In November 2011, the government published the UK Cyber Security Strategy which set out the government’s vision of ‘a vibrant, resilient and secure cyberspace’. The objectives were to make the UK one of the most secure places in the world to do business in cyberspace and make the UK more resilient to cyber attack and better able to protect its interests in cyberspace. The strategy also aims to help shape an open, vibrant and stable cyberspace that supports open societies, followed by building the UK’s cyber security knowledge, skills and capability.
Every year since the launch of the strategy, the government produces an annual report on the progress against the strategy’s objectives. The 2014 report was presented to Parliament on 11 December.
Cyber Security Programme
To support the Strategy, the government put in place a National Cyber Security Programme backed by £860 million of investment to 2016. Through the programme the government is working to further deepen the UK’s national sovereign capability to detect and defeat high‑end threats, and to ensure law enforcement has the skills and capabilities needed to tackle cyber crime and maintain the confidence needed to do business on the Internet.
The programme also works to ensure critical UK systems and networks are robust and resilient and improve cyber awareness and risk management amongst UK business. It also aims to bolster cyber security research and education, so the UK has the knowledge and expertise to keep pace with this fast‑moving issue into the medium-term.
The government also works with international partners to bear down on havens for cybercrime, and to help shape international dialogue to promote an open, secure and vibrant cyberspace.
What’s more, the government is working to ensure members of the public know what they can do to protect themselves, and are demanding good cyber security in the products and services they consume.
The 2014 progress report on the strategy shows that the government has made E F significant strides towards these goals.
Notable progress from this year include the inauguration of the new CERT-UK (Computer Emergency Response Team) which coordinates the UK’s national response to significant cyber incidents. CERT-UK has played a significant role already in protecting the Commonwealth Games and the NATO Summit in Wales from cyber threats.
The National Cyber Crime Unit has led global law enforcement operations in conjunction with the FBI and other counterparts to target cyber criminals.
The government has also introduced a new scheme, Cyber Essentials, which sets a basic standard for cyber security for all organisations in the UK. Much of this work is done in partnership with business and the academic community.
National Cyber Crime Unit
The National Cyber Crime Unit NCCU), part of the National Crime Agency (NCA), leads operations on serious cyber crime whether it originates in the UK or internationally. Programme funding is being used to enhance the broader digital investigation skills of NCA officers. 3,519 NCA Officers have completed the e-learning digital awareness e-learning course (called the Internet and You). The GCHQ is supporting the NCCU in helping it develop the skills and technology required to combat the most sophisticated cyber crime threats to the UK.
At the regional level the NCSP has funded the police to establish dedicated cyber units in each of the nine Regional Organised Crime Units (ROCUs) across England and Wales.
There are currently over 85 operations being progressed with regional and national impact.
In London, Operation FALCON (Fraud and Linked Crime Online) has brought together the Metropolitan Police’s fraud squad and the cyber crime unit to disrupt and arrest cyber criminals attacking London businesses. FALCON made 117 arrests from its inception in August through to October 2014.
Training in tackling cyber crime has also been delivered to mainstream police forces. The College of Policing has designed four e-learning modules on cyber crime aimed at police officers and staff, which give an introduction to cyber, digital and social media. Since they were rolled out in 2013, over 120,000 of these modules have been completed. The College and police forces have also been delivering a classroom-based course to police investigators which gives them understanding of how to exploit intelligence and evidential opportunities offered by technology, social networking and communications data. Together these initiatives are helping train up frontline police to be able to fight crime effectively in a digital age.
The role of CERT-UK
The government is working with industry to ensure that critical services are resilient should a serious incident occur and that public authorities and infrastructure providers are ready to respond.
CERT-UK was launched in March 2014 and works with industry, academia and the public sector to enhance the UK’s cyber resilience.
CERT-UK oversees a programme of exercises to support critical sectors in preparing for the potential impact of a destructive cyber attack. It also works with other CERTs internationally to ensure the response to transborder incidents is prompt and co-ordinated and that the UK can benefit from international sharing of information on cyber security threats.
