NCSC advocates Security by Design at Launch of Third Annual Review today in London

The National Cyber Security Centre ("NCSC") emphasised the need for security by design at the launch of its Annual Review 2019 in London this morning. Many legacy systems are "accidentally insecure", noted NCSC CEO Ciaran Martin, but now we can see the major trends developing and plan strategically. The Secure by Design Code of Conduct (developed by the NCSC and the Department for Digital, Culture, Media and Sport) presents a clear set of thirteen guidelines for manufacturers of Internet of Things devices. The first globally applicable standard on the cyber security of internet connected consumer devices launched by ETSI in February builds on the Code. Consumers, who increasingly will be paying for goods and services, now have standards to inform their purchases.

The Right Hon Oliver Dowden, Minister for the Cabinet Office, this morning described the NCSC as "a world leading body for digital protection." The NCSC led on 658 incidents in the last year working closely with law enforcement, the UK intelligence community, wider government and the private sector. A significant proportion of its work took the form of defending against state actors, with Russia, China, Iran and North Korea continuing to pose strategic national security threats to the UK. The top sectors supported were, in order: government, academia, information technology, managed service providers, with transport and health tying for fifth place.

A key development in the last year has been the Indicator of Compromise (IOC) machine going live, which allows the NCSC quickly to share intelligence about an adversary attacking the UK. Indicators of compromise might be an understanding of how an adversary works (their tools, techniques and practices) or specifics such as the IP addresses an adversary uses frequently. In an average month more than 1,000 vital indicators are now being shared at the click of a button.

Mr Martin also reminded everyone of the importance of hard basics; "If everyone applies strong passwords and two factor authentication and backs up appropriately, a large percentage of problems go away, " he said.