What does the NCSC do and how can it help UK enterprises?

The UK’s National Cyber Security Centre (NCSC) has a wide remit and range of initiatives and services. How can UK enterprises work with the NCSC to make their own networks more secure?


What is the NCSC?

The UK’s National Cyber Security Centre (NCSC) is a government organisation that helps protect the public and private sectors from cyberattacks and responds to cyber incidents, particularly those affecting critical national infrastructure and government.

Though its parent agency, Government Communications Headquarters (GCHQ), traces its roots back to the end of the First World War, the NCSC’s history is much more recent.

In 2015 the government announced a new five-year £1.9 billion National Cyber Security Strategy, which included the founding of the NCSC to provide “a hub of world-class, user-friendly expertise for businesses and individuals” as well as rapid response to incidents.

The NCSC, which launched in October 2016, brought together under one roof the Communications-Electronics Security Group (CESG), the information security arm of GCHQ; the cybersecurity functions of the Centre for the Protection of National Infrastructure (CPNI); CERT-UK, the national computer emergency response team; and the Centre for Cyber Assessment (CCA), which provided cyber threat assessments for government departments to help inform policy decisions. “We're trying to secure the entirety of the UK from everybody — from states, cyber criminals, whatever the threat is,” says Chichester. “We want to be a one-stop shop for anybody in the UK, so you name an organisation in the UK and they should be able to come to the NCSC and get some kind of advice. That might be our website, it might be by directly engaging with us.”

What does the NCSC do?

Because it amalgamates several government bodies and has a broad remit, along with a long list of acronyms and initiatives with “cyber” in the name, it can be hard to identify everything the NCSC does.

Here’s an overview of the different services the NCSC provides that may be helpful to UK enterprises.

Information sharing & sector-specific guidance: The NCSC runs the Cyber Security Information Sharing Partnership (CiSP), a free joint industry and government initiative launched in 2013 (before the NCSC existed) that lets member organisations exchange cyber threat information in real time. It has over 4,000 member organisations.

The NCSC also publishes regular threat updates online that focus on specific groups, vulnerabilities, campaigns or threat vectors. Advice is available for various verticals, including charities, schools and higher education and even politicians. There is also a strong focus on helping secure small- to medium-sized businesses (SMBs).

“SMBs are mainly the supply chain for the handful of bigger companies in the UK,” says Chichester. “One of the big challenges we see, and I think around the world most companies are realising it, is the supply chain because it's not just about securing the FTSE 250. They will only be secure if you can actually have confidence that their supply chain is secure, which is why we have Cyber Essentials.”

Accreditation and certification: The NCSC provides a wide range of security accreditation and certification. The Cyber Essentials and Cyber Essentials Plus certification schemes give smaller organisations a certificate acknowledging a good level of basic cyber hygiene (and certification is a requirement for bidding on certain UK government and Ministry of Defence contracts). Over 30,000 organisations have been certified since the scheme’s introduction in 2014. While most enterprises will be far more sophisticated in their security posture, Cyber Essentials can serve as a baseline requirement to impose on a supply chain.

The NCSC also certifies individual cyber professionals, training courses, and cybersecurity products and services. For companies looking for technology and service providers, the Commodity Information Assurance Services (CAS), Commercial Product Assurance (CPA), and Cyber Incident Response (CIR) schemes highlight suppliers the NCSC has vetted and approved to work with the public sector.

The NCSC Certified Professional (CCP) scheme was developed with academia, certification bodies such as CREST, and others; holders are recognised as eligible to work on UK government networks and Critical National Infrastructure (CNI) projects. CHECK accreditation identifies NCSC-approved penetration testing companies, which may conduct authorised penetration tests of public sector and CNI systems and networks. NCSC Certified Training marks government-approved security training courses mapped to the CIISec Skills Framework, and the NCSC also certifies bachelor's and master’s degrees that meet its standards.

Direct cybersecurity help: The NCSC runs the UK’s national CERT and provides support to government bodies and organizations classified as critical national infrastructure during cybersecurity incidents. It also offers a Cyber Assessment Framework (CAF) designed to help organisations achieve and demonstrate an appropriate level of cyber resilience.

While the CAF is primarily targeted at CNI providers, the principles of the framework (governance, risk and asset management, managing supply chain risk, detecting and responding to incidents, and ensuring resilience) are relevant to all major businesses. Even if you’re already implementing most of the ideas in the framework, it gives you a structured way to assess your security posture.

As with many intelligence-related agencies, GCHQ has a public GitHub page, and so does the NCSC, whose projects include logging guidance and its zero trust architecture principles. The NCSC also provides a number of tools and services, mostly for the public sector and CNI providers, under the Active Cyber Defence banner. These include the Mail Check email security compliance tool (which monitors anti-spoofing configuration such as SPF, DKIM and DMARC), the Web Check website vulnerability scanner, the Protective Domain Name Service (which blocks resolution of known malicious domains), and Exercise in a Box, which helps organisations run cybersecurity exercises to test their readiness.

The NCSC also helped the government with Project Foxhound, a new secure government IT network designed to replace 15 separate confidential networks and other classified systems, including the delivery of encrypted devices to senior policy makers and cabinet ministers.