CERT-UK made an immediate impact providing information and advice on mitigation on the recently discovered Heartbleed and Shellshock vulnerabilities. CERT-UK provided information to Cyber security Information Sharing Partnership (CISP) members and issued alerts and advisories on its public website. Working with partners in industry, the police and the Scottish and Welsh Governments, CERT-UK successfully oversaw the safety of the digital infrastructure that supported the Commonwealth Games in Glasgow and the Wales NATO Summit.
In June 2014, the Government Communications Headquarters (GCHQ), the Department for Business, Innovation & Skills (BIS) and the Cabinet Office launched Cyber Essentials, a new government‑backed and industry supported scheme to incentivise widespread adoption of basic security controls that will help to protect organisations against the commonest kind of internet attacks. The scheme is constructed to be affordable and practical for all firms, small as well as large. Certification comes with a badge which firms can use to help demonstrate their security credentials to customers and investors, and which insurers can take into account when considering firms for relevant insurance policies.
The scheme has generated significant interest, with over 30,000 views of the summary and associated documents.
Since the launch 124 companies have been awarded the Cyber Essentials badge including high-profile organisations such as Barclays, Vodafone and the CBI, and more are going through the process. Many more are expressing support and the desire to encourage companies in their supply chains to use it. From October 2014, possession of Cyber Essentials accreditation has been mandatory for suppliers to government in certain categories of procurement. This, along with the 50 certification bodies now in operation, will further drive adoption and contribute to increasing take-up during 2015.
John Cridland, director general of the Confederation of British Industry said: “Increasing awareness of the cyber security threat to business is an important issue to the CBI, so we are pleased to be one of the first organisations to take part in the Cyber Essentials scheme. Business leaders will benefit from the access to helpful and authoritative cyber security guidance. Encouraging firms to adopt this scheme is a positive step towards greater awareness of cyber security and more widespread action to manage the risks”
At the strategic level all government department boards and the boards of key government agencies have incorporated cyber risk into their risk management regimes.
The National Archives’ successful ‘Responsible for Information’ e-learning course for staff in the public sector has been completed by around 500,000 public servants and face-to-face training for more than 3,600 staff has been delivered for those in critical roles.
The Government Digital Service completed the move this year of every local authority and council to the Public Services Network (PSN), the high-performance government IT network enabling secure collaboration between local authorities. The majority of central government departments and suppliers will also be moved to the PSN before the end of the financial year.
A new PSN compliance process is currently being piloted and will be rolled out in 2015. It validates adherence to appropriate technical and security standards, ensuring that the PSN community can do business together safely, securely and efficiently.
Supported by National Cyber Security Programme funding, the Government Digital Service are working on GOV.UK Verify, which will be the way for members of the public to prove who they are when using digital government services. It will replace face‑to-face and postal methods of verifying people’s identity, so the process can be done securely online. During 2014, GOV.UK Verify has been testing the service with invited users of the HMRC’s PAYE for employees service, DVLA’s View Driving 14 Licence service and Defra’s CAP Information Service. Five identity verifiers have been appointed – Experian, Digidentity, Post Office, Verizon, and Mydex.
DWP has developed a comprehensive intelligence led cyber security capability to ensure its digital service programmes are secure. DWP and GCHQ experts continue to work together to ensure programmes are robust against interference or attempted fraud.
To ensure government finances are secure against cyber threats HMRC established a dedicated cyber security team in 2012. The team has been educating HMRC staff to identify suspicious behaviour, and deploying new technologies to enhance HMRC’s ability to identify and tackle cyber crime. The team has assisted in the prevention of fraud totalling more than £100 million this financial year.
