A UK government strategy to reduce the exposure of public sector websites and services to cyber-attacks should be rolled out to private sector firms, according to a new study by academics.
The country’s Active Cyber Defence (ACD) program has reduced cybercrime targeted at government agencies and service users since it was launched in November 2016.
The program – developed and spearheaded by the UK's National Cyber Security Centre (NCSC) – has helped reduced the problem of scam emails from spoofed government addresses and the removal of thousands of phishing sites that target the personal information of users.
Academics at King’s College London argue that the strategy ought to be expanded to private sector firms. A report (PDF), published on Tuesday, argues that there are no significant technical obstacles and plenty of benefits in extending the approach to the commercial sector.
Dr Tim Stevens, convener of the Cyber Security Research Group at King’s College London, explained: “The Active Cyber Defence programme has been a huge success in protecting government agencies – and those who use them – from cyber threats.
“Our research finds that it could be legally, cheaply and efficiently rolled out beyond the public sector, to further protect people online.”
Active Cyber Defence (ACD) is a collection of services geared towards protecting the UK from high-volume everyday attacks.
Components of the program include a service that reports on the condition of an organization’s infrastructure, a service that helps vulnerability researchers to report bugs in government websites, and an online package containing cyber exercises that help organizations to formulate an incident response strategy.
The term ‘active cyber defense’ is often used in an offensive context to refer to ‘hacking back’ against the perceived sources of cyber-attacks – a strategy that might invite escalation or retaliation.
In the UK government context, however, Active Cyber Defence is a purely defensive strategy, and mostly geared towards thwarting everyday malware and phishing attacks, rather than more sophisticated assaults (GCHQ has offensive capabilities but these are not part of ACD).
Since its launch, ACD is said to have reduced the UK’s share of visible global phishing attacks by more than half – from 5.3% (June 2016) to 2.4% (July 2018). Between September 2017 and August 2018, the service removed 138,398 phishing sites hosted in the UK, according to stats supplied by the NCSC.
Given the apparent success of the initiative, the UK government has already been exploring the possibility of its expansion.
An earlier study by the NCSC – Active Cyber Defence – One Year On, published in February 2018 – outlines the UK government’s plans to expand its defense program to private sector organizations (see Chapter 8 for details).
In a response to a request for comment on the King’s College London report, Dr Ian Levy, technical director of the NCSC, told The Daily Swig: “We have developed and tested our ACD services on government with great success. Our long-term goal has always been to encourage solutions like these to be adopted in the private sector.
“The ACD programme intends to increase our cyber adversaries’ risk and reduces their return on investment to protect the majority of people in the UK from cyber-attacks.”
Dr Stevens acknowledged that the “NCSC has mooted extending ACD from day one”.
“It’s always been a question of whether to and how,” he told The Daily Swig. “Hopefully, our report adds something to that discussion.”
Marketing materials distributed with the King’s study said that the UK government should “name and shame companies whose cybersecurity measures fail to protect consumers’ data”.
Dr Stevens told The Daily Swig that naming and shaming should only be considered as a “last resort”.
Some firms and trade bodies are already developing systems that use ACD and similar technologies.
Gov scanning is good. M’kay
Academics at King’s College London acknowledge the potential privacy concerns in using technology developed by the British government outside the public sector – particularly in relation to the ACD ‘Web Check’ tool, which identifies basic vulnerabilities in website design.
To prevent application of the technology being perceived as the government “scanning” and collecting data on private organizations’ websites, computer scientists recommend creating a buffer between the intelligence community and third parties by assigning responsibility for such tools to regulatory authorities in each sector, such as the Charity Commission for charities.
ACD – even though it is not a “silver bullet” capable of slaying all cybersecurity monsters in one fell swoop – shows great promise and should be expanded and given time to mature.
The methodology can extend the UK’s cybersecurity influence abroad by providing a model of best practice and helping to shape global security norms, the academics conclude.
“Greater transparency around the level of cybersecurity employed by businesses and other organizations will motivate them to adopt ACD measures that will keep users and their data safe,” said Dr Stevens.
The Cyber Security Research Group at King’s College London is an intra-disciplinary group featuring experts in international relations, public policy, and computer science (among other disciplines) that promotes research into cybersecurity.