
NCSC warns of gap between cyber threats and resilience

03/12/24

Mark Say Managing Editor


Richard Horne
Image source: NCSC, Open Government Licence v3.0

The UK urgently needs to close the gap between growing cyber threats and its resilience, the National Cyber Security Centre (NCSC) has warned.

It has sounded the warning in its newly published annual review, accompanied by its chief executive officer, Richard Horne, describing the cyber risks facing the nation as “widely underestimated”.

The review makes clear that the situation is making the public sector vulnerable.

“The NCSC believes that the severity of the risk facing the UK is being widely underestimated, and that the cyber security of critical infrastructure, supply chains and the public sector must improve,” it says.

“There is a growing disparity between the resilience of our infrastructure and the threat we face. The gap between the threat and the cyber resilience of the UK needs to close as a matter of urgency.”

Vendor issue

It adds that the public sector – along with charities, education bodies and SMEs – often has to treat cost as a big factor in procuring cyber security solutions, and that this prompts vendors to concentrate on reducing time to market at the expense of designing products that improve security.

This has to change and requires business and commercial incentives for suppliers to provide products that are secure, private, resilient and accessible to all.

It identifies a need for further research into the dynamics of the technology market, and for government to develop strategic policy on the issue. This will involve NCSC working with the Department for Science, Innovation and Technology, highlighting poor cyber security standards that organisations have grown used to accepting, and making those responsible for decisions accountable for investing in any defective products.

More incidents

The review also notes a rising frequency of cyber incidents and a growing severity in their impact.

Over the past 12 months, the NCSC has observed how conflicts are fuelling a volatile threat landscape, including Russia’s deployment of destructive malware against Ukrainian targets, and routine attempts to interfere with the systems of NATO countries in support of its war effort.

China is described as a highly sophisticated and capable actor targeting a wide range of sectors. In February 2024, the NCSC co-signed an advisory on observed compromises of US Critical National Infrastructure by Volt Typhoon, and in March 2024 the UK Government called out China state-affiliated actors for targeting democratic institutions.

Iran-based threat actors remain aggressive in cyberspace, and North Korea continues to prioritise raising revenue to circumvent sanctions and collect intelligence in its cyber activity.

Exposure and defences

In a speech at the formal launch of the review, Horne said: “What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us.

“And what is equally clear to me is that we all need to increase the pace we are working at to keep ahead of our adversaries.

“The NCSC, as the National Technical Authority, has been publishing advice, guidance and frameworks since our inception, in a bid to drive up the cyber security of the UK. The reality is that advice, that guidance, those frameworks need to be put into practice much more across the board.

“We need all organisations, public and private, to see cyber security as both an essential foundation for their operations and a driver for growth. To view cyber security not just as a ‘necessary evil’ or compliance function, but as a business investment, a catalyst for innovation and an integral part of achieving their purpose.”

 
