New Cyber Attack categorisation system to improve UK response to incidents

Created:  12 Apr 2018
Updated:  12 Apr 2018
The NCSC and law enforcement are implementing a new cyber incident prioritisation framework.
  • NCSC and law enforcement to implement new cyber incident prioritisation framework
  • Existing system of three categories of incident broadened to six detailed classifications
  • Categorisation spans full range of incidents from national campaigns to personal attacks
  • Move reflects ever-strengthening partnership between law enforcement and the NCSC
  • Announcement comes on the final day of the NCSC’s flagship conference CYBERUK 2018

HACKERS wanting to harm the UK will be thwarted thanks to a step-change in how intelligence experts align with law enforcement, it has been announced today.

The new, world-leading approach will see the National Cyber Security Centre (NCSC), a part of GCHQ, working hand-in-hand with law enforcement agencies to defend against the growing threat.

The NCSC has responded to more than 800 significant incidents since October 2016, and their incident responders will now classify attacks into six specific categories rather than the previous three.

The changes, which are effective immediately, will improve the consistency of incident response and make better use of resources – ultimately leading to more victims receiving support.

Paul Chichester, the NCSC’s Director of Operations, said:

“This new joint approach, developed in partnership with UK law enforcement, will strengthen the UK’s ability to respond to the significant, growing and diverse cyber threats we face.

“The new system will offer an improved framework for dealing with incidents, especially as GDPR and the NIS Directive come into force shortly.

“Individual judgements will of course still be applied to respond to incidents as necessary.”

Information processed by the new framework will ultimately be used to generate the most comprehensive national picture to date of the cyber threat landscape, spanning the full range of incidents from national crises to cyber attacks on individuals.

The incident category definitions give increased clarity on response mechanisms for incidents by identifying which factors would activate a specific classification, which organisation responds and what actions they would take.

National Police Chiefs' Council Lead for Cybercrime, Chief Constable Peter Goodman, said:

“This is a hugely important step forward in joint working between law enforcement and the intelligence agencies.

“Sharing a common lexicon enables a collaborative understanding of risk and severity that will ensure that we provide an effective, joined-up response.

“This is good news for the safety of our communities, business and individuals.”

The framework encompasses cyber incidents in all sectors of the economy, including central and local government, industry, charities, universities, schools, small businesses and individuals.

Any cyber attack which may have a national impact should be reported to the NCSC immediately. This includes cyber attacks which are likely to harm UK national security, the economy, public confidence, or public health and safety.

Depending on the incident, the NCSC may be able to provide direct technical support. The NCSC also provides comprehensive guidance and advice on its website for companies or individuals in need.

People or businesses suffering from a cyber attack below the national impact threshold should contact Action Fraud, the UK’s national fraud and cyber crime reporting centre, who will respond in accordance with the new incident categorisation.

Ollie Gower, Deputy Director at the National Crime Agency said:

“The NCA and wider law enforcement already work hand in hand with the NCSC to provide a strong, coordinated response to cyber incidents targeting the UK.

“This new framework will ensure we are using the same language to describe and prioritise cyber threats, helping us deliver an even more joined up response.

“I hope businesses and industry will be encouraged to report any cyber attacks they suffer, which in turn will increase our understanding of the cyber threat facing the UK.”

The announcement was made on the final day of CYBERUK18, the NCSC’s flagship conference that has brought together more than 1,800 people from the cyber security industry, law enforcement, government and academia.

CYBERUK18 saw Manchester Central Convention Complex transformed by state-of-the-art industry and government displays demonstrating cutting-edge technology to help the UK thrive in the digital age.

Simultaneously, a series of lectures, keynotes, panel debates and workshops were delivered around the NCSC’s four objectives – nurture cyber skills and understand, reduce and respond to attacks.


Notes to editors

An overview of the new incident categorisation framework is below.

The NCSC defines a cyber security incident as:

  • A breach of a system’s security policy in order to affect its integrity or availability
  • The unauthorised access or attempted access to a system

Activities commonly recognised as cyber incidents are:

  • attempts to gain unauthorised access to a system and/or to data
  • the unauthorised use of systems and/or data
  • modification of a system's firmware, software or hardware without the system-owner's consent
  • malicious disruption and/or denial of service

The NCSC provides a single, central body for cyber security at a national level and is the UK’s technical authority on cyber. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice.

GCHQ is the parent body for the Centre, meaning that it can draw on the organisation’s world-class skills and sensitive capabilities.

Category 1: National cyber emergency

  • Category definition: A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.
  • Who responds? Immediate, rapid and coordinated cross-government response. Strategic leadership from Ministers / Cabinet Office (COBR), tactical cross-government coordination by NCSC, working closely with Law Enforcement.
  • What do they do? Coordinated on-site presence for evidence gathering, forensic acquisition and support. Collocation of NCSC, Law Enforcement, Lead Government Departments and others where possible for enhanced response.

Category 2: Highly significant incident

  • Category definition: A cyber attack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.
  • Who responds? Response typically led by NCSC (escalated to COBR if necessary), working closely with Law Enforcement (typically NCA) as required. Cross-government response coordinated by NCSC.
  • What do they do? NCSC will often provide on-site response, investigation and analysis, aligned with Law Enforcement criminal investigation activities.

Category 3: Significant incident

  • Category definition: A cyber attack which has a serious impact on a large organisation or on wider / local government, or which poses a considerable risk to central government or UK essential services.
  • Who responds? Response typically led by NCSC, working with Law Enforcement (typically NCA) as required.
  • What do they do? NCSC will provide remote support and analysis, standard guidance; on-site NCSC or NCA support may be provided.

Category 4: Substantial incident

  • Category definition: A cyber attack which has a serious impact on a medium-sized organisation, or which poses a considerable risk to a large organisation or wider / local government.
  • Who responds? Response led either by NCSC or by Law Enforcement (NCA or ROCU), dependent on the incident.
  • What do they do? NCSC or Law Enforcement will provide remote support and standard guidance, or on-site support by exception.

Category 5: Moderate incident

  • Category definition: A cyber attack on a small organisation, or which poses a considerable risk to a medium-sized organisation, or preliminary indications of cyber activity against a large organisation or the government.
  • Who responds? Response led by Law Enforcement (likely ROCU or local Police Force), with NCA input as required.
  • What do they do? Law Enforcement will provide remote support and standard guidance, with on-site response by exception.

Category 6: Localised incident

  • Category definition: A cyber attack on an individual, or preliminary indications of cyber activity against a small or medium-sized organisation.
  • Who responds? Automated Protect advice or local response led by Law Enforcement (likely local Police Force).
  • What do they do? Remote support and provision of standard advice. On-site response by exception.
