Naked Security

Serious ‘category one’ cyberattack not far off – warns security chief

Britain’s National Cyber Security Centre's Ciaran Martin has warned it's only a matter of time before the UK suffers a category one (C1) cyberattack.

This week, the head of Britain’s National Cyber Security Centre (NCSC), Ciaran Martin, said something rather alarming in a newspaper interview that generated plenty of headline heat – the UK has never suffered the most serious category one (C1) cyberattack but it is only a matter of time before it does.

“I think it is a matter of when, not if, and we will be fortunate to come to the end of the decade without having to trigger a category one attack.”

It’s the sort of warning people would probably rather not think about, but it undoubtedly applies in any developed country.
For anyone unsure what a C1 cyberattack is, the NCSC puts it at the top of the following three-stage definition sent to Naked Security:
C1 – “National Emergency – an incident or threat which is causing or may cause serious damage including loss or disruption of critical systems or services.”
Interestingly, this includes not only attacks on critical systems such as power utilities but also attacks on the democratic process, for example through disinformation, fake news and online voter fraud.
To date, only the US and France have suffered a C1 attack, in both cases involving alleged assaults by foreign nations on their national elections.
C2 – “A significant incident or threat requiring coordinated cross-government response.”
The best example of a C2 would be last year’s WannaCry attack, which disabled computers in enough NHS hospitals that operations had to be cancelled. Since it was founded, the NCSC has recorded 34 of these.
C3 – “Sophisticated network intrusion, cybercriminal campaign for financial gain, or the large scale posting of personal employee information.”
These attacks primarily target single companies, for example through large-scale ransomware or data breaches. To date, the NCSC knows of 762.


On closer inspection, warnings about such cyberattacks are not new if you read the NCSC’s annual report from last October or remember the pointed warnings about Russia’s alleged intentions only weeks later.
It’s more a question of emphasis – by drawing attention to the threat he’s spelling out reality with more urgency.
So if a C1 attack is pretty much a certainty, then the game is really about prediction. There is no point telling citizens of the UK (or those in any country for that matter) about a serious cyberattack after the event when the whole point is to boost preparedness.
The NCSC itself receives real-time reports from organisations via something called the Cyber Security Information Sharing Partnership (CiSP), but this requires registration.
Any C1 cyberattack on the UK would appear on its radar through this channel or from reports submitted by the public sector.
What then?
Although Naked Security understands there are no plans for it at the current time, one possibility is to use a threat warning index similar to that used by the UK and US to alert people to imminent terrorist attacks. In the case of international terrorism in the UK, this has been at “severe” or “higher” for virtually all of its existence.
Implementing something similar for cyberattacks would be complex but, in some form, might be inevitable if we are to start taking Martin at his word.

8 Comments

To me, this sounds like fear-inducing hyperbole to restrict a free internet. Power cuts can happen at any time and will affect a lot more than just the internet. Health organisations should already have emergency plans for such an occurrence. Isn’t it amazing how humans survived before the internet and, yes, even before electricity?!


Reminds me a bit of Private Frazer out of Dad’s Army :-)
“We’re all dooomed. Dooooooooooooooooooooooooomed.”


Hah. Never heard of that; Wikipedia FTW!
(is it worth a watch?)


It’s frightfully British. A good insight into how the WW2 years were seen 25 years after the war ended. Quite a number of its catch phrases are still widely known and laughed at in the UK, notably Frazer’s “We’re all doomed” and Mainwaring’s “Stupid boy,” even 40 years later. Mind you, I don’t think it has ever not been showing on some or another retro TV channel.


Constant syndication says SOMEthing, even if it only speaks to a cult following.
Sometimes the strong British humor eludes me more than I’d care to admit, but I do find a good deal of guilty pleasure in Doctor Who despite its camp…I’ll check it out.


*just now clicked*
I haven’t played Worms 2 (GREAT game!) in a decade, but it included multiple sound bytes for each occasion (a well-placed shot, timer expired, et cetera), in multiple styles and dialects. My two favorite schemes were “Soul Man” and “Angry Scots.” The worms would taunt one another and complain in comical, pitch-shifted voices. Tools at a worm’s disposal included the bazooka, blowtorch, karate punch, Holy Hand Grenade…and exploding sheep.
One of the Scots’ responses to being killed was “We’re all doomed.”
IIRC, Team 17 was/is a British software company. There were likely numerous other pop culture references to fly above my head.


But if we are vulnerable to such attacks, shouldn’t groups like NCSC be seeking to ensure that critical parts of national infrastructure are not internet connected? After all, they managed to work before the internet. And “not connected” does not just mean “firewalled”, it means no connection.
In respect of “the democratic process, for example through disinformation, fake news and online voter fraud”, there is a serious need to establish confidence in some form of “news” which is not dependent on hackable media or media that is vulnerable to disinformation. I don’t know the answer but am increasingly aware of the loss of confidence others have in media that I have previously relied on – and that sows doubt in my mind. How can one engage if one is not sure of the facts (and lacks the bravado of a politician)?


Uh, I’m pretty sure that Ukraine has had several C1 issues in 2017 alone. If memory serves me the power grid going down is a pretty severe issue. I’m also pretty sure that other countries have suffered C1 issues as well, given the definition. You seem to be only concentrating on the voter fraud issue in the US and France.
