them and some are shipped with default (highly hackable) passwords set by the manufacturer. The NCSC’s advice included some simple steps for citizens to protect themselves and their families from this threat.
To counter the threats from vulnerable devices, the NCSC has supported the Department of Culture, Media & Sport (DCMS) in its development of legislation that will require manufacturers of connected consumer devices sold in the UK to:
The NCSC alert was accompanied by media briefings to ensure citizens had the necessary information to protect themselves, resulting in prominent press coverage and strong support from Which? and other influential commentators and individuals.
Being part of the UK’s CNI it is a vital responsibility of the NCSC to help secure the financial and banking sector in its substantial online dealings.
Working alongside the UK Government, NCA, financial regulators and institutions, the NCSC has been a leading player in a groundbreaking initiative to improve the resilience of the UK’s financial sector. This year, the NCSC supported the creation of the FSCCC, and hosted the new initiative.
The FSCCC is a partnership which identifies, investigates and coordinates the response to incidents that have potential consequences for the finance sector, by combining, analysing and distributing information from across the sector to produce timely outputs for the financial industry.
Continued in the full Annual Review“The NCSC, alongside the entire UK Government, is working closely with the most critical UK businesses of today and tomorrow to increase their resilience to cyber threats.
“This is exemplified in the joint work between industry and the NCSC in developing the FSCCC to defend UK interests against cyber threats.
“Working with trusted international partners helps multiply our impact globally and ensures our work remains at the cutting edge of what is possible.”
Dr Deborah Petterson, NCSC Deputy Director for Private Sector Critical National Infrastructure
Last year, the NCSC launched the online tool ‘Exercise in a Box’, which enables businesses to test how resilient they are to cyber attacks. The toolkit offers a range of realistic scenarios organisations could face, allowing them to carry out drills in preparation for real-life events.
Due to the shift in the number of staff working remotely, in July a ‘Home and Remote Working’ exercise was released. It focused on three key areas of distributed working; how staff members can safely access networks, what services might be needed for secure employee collaboration, and what processes are in place to manage a cyber incident while working remotely.
As part of the exercises, staff members were given prompts for discussion about the processes and technical knowledge needed to enhance their cyber security practices. At the end, an evaluative summary was created, outlining next steps and pointing to the NCSC guidance.
“Businesses wanted to do all they could to keep themselves and their staff safe while home working continues, and using Exercise in a Box is an excellent way to do that.
“While cyber security can feel daunting, it doesn’t have to be, and the feedback we have had from our exercises is that they’re fun as well as informative.
“We urge business leaders to treat Exercise in a Box in the same way they do their regular fire drills – doing so will help reduce the chances of falling victim to future cyber attacks.”
Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement
The Exercise in a Box toolkit has at the end of August, more than 7,500 registered users with interest in the tool around the globe.
The top 10 countries by use with Exercise in a Box:
“Exercise in a Box is a fantastic tool that’s free, well thought-out, easy-to-use and can help improve an organisation’s security posture – what’s not to love in that?”
Eventura spokesperson
“In many cases the effects of cyber attacks could be mitigated by putting good cyber hygiene principles into practice, or by planning and implementing an incident response capability.
“Exercise in a Box is designed for the non-cyber expert with everything the facilitator needs to set up, plan, and deliver the exercise. Among the topics covered are phishing attack leading to ransomware infection, the threatened leak of sensitive data, and mobile phone theft and response.
“On completion there is an end report with links to NCSC advice and guidance. In addition, we’ve just added micro exercises on single topics designed to provide the basics over 15-20 minutes.
Steve, NCSC Exercise in a Box team
The 10 scenarios you can test in Exercise in a Box are:
The NCSC’s Knowledge Base is the ‘Single Source of Truth’ that allows the government and CNI sector to better understand and manage the UK’s CNI, its supply chains, and the interdependencies between them all.
The Knowledge Base is a mapping tool (IT system) which helps analysts view the CNI data on a map or as a network diagram with each interdependency mapped across it. It was used to support the response to the coronavirus pandemic, and next year, the user base will be extended to help foster collaboration and discussion more widely across UK Government.
Both the criticalities approach (an assessment based on the importance of an organisation, supply chain or sub-sector) and the CNI Knowledge Base were developed and implemented by the NCSC on behalf of Cabinet Office (Civil Contingencies Secretariat) as part of the National Cyber Security Programme.
Continued in the full Annual Review“The new functionality delivered by the CNI Knowledge Base will be a game changer for the UK Government. For the first time, we will have the tools needed to identify the functional, organisational and geographic dependencies within and across CNI sectors, informing meaningful collaboration with stakeholders and helping us make the UK safe, secure and resilient.”
Andrew Bell, Critical National Infrastructure Programme Manager, Department for Transport
“The NCSC Knowledge Base will enable a step-change in the way the Government anticipates, prevents and responds to cascading risks that could impact our most essential services. A flagship project under the 2016 National Cyber Security Programme, it provides a world-leading capability in CNI risk management.”
Civil Contingencies Secretariat, Cabinet Office
Cyber security is a team sport, and while the NCSC is a key player, it can’t make the UK the safest place to live and work online alone. Over the last 12 months government, industry and the general public came together to enhance their shared cyber security.
This chapter sets out how the NCSC developed existing and new partnerships with individuals, communities and institutions to create new ideas and solutions to give the UK a winning edge.
