The UK government plans to expand its active cybersecurity defence scheme to include more private sector organisations, the National Cyber Security Centre (NCSC) revealed this week. In a media briefing on Monday, technical director Ian Levy said the agency plans to scale up its Active Cyber Defence (ACD) programme, which offers free cybersecurity services to UK organisations, “quite significantly in the next few years”. Cybersecurity experts have welcomed such schemes, but warn that they require effective oversight.
What is Active Cyber Defence?
Launched in 2016, ACD provides a range of free services, including intrusion detection and compliance assessments, to help combat ‘commodity’ security threats. Some of these services are currently available to anyone, with others open to public sector organisations only.
ACD’s Takedown service, which identifies and blocks malicious sites, intercepted 2.3 million ‘cyber-enabled commodity campaigns’ in 2020, according to the NCSC’s 2021 annual review, taking the UK’s share of phishing emails from 5% in 2016 down to around 3% this year. The Suspicious Email Reporting Service, which is run in partnership with the City of London Police, has received more than 7.25 million reports from the public since April 2020 and almost 60,000 scams have been taken down as a result, the NCSC says.
The various ACD services also protect organisations against ransomware, the report claims, by preventing infections, by disrupting ransomware once an infection has taken place, and by providing “data and tools to investigate suspected ransomware and respond to it”.
Last year, the scheme was expanded to include healthcare providers and the Covid-19 vaccine supply chain. ACD was extended to cover the entire Health and Social Care Network, a shared network for the NHS and its suppliers, in one day, said Paul Maddinson, NCSC director of national resilience and strategy, “which was a hell of a thing to do. That’s protected between two and three million individuals in those sectors and prevented ransomware in a number of different organisations”.
Ian Levy told reporters that the NCSC’s intention is “to try and scale out [ACD] quite significantly over the next few years,” including to private sector organisations beyond the healthcare sector. He noted that the NCSC still has to determine whether, and how, ACD services should be delivered to certain sectors. “You probably don’t want the country’s DNS being run by [intelligence agency] GCHQ, right? … The idea is to understand where those different services would best provide benefit and then work out the best delivery model for each sector.”
This expansion would be paid for by the £114m increase in funding for cybersecurity in the government’s latest spending review. This brings the total budget to £2.6bn, not including funds for the National Cyber Force, the joint operation between GCHQ and the Ministry of Defence. “That’s a massive amount of endorsement,” said Paul Chichester, NCSC’s director of operations. “So it’s definitely a priority for the government […] but that needs to continue and increase.”
What are the risks of active cyber defence?
Governments are taking an increasingly active stance against cybercrime, says Max Heinemeyer, director of threat hunting at cybersecurity provider Darktrace. Earlier this year, the US Department of Justice authorised the FBI to remove malware associated with the HAFNIUM group from infected computers. In January, a coalition of governments took down the EMOTET botnet by taking control of its operating infrastructure.
Heinemeyer says that active cyber defence is an ‘additional tool’ in the fight against cybercrime but it is not without risks. “Often it is unclear beforehand what the exact risks and potential rewards are for the active cyber defence operations,” he says. “Removing malware from a victim’s server who might not have the technical capabilities to do so otherwise might be a good thing for some. For others, it may be seen as an intrusive nightmare that might pose risk and collateral damage.
“It is good that nation-states are evaluating and thinking about active cyber defence as one response mechanism to cyber threats,” Heinemeyer says. “But it needs frameworks, thought and assessments around it to make them secure, acceptable and responsible.”