National Cyber Security Centre (NCSC), part of UK GCHQ, Releases 2021 Annual Review
Dating back even longer than the more familiar and storied intelligence community history of collaboration between British Intelligence and the U.S. Office of Strategic Services (OSS) during World World II, the UK intelligence agencies have always been a vital partner with the U.S. intelligence community and, arguably, have been the most integral global partner in the prevention of an attack on U.S. soil since 9/11.
Enter the current cyber threat landscape, and it is instructional to review how the Brits are framing the challenges and outcomes of the last year in cybersecurity. The National Cyber Security Centre (NCSC), a part of Government Communications Headquarters (GCHQ), was created in 2016 as part of the UK’s 5-year National Cyber Security Strategy. Self-described as “the UK’s technical authority for cyber security,” the NCSC has put out an annual review every year since its inception.
In this year’s report, “Annual Review 2021: Making the UK the safest place to live and work online“, the NCSC, as part of a national security agency, is unable to disclose all its work publicly, but seeks in the annual review “to describe the year with insights and facts from colleagues inside and out of the organisation.”
Lindy Cameron, CEO of the National Cyber Security Centre since October 2020, notes in the CEO Foreword to the Annual Review:
- NCSC support of the Covid-19 vaccine roll out. The NCSC dealt with 777 [cyber] incidents – an increase on last year – of which 20% were linked to the health sector and vaccines.
- A worrying growth in criminal groups using ransomware to extort organisations. Cameron advises the UK business community that” [ransomeware extortion] is now the most immediate cyber security threat to UK businesses and one that I think should be higher on the boardroom agenda.
- An international supply-chain data breach emanating from a compromise of SolarWinds was one of the most significant incidents that the NCSC dealt with over the last year. This attack involved one of the world’s most popular IT system management platforms being breached by the Russian Foreign Intelligence Service and is an important reminder of the need for organisations to be resilient if one of their suppliers is affected.
In his Foreword Statement, Sir Jeremy Fleming (Director of the UK GCHQ) remarked that “in the UK there was an increase in the scale and severity of ransomware attacks, targeting all sectors from businesses to public services. Of course, coronavirus continues to shape what we see. Cybercriminals are still exploiting the pandemic, while hostile states shifted their cyber operations to steal vaccine and medical research. The NCSC worked..to protect those involved in the UK’s response, including the NHS, medical research and the vaccine supply chain. Its impact has been substantial and far-reaching at a time of global crisis.”
From the NCSC Fifth Annual Review
The review has as its focus five areas of cybersecurity:
The Threat: Assessing, responding to, disrupting and deterring cyber threats.
Resilience: Building a cyber-resilient UK.
Technology: Spearheading research and analysis to find new ways to secure the UK’s digital systems.
Ecosystem: Strengthening and growing the UK’s cyber security ecosystem.
Global Leadership: Advancing UK leadership in support of a free, open, peaceful and secure cyberspace.
Each chapter of the review highlights key achievements and developments, including:
- Real-World impact: In 2021, according to the review, “food supplies were affected, local fuel prices increased, citizens were denied access to public services, at-risk children’s details were lost and the costs to businesses and public funds ran into hundreds of millions of pounds.”
- Identifying threat actors, and attributing their malign activity: Attribution continued to be an important part of cyber deterrence, with perpetrators identified and their actions exposed. In April 2021 the NCSC, together with its security counterparts in the US, revealed for the first time that Russia’s Foreign Intelligence Service (SVR) was behind one of the most serious cyber intrusions of recent times, an attack on the popular SolarWinds IT management platform. This major attribution came five months after the first warning by the NCSC that SolarWinds had been compromised and could be used for further attacks on connected systems.
- 39% of all UK businesses (2.3m) reported a cyber breach or attack in 2020/21, compounding an already difficult year for many small to medium-sized enterprises, according to the Department for Digital, Culture, Media & Sport, Cyber Security Breaches Survey published in March).
- Chinese state-backed actors gained access to computer networks around the world via Microsoft Exchange servers: NCSC experts assessed the attack was highly likely to enable large-scale espionage, including acquiring personally identifiable information and intellectual property. It was reported that at least 30,000 organisations were compromised in the US alone…acts included the targeting of maritime industries and naval defence contractors in the US and Europe, and the targeting of foreign democratic institutions, including the Finnish parliament in 2020. The NCSC used its technical understanding of the Chinese cyber threat to attribute variously HAFNIUM, APT31 and/or APT 40 to the Chinese state.