Indirect support for the cybersecurity industry: The NCSC fosters UK cybersecurity startups through its Cyber Accelerator programme, while its CyberInvest programme encourages and promotes industry investment in cybersecurity research within UK universities (participating companies include HPE, BT, Thales and GSK). It also runs various STEM initiatives to widen the pipeline of young people coming into the field.

In the education and awareness space, it supports the Cyber Security Body of Knowledge (CyBOK) project to help codify cybersecurity to make it easier to teach and explain the subject across the industry. It has also created a “board toolkit” to help non-technical board members understand cyber risk and the potential impact it can have on their businesses.

“If they're not sure about where to begin, [the board toolkit] starts to allow a board to have a conversation with the tech teams, CISOs, the part of the organisation that they probably rarely talk to,” explains Chichester. “What we're trying to do is come up with a common language that boards and security teams can share.”

How businesses can work with NCSC

Given the NCSC’s remit of protecting the UK, much of its focus is on helping secure the nation’s critical infrastructure, but the NCSC is keen to extend its reach beyond CNI and aims to provide the same level of help to other sectors in collaboration with the most cyber-savvy companies in their respective industries.

“Everything we do with CNI, we're trying to do for the [individual] sectors, and we take a sector-based approach to helping industry,” Chichester explains. “We want sectors to become self-sustaining because ultimately there's only so much government can help with. We don't own their systems. We can't protect them from everything, but what we can do is help them understand the threat.”

Part of this work includes writing sector-specific threat assessments. Recent examples include advice for retail, legal and higher education, each tailored to emphasize the unique threats, risk, and actors in those spaces. “We're trying to tailor advice, guidance, tools, capabilities to those different places,” says Chichester. “We’re doing a lot with retail at the moment. Clearly, there's a threat to retailers. They hold a lot of personal data; they hold a lot of money. Point-of-sale cybercrime is a huge threat and we need to make sure that retailers understand that.”

Those reports are often created in collaboration with companies from the sector the NCSC is looking to provide guidance for. “We published the threat assessment for legal sector online, and one particular law firm gave us free effort to help us write the guidance for the law sector,” says Chichester. “We're not experts in those sectors. We need them to help us understand what's going to work for those sectors.”

The NCSC also wants to foster more collaboration between companies and industries. Chichester calls its CiSP information sharing platform a “hugely vibrant community of companies from every sector. Communities are a really important part of the vision of the UK, having a really collaborative community around cybersecurity across every sector. We try to bring them in, talk to them about how we do perceive threats, hold events and workshops.”

A more direct way to get involved with the NCSC is volunteering. The Centre runs an initiative called Industry 100 (i100), which sees cyber professionals from industry donate their time and skills to the cause. Chichester describes the initiative as “a vision around getting 100 people from industry who understand sectors to work with us to help us do the mission.”

“If you come to Nova [Nova South, NCSC’s London HQ] you would see a large number of people from industry helping us do the mission. Companies can contribute their insights, their time, their knowledge, their expertise, their leadership. Very often we're looking for companies that can help us spread the message and be evangelists for cybersecurity.”

Working with GCHQ doesn’t have to be scary

The elephant in the room, and potentially a concern for many companies wary of working with the NCSC, is the fact that the Centre sits underneath the UK’s signals intelligence agency. “GCHQ has always had the dual mission of intelligence and security,” says Chichester. “We're not going around the world saying ours is the best model. Because we always have had intelligence and security so intimately entwined, having the cybersecurity agency in an intelligence agency, that makes sense for us. We think that gives us an edge. We think it allows us to operate at pace, with agility, act on intelligence.”

He says that GCHQ was asked to lead the creation of the NCSC because of its technical understanding of threats, the skills and talent it already had, and its international reputation and pre-existing links to other security communities and industry. While he acknowledges that this close relationship may concern some people, Chichester is quick to point out that everything the NCSC does is done in an “open and transparent way…. The single biggest challenge that we focused on when we launched the Centre was transparency and being open and public facing and accessible. Our job is to make sure that people trust us enough to want to work with us. Trust is earned. It doesn't come intrinsically necessarily, especially in security.”

Chichester says that the NCSC and businesses share a “common purpose” that allows them to work together easily. “Ultimately, we absolutely want to reduce harm in cyberspace. We want to reduce cybercrime and make sure that UK critical infrastructure is safe and secure. We're not doing anything sneaky or spooky. If somebody absolutely thinks we're doing something nefarious, call it out.”

As is often the case with law enforcement and cyber incidents, the NCSC is keen to reassure businesses that it is there to help victims, not to report them to regulators for compliance failures. “We're not a regulator. We have a close relationship with regulators and government departments, but we are very clear that there is a very thick wall between us; what a company tells us doesn't get to the regulator and they can't compel us to report.”

While he promises the NCSC won’t report you, Chichester says the Centre regards regulation as an “important tool” in making the UK better and safer and will usually advise victims of cyberattacks to engage with their regulator. This may change in the future, however. Labour’s 2019 election manifesto outlined a policy that would potentially give the Centre powers as an auditing body, with the “ability to issue warnings to private and public sector organisations and designate risk.”

Chichester says that ultimately it is up to the government of the day to decide the NCSC’s role, and that having regulatory powers has both positive and negative aspects, but that any changes to the Centre’s remit would be made in an open and transparent way.


Copyright © 2019 IDG Communications, Inc.