Cyber security is a team sport, and while the NCSC is a key player, it can’t make the UK the safest place to live and work online alone. Over the last 12 months government, industry and the general public came together to enhance their shared cyber security.
This chapter sets out how the NCSC developed existing and new partnerships with individuals, communities and institutions to create new ideas and solutions to give the UK a winning edge.
Most of the cyber threat to the public is in high volume, low sophistication, which can be prevented with basic actions. However, a considerable proportion of the public are not taking the simple steps to protect themselves. In 2019, it was reported that 23.2 million hacking victims had “123456” as their password. Without actively encouraging the adoption of protective behaviours, the UK will remain an attractive target for cyber crime.
The Cyber Aware campaign relaunched in April to build resilience to the increased cyber security threats related to the coronavirus outbreak. The campaign drove the public to a microsite with actionable guidance for staying secure online and advice on how to report a suspicious email.
With individuals spending more time online, and businesses moving increasingly from physical to digital practices, the Cyber Aware campaign will relaunch in November to encourage citizens and micro businesses to adopt the six behaviours that will help protect them from the most common attacks.
Find out more at www.cyberaware.gov.uk
The NCSC is committed to raising cyber security maturity and resilience across every part of our national life. This includes supporting and empowering UK businesses, academia and the charity sector.
A snapshot of our partnership over the past 12 months:
The NCSC worked with the National Education Network to distribute 33,000 ‘cyber security information cards’ to help those working in UK schools to better understand cyber threats. The cards were also presented to Ofsted inspectors at their November conference.
They were so popular they can now be downloaded from the NCSC website and printed at home.
With the National Association of Community and Voluntary Action and the Foundation for Social Improvement, the NCSC upskilled over 40 local delivery partners and to date has trained over 5,000 small charities in cyber security.
In total, the NCSC delivered more than 100 workshops, podcasts and webinars all over the UK for the voluntary sector.
The NCSC’s Small Business Guide was reused in innovative ways to reach NatWest business customers.
This included a blog posted to their Bankline platform and references within their ‘Security tip toasters’ and FAQ content – which were live for two weeks, receiving 40,000 unique views.
Additionally 9,000 bespoke versions of the guide were created and distributed to Natwest's business customers.
The pandemic resulted in many organisations moving operations online. For sole traders or small business owners, establishing exactly what cyber security measures they needed to put in place was likely to be a challenge.
The NCSC stepped in and produced, in quick time, guidance to help organisations determine how ready they were for this digital transition and pointed the way to any new cyber security measures they should put in place.
Continued in the full Annual ReviewThe NCSC published its first analysis of the sports industry in July – which revealed 70% of sports institutions suffered a cyber incident in the past year, double the average for UK businesses.
‘The Cyber Threat to Sports Organisations’ report outlined measures recommended to prevent criminals cashing in on their industry.
Case studies in the report included;
“The issue of cyber security is one all sports, including Rugby League, take seriously. As we grow our digital capabilities and online platforms, protecting the governing body, our members, customers and stakeholders is paramount.
“We welcome the NCSC Report and the guidance it offers the sports sector.”
Tony Sutton, Chief Operating Officer at Rugby Football League
“Improving cyber security across the sports sector is critical. The British Olympic Association sees this report as a crucial first step, helping sports organisations to better understand the threat and highlighting practical steps that organisations should take to improve cyber security practices.”
Sir Hugh Robertson, Chair of the British Olympic Association
The NCSC continued its support for the academic sector this year as it saw a spate of ransomware attacks against UK schools, colleges and universities.
Through engagement with key institutions such as the Department for Education (DfE) and Jisc (a not-forprofit organisation providing digital and IT services to education and research institutions), rapid and tailored guidance was offered to the sector on how to improve cyber security.
Continued in the full Annual Review“It has never been more important for colleges to have the right digital infrastructure in order to be able to protect their systems and keep learning happening, whatever the circumstance.
“This needs a whole college approach and for a focus wider than just systems, it needs to include supporting leaders, teachers and students to recognise threats, mitigate against them, and act decisively when something goes wrong.
“The NCSC’s guidance will prove incredibly useful for colleges to ensure that they can do just that.”
David Corke, Director of Education and Skills Policy at the Association of Colleges
The UK has a thriving research and innovation sector that attracts investment from across the world – but the open nature of research collaboration also entails certain risks. ‘Trusted Research’ is the NCSC and Centre for the Protection of National Infrastructure’s (CPNI) latest advisory paper for UK universities and research institutions, which aims to help them make informed decisions about international collaboration and protect their own researchers and academic values.
Continued in the full Annual ReviewThe NCSC’s i100 scheme continues to expand, delivering results across all areas of the organisation. The initiative sees a variety of companies with unique insights and capability in cyber defence loan staff to the NCSC on a part-time basis to collaborate in defending the UK. The secondees are given a security clearance and sign an agreement that enables them to work alongside the NCSC’s staff, including on sensitive projects and investigations.
Continued in the full Annual ReviewThe NCSC’s Business Engagement team worked with over 80 new and established partners across the private sector, for example within construction, civil engineering, architecture and farming.
More than 150 legal firms were hosted by the NCSC in February for an event which articulated the threat to the legal sector and helped companies understand what mitigations they can put in place.
Continued in the full Annual Review“It is vital businesses take action to protect themselves and their customers from security risks and cyber insurance can play an important part in robust risk management strategies.