- The ransomware model has developed further into what is termed Ransomware as a Service (RaaS): As the business model has become more and more successful…the market for ransomware has become increasingly ‘professional’. The review spells out specific ransomware activities which companies are advised to take into serious consideration in the year ahead:
“Organised crime groups spend time conducting in-depth reconnaissance on their targeted victims. They will identify exploitable cyber security weaknesses. They will use spoofing and spearphishing to masquerade as employees to get access to the networks they need. They will look for the business-critical files to encrypt and hold hostage. They may identify embarrassing or sensitive material that they can threaten to leak or sell to others. And they may even research to see if a potential victim’s insurance covers the payment of ransoms. This process can be painstaking and lengthy, but it means that, when they are ready to deploy, the effect of ransomware on an unprepared business is brutal.”
Many of the developments highlighted by the NCSC Annual Review mirror findings from the Google Cybersecurity Action Team Cloud Threat Intel Report.
Proactive Steps and Cyber Measures
In 2021, the NCSC continued to roll out their CSC’s Active Cyber Defence Services, including launching the Early Warning Service, to alert organisations to emerging threats, and the increasing success of the Suspicious Email Reporting Service, which allows the public to report potential scams. The Suspicious Email Reporting Service is run in partnership with the City of London Police, and since its launch in April 2020 has received more than 7.25 million reports from the public, with almost 60,000 scams taken down as a result.
Equivalent USG DHS CISA type services for the U.S public and private sector is the National Cyber Awareness System | CISA.
Sharing and collaborating with organisations and the public is also a core function of the NCSC, working with a range of sectors from education to farming, sport to Critical National Infrastructure (CNI), providing custom advice to each industry vertical on becoming more resilient. In an innovative effort to create “cyber awareness” amongst the general public in the UK, GCHQ’s first TV advertising campaign was launched, “directly engaging the British public with advice on how they can increase their cyber security.”
The Next National Cyber Security Strategy: The Threat from the East, Public/Private Partnership and Innovation
This year also marks the culmination of the most recent 5-year National Cyber Security Strategy (the first was from 2011-1016).
Director Fleming addresses the 5-year benchmark: “The Government’s investment in cyber security means we know much more about the changing threats the country faces today than we did five years ago, when the NCSC was set up. And we are looking ahead too. We can see technology leadership is shifting eastwards. The key technology we will rely on for future prosperity and security won’t necessarily have democratic values at its core. We will work with partners around the world to help the UK and allies face this moment of reckoning.”
Also, not much unlike the public-private partnership considerations and the role of the market in cybersecurity in the U.S., in 2019 an independent defense and security think-tank RUSI (the Royal United Services Institute) put together a research project “to determine the best course for UK national cyber security beyond 2021, stressing…the need for an enhanced role for private sector providers partnering with the public sector and government.” The RUSI research project found that “there must be a clear mutual understanding as to where UK government responsibility ends, and private sector accountability begins. This dialogue is at present only in the early stages.”
An early report also suggests the next National Cyber Strategy will reflect the need to develop “an industrial base that delivers innovative and effective cyber security products and services that help everyone stay safe in cyberspace.”
For more on the types of threats discussed in the NCSC Annual Review, see Cybersecurity Sensemaking | OODA Loop.
Black Swans and Gray Rhinos
Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis
Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking
Corporate Sensemaking: Establishing an Intelligent Enterprise
OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along its journey to optimized intelligence. See: Corporate Sensemaking
Artificial Intelligence Sensemaking: Take advantage of this megatrend for competitive advantage
This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking
COVID-19 Sensemaking: What is next for businesses and governments
From the very beginning of the pandemic, we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily intelligence as well as pointers to reputable information from other sites. See OODA COVID-19 Sensemaking Page.
Space Sensemaking: What does your business need to know now
A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking
Quantum Computing Sensemaking
OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See Quantum Computing Sensemaking.
The OODAcast Video and Podcast Series
In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision-making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See The OODAcast.