I’m so proud to launch our annual review today, marking the first anniversary since the National Cyber Security Centre came into existence.
I can’t quite believe it’s been a whole year.
The review sets out what we’ve achieved, so I won’t go into the detail here (although please do have a glance at it – there’s even a hidden puzzle). But I think it’s worth me adding a bit about how it’s felt over the past year, and how it feels now.
When we started, our 600 or so people were scattered across four different organisations in five different buildings and three IT systems. We had no headquarters. In the early days we did our best to coordinate our response to incidents – there were a number of high-profile criminal attacks in late 2016 – with what we had.
A headquarters was on its way – the ‘preening cockerel’ was being built – but it was just a shell (we love it, by the way, whatever the judges think). An incredible amount of effort by a colossus of a project team meant that we were able to create a really special new facility in the heart of central London.
The new offices reflect our organisation. They’re modern, bright, open, welcoming and outward facing. But when we need to, we can easily access classified facilities and the awesome power of GCHQ’s global intelligence reach and capabilities. Having this blend helps enormously during a major incident, as we found during WannaCry in May. Having the new building allowed us to study classified data about the attack, while at the same time reaching out quickly to experts across the globe and giving rapid, relevant advice to affected organisations.
For me, the building has come to be a symbol of the attitude of our staff – creative, can-do and collaborative.
Creative in our approach to new areas of work. For a long time now smaller businesses have been asking us what they can do to protect themselves with the more limited resources at their disposal. We thought hard about how we could help and are very proud of the simple and clear guidance we issued recently.
This can-do attitude showed too in our pioneering work on automatic, large-scale cyber defences, which we call active cyber defence. Our partners in government had been asking us what we thought they could do to increase their basic level of defence. So in June we set out four free, easy-to-implement steps for the whole of government to use to reduce the harm of cyber attacks; these are now mandated across the whole of government.
Collaborative because everything we do has been amplified by our partners in law enforcement, the rest of the intelligence community, wider government and industry at home and abroad. When I think of the work we did in response to the major attack on managed service providers, it involved international partners in government and industry as well as significant partnerships with a very wide range of commercial sectors in the UK.
Within the NCSC, the atmosphere continues to feel like a start-up. We want to try new things, take risks, publish the evidence about what works and – importantly – what doesn’t. We know we won’t get everything right and that the job will get more difficult. It’s a hard mission. But it matters, and we are passionate about it. And I want to thank my magnificent team – the unsung heroes of what we do – for their efforts over the past twelve months.
The threat is real, growing and changing. But don’t underestimate the scale of our ambition or the determination of our staff to help the UK meet the challenges of the digital age. And please work with us in our second year and beyond as we strive to defend the values of an open, free and safe digital society, the safest place in the world to live and do business online.