Severity of the risk facing the UK is widely underestimated, NCSC annual review warns

National cyber emergencies increased threefold this year


The number of security threats in the UK that hit the country's National Cyber Security Centre's (NCSC) maximum severity threshold has tripled compared to the previous 12 months.

Published today, GCHQ's tech offshoot's 2024 review reveals that 12 incidents topped the NCSC's severity classification system out of a total 430 cases that required support from its Incident Management (IM) team between September 2023 and August 2024. The finding represents a 16 percent increase year-over-year.

The number of nationally significant incidents also rose from 62 last year to 89 in the latest data, six of which were caused by exploiting two Palo Alto and Cisco zero-days (CVE-2024-3400 and CVE-2023-20198). This number includes the 12 deemed maximally severe and an undetermined number of attacks on the UK's central government.

The most severe category of incidents is Category 1: National cyber emergency – an attack that causes sustained disruption of critical services and a Cabinet Office Briefing Rooms (COBR) meeting to be held.

The NCSC said that 347 reports involved some degree of data exfiltration and extortion and – surprise – 317 of these involved ransomware, another year-over-year increase from 297 in 2023's data.

The numbers demonstrate a growing cyber risk to the UK that NCSC board members feel is "widely underestimated" and outpacing the country's ability to defend against threats.

"What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defenses that are in place to protect us," the NCSC's new CEO Richard Horne will say later today.

"And what is equally clear to me is that we all need to increase the pace we are working at to keep ahead of our adversaries."

Horne and others on the board at Nova South renewed their calls to the public and private sectors on Tuesday to continue building cyber resilience, citing the rise in headline-grabbing incidents such as the attacks on Synnovis and the British Library.

"The NCSC, as the National Technical Authority, has been publishing advice, guidance, and frameworks since our inception, in a bid to drive up the cybersecurity of the UK," Horne will add. "The reality is that advice, that guidance, those frameworks need to be put into practice much more across the board.

"We need all organizations, public and private, to see cybersecurity as both an essential foundation for their operations and a driver for growth. To view cybersecurity not just as a 'necessary evil' or compliance function, but as a business investment, a catalyst for innovation and an integral part of achieving their purpose."

When talking about cyber resilience, as the NCSC so often does, it refers to all organizations being able to detect, neutralize, and recover from attacks at pace, be it through their own technical implementations or with support from the likes of the NCSC's Active Cyber Defence services.

Of course, GCHQ's cyber arm also never misses an opportunity to remind the world that organizations that earn its Cyber Essentials certification are 92 percent less likely to make a claim on their cyber insurance policy.

Despite there being a 20 percent increase in organizations gaining that certification this year, and an equal increase in Cyber Essentials Plus recipients too, the NCSC still feels the basics aren't being deployed widely enough, or quickly enough.

A sense of doom drips from every page of its annual review. It goes on to explain how the volumetric increase in attacks and their complexity presents a dual threat that stokes a sense of fear in the reader.

By 2030, the NCSC predicts a full-scale cyber intrusion ecosystem will be established. It believes this ecosystem will make available highly capable tools to the most seasoned adversaries and unsophisticated up-and-comers alike, lowering the barrier to entry into the world of cybercrime.

This all follows the current state of affairs where we have lowly cybercriminals routinely reading about how their state-sponsored seniors are going about things from intel reports and copying their tactics for greater success, all while the global economy increasingly relies on tech propped up by an insecure supply chain.

There remains the inevitable impact of artificial intelligence (AI), which is slated to intensify this complex threat landscape and empower adversaries in their ventures too, not to mention the deeply broken market making any proposed improvement a challenge.

Further afield

In the same way that China has, for years now, occupied the attention of national security chiefs more than any other foreign adversary, the NCSC's latest annual review equally dedicates more attention to the Middle Kingdom than any other overseas threat.

It was at the NCSC's annual conference earlier this year that GCHQ director Anne Keast-Butler emphasized the claim that dealing with China tops the UK's list of security priorities.

Likewise, Horne, who made his first major public speech as the NCSC's new top dog on Tuesday, echoed the sentiment once more, repeating the organization's stance on the UK's inadequate cyber resilience.

"Last week, the Chancellor of the Duchy of Lancaster warned about the aggression and recklessness of cyber activity we see coming from Russia," he said. "And with our partners, including at the NPSA, we can see how cyberattacks are increasingly important to Russian actors, along with sabotage threats to physical security, which the director general of MI5 spoke about recently.

"All the while, China remains a highly sophisticated cyber actor, with increasing ambition to project its influence beyond its borders.

"And yet, despite all this, we believe the severity of the risk facing the UK is being widely underestimated."

Horne referenced the speech made by the Chancellor of the Duchy of Lancaster, Pat McFadden, last week, which made some sensational claims that were later criticized by security thought leaders.

Dissecting McFadden's speech, the Hollywood verbiage used to describe Russia's cyber capabilities raised eyebrows among experts. Claims such as "with a cyberattack, Russia can turn off the lights for millions of people" and "it can shut down power grids" contain the type of language the industry has tried to rid itself of for years.

The speech came against a backdrop of Russian aggression from what McFadden said were state-sponsored cybercriminals targeting NATO partner South Korea. Former MI6 director Sir Richard Dearlove also recently said he believed the current situation between Western Europe and Russia is tantamount to a full-blown war, all while Russia's efforts in Ukraine show no sign of relenting.

"Russia continues to act as a capable, motivated, and irresponsible threat actor in cyberspace," the review reads. "Russian threat actors almost certainly intensified their cyber operations against Ukraine and its allies in support of their military campaign and wider geopolitical objectives. 

"Through its activities in Ukraine, Russia is inspiring non-state threat actors to carry out cyber attacks against Western CNI. These threat actors are not subject to formal or overt state control, which makes their activities less predictable. However, this does not lessen the Russian state's responsibility for these ideologically driven attacks. 

"The NCSC continues to publicly expose Russian cyber activity, which makes it a more challenging environment for them to operate in." ®