“I encourage firms to consider this guidance and use programmes such as Cyber Essentials to make sure they have fundamental cyber security defences in place.”
Matt Warman, MP Parliamentary Under-Secretary of State for Digital Infrastructure, DCMS
In consultation with major stakeholders and industry partners, the NCSC produced its first ever guidance on cyber insurance after calls for expert technical advice on the growing cyber insurance market.
The seven questions the guidance recommends senior leaders ask about cyber insurance are:
Cyber Essentials is a Government-backed, industry-supported programme to help organisations protect themselves against common online threats. They can apply for two levels of certification;
In April, IASME Consortium Ltd became the NCSC’s sole delivery partner for Cyber Essentials. To ensure a smooth transition, they issued regular briefings for certification bodies, and they will work alongside the NCSC over the next 12 months to keep pace with the changing landscape and consider additional Cyber Essentials levels.
Continued in the full Annual Review
“We were absolutely delighted to step into the role of Cyber Essentials Partner.
“We see the Cyber Essentials scheme already having such a positive effect on the security of UK business and the strong partnership with the NCSC allows us now to enhance the scheme to be even more effective.”
Dr Emma Philpott MBE, CEO, the IASME Consortium Ltd
The NCSC’s acclaimed Cyber Accelerator programme works with dynamic startups to encourage new products, skills, jobs and growth. It is a collaboration between the NCSC, DCMS, and Wayra, Telefónica’s open innovation arm.
Based in Cheltenham, it offers mentorship to tech businesses that are creating solutions for the security industry and spurs innovation and competition to boost the country’s economic growth.
Read our case studies in the full Annual Review
CYBERUK is usually a highlight in the NCSC calendar, bringing together both leaders and technical experts with an interest in cyber security from across the UK and abroad. CYBERUK 2020 was due to take place in Newport in May, but sadly had to be cancelled due to coronavirus.
The NCSC adapted to the challenges of the pandemic, switching from the physical to the virtual. It has set up a programme of work to build its capacity to continue to deliver bigger and better virtual offerings in the future. This will include a meeting of CYBERUK Leaders early in 2021.
Continued in the full Annual ReviewThe core aim of the NCSC is to make the UK the safest place to live and work online. The NCSC loves technology and seeks to help the UK enjoy the benefits of the digital age in a safe and secure way.
To do this, measures are put in place to remove vulnerabilities and prevent as many attacks in the first place. Where attacks do get through the NCSC is there: to respond to incidents, to help support victims and to continually refine the best defences.
The core aim of the NCSC is to make the UK the safest place to live and work online. The NCSC loves technology and seeks to help the UK enjoy the benefits of the digital age in a safe and secure way.
To do this, measures are put in place to remove vulnerabilities and prevent as many attacks in the first place. Where attacks do get through the NCSC is there: to respond to incidents, to help support victims and to continually refine the best defences.
While the NCSC works 24/7 with its partners to prevent cyber attacks, some will inevitably get through. In the last year the NCSC dealt with 723 cyber security incidents involving almost 1200 victims. These are the highest annual totals since the NCSC was formed.
This year’s total means that since the NCSC commenced operations in 2016, the organisation has coordinated the UK’s defence against a total of 2,528 incidents (annual totals of 590, 557, 658 and 723).
Several incidents came onto the NCSC’s radar proactively, through the expert work of its threat operations and assessments teams. Many others were raised by victims of malicious cyber activity and cyber attacks.
According to the DCMS ‘Cyber Security Breaches Survey 2020’, almost half of businesses (46%) and a quarter of charities (26%) reported having cyber security breaches or attacks over a 12-month period. Of the 46% of businesses that identified breaches or attacks, more were experiencing these issues at least once a week in 2020 (32%, vs. 22% in 2017).
The nature of cyber attacks has also changed since 2017. Over this period there has been, among those identifying breaches or attacks, a rise in businesses experiencing phishing attacks (from 72% to 86%), and a fall in attacks involving viruses or other malware (from 33% to 16%).
“At the NCSC, we get ahead of the cyber threats and defend critical sectors before damage is done.
“Thanks to our access to key intelligence, our ability to predict trends and the agility of response, we refocused many of our capabilities to focus on coronavirus-related sectorsthis year.
“It’s vital that we stay ahead of threats and are able to quickly react to the threat landscape.”
Paul Chichester, NCSC Director of Operations
“We actively redirected our efforts to defend the health sector and because it was such a priority, it rose to our second most supported sector this year.”
Eleanor Fairford, NCSC Deputy Director for Incident Management
This map illustrates the broad geographic spread across the UK of all the cyber incidents the NCSC managed that may have had some bearing on the national response to the pandemic between February and July.
The location is indicative rather than a precise pinpoint of each incident. These incidents varied in terms of their severity and type.
Over the past year, the NCSC saw a significant rise in ransomware attacks on the UK, including an attack against Redcar and Cleveland Council which caused considerable damage and disruption.
There has also been a significant change in the way ransomware attacks are carried out. Rather than simply preventing access to data, criminals are stealing it and threatening to leak the most sensitive parts publicly. There are obvious business sensitivities to ransomware attacks, and there have long been fears the crime is underreported. The NCSC, in collaboration with the NCA, is committed to helping victims and tackling the wider issue, working as part of a team with law enforcement colleagues.
