GCHQ's National Cyber Security Centre outlines 8 ways to improve UK's cyber security

'We'll be eating our own dog food' to ensure measures work, says NCSC technical director Ian Levy

The National Cyber Security Centre's technical director has outlined how the government's Active Cyber Defence (ACD) programme will help the UK defend itself from cyber attacks.

In a blog post, Ian Levy outlines eight ways in which the NCSC, which is part of intelligence organisation GCHQ, plans to tackle cyber crime. The organisation has previously said the UK is hit by 200 serious cyber security incidents per month.

Yesterday the government announced details of its £1.9bn National Cyber Security Strategy, part of which is the NCSC's Advanced Cyber Defence (ACD) programme.

"There's a common complaint from industry to governments about cyber security. It's generally that governments tell them they're not doing enough and must do more, often without really understanding the real-world impacts or commercial implications of their demands," writes Levy, adding that all measures recommended will be tested out on government agencies first.

"We'll be eating our own dog food to prove the efficacy (or otherwise) of the measures we're asking for, and to prove they scale sensibly before asking anyone else to implement anything."

The ACD will use automation to tackle cyber threats as far as possible, focusing on eight key areas.

Improving the underlying infrastructure protocols
The Border Gateway Protocol (BGP) will be hardened and re-implemented to stop trivial re-routing of UK traffic, and make it harder for UK-based machines to be co-opted into botnets to take part in DDoS attacks.

Locating phishing sites and asking hosts to take them down
Working with UK company Netcraft, the NCSC has been tracking phishing sites globally.

"When they find it, they ask the hosting provider to take down the offending site. It's surprisingly effective and again generates data we can use. We'll definitely do more in this space," Levy says.

Tackling email spoofing
Levy says the NCSC will tackle the problem of email spoofing by introducing reputation systems for email domains and addresses.

"There exists already a number of internet standards that can help tackle spoofing, including SPF, DKIM and DMARC," he writes.

"We've already published with [Government Digital Service] GDS an email security standard that includes, among lots of other things, DMARC and that's going to become mandatory soon for government."

Filtering DNS to manage impact
NCSC will build a system to filter domain name services for malware.

"With GDS, we've partnered with Nominet to build a big anycast recursive DNS service for public sector. That's going to have a response policy zone (RPZ) on it that stops users of the service accessing things we know to be harmful," writes Levy.

He denies that such a service could be used by the government for censorship.

"Let's be clear - this isn't about the nanny state or censorship. A DNS filtering service with an easy opt out for users is a pretty useless censorship tool to be honest," he says.

Driving the UK software ecosystem to be better
The NCSC will look at whether it is possible to deny "high risk" people access to certain services if the software they are running is out of date.

"There are certain services and groups of users who are so high risk that we think that service differentiation based on software age is appropriate," Levy says.

"We haven't got to exactly what this means yet, but as a hypothetical example tax accountants may not be able to submit new returns on their customers' behalf if they consistently use out of date software."
Helping government improve security
The NCSC will look at ways to help government agencies improve their IT security, starting with a 'WebCheck' service.

"This is a relatively simple web vulnerability scanning service that we'll provide for free to all public sector organisations," says Levy.
Encouraging innovation in identity and authentication
"Passwords are sub-optimal as an authentication mechanism, but there's not much incentive for industry to take the commercial risk in trying out new stuff," Levy writes.

"So we hope to stimulate research and development - and eventually a market - in novel ID&A techniques. We'll use government services to trial some new ID&A techniques out, once we've done the work to ensure the security."

More help for owners and operators of critical national infrastructure
The NCSC will look at the security of industrial control systems and how it might be tightened up. This is a long-term project that will likely exceed the current funding round.

Going after adversaries
There will be a focus on gathering evidence on the nature and methodology of attacks.

"Many of the active defence measures are intended to generate useful data that will help us all understand much better the reality of cyber attacks and the efficacy of the various defences we'll put in place over the coming years," he writes.

"The intent is to be in a place where the skilled network defender community are free to tackle the really nasty stuff. That's what the UK's active defence programme is about."

Computing's Enterprise Security & Risk Management Summit returns on 24 November. Entrance is FREE to qualifying IT leaders and computing professionals, but places are going fast, so register now.