“The question of a Category 1 cyber-attack in the UK is a matter of when, not if.” – Ciaran Martin, NCSC
In last week’s IRM cybersecurity news roundup, we highlighted the National Cyber Security Centre’s (NCSC) latest news. The NCSC’s Deputy Director, Peter Yapp, announced that the UK is likely to face a “Category 1” cyber-attack in the years ahead.
This announcement, which had already been touched upon in previous months, received huge coverage across the UK media. Despite the attention, many media outlets failed to offer a detailed explanation of what a Category 1 cyber-attack actually is. As a result, this blog will cover what a Category 1 cyber-attack is, what it could entail for the UK and what we can do to prevent one.
Defining ‘Category 1’ cyber-attacks
In April 2018, the NCSC and UK law enforcement introduced a new set of category definitions for cyber-attacks. Expanding the scheme from three categories to six was intended to make incident response and guidance more consistent.
Firstly, ‘Category 1’ is defined as “A cyber-attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or loss of life”.
If a Category 1 cyber-attack occurred, the NCSC would be involved and an “immediate, rapid and coordinated government response” would follow. On-site presence would be organised to gather evidence and support incident response.
What does this mean for the UK? A Category 1 attack would likely cripple key parts of our critical national infrastructure (CNI). The diagram below highlights the key areas of CNI for the UK.
A Category 1 attack is likely to impact the national power grid, airlines, railways, power plants or weapon systems. The incident is likely to be caused by a small group of people, but it would have an impact on the majority of the UK population.
Most importantly, if the attack is deemed “likely to harm UK national security, the economy, public confidence, or public health and safety”, the NCSC needs to be informed and the incident is likely to be classified as Category 1.
The 2017 WannaCry attack can help to put things into perspective. The attack caused the shutdown of several hospitals for prolonged periods, but was only classified as Category 2. This is because, fortunately, the incident did not result in loss of life.
Full categorisation of cyber-attacks can be found on the NCSC website.
Why is the UK vulnerable to a Category 1 attack?
The NCSC has warned of a high-level cyber-attack since its inception. So why is the threat of a Category 1 attack being emphasised now? Mainly because of the increase in major incidents over the last 18 months, including last year’s WannaCry attack and the more recent Equifax breach in May.
Unfortunately, a large part of the UK’s vulnerability to attack comes from the fact that organisations don’t realise many breaches are preventable. This is usually due to a lack of understanding of the value and importance of the assets the organisation holds, and of the impact their theft would have.
The cyber-skills gap is also a weakness in the UK: there are not enough skilled workers in the cybersecurity industry to support organisations.
What could happen with a Category 1 cyber-attack?
Some of the most notorious cyber-attacks in recent years have targeted CNI. The Stuxnet computer worm is thought to have been used by US and Israeli intelligence agencies to derail an Iranian nuclear weapon program, reportedly with the aim of preventing a regional war between Iran and Israel. But what if a cyber-attack were used to provoke a war instead?
In 2015, a cyber-attack in Ukraine caused a massive power outage which left over 230,000 people without power for hours. Whilst this didn’t lead to loss of life, what would happen if the UK lost power, water and other energy supplies for a prolonged period of time? How would emergency services run? How would society react? You can read about other examples of attacks on CNI in our blog post here.
At the other end of the spectrum, many cybersecurity experts conclude that the political process is highly vulnerable. With the recent US midterm elections, concerns were raised about the disruption that Russian or other nation-state actors could cause to the vote.
But how do nation states affect elections? They can deface websites and use social media to spread propaganda, or hack polling stations to complicate the casting of ballots. Such malicious activity then casts uncertainty across the voting public, similar to the Russian hacking in the 2016 US election.
What are we doing about it?
As mentioned above, the lack of awareness and understanding of the importance of data assets is one of the first hurdles. This can be improved by investing in a strong cybersecurity strategy and in employee development. Helping workers understand cybersecurity at every level, and what to look out for, can help uncover even the smallest vulnerabilities within a business.
It’s well understood that we are suffering from a cyber-skills gap worldwide. Educational institutions and organisations have a responsibility to invest in developing cyber-skills among students and existing employees to ensure we can fight cybercrime.
In a landmark move, the NCSC worked with the US Government to publish evidence in April 2018 that Russia had attacked critical national infrastructure. This report provided tools to help clean up the attack as well as important guidance going forward for dealing with external threats.
As a whole, the NCSC has developed automation to reduce some of the UK’s common cybersecurity defence weaknesses. At an organisational level, there needs to be better cooperation between businesses and their employees. Contrary to the popular opinion that workers on the ground are the weakest link in cyber-attacks, they can be developed into your strongest line of defence.
It’s vital that we raise awareness of the importance of cybersecurity at all levels. It only takes one small weakness to allow an attacker into a vulnerable system. Minimising the number of weak spots will not only strengthen your own organisation, but will also help protect national infrastructure.