While the NCSC tracks trends and attempts to disrupt operations, it works closely with the NCA, which coordinates and leads the national law enforcement response to ransomware incidents. This includes supporting victims, successfully resolving incidents through a range of outcomes and pursuing criminal proceedings against those responsible.
“We worked closely with the NCSC following the cyber attack and its expertise and guidance enabled us to recover our systems effectively and plan additional security measures above industry-approved standards.”
Redcar and Cleveland Borough Council spokesperson
Ransomware is a type of malicious software (malware) that prevents victims from accessing their device, or the data that is stored on it.
Once the malicious software is on a network, the criminals can encrypt data that would have an impact on the organisation’s services and then withhold it until a payment is made.
The system itself may become locked, or the data on it might be stolen, deleted or encrypted. Some ransomware will also try to spread to other machines on the network – such as the WannaCry malware that impacted the NHS in May 2017 – meaning it is untargeted and potentially viral.
Traditionally, the victim is told that they have been denied access to their own data which will not be restored until they make a payment in cryptocurrency, such as Bitcoin. Once this payment is made, the criminal will unlock their computer or allow access to the data.
The NCSC has seen an increase in the scale and impact of ransomware attacks and a new and growing trend to be more targeted and more aggressive than ever before.
Criminals are increasingly found lurking on a network, searching before ransomware is even deployed, looking for specific sensitive data that the victim would not want to be made public – such as a secret patent, or information about staff salaries.
Rather than simply seeking to withhold data, criminals are increasingly threatening to leak the most valuable information publicly unless the victim pays the ransom. This new trend to extort means that victims are at risk even if they have backed up their data, as they would not want the information published externally.
The data available suggests that the UK is not the most heavily targeted country, predominantly because British victims are traditionally less likely to pay the ransom than those from other parts of the world. However, the trends suggest that unless defences are improved, ransomware will increase globally and in the UK, with criminals developing new techniques to circumvent cyber defences.
Even if the ransom is paid, there is no guarantee that victims will get access to their computer or files – or that the criminal won’t just charge again under threat of leaking the same information. It will also likely result in repeat incidents as criminals become emboldened in holding people to ransom.
Depending on the comprehensiveness of disaster recovery and business continuity plans in place, normal service can take weeks, if not months, to resume.
The NCSC has updated its ‘Mitigating Ransomware and Malware Attacks’ guidance, recommending that organisations deploy a “defence in depth” strategy. By implementing a technical architecture with multiple defensive layers, if one mechanism fails another is there to thwart an attack.
Organisations should also have an incident response plan, which includes a scenario for a ransomware attack, and this should be exercised.
More generally, a good first step to avoid being a victim is making offline backups of data. The criminal will hold less power over an organisation or individual if they already have copies of the thing they are trying to withhold.
“The NCSC is a key partner for the NCA’s National Cyber Crime Unit; helping us achieve our mission to reduce the threat to the UK from cyber crime, through investigations and disruptions delivered in partnership with Team Cyber UK.
“We work closely at both a strategic and tactical level. From shaping the whole system response to assisting industry with advice on protecting their systems and preventing malicious activity.
“We jointly deploy to crime scenes, allowing the NCA to obtain evidence, whilst managing ‘crimes in action leading’ to the identification of suspects, arrests and prosecutions.
“Nowhere is this more important than in the response to ransomware – where our partnership assists the victim with restoration of their systems whilst enabling us to pursue the suspects in the UK and overseas, using a range of measures including arrest, prosecution and international sanctions.”
Lynne Owens, Director General of the National Crime Agency
The NCSC’s operations and incident response team is comprised of highly skilled experts based across the UK. The team discover new cyber threats, respond in support of victims, assess the trends in cyberspace, share information with partners and industry and lead on counter campaigns to deter threat actors. In doing so, the team uses a wide range of data sources, including from industry partners. They work closely with law enforcement and lead the intelligence community in defending the UK 24/7.
One of the more than 1,200 UK-based victims of a cyber attack supported by the NCSC this year recalls their experience. Anybody who alerts IM is treated in confidence, and the below has been offered in anonymity from a representative of the victim, which was a large international organisation.
In response to a significant and sustained cyber-attack, our company approached the NCSC to request support with the management of the investigation.
“The initial engagement consisted of information sharing, triaging and establishing a cadence for future meetings. This quickly evolved into a strong and beneficial partnership, based on mutual trust, transparency and a spirit of collective responsibility.”
After appointing Cyber Incident Response (CIR) accredited suppliers and having further discussions with the NCSC’s Incident Management team, an introduction was made to Law Enforcement partners.
“This invoked a stream of investigative activity which not only served to stabilise a volatile and uncertain situation, but materially improved our understanding of the threat actor’s motives and intent.
“As a result, the company’s Executive Team were able to take appropriate risk-based decisions from a highly informed perspective, thereby minimising the impact of the attacker’s presence on the company’s operations.”
“From a technical perspective, the NCSC’s Incident Response team provided significant support throughout the full investigative lifecycle.
“Operating as a central co-ordination unit, the team offered ongoing recommendations and guidance, ensuring that our continuity arrangements, eradication approach, evidence gathering, and cyber uplift activities were harmonised, prioritised and correctly orchestrated.”
A highly effective relationship was also built between communications team at our organisation, the NCSC and law enforcement. This ensured that consistent messaging was agreed and published in response to media speculation and enquiries from interested third parties.
