The first joint annual threat assessment of NCA and NCSC is pushed today. The NCSC, part of GCHQ and formed by an amalgamation of various cyber-security related bodies, is the governmental advisory agency on cyber crime issues and is supported by the law enforcement powers of the NCA. It is intended that they will jointly deliver many aspects of the 2016-2021 National Cyber Security Strategy.
Today's report identifies the main current cyber threats, describes the "pivotal" cyber security incidents of the last year, predicts future trends and emerging threats, and suggests a number of ways in which business can combat cyber crime.
In general, the scope for cyber attacks is growing: the skills required to launch attacks are more readily accessible and the continued spread of internet connected devices (which often lack the same security levels as conventional computers) has broadened the target area for cyber criminals. Knowledge sharing among criminals has led to a more sophisticated threat, and the suspicion grows that nation state actors are (directly or indirectly) assisting in attacks on financial and, in the case of the US presidential election, democratic institutions.
Cyber extortion and fraud are becoming more aggressive and targeted. Ransomware continues to be the most commonly used mode of attack, and as with other cyber threats, its sophistication is growing. Businesses are advised to maintain a form focus on backup and defensive systems. Financial trojans (such as Dridex, Trickbot and Ramnit) designed to attack banking institutions have evolved, illustrating their resilience in the face of intense law enforcement and internal security attention.
Difference in US approach
Interestingly, while UK businesses continue to be regarded by the authorities very much as potential victims of cyber crime, the US appears to be taking a stricter approach: the New York State Department of Financial Services’ (DFS) introduced regulations on 1 March which oblige financial services companies (including branches of foreign banks) to enact minimum cyber security measures. Consultation on imminent similar Federal regulations closed in February 2017, so one can see a trend developing that places cyber security on the compliance spectrum alongside, for example, anti-money laundering procedures.
Overall such threats will arise from the evolving sophistication of current methods and the increasingly widespread use of new technology. Significant targets for future attacks are thought to be Domain Name Servers (DNS servers) and other fundamental parts of the internet’s infrastructure (email, website hosting and so on). An attack on such “upstream services” rather than individual websites could have a much broader disruptive effect, which would distract from the true target of an attack. Industry may find itself at greater risk of high profile as the adoption of low security internet-connected devices (for smart meters and networked CCTV) continues apace. Such devices provide a gateway to previously inaccessible systems and the risk they create can be hard to predict. Connected devices will also pose a problem for consumers, putting at risk the security of personal data and so providing a potentially rich seam of fuel for fraudulent activity.
Increasingly sophisticated and tailored malware will make identification and attribution of cyber attackers more difficult, hindering law enforcement efforts at deterrence and reducing the disincentives for attackers. At the same time the growing market in malware on criminal forums lowers the barriers to entry for any aspiring cyber criminal.
What to do?
The thrust of the report’s recommendations is the improvement of awareness of and the sharing of knowledge on cyber crime. Businesses are encouraged to develop a full-spectrum response to cyber threats, with a focus on technology (cyber security), people (training and awareness) and processes (communication within organisations). A major concern is that many cyber attacks go unreported, hindering the authorities’ ability to accurately gauge the scale of the problem and the resources needed to fight back. Without proper, effective cooperation from businesses and consumers alike (and alongside encouragement to report is a commitment to promote better “cyber hygiene”) the already difficult task of combatting cyber crime is made still harder.