HMRC has also deployed proactive technical measures to secure web domains that may otherwise be used by criminals to send fraudulent e-mails to customers for the purposes of delivering malware or stealing personal information. This is now in the process of being rolled out across all identified web domains. As a result, more than 94 per cent of all fraudulent e-mails spoofing HMRC web domains are now being deleted by ISPs, preventing delivery to customers’ mailboxes. The department also takes down illegitimate phishing websites looking to steal data from taxpayers. To date this financial year, HMRC has responded to more than 75,000 phishing reports and taken down more than 4,000 illegal websites. Meanwhile HMRC provides cyber security advice to its customers on a daily basis via online guidance and Twitter – for example by raising awareness of phishing attacks using fake HMRC emails. Its cyber security pages have been viewed more than 400,000 times.
Cyber Security and Defence
The government has continued to strengthen the cyber security of the armed forces and the military supply chain. The Defence Cyber Protection Partnership (DCPP) was formed to improve cyber security within the defence supply chain, and continues to focus on best practice, awareness, and proportionate standards. The DCPP, which includes thirteen prime defence contractors and, representing smaller businesses, the trade associations ADS and techUK, has developed a framework that clearly identifies expected cyber standards.
The Cyber Security Model for Defence will be officially implemented in 2015. Cyber Essentials is a basic building block for good cyber security practice across all organisations and as such will be an essential component of the new model. Suppliers are asked to achieve Cyber Essentials in preparation for this process.
International co-operation on cyber crime; disruption of criminal networks.
Many cyber criminals operate from outside UK jurisdiction. With NCSP funding the NCCU has been able to increase its overseas footprint in order to understand the 10 global cyber crime threats, coordinate activity against priority threats, and develop relationships with international partners that can support transborder co-operation on prosecutions, including additional posts in Europol and Interpol.
The UK Government is working more generally to build international capacity to fight cyber crime. It has worked with the Organisation of American States to develop national cyber strategies in the Caribbean which will help those countries protect themselves as well as reducing threats to the UK. The UK Government also worked with the Council of Europe (CoE) to help establish a National Cyber Crime Centre in Romania, which acts as a co-ordinating body for all CoE capacity building activity relating to cyber crime and has also led cyber crime investigations. The Centre has enabled the CoE to manage the growing number of assistance requests and is now able to support countries worldwide in their efforts to tackle cyber crime, recently including Sri Lanka and South Africa.
Where co-operation with other jurisdictions is difficult, or where prosecutions are not possible for other reasons, criminal activity can still be disrupted. Working with the FBI, GCHQ and other law enforcement partners as well as private industry the National Crime Agency has led for the UK on several major international operations on cyber crime. Backed by public messaging these can be highly effective in reducing UK firms – and citizens – exposure to cyber crime. For example in May 2014, the National Crime Agency (NCA) launched a major operation with international law enforcement and industry partners against two significant pieces of malware: Game Over Zeus (GOZeuS) and CryptoLocker. This resulted in over 3 million visits to HMG channels for advice on combating malware. The period from June to November 2014 showed a 70% reduction in GOZeus-infected UK computers.
The government’s strategy also involves preventing crime through helping citizens and businesses get better protected. The government is working to ensure that consumers are better informed of the potential risks and what they can do to reduce them, and demand better cyber security in the products and services they buy. Law enforcement has played its part in this wider effort by following up its operations with media campaigns aimed at highlighting the risks and signposting advice on responses.
Following the publication of the Internet Service Providers (ISPs) Guiding Principles in December 2013, the signatories formed a working group to co-ordinate and monitor progress made in these areas. BIS and law enforcement continue to work in partnership with ISPs to minimise and mitigate the internet cyber threats facing ISP customers. The ISPs have improved their security advice and support for customers and promoted the government’s cyber security awareness campaigns.
Cyber Streetwise launched in January 2014 with the goal of measurably improving cyber security amongst the public and small and medium sized businesses. A second phase of the campaign launched in October 2014 with a greater focus on. Since its launch it has driven over 600,000 unique visitors to the Cyber Streetwise website and the online films have attracted over 5 million views. The first phase improved take-up among more than 2 million adults of recognised cyber security activities such as using stronger passwords and checking signs for a secure website when shopping online.