“It also strengthened the assurances provided to our existing client base and perception of the partnership between the NCSC and the company to fully respond to the cyber-attack.”
“The overriding theme of the engagement was one of support, reassurance and effective team working.
“The professionalism, commitment and knowledge of the NCSC and Law Enforcement teams was exemplary throughout the incident.
“We owe a debt of gratitude to all those involved, who helped the company ensure critical operations continued to be provided to our customers during the incident and wider COVID-19 pandemic.”
The NCSC has regularly provided essential telecommunications advice to DCMS, Ministers and the wider public that has directly influenced UK policy. A prominent example this year has been the advice related to facilitating the country’s move from 4G to a more advanced 5G network.
In January, the UK Government announced plans to put in place additional safeguards and exclude high risk vendors, such as Huawei, from “core” parts of 5G and full-fibre networks. This decision, taken by the Prime Minister chaired National Security Council (NSC) was informed by detailed technical evidence from the NCSC as determined by the threat landscape at the time.
In a global first, detailed advice on this high-risk vendor decision was published to operators and the public, alongside a 30-page summary of the UK Government’s multi-year analysis into the risks to telecoms networks. This oversight has included the Huawei Cyber Security Evaluation Centre (HCSEC), which has been running for nine years.
Continued in the full Annual Review“The technical advice and expertise of the NCSC has been at the heart of our approach towards the telecoms supply chain review, high-risk vendors, and the development of the UK’s diversification strategy.
“We are making strong progress to drive up telecoms security standards and this is testament to the excellent and seamless partnership working across DCMS and the NCSC.”
Kathryn Roe, Deputy Director,Telecoms Security & Resilience, Digital Culture, Media and Sport
The ACD programme seeks to stop a range of different attacks ever reaching UK citizens, institutions or businesses. Working in a relatively automated and scalable way, it removes the burden of action from the user and enables attacks to be taken down at scale.
There are six key programmes within ACD that have been rolled out in the public sector;
Web Check Helps owners of public sector websites to identify and fix common security issues – making sites in the UK a less attractive target to attackers
Protective DNS Prevents access to known malicious domains and puts restrictions on malware communications on compromised networks
Takedown Service Locates malicious sites and alerts hosts and owners to ask them to remove them from the Internet
Mail Check Helps public sector email administrators improve and maintain the security of their email domains by preventing spoof emails
Vulnerability Disclosure Platform Identifying, reporting and remediating vulnerabilities in government and other key services
Host Based Capability Advanced NCSC threat detection capability that can be deployed to detect threats on an organisation’s network
This year has also seen the NCSC build on previous successes with established tools. It has enhanced functionality of its Web Check and Mail Check services – which help owners of public sector websites to identify and fix common security issues. These have since been rolled out across the public sector and beyond.
Monthly statistics for all issues discovered for remediation across users of the service in 2019 are as follows:
There are 2,931 service users representing over 1,000 customer organisations.
The security issues reported to them are categorised Urgent, Advisory and Informational.
On average, the service results in the resolution of over 700 urgent issues by customer organisations every month.
2.8 million public sector internet users protected by PDNS (estimated)
201 billion successfully resolved PDNS queries between 1 September 2019 and 31 August 2020
290 more organisations using PDNS compared to 1 year ago, including many NHS and critical sector organisations onboarded in March , pre-pandemic peak
760+ organisations are using the service and it blocks around 18,000 unique domains at a rate of 7.2 million times per month
The takedown service finds malicious content hosted on the internet and seeks to have it removed, the goal being to reduce the harm that common cyber security threats cause.
99.6% of all discovered phishing attacks are (taken) down, 65.3% were down within 24 hours
Discovered and took down 166,710 phishing URLs
65.3% of these were removed within 24 hours of being determined malicious
42,576 URLs were associated with UK Government themed phishing attacks, hosted globally
UK share of visible global phishing attacks further reduced to 1.27 % (from 2.1% last year)
Since March, the NCSC has taken down 15,354 campaigns which used coronavirus themes in the ‘lure’. These were hosted globally.
were Advance Fee Fraud (419 scams)
were associated with Fake Shops selling bogus PPE, coronavirus products, test kits (and even vaccines)
phishing campaigns
mail servers distributing malware
Between April and end of August, 384,118 URLs associated with these scams were taken down.
The NCSC started work against bogus online shopping sites (fake shops) and have taken down 113,000 URLs.
The NCSC found 1,318 sites that had been compromised with credit card skimming malware.
Mail Check monitors 11,417 domains classed as public sector
The number of public sector domains using DMARC nearly doubled from 1,805 at the end of August 2019 to 3,097 by the end of August 2020
The number of public-sector domains protected by a DMARC policy that blocks suspicious emails (quarantine or reject) more than doubled from 899 at the end of August 2019 to 2,253 by the end of August 2020
Security vulnerabilities are discovered all the time and people want to be able to report them directly to the organisation responsible. The NCSC has worked with organisations and those who find security vulnerabilities to make it easier to report and therefore quicker for the system owner to remediate the issue.
The NCSC runs three initiatives:
The service has grown over the past year to provide coverage for 130,000 government devices (up from 35,000 last year). The NCSC continues to provide a three-part service offering: Detect, Threat Surface, and Forewarn. In addition to detecting malicious and suspicious cyber activity within government, the NCSC has cumulatively provided over 170 ‘Threat Surface’ reports to its partners.
