This week, the head of Britain’s National Cyber Security Centre (NCSC), Ciaran Martin, said something rather alarming in a newspaper interview that generated plenty of headline heat – the UK has never suffered the most serious category one (C1) cyberattack but it is only a matter of time before it does.
I think it is a matter of when, not if and we will be fortunate to come to the end of the decade without having to trigger a category one attack.
It’s the sort of warning people would probably rather not think about but undoubtedly applies in any developed country.
For anyone unsure what a C1 cyberattack is, the NCSC puts it at the top of the following three-stage definition sent to Naked Security:
C1 – “National Emergency – an incident or threat which is causing or may cause serious damage including loss or disruption of critical systems or services.”
Interestingly, this includes not only attacks on critical systems such as power utilities but the democratic process, for example through disinformation, fake news and online voter fraud.
To date, only the US and France have suffered a C1 attack, in both cases involving alleged assaults by foreign nations on their national elections.
C2 – “A significant incident or threat requiring coordinated cross-government response.”
The best example of a C2 would be last year’s WannaCry attack, which disabled computers in enough NHS hospitals that operations had to be cancelled. Since it was founded, the NCSC has recorded 34 of these.
C3 – “Sophisticated network intrusion, cybercriminal campaign for financial gain, or the large scale posting of personal employee information.”
These attacks primarily target single companies, for example through large-scale ransomware or data breaches. To date, the NCSC knows of 762.
On closer inspection, warnings about such cyberattacks are not new if you read the NCSC’s annual report from last October or remember the pointed warnings about Russia’s alleged intentions only weeks later.
It’s more a question of emphasis – by drawing attention to the threat he’s spelling out reality with more urgency.
So if a C1 attack is pretty much a certainty, then the game is really about prediction. There is no point telling citizens of the UK (or those in any country for that matter) about a serious cyberattack after the event when the whole point is to boost preparedness.
The NCSC itself receives real-time reports from organisations via something called the Cyber Security Information Sharing Partnership (CiSP), but this requires registration.
Any C1 cyberattack on the UK would appear on its radar through this channel or from reports submitted by the public sector.
Although Naked Security understands there are no plans for it at the current time, one possibility is to use a threat warning index similar to that used by the UK and US to alert people to imminent terrorist attacks. In the case of international terrorism in the UK, this has been at “severe” or “higher” for virtually all of its existence.
Implementing something similar for cyberattacks would be complex but, in some form, might be inevitable if we are to start taking Martin at his word.