Annual Review 2023
Making the UK the safest place to live and work online
A note on our front cover, produced with artificial intelligence (AI)
The front cover of this year’s Annual Review, along with the illustrations included within, was created using an image generator powered by artificial intelligence (AI). Working closely with a design agency, we wanted to explore the opportunities that AI presents as well as its limitations.
This effort has been an iterative one, as the initial prompts used included ‘cyber security’, ‘future’ and ‘technology’. These prompts alone generated the stylised green coding, dark quasi-dystopian images and men in hoodies hunched over laptops which we have become accustomed to, reinforcing a stereotypical representation of cyber security.
When asked to show people within these
Generative AI tools pose ethical, legal and existential questions which society is grappling with, and will continue to grapple with, for years to come. While AI as an emerging technology presents a huge opportunity for global governments and wider society, in the context of increasing interest and intrigue from the UK public, it’s vital that those using these technologies understand the cyber security risks, as our CEO Lindy Cameron warned earlier this year.
It is incumbent on us all to use AI responsibly, and on us at the NCSC to work with industry and governments around the world to ensure that cyber security is thoroughly considered during the development of new AI technologies.
Contents
2 Timeline
4 Ministerial foreword
6 Director GCHQ
8 CEO NCSC
10 Chapter 1 – Threats and Risks
17 Case study: Russia – an acute and chronic cyber threat
22 Chapter 2 – Resilience
33 Case study: Securing the UK’s critical national infrastructure
39 Case study: Defending our democracy in a new digital age – at the ballot box and beyond
43 Case study: The next generation of UK cyber security services
47 Chapter 3 – Ecosystem
55 Chapter 4 – Technology
64 Case study: The cyber security of artificial intelligence
71 Afterword
NCSC Annual Review 2023
Timeline
2022
7 September – Lindy Cameron discusses international collaboration in deterring malign actors with industry, at the 13th Billington Cyber Security Summit in Washington
8 September – The NCSC mourns the death of Her Majesty the Queen, whom we will always fondly remember for officially opening our doors in February 2017
20 September – The UK and our allies expose Iran’s Islamic Revolutionary Guard Corps for exploiting cyber vulnerabilities for ransomware operations
12 October – The NCSC issues fresh guidance following a recent rise in supply chain cyber attacks
14 November – Cyber Aware campaign launched to help keep online shoppers more secure in the run up to Christmas
9 December – The NCSC and DCMS publish a code of practice for app store operators and app developers

2023
11 January – The NCSC provides support to Royal Mail following a cyber attack
19 January – The NCSC hosts members of the national Computer Emergency Response Team for Ukraine (CERT-UA) to discuss Russia’s illegal invasion and building cyber resilience
3 February – Lindy Cameron visits India for a series of meetings with cyber security leaders on the shared opportunities and challenges the UK and India face in cyberspace
6 February – 13 national teams claimed victory at the 2023 CyberFirst Girls Competition finals
27 February – Lindy Cameron speaks about the importance of good cyber hygiene among the public sector at Cyber Security Scotland
14 March – The NCSC publishes a thought leadership piece on the security of large language models, following the rise in popularity of ChatGPT
21 March – The NCSC urges organisations to utilise its Cyber Action Plan and Check Your Cyber Security services as part of its Cyber Aware campaign
11 April – Anne Keast-Butler announced to succeed Sir Jeremy Fleming as the Director of Government Communications Headquarters (GCHQ)
13 April – The NCSC and international partners share new advice to encourage software manufacturers to embed secure-by-design and secure-by-default principles into their products
17 April – The NCSC’s Cyber Advisor launches to support small and medium-sized businesses without in-house cyber expertise
19 – 20 April – The UK’s flagship cyber security conference CYBERUK is held in Belfast for the first time
19 April – New NCSC report assesses the threat to UK industry and society from the use of commercial cyber tools and services
19 April – The NCSC issues a warning of an emerging threat to critical national infrastructure from a new class of state-aligned cyber adversary
20 April – UK and international partners publish joint guidance to help communities create secure smart cities
9 May – UK and international allies issue a joint advisory exposing Snake malware and its use in operations carried out by Centre 16 of Russia’s Federal Security Service (FSB)
13 May – The NCSC provides support to the Eurovision Song Contest to improve cyber security resilience
24 May – UK and its allies issue a new warning about China state-sponsored cyber activity targeting critical national infrastructure networks
7 June – The NCSC works with UK organisations to respond to the MOVEit vulnerability and data extortion incident and publishes guidance
14 June – UK and international partners issue a new joint advisory warning of the enduring threat posed by the LockBit ransomware operation
14 June – Lindy Cameron emphasises the importance of building security into AI technologies in a major speech at the Chatham House Cyber 2023 conference
30 June – The NCSC marks the 20th anniversary of its first response to a state-sponsored cyber attack
6 July – The NCSC’s sixth annual Active Cyber Defence (ACD) report highlights success in preventing millions of cyber attacks from reaching the UK
23 July – New shadow IT guidance published to help organisations manage rogue devices and services within the enterprise
3 August – The NCSC and allies reveal the most common cyber vulnerabilities exploited in 2022 in a new advisory
24 August – The NCSC launches the research problem book, laying out the areas of cyber security that need cooperative research over the next 5-10 years
31 August – UK and allies support Ukraine in calling out Russia’s GRU for the new Infamous Chisel malware campaign
Ministerial foreword
We live in a dangerous, volatile world. The events of the last year have demonstrated the extent to which geopolitical crises and technological change impact us all, threatening not just our traditional security but our economic security.
The new front line is online. As this Annual Review shows, the methods of attack are proliferating. The number of hostile state and non-state actors with access to such tools is growing. The ways in which these countries, organisations and individuals can do us harm – from bots undermining our democracy, to hacks disrupting our public services, to ransomware attacking our businesses – are expanding. The rapid rise of artificial intelligence is accelerating the pace of change, compounding the threats and lowering the barrier to entry. As a result, the cyber world is a more dangerous place than ever before, and cyber security is rising up our risk register.
The Government treats cyber security with the same urgency and importance as we treat our traditional defences. The National Cyber Security Centre is on that frontline, building and maintaining resilience in the face of a rapidly expanding array of threats. Indeed, this year’s Annual Review demonstrates how the NCSC continues to lead the way, producing expert analysis of new technologies and emerging risks and opportunities. This technical expertise underpins our collective efforts to tackle threats from malicious cyber actors, and demonstrates the NCSC’s world-class advisory function.
Given the pace of change, it is vital that we get ahead of these fast-developing technologies to ensure the right mitigations are in place before the risks emerge. That is why the UK hosted the first ever AI Safety Summit in Bletchley Park in November 2023. Through that summit we started to spearhead a new form of multilateralism, one that brings together countries, companies, academics and other experts in the field. Because it is only by working together that we will make AI safe for everyone.
That same approach is needed towards cyber security more broadly. We need a whole-of-society approach, where Government and industry work in partnership – to defend as one – to make us all more resilient as a nation. And those who can must work to shift the burden away from end users and increase protections for all of us, as we increasingly live our lives and do our work in the virtual world. As I said to CYBERUK in Belfast in April, I urge businesses to look again at their security and strengthen it where they can. In turn the government will do its bit, including through the National Protective Security Authority.
This next year will come with new challenges. But by working together in partnership, underpinned by our values and alliances, and by building on the vital work of the NCSC to make the UK the safest place to live and work online, we will be ready for them.
Director GCHQ
Since my appointment as Director GCHQ earlier this year I have been hugely impressed by the efforts of our cyber security experts at the NCSC. The sheer breadth of our work is neatly captured in this review’s timeline of activities over the past 12 months. Joining international partners in calling out the activities of malicious actors, producing timely guidance to help organisations stay secure and delivering an outstanding CYBERUK conference in Belfast are just a few of the ways the
cyber security risks. The NCSC has been championing the case for taking a ‘secure by design’ approach to AI, by building cyber security into technology solutions from the outset. Another vital consideration is to ensure diversity and ethics are built into every stage of AI’s development. Potential limitations and biases are cleverly demonstrated by the NCSC’s use of AI to create images for this review.
We can trace the roots of AI to GCHQ’s beginnings in Bletchley Park, where the government’s 2023 AI Safety Summit took place. In Bletchley, as in GCHQ today, our brilliant people, technology and tradecraft have always invented and mastered new technology to make sense of data and protect the UK from harm.
CEO NCSC
I am very proud to present the seventh Annual Review of the National Cyber Security Centre, a part of GCHQ. Today, seven years on, our mission remains to make the UK the safest place to live and work online.
We must continue to adapt to meet ever-evolving cyber security challenges. Whether these come in the form of rapid development of technologies such as Artificial Intelligence (AI) or state adversaries seeking to gain advantage over us, we must ensure that the UK, as a responsible cyber actor, stays (at least) one step ahead.
In this year’s Annual Review, we reflect on key developments, achievements and trends from the last year. We’ve also included five areas of specific interest to the cyber security community – setting out the NCSC’s thinking on AI cyber security, on securing the UK’s Critical National Infrastructure, on defending our democratic processes, the future of UK cyber security services (including the NCSC’s role in their provision), and reflecting back on what we have learned from Russia’s further invasion of Ukraine.
To make sure that the NCSC continues to focus our work where it is most needed, and to deliver against the objectives in the government’s National Cyber Strategy, we will focus on three priorities over the coming year.
First, we must improve the UK’s cyber resilience to the most significant cyber risks. We will continue to improve our understanding of the threats we face and use this knowledge to strengthen resilience in the areas that carry the most risk for the UK, be that across government or to the companies involved in delivering our critical national infrastructure. We have learned a lot about our resilience in light of the ongoing war between Russia and Ukraine, which remains the most sustained and intensive cyber campaign ever. But as the threat landscape evolves, we will need to measure the impact we can have on resilience, as well as work with others to maximise our success.
Secondly, we must retain our edge. Technology is developing faster than ever, and, in an increasingly unpredictable world, our adversaries are seeking to use this change for their own advantage. We must ensure the UK retains its edge in the face of future cyber security challenges, including those emanating from China, which we know poses an epoch-defining challenge in the years to come, as well as those posed by future technology shifts. We will need to ensure that the technology we deploy throughout our economy is secure by design, and that we have the technological capabilities and partnerships for the future to enable us to counter these threats as they evolve.
Lindy Cameron
CEO of the National Cyber Security Centre
Chapter 1
> Threats and Risks
regime outside of Iran, including in the UK.[2] Iran remains an aggressive and capable cyber actor and will almost certainly use cyber for its objectives. The NCSC continues to work closely with government and industry partners to understand and mitigate the cyber threat from Iran.
Democratic People’s Republic of Korea (DPRK)
Cyber is one of the means through which the DPRK aims to improve its poor economic situation through illicit revenue generation and sanctions evasion, to further consolidate the current regime, and to strengthen and maintain its ability to defend itself against perceived hostile actors. Raising funds via cyber thefts is widely reported, and cyber attacks against a variety of institutions, companies and government organisations in search of information and credentials are also prolific.
Ransomware
Ransomware remains one of the most acute cyber threats facing the UK, and all domestic organisations should take action to protect themselves from this pervasive threat. The now-normal approach of stealing and encrypting data continues to be the primary tactic cyber criminals use to maximise profits. However, data extortion attacks, in which data is stolen but not encrypted, are a growing trend in the threat landscape.
[2] https://www.gov.uk/government/news/uk-steps-up-action-to-tackle-rising-threat-posed-by-iran
Incident management
prompt:
An image / illustration identifying and
analysing cyber security threats to
individuals and organisations and
making sure systems are secure to
stay one step ahead of adversaries
and cyber criminals.
commentary:
We wanted to show how cyber
attacks are a critical threat to our
national security and everyday lives
and how the NCSC is leading the UK’s
defence by supporting government,
critical national infrastructure and
citizens to help to reduce the harm
from cyber security incidents.
Cyber espionage continues to be used as an important tactical weapon, strategically and operationally, in supporting Russian political and economic objectives in Ukraine and around the world.
Since Russia’s further invasion of Ukraine, its cyber operations have expanded to target anything or anyone with a connection to Ukraine, as Russia seeks to gain an information advantage on the battlefield and geopolitically.
This has obviously included traditional military and government targets, although cyber has provided Russia with new means to achieve its objectives. In August, along with the Security Service of Ukraine and Five Eyes partners, we publicly revealed that Russian military intelligence service (GRU) capabilities are targeting Ukrainian battlefield information, in this case from Android devices.
However, the reach of Russia’s cyber operations has also stretched to academics, think tanks, logistics and transport hubs, manufacturing companies, supply chains, charities and unassuming Internet of Things (IoT) devices.
For example, as stated publicly by Rob Joyce, Director of Cybersecurity at the NSA, Russia has targeted IoT surveillance cameras to aid its warfighting efforts, and routinely targets the transport sector.
Microsoft warned in December 2022 of Russia potentially targeting countries that provide vital supply chains of weaponry and humanitarian aid.
The point here is not to assume you are too unimportant for Russian spies to take an interest, if it furthers their aims and objectives.
An initial interaction with an individual or organisation (in the form of an unsolicited approach on LinkedIn or an email with a malicious link) is all it could take to allow hostile actors into your networks and find the information they want to use for their advantage.
The risk of supply chain compromise also continues to loom large. In 2021, we and our US partners attributed the unauthorised access of SolarWinds Orion software and subsequent targeting to Russia’s Foreign Intelligence Service (SVR). These incidents are part of a wider pattern of cyber intrusions by the SVR, who have previously attempted to gain access to governments across Europe and NATO members and who continue to exploit vulnerabilities to this day.
A chain is only as strong as its weakest link.
Russian patriotic hackers
Over the past 18 months we have seen a new class of Russian cyber adversary emerge. State-aligned actors (the favoured language used by the UK government to describe these groups) are often sympathetic to Russia’s further invasion and are ideologically, rather than financially, motivated.
They have been emboldened to act with impunity regardless of whether or not they have Russia’s backing.
Chapter 2
> Resilience
Cyber Essentials
28,399 Cyber Essentials certificates awarded (21%)
9,037 Cyber Essentials Plus certificates awarded (55%)
321 Certification Bodies right across the UK (6%)
80% fewer insurance claims with Cyber Essentials in place (Insurers’ data)

By business size (Cyber Essentials certificates / Cyber Essentials Plus certificates):
Micro: 35% / 36%
Small: 34% / 28%
Medium: 20% / 21%
Large: 11% / 15%

Reason for certification (Cyber Essentials / Cyber Essentials Plus):
To generally improve security: 35% / 28%
Required for government contract: 15% / 22%
Required for commercial contract

• The estimated fail rate for Cyber Essentials across all organisation sizes has dropped from 3.4% to 2.45%.
• This year saw an increase in the proportion of Cyber Essentials (increase of 4%) and Cyber Essentials Plus certificates (increase of 17%) issued to micro-organisations.
369 applications approved in the first cohort
80% of organisations who have completed the programme have stated an intention to renew the certification next year
78% charities; 22% legal aid firms
91% of these organisations claimed that they feel more confident about cyber security after completing the process
For all these reasons, we see ACD as a core part of how the NCSC will improve the UK’s cyber resilience over the coming years, as we continue to build services designed to protect UK citizens and organisations.
When ACD was launched in 2016, we developed services with the protection of government organisations specifically in mind. However, at the core of the UK’s National Cyber Strategy is a ‘whole of society’ approach, which is why we’ve broadened the utility of ACD products and services to a wider range of users, from small business owners to the education and charity sectors to citizens being able to report scam emails to the NCSC’s Suspicious Email Reporting Service (SERS). This conscious shift to designing and developing ‘radically simple’ digital services (with accessibility and ease of use as core design principles) can help provide the benefits of vulnerability checking to those individuals and organisations that do not have a dedicated security function.
We also want to make it simple for users to find, sign up to and manage our services, whilst reducing duplication and providing a smoother, more integrated user experience. We built the MyNCSC platform to turn that vision into reality. The platform brings several ACD products and services together into a single, coherent experience tailored to show the content, vulnerabilities and alerts most pertinent to each user. These are currently Mail Check and Web Check. We plan to gradually increase the number of ACD products and services integrated with MyNCSC and have started migrating our customer organisations’ use of Early Warning to the platform.
This year’s ACD report noted the challenges of developing new services, which included improvements in levels of defensive capability, the need for a more dynamic commercial cyber security services market, and the growing sophistication of commodity threats. This has meant embracing different ways of ‘getting things done’, whether that’s building services ourselves, contracting with market-leading UK companies, or engaging with collaborative projects.
Mail Check
Helps the public and third sector assess and improve email security compliance to prevent criminals spoofing email domains.
• Over 2,700 organisations are now using Mail Check
• Over 24,000 domains, 60% of which are protected by DMARC
14,400 domains protected by DMARC
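The "protected by DMARC" figure above depends on what a domain's published policy actually says. The following Python script is an added example, not NCSC or Mail Check code: it parses DMARC TXT records and classifies each domain, treating a domain as protected only when its record is valid and its policy is quarantine or reject (that reading of "protected", and the sample domains and records, are assumptions constructed for the example; no DNS lookups are made).

```python
"""Classify DMARC TXT records by whether their policy is enforcing.

Added example, not NCSC or Mail Check code. Assumption: a domain counts as
"protected by DMARC" when it publishes a valid record whose p= policy is
quarantine or reject; p=none only reports spoofing, it does not stop it.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records for illustration (not real domains or real data).
SAMPLE_RECORDS = {
    "council.example": "v=DMARC1; p=reject; rua=mailto:dmarc@council.example; pct=100",
    "charity.example": "v=DMARC1; p=none; rua=mailto:reports@charity.example",
    "trust.example": "v=DMARC1; p=quarantine; pct=50",
    "school.example": "v=spf1 include:_spf.mail.example -all",  # an SPF record, not DMARC
    "shop.example": "v=DMARC1; p=deny",  # typo in the policy value
}

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class Assessment:
    domain: str
    valid: bool               # syntactically usable DMARC record
    policy: Optional[str]     # none / quarantine / reject when valid
    pct: int                  # share of failing mail the policy applies to
    protected: bool           # enforcing policy (quarantine or reject)
    notes: list = field(default_factory=list)


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive (RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, record: str) -> Assessment:
    """Classify one record. Never raises, so one bad record cannot abort a bulk run."""
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return Assessment(domain, False, None, 0, False, [str(exc)])
    # v=DMARC1 must be the first tag; otherwise this is not a DMARC record at all.
    first_key = record.split(";", 1)[0].split("=", 1)[0].strip().lower()
    if first_key != "v" or tags.get("v") != "DMARC1":
        return Assessment(domain, False, None, 0, False, ["no leading v=DMARC1 tag"])
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return Assessment(domain, False, None, 0, False, [f"invalid or missing p= value {policy!r}"])
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        return Assessment(domain, False, policy, 0, False, ["pct= must be an integer from 0 to 100"])
    notes = []
    if policy == "none":
        notes.append("monitor-only: spoofed mail is still delivered, only reported")
    if pct < 100:
        notes.append(f"policy applied to {pct}% of failing mail only")
    if "rua" not in tags:
        notes.append("no rua= address: aggregate reports will not be received")
    return Assessment(domain, True, policy, pct, policy != "none", notes)


def summarise(records: dict) -> dict:
    """Headline counts of the kind a bulk assessment across many domains reports."""
    results = [assess(domain, record) for domain, record in records.items()]
    return {
        "domains": len(results),
        "valid_dmarc": sum(1 for a in results if a.valid),
        "protected": sum(1 for a in results if a.protected),
    }


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess(domain, record)
        print(f"{domain:16} valid={a.valid!s:5} policy={a.policy} "
              f"protected={a.protected} {'; '.join(a.notes)}")
    print(summarise(SAMPLE_RECORDS))
```

Of the five constructed records, three are valid DMARC and two are enforcing; the p=none domain is counted as having DMARC but not as protected, which is the distinction a "domains with DMARC" figure versus a "protected by DMARC" figure needs to make. To run it against real domains, feed the `_dmarc.<domain>` TXT record from a DNS lookup into `assess` in place of the sample strings.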
Takedown
Works with hosts to remove malicious sites and infrastructure from the internet.
• The known share of global phishing dropped to 1.19%; in 2016 the figure was over 5%
• The number of fake UK government phishing scams decreased from 6,300 the previous year to 5,300 in this reporting period
• 1.8 million cyber-enabled commodity campaigns removed
The number of fake UK government phishing scams decreased by almost 19%
Web Check
Helps users find and fix common security vulnerabilities in their websites.
The service now has 2,999 organisations using Web Check
18,285 IP checks completed since product launch in March 2023
14,672 browser checks completed since product launch in March 2023
2,526 users received at least one finding
2,876 users were using an out-of-date browser
prompt:
The importance of cyber resilience for
UK critical national infrastructure
commentary:
We used a descriptive prompt to
generate an image we feel represents
CNI and how we can digitally
protect our national infrastructure
– the image includes an individual,
to highlight the societal element and
how CNI supports many different
parts of our lives.
Jen Easterly, Director CISA, noted that such targeting “…wasn’t for espionage or data theft… it was more likely for disruption and destruction” and CNI operators should be alert to this and follow the actions in the advisory to hunt down this activity and mitigate.
Nation states and profit-oriented cyber criminals are not the whole picture, however. The NCSC published an alert to operators of the UK’s CNI in April about the emergence of state-aligned groups as an adversary, some of whom have stated a desire to achieve a more disruptive and destructive impact against western CNI. Without external assistance, we consider it unlikely that these groups have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term. But they may become more effective over time.
To counter the risk posed by these threats, we believe that it’s essential to understand the risks to our CNI before our adversaries do, so that we can reduce the window where an attack could be successful. Often critical services will rely on complex supply chains to function, and so mapping supplier dependencies and relationships plays a crucial part in gaining confidence in your security. This enhanced situational awareness will be increasingly important in times of heightened threat – but being mindful about supply chain security from procurement through to deployment should be a perennial consideration for operators.
In addition to our work understanding the UK’s CNI, we need to continue improving our aperture on CNI risk. For example, it will be key to understand flaws in the design of the UK’s CNI (such as inadequate network segregation) which adversaries may seek to exploit, as well
prompt:
An illustration of a historic ballot box
protected by multiple padlocks.
commentary:
We used a relatively simple prompt
to generate an image bringing to life
the need to secure our democratic
process – metaphorically represented
through a super-secured, physically
protected ballot box.
commentary:
We used a very descriptive prompt to generate the image
we envisaged of how smartphones, computers and the
internet have become a fundamental part of modern life
and that it’s difficult to imagine how we’d function without
them. From living and working online, banking and
shopping, and email and social media the imagery talks
to our strategic objective of bolstering the cyber resilience
of individuals, families, businesses and organisations
across the world.
We will continue to publish our findings in line with the NCSC’s commitment to transparency and responsible use of artificial intelligence et al.
On partnerships: nearly everything that the NCSC does, we do with our partners in some form. The challenge of scaling cyber security means that we need to better leverage our existing partnerships and develop new ones to make much more out of them than we currently do where our services are concerned. We need to do this in multiple areas: for example, we are working closely with the UK Cyber Security Council to develop and oversee the specialist standards the UK needs to manage its cyber risk, enabling the NCSC to focus on other areas.
How do we need government’s cyber security capabilities to develop?
We often say that cyber security is a team sport. What might that mean for the way the NCSC needs to work with government partners on the future of digital and assured industry services? Two recent developments show us the way.
The first is the development of the Government Cyber Coordination Centre (GC3), announced in 2022, which will coordinate cyber security efforts across the public sector. The GC3 will start by coordinating resilience response to incidents and vulnerabilities, transforming how cyber security data and threat intelligence is shared, consumed and actioned across government. This presents a huge opportunity to galvanise the way services are developed, delivered and used over the coming years, and to build the foundations for an approach to government cyber security that is driven by data and rooted in evidence.
The May 2023 Fraud Strategy emphasises “tackling fraud at source and incentivising every part of the system to take fraud seriously”. This reinforces the need for a whole ecosystem of support across the UK that builds on the unique strengths of the NCSC as national technical authority, in concert with the ability of the PROTECT network and Cyber Resilience Centres to amplify it on the ground across the nation.
And beyond that?
It remains a strongly held NCSC view that the “team” extends well beyond government when it comes to achieving cyber security success at the national level. Over the past 12 months, the NCSC has been working with industry to launch new schemes, targeting a wider set of customers, and assuring industry to work in new and expanded areas on behalf of the NCSC – and there is more to come. But where do we see potential to drive systemic improvement?
Chapter 3
> Ecosystem
CyberFirst Girls Competition
56,000+ girls have taken part in the competition since inception in 2017
589 schools and 2,444 teams took part
13 regional and national finals
8,700+ girls entered in 2023, up from 7,000 in 2022
85% of schools participating in the Girls Competition were state run

CyberFirst bursary scheme
125 students joined the CyberFirst bursary scheme
42% of those awarded bursaries were female
22% of those awarded bursaries were from ethnic minority backgrounds
1,169 total number of bursary students
87% of those who have graduated are now in cyber security roles
Nurturing skills
The CyberFirst Bursary programme continues to support the next generation of cyber talent, offering undergraduates a substantial bursary and paid training each summer. This year, 125 students were offered new bursaries and of those 42% were female candidates. In addition, the programme is supported by over 240 industry, academic and government members.
Over the last year, a further 14 postgraduate and 5 undergraduate cyber security focused degree courses have met the NCSC’s certification standard. Prospective students now have a choice of 75+ postgraduate or undergraduate NCSC-certified degrees from just under 50 universities nationwide. And our community of Academic Centres of Excellence in Cyber Security Education (ACEs-CSE) continued to expand, with 15 universities now achieving recognition for their high-quality teaching and impactful outreach activities.
Academia
NCSC For Startups
66 companies are part of NCSC For Startups
Highlights include:
• the NCSC’s work to bring Fujitsu into the i100 community was included in the PM’s G7 announcement launching the Japan-UK Cyber Partnership
• the scheme directly contributed external expertise to NCSC’s work to deliver:
  − UK Legal Sector Cyber Threat report
  − NCSC’s Cyber Security Toolkit for Boards
Held in Northern Ireland for the first time
Two thirds of delegates are more likely to invest in, support or engage with the Northern Ireland cyber security sector as a result of attending
£2.6m boost to the local economy
120+ companies sponsored or exhibited at CYBERUK
Chapter 4
> Technology
The National Quantum Strategy focuses on investment in and development of quantum technologies. Quantum computing has substantial economic potential, but also provides a threat to cryptography. The NCSC’s role is clearly defined within the strategy as the lead organisation in government on advising on mitigations to this threat. The strategy also sets out our key technical messages, focusing on the need to prepare for a future transition to post-quantum cryptography. Additionally, through discussions as part of the strategy development, and with the UK Quantum Communications Hub, we have helped set a government vision for future quantum networking to share information between quantum devices.

Building on the UK’s specific semiconductor strengths, DSIT’s National Semiconductor Strategy focuses on the resilience of systems on which we rely to combat cyber attacks. The UK’s leadership on chip design positions us well to take a leading global role in this area, supporting initiatives such as the ‘Digital Security by Design’ programme led by UK Research and Innovation, which offers a potential step change in attack mitigation.

The NCSC research problem book
In August, we published the latest iteration of the NCSC research problem book with the aim of guiding cyber security research towards the most critical security challenges that we have identified as significant barriers to improving cyber security. Two problems worth specific mention are:

Problem 1 – How can we build systems we can trust when we can’t trust any of the individual components within them? Hardware is becoming more complex all the time and it’s difficult to gain confidence in long global supply chains. This in turn means diminished confidence in individual computers, circuit boards and microchips. But to protect our critical national infrastructure, defence and intelligence systems and more besides, we need to build computer systems we can rely on.

Problem 5 – How can we accelerate the adoption of modern security mitigations into OT? Operational technology (OT), such as the industrial control systems (ICS) that operate factories, smart cities and our energy infrastructure, often lack many of the security controls and mitigations that we take for granted in IT. This means that if threat actors manage to reach OT systems, they may then be able to use relatively simple techniques to have a physical real-world impact. Research in the areas below could contribute to significantly improving the security of OT systems.

Technology assurance
As technology, and the way it’s used, continues to evolve at a rapid pace, the need to update the way we gain confidence in its cyber resilience came into sharper focus this year. Any new approach must raise the bar across a broad landscape and also enable new technology solutions to be imagined, creating a thriving ecosystem underpinned by cyber-resilient technology. This year, in collaboration with Adelard, we’ve formalised the method that underpins our new approach to technology assurance: Principles Based Assurance (PBA). Key to the success
[Chart: vulnerability reports received per year, 2018 to 2023 (vertical axis 0 to 200)]
We are proud of the fact that finders from across the world have taken an interest in the security and resilience of the UK government and submitted vulnerability reports. Working with our platform provider (HackerOne) we have seen the majority of finders who submit reports originate from outside of the UK.
The vulnerabilities (share of reports by category):
• Cross-site scripting (reflected) 40%
• Information disclosure 21%
• Open redirect 10%
• Path traversal 7%
• Improper access control 5%
• Privilege escalation 5%
• Code injection 4%
• Information exposure through directory listing 3%
• Cross-site scripting (Generic) 3%
• SQL injection 3%
• Local 73%
• Central 21%
• Other 6%
Guidance
This year, our best-practice guidance on cloud computing has scored well with NCSC stakeholders, aligning with an ever-increasing number of businesses adopting cloud computing. Since ChatGPT secured global coverage earlier this year and excitement around the capabilities of AI has grown, the NCSC has leveraged its technical knowledge into practical guidance, to concentrate on the real opportunities and potential risks for the UK.

As a reminder that some cyber threats are evergreen, our phishing guidance remains among our most popular content. We’re committed to keeping our content current, reflecting changes in threat and how to counter it.
Guidance: 1.7 million user visits
Capability
• The NCSC and DCMS published the Code of Practice for app store operators and developers. It will encourage them to meet a minimum bar for security and privacy.
• The NCSC hosted an international workshop virtually and in Manchester, focusing on the security of compressed machine learning models, particularly in the context of embedded or edge devices.
• The NCSC provided support to AUKUS in establishing best-practice security culture.
• The NCSC vulnerability management team responded to significant vulnerabilities including those affecting the MOVEit managed file transfer software and a critical vulnerability affecting Fortinet devices.
7 https://www.gov.uk/government/publications/code-of-practice-for-app-store-operators-and-app-developers/code-of-practice-for-app-store-operators-and-app-developers-new-updated-version#implement-a-vulnerability-disclosure-process
prompt:
A photo realistic black and white
image of Alan Turing witnessing
artificial intelligence become a vivid
colourful reality in the background.
commentary:
To visualise AI in the present day we took inspiration from the past and wondered what the great Alan Turing would think about the developments in AI since he first proposed an experiment to define a standard for a machine to be called “intelligent”, known as “The Turing Test”, over 70 years ago.
A founding father of AI, who worked for the forerunner to GCHQ, Turing represents
the values that the NCSC strive to uphold to this day.
attacks, where the attacker attempts to contaminate the data used in the ML process.

Cyber security opportunities of AI
While there is significant focus on the risks of AI, we must also ensure that we take advantage of the significant opportunities that AI brings to cyber defenders. AI is already being used to detect known types of fraud, through the detection of anomalies in user actions. In consumer banking, this can be applied to improved monitoring of card usage, more quickly blocking fraudsters from using another user’s credit card by identifying strange individual transactions. AI will be able to improve detection and triage of cyber attacks. As AI detects patterns and relationships between data, it can be used to recognise malicious emails and cluster them to identify phishing campaigns, which are then more easily mitigated.

this sector in a way that is diverse and inclusive. We also need to ensure that where AI is used to enhance cyber security that we are doing all we can as a community to avoid introducing and reinforcing bias into cyber security analysis and threat monitoring. That is why the NCSC is working closely with the Alan Turing Institute to both help develop and benefit from research on AI and cyber security across a range of topics.

Challenges around the fundamentals of AI
As we have already highlighted, AI models have new, inherent weaknesses and vulnerabilities – which need to be understood by those developing them. Some cutting-edge AI models can be incredibly complex – often even their creators don’t fully understand exactly how they work or what happens inside the model. This lack of ‘explain-ability’ is one of the key safety and security challenges.
Afterword
This year’s review demonstrates the sheer scale and breadth of the NCSC’s work to inform, influence and equip audiences with the tools, motivation and confidence they need to live and work safely online in the UK.

2024 will bring considerable challenges and more opportunities. As has been set out in this review, the protection of democratic processes will be a focus for the NCSC in the UK, as well as for global partners, as key elections shape the coming year. The NCSC is determined to remain agile in its approach, to ensure the UK is competitive and proactive, aiming to sharpen its focus on emerging technologies, like artificial intelligence and quantum computing. We’ll prioritise our collaboration with sector partners, nationally and globally, to reach our organisational aims. And 2024 will see CYBERUK move from Belfast to Birmingham, building on our commitment to ensure the NCSC’s presence and guidance is felt across the UK.

Our heartfelt thanks to all those working inside and alongside the organisation, this year and every year. Our sector‑leading whole of society approach hinges on strong collaboration with industry, businesses, government departments and wider sector partners, critical to the success of our collective aim to ensure the UK is the safest place to live and work online.

We can all be proud of our collective teams’ achievements, ensuring the online security of individuals and organisations, and we remain united in our pledge to ensuring cyber security remains a top priority for the UK and around the world. As NCSC CEO Lindy Cameron outlined in her Foreword, we must be focused on the future if we are to deliver a more resilient UK.
To request the information in this
document in an alternative format
please email enquiries@ncsc.gov.uk
© Crown copyright 2023. Photographs produced with permission from third parties.
NCSC information licensed for re-use under Open Government Licence (www.nationalarchives.gov.uk/doc/open-government-licence).
Designed and created by Design102
hello@design102.co.uk
Follow us:
@NCSC
@cyberhq
National Cyber
Security Centre