The Domain Name System (DNS) is one of the core technologies used on the internet, essentially acting as a phonebook or contact list to translate between human-readable domain names and machine-readable addresses.
Like all contact lists, errors can easily be introduced from causes such as human error or information simply becoming stale and inaccurate over time. In the context of DNS, this can lead to domain names pointing to resources that are unregistered.
The NCSC refers to these as “dangling DNS records”. Sometimes it’s possible for an attacker to register the resource that such a record points to, therefore giving them control over what is returned to anyone who visits the domain name. This attack, known as “subdomain takeover”, can have serious consequences and can result in victims being tricked into interacting with malicious websites, despite the domain name displayed in their web browser looking completely legitimate.
Continued in the full Annual Review
A critical element of the UK’s cyber security future is growing the skills and capabilities that will help safeguard the services and institutions the country depends on, as well as creating the opportunities and advantages that will benefit the UK and its citizens for generations to come.
The NCSC has an important part to play in fulfilling this strategic objective and creating the next generation of cyber security experts and specialists, as well as developing today’s practitioners is a key priority for the organisation.
A critical element of the UK’s cyber security future is growing the skills and capabilities that will help safeguard the services and institutions the country depends on, as well as creating the opportunities and advantages that will benefit the UK and its citizens for generations to come.
The NCSC has an important part to play in fulfilling this strategic objective and creating the next generation of cyber security experts and specialists, as well as developing today’s practitioners is a key priority for the organisation.
The NCSC has continued to grow its own internal specialists and talent pipeline, as well as supporting the Government Security Profession and wider government cyber security community. For the latter, the NCSC shared its Technical Reconnect programme with specialists from across government. The course teaches the latest NCSC guidance to ensure delegates are familiar with cyber security best practice and can recognise the drivers behind it. Delegates learn through highly practical hands-on opportunities to build, attack and repair the various technologies that are encountered in modern security environments.
The training is delivered periodically over six months, and instructor-led training, practical lab activities, group exercises and regular consolidation exercises. Together with the NCSC’s other cyber security training and development offerings, this offering quickly pivoted to online delivery as coronavirus took hold.
Continued in the full Annual Review“Working for the public-facing side of the business allows an insight you wouldn’t normally see anywhere else in the building. The limits for customer engagement are endless, and the work produced always has a real influence.
“I enjoy that you can see the impact you have on customers. On top of this, the atmosphere in teams is always so friendly and encouraging, so overall the NCSC is a great area to work for.”
CyberFirst Apprentice on a Year 3 placement in NCSC
For the first time, a guide collating the knowledge of the world’s leading cyber security experts was created this year. Sponsored by the NCSC, the CyBOK is an 828-page resource offering a foundation for education, training and professional practice.
“This guide will act as a real enabler for developing cyber security as a profession. It’s been developed by the community, for the community and will play a major role in education, training and professional practice.”
Chris Ensor, NCSC Deputy Director for Cyber Skills and Growth
CyBOK was launched at London's Science Museum, January 2020
One of the most important programmes in the NCSC’s future skills agenda is CyberFirst, which encourages and supports young people into the world of cyber security.
It’s been an exciting year for the team and for the thousands of secondary and undergraduate students who took part in courses, competitions and applied for career-defining university bursaries to learn a host of interesting subjects such as digital forensics, ethical hacking, cryptography and cyber security challenges.
CyberFirst Students
Every summer, 1,100 free places are made available on five-day residential courses at universities across the UK. Courses were offered at three levels; Defenders (14 to 15-year-olds), Futures (15 to 16-year-olds), and Advanced (16 to 17-year-olds) – aimed at helping pupils develop the digital and problem-solving skills needed to operate in the field of cyber security.
In response to the pandemic the NCSC moved the summer courses online, with virtual classes led by instructors running from June through to August.
This year saw the highest number of applications yet (3,992) and an increase in applications from ethnic minority students (making up 23% of the total applicants) compared to previous years.
CyberFirst Girls' Competition Winners
“I’m really pleased that the NCSC also chose to pilot the CyberFirst Schools programme here in Wales, and we’ll continue to work closely with them to actively encourage schools and colleges in Wales to take advantage of the excellent opportunities provided by CyberFirst.”
Kirsty Williams, Minister for Education, Welsh Government
The CyberFirst bursary scheme continues to grow, attracting highly motivated and very talented undergraduates. There are over 900 hand-picked students either currently on or recently graduated from the scheme.
This summer, 165 undergraduates attended an eight-week virtual CyberFirst Academy programme and a further 224 students were placed with our industry and government members or on further online training programmes – providing invaluable work experience to help make the UK the safest place to live and work online.
Any company wishing to help develop and recruit these highly talented students and become a member of the CyberFirst community, should contact CFStakeholders@ncsc.gov.uk.
Continued in the full Annual Review“The academy was an amazing experience that has had a massive impact on me, and my summer placement was amazing.
“I had a great time and discovered so much more about cyber security, possibly even solidifying what I want to do going into the future in terms of career choice.”
CyberFirst Bursary Student, End of Year Review
“I’m incredibly pleased with my summer placement, the project was joint with a government agency and I was able to conduct research and learn aspects of cyber security which I’d never have considered previously.”
