The United Kingdom’s National Cyber Security Centre (NCSC) has released its Annual Review for 2024. As in prior years, the report covers the UK’s cyber security position, in terms of both the threats to the public and private sectors and the country’s readiness to deal with those threats.
Unsurprisingly, the NCSC notes that the greatest nation-state-sponsored threats to the UK emanate from China, Russia, Iran and North Korea. The report highlights the now relatively well-known threat of remote IT workers from North Korea infiltrating companies under the guise of being freelance contractors, and then using their access to those companies’ IT systems for the state’s financial gain.
As in previous years, the report notes the threat that ransomware poses to the UK. The sectors reporting the highest ransomware activity were academia, manufacturing, IT, legal, charities and construction. The NCSC managed 20 ransomware incidents, 13 of which were classified as nationally significant, such as attacks on the British Library and various National Health Service trusts.
Increasing numbers of individuals are reporting vulnerabilities identified in government services via the Vulnerability Reporting Service. The majority of these vulnerabilities have been identified in services operated by the UK’s various local government agencies and departments, which is perhaps unsurprising given that there are over 10,000 local councils in the UK, each operating their own online services.
Like many other government agencies, the NCSC is concerned about the development of AI. It reports that it is working with several US-based organisations, including the Cybersecurity and Infrastructure Security Agency and the AI Security Center, on matters connected to AI. It has coordinated with 21 international agencies to publish “Guidelines for Secure AI System Development”, which aim to raise cyber security levels in all aspects of AI design, development and deployment. The NCSC is also focusing efforts on the UK’s migration to post-quantum cryptography.
The NCSC cautions that the UK as a whole “needs to wake up to the severity of the cyber threat” it faces. It notes that too many organisations are not taking even basic protective measures, and considers that the technology market does not incentivise organisations to develop secure products. The NCSC repeats in the report that it does not consider the barriers to improving cyber resilience to be technical, but rather market- and culture-driven. The NCSC wants to encourage the development of products that are “secure by design” and to incentivise the fixing of classes of vulnerability, rather than the patching of individual vulnerabilities as they arise.
The NCSC report notes that the UK Government is planning to introduce a new Cyber Security and Resilience Bill to Parliament, which should act as a crucial step towards hardening the UK’s cyber defences. However, it notes that legislation alone cannot solve the challenges that the UK faces. It will be important to ensure that the implementation is managed effectively and in a way that works with industry and the private sector.