The authoritative voice on UK cyber security
The UK government has recently confirmed that its National Cyber Security Centre ("NCSC") will begin operations in October 2016. This newest body to be established as part of the UK's continuing fight against cybercrime will be headquartered in London and is to be "the authoritative voice on information security in the UK".
The NCSC is expected to consolidate the UK's existing expertise in this area. It is anticipated that it will provide much needed coordination between the various government bodies and initiatives that relate to the government's Cyber Security Strategy and Cyber Security Policy (2010-2015).
One of its first tasks will be to work with the Bank of England to produce advice for the financial sector for managing cyber security effectively. This is a clear recognition that financial services are at high risk when it comes to cyber security and that many financial institutions are prime targets for cyber-attacks.
As things stand, the intention is for the NCSC to report to the Director of GCHQ (currently Robert Hannigan). This is a strong indication that the government sees this issue as a matter of national security and intelligence. Ciaran Martin, currently Director General Cyber at GCHQ, will lead the team and Dr Ian Levy, currently Technical Director of Cyber Security at GCHQ, will join the organisation as Technical Director.
The government intends to consult with private industry as part of the process for setting up the NCSC.
Role under the Network and Information Security Directive (the "NIS Directive")?
It will be interesting to see what role the NCSC might play under the regime to be introduced by the NIS Directive. The EU institutions reached political agreement on the proposed NIS Directive in December 2015, although formal approval of the final text is still outstanding (see the most recent draft here). The plan will be to introduce a new regulatory regime with a tiered reporting structure.
The NIS Directive will impose new network and information security requirements on digital service providers and operators of essential services. Amongst other things, they will be required to report certain security incidents to either a "competent authority" or a "Computer Security Incident Response Team" ("CSIRT"). It seems possible that CERT-UK, the National Computer Emergency Response Team formed in March 2014, would be designated as a "CSIRT" in the UK.
As well as being responsible for monitoring the application of the NIS Directive at national level, the designated "competent authorities" will be responsible for the security of network and information systems for:
- at least the following sectors: energy, transport, banking, financial markets and infrastructure, health care, drinking water supply and distribution, digital infrastructure; and
- the following digital services: the online marketplace; online search engines; and cloud computing services.
In order to safeguard existing sectoral arrangements and to avoid duplication, the NIS Directive allows Member States to designate more than one national competent authority to be responsible for fulfilling the tasks linked to the security of the networks and information systems of operators of essential services and digital service providers. It is not clear at this stage who the designated competent authorities would be in the UK, although it is possible that these would be the existing sectoral regulators such as the FCA/PRA in the financial services sector.
The NIS Directive envisages that the reports that are received by CSIRTs and competent authorities will be funnelled up to a designated national "single point of contact". This will be responsible for coordinating network and information security issues and take charge of cross-border cooperation at EU level.
NCSC as the UK's single point of contact?
The NCSC would seem to be an obvious choice to act as the UK's national single point of contact under (Provisional) Article 6 (2a) of the NIS Directive, given that it is already being positioned as the authoritative voice on information security in the UK. The Chancellor's November 2015 speech certainly suggests that this is the role the NCSC is intended to play:
The Centre will be a unified source of advice and support for the economy, replacing the current array of bodies with a single point of contact…we will build in the National Cyber Centre a series of teams, expert in the cyber security of their own sectors, from banking to aviation, but able to draw on the deep expertise here, and advise companies, regulators, and government departments.
To the extent that the NCSC is designated for this role, regulated entities will be dealing with an authority that acts as a regulator on the one hand and a national security and intelligence organisation on the other – this would be a first for many industries. How the NCSC itself would choose to work with other regulators and exercise its powers remains to be seen.
Of course, many of the entities that are likely to be regulated under the NIS Directive will no doubt already be taking steps to ensure that they are compliant with the General Data Protection Regulation, which is aimed at reforming data protection across the EU. It makes sense for these entities to have the NIS Directive in mind when introducing these changes, since in practice they are likely to require similar measures to be taken. It will be interesting to see how these two regimes, and their respective regulators, will work in parallel given the significant overlap between them – this may well be one of the many challenges the NCSC faces in the near future.