CyberFirst Bursary Student, End of Year Review
As part of its ongoing drive to increase female representation in cyber security, the NCSC worked with the South West division of Girlguiding UK to develop a badge and supporting activity pack called ‘On the Net’.
The initiative was launched in February at the University of the West of England (UWE), where 100 girls aged between 12 and 14 were invited to learn about online safety and how cyber skills can lead to career opportunities in cyber security – a field in which women remain underrepresented.
Continued in the full Annual Review
CyberFirst Girls’ Competition 2020
The NCSC partnered with KPMG to produce the first-ever review of diversity and inclusion in the cyber security sector. The report set an initial benchmark in the UK’s cyber security industry and began a long-term programme to make the profession more diverse and inclusive.
In April, the NCSC published a blog post talking about the decision to stop using the terms ‘blacklist’ and ‘whitelist’ on our website. It’s a small change, but one that we hope is useful as part of our wider anti-racism efforts. The blog post resonated with many people across the UK – several got in touch to thank the NCSC for taking this step, and to say that this leadership has emboldened them to make similar changes in their own workplaces. The NCSC is proud to have added our voice to the wider discussion around the use of discriminatory terminology in tech - we want cyber security to be an inclusive and welcoming place for everyone, and our language should always reflect that.
In September a team from the NCSC joined its partners in GCHQ who have established a new research hub in the centre of Manchester. The aim of both organisations is to foster increased collaboration with the city’s burgeoning number of tech experts in business and academia.
Acknowledging that the city has one of the fastest growing digital and creative communities in Europe, the NCSC will be recruiting further personnel to join those experts already in place, with a brief to support its mission on protecting Critical National Infrastructure (CNI). The CNI mission at the Manchester Hub will include such areas as Energy, Transport, Finance and Smart Cities.
It has been a year of two halves for the NCSC in its international engagement. Between September 2019 and March 2020, the NCSC welcomed delegations from over 20 different countries, and its representatives visited a similar number of countries for bilateral and multilateral engagements, and participation in cyber security conferences.
However, the impact of the coronavirus pandemic necessitated a shift to virtual engagement. Since March, the NCSC has taken part in 46 international engagements – meaning despite fewer face-to-face meetings, it has been possible to maintain global reach and influence.
It has been a year of two halves for the NCSC in its international engagement. Between September 2019 and March 2020, the NCSC welcomed delegations from over 20 different countries, and its representatives visited a similar number of countries for bilateral and multilateral engagements, and participation in cyber security conferences.
However, the impact of the coronavirus pandemic necessitated a shift to virtual engagement. Since March, the NCSC has taken part in 46 international engagements – meaning despite fewer face-to-face meetings, it has been possible to maintain global reach and influence.
The NCSC’s technical expertise affords the UK a vital source of thought leadership and influence overseas. International engagement with our partners continues to be a central component of the NCSC’s work to enhance the UK’s cyber security and resilience. The NCSC regards cyber security as a global issue that is most effectively addressed together. By sharing information and working with international partners, not only can the NCSC better protect the UK, but it can also influence and assist its partners to do the same for their own countries.
Owing to the uniqueness of cyber security as a domain, the NCSC’s international collaboration goes beyond conventional forms of engagement, or cyber diplomacy.
Examples include:
“From my engagements in many countries around the world it is very clear that the NCSC continues to set the benchmark against which other national cyber security organisations can measure themselves. It forms a cornerstone to the UK’s continued ambitions as a cyber power and an important underpinning element of UK cyber security companies’ offer in their overseas markets.”
Dr Henry Pearson, UK Cyber Security Ambassador, Department for International Trade
The UK has a long-held security alliance with the USA, Canada, Australia and New Zealand, known as “the Five Eyes”. The alignment between the countries facilitates greater information-sharing across a wide range of cyber security issues.
One such example of this close working relationship was the creation of an incident response playbook that could be applicable to the widest set of countries and situations possible.
With the NCSC leading the agenda, using its experiences and skills in incident management, the objective was to offer a product that an organisation or institution overseas could grab ‘’off the shelf’ during a crisis, providing best practice on starting an investigation and serving as a check list for a cyber incident response.
As cyber threats become more numerous, more technically diverse and more damaging, the NCSC continues to drive the agenda in international collaboration to help boost the resilience of its strategic partners and to help deter the UK’s adversaries.
Continued in the full Annual Review
“With our allied cyber security government partners, we work together every day to help improve and strengthen the cyber security of organisations and sectors of our economy that are increasingly targeted by criminals and nation states alike.
“Fortunately, there’s strength in numbers and this unified approach to combining our experiences with a range of malicious actors means that we’re able to extend our defensive umbrella on a global scale.”
Chris Krebs, Director, Cybersecurity and Infrastructure Security Agenda, USA
“At the Australian Cyber Security Centre, we collaborate closely with our international partners by sharing threat intelligence, technical tradecraft and indicators of compromise. Our joint advisories with Five Eyes nations are crucial to ensuring that valuable threat information is shared quickly and efficiently, to mitigate and protect against malicious cyber activity around the world.
“The long-standing relationship between the Australian Signals Directorate (ASD) and GCHQ is an important force multiplier for our cyber security efforts, and our joint operations to combat cyber criminals is a prime example. In one case from the last year, our collaboration identified over 200,000 stolen credit cards globally, including over 11,000 stolen Australian cards. These stolen credit cards represent potential losses of over A$90 million globally, and over A$7.5 million within Australia.”
Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre
“Coronavirus has had a profound impact on the world. This uncertain environment is ripe for exploitation by threat actors seeking to advance their own interests. To counter these threats, the Canadian Centre for Cyber Security (Cyber Centre) is working hand-in-hand with the NCSC to detect and disrupt shared threats. We exchange information to better protect our health sectors and over the past year, we have released cyber alerts and threat bulletins leveraging each other’s reporting and advice. Furthermore, we issued technical information about cyber threat activity directed at Canadian and United Kingdom organisations, including vaccine research entities, involved in coronavirus response and recovery efforts.
“The Cyber Centre and the NCSC continue to work together to protect critical infrastructure sectors from cyber threats, through regular information exchanges and by working collaboratively on joint programmes and initiatives. For example, the NCSC has leveraged and deployed some of the Cyber Centre’s defensive capabilities across UK Government departments. Similarly, the Cyber Centre has been promoting items such as DMARC where the NCSC was leading.
“We continue to share knowledge and threat information with each other on important and challenging topics including cloud security, encryption and cryptology, and election security. Looking ahead, we will continue to amplify each other’s notifications on critical cyber threats to raise awareness of the evolving threats in our respective countries.”
Scott Jones, Head, Canadian Centre for Cyber Security, Communications Security Establishment
In October, then NCSC CEO Ciaran Martin led a UK delegation at one of the most significant cyber policy gatherings in the Asia-Pacific region: Singapore International Cyber Week (SICW). He was accompanied by representatives from the UK cyber industry, academia and government. At a bilateral meeting between the UK and Singapore, covering issues including information-sharing and collaboration on emerging priorities and technology, the two countries signed an IoT Security Statement. The signing demonstrated the UK’s international leadership in improvements in the security of smart consumer products, and strengthened the relationship with a partner in a region of strategic importance to UK interests.
“The UK was delighted to play an active role in SICW 2019. International partnerships across industry, academic and government, are key to a safe and secure cyber space.
“We were particularly pleased that the CEO of UK National Cyber Security Centre joined us in Singapore and signed a joint statement of cooperation between our two nations on the Internet of Things.”
Natalie Black, HM Trade Commissioner for Asia Pacific
The UK’s CNI has a number of dependencies overseas with Operational Technology (OT) and related Industrial Control Systems (ICS) being used across the world to monitor, control and manage the operation of physical assets linked to key CNI areas such as energy and finance. The threat to OT / ICS is real, and the NCSC has seen examples internationally, where OT has been negatively impacted by cyber attacks, ranging from modifying how an industrial process operates, through to disrupting them altogether.
Strengthening the cyber resilience of the global OT and ICS is a priority for the NCSC and its international partners. Some of the NCSC’s virtual engagements on this matter this year included joint working with counterparts in the US. The NCSC’s ‘Secure Design Principles’ blog and CISA’s ‘Industrial Controls Systems Cybersecurity Best Practices’ guide, launched in May, signified a joint commitment by the UK and United States to protecting their nations’ respective ICS infrastructure.
The joint venture set out risks faced by ICS owners and operators of interconnected operational and information technology including IoT, to help them design and secure ICS, mitigate risks, and protect against the ever-evolving threats. The product also features operational CISA assessments data, along with proactive defensive practices to help CNI stakeholders defend ICS against cyber attacks and encourage a long-term, strategic approach to ICS protection. Looking ahead, the coordination and sharing of technical research, resulting in multi-national publications, will continue to be an important area for the UK ICS Community of Interest contribution – and a key way in which technical collaboration can enhance the security of the UK and overseas partners.
Continued in the full Annual Review“Cyber threats don’t care about borders, so collaboration between international partners is key to raising our collective cyber security.
“CISA and the NCSC have worked together on a number of important efforts over the past year, such as the NCSC’s ‘Secure Design Principles’ blog, CISA’s ‘Industrial Control Systems Cybersecurity Best Practices’ infographic and joint advisories about nation state and malicious cyber actors.
“We look forward to working with the NCSC on other actionable, informative and timely products to protect critical infrastructure and our citizens.”
Bryan Ware, Assistant Director for Cybersecurity, US Cybersecurity and Infrastructure Security Agency
The NCSC is proud to work with global partners to detect and disrupt shared threats. One of its key strengths in international collaboration is on cyber incident management and response, in which the ability to work alongside international partners is fundamental. For example, when investigating reports of a ransomware infection that had not been seen in the UK before, law enforcement colleagues in the NCA observed and reported that their investigations had shown a similar ransomware strain that had previously been decrypted by the Polish NCSC equivalent, CERT Polska.
The NCSC contacted the CERT Polska team to gain further information on the ransomware variant, and about the tool it had developed to decrypt it. The team at CERT Polska was open to collaboration and provided the NCSC with the code behind its decryptor, explaining how this could be turned into a standalone tool that could be used to support the UK victim.
“The NCSC’s world-leading expertise has provided a strong foundation at home for our efforts overseas to protect and promote a free, open, peaceful and secure cyberspace.
“The respect and admiration it commands from international partners has opened doors for our diplomats, and it has been generous in sharing its skills and knowledge to strengthen global resilience and security.”
Will Middleton, Director Cyber, Foreign, Commonwealth and Development Office