The NCSC Annual Review 2023 And King’s Speech Reinforce The Importance Of Cybersecurity And Data Privacy
Table Of Contents:
Two of the most significant events in the UK cyber security industry calendar over the past few months were the release of the National Cyber Security Centre (NCSC) Annual Review 2023 and the King’s Speech.
The NCSC Annual Review 2023 sees the government agency reflect on the cybersecurity risk landscape, trends, and its work between September 2022 and August 2023. It discusses everything from the threat posed by nation-states to the impact of ransomware attacks on UK businesses and citizens.
Along with the release of this report, King Charles III’s first speech from the House of Lords was a historical moment and detailed two new upcoming cybersecurity and data privacy regulations. In this blog, we break down the NCSC Annual Review 2023 and the cybersecurity elements of the King’s Speech.
Nation-State Threats
In its 2023 annual review, the NCSC explores the cybersecurity threats that nefarious nation-states such as China, Russia, Iran, and North Korea pose to UK national security, businesses, organisations and citizens.
The NCSC sees China’s growing technical superpower status, in particular, as a significant threat to UK national security. The organisation describes China as an “epoch-defining challenge for UK security”, believing that the country will become the leading cyberspace power if Britain doesn’t improve its resilience and capabilities in this area.
It found that Chinese hackers continue using “sophisticated” cyber capabilities to “threaten the security and stability of UK interests” strategically. British startups, research, and innovation are prime targets. The NCSC called the cybersecurity challenges of China “global and systematic”, urging Britain, its allies, and industry partners to boost their understanding of these threats.
Another nation-state focusing its efforts on cyber warfare is Russia. Nearly two years after the invasion of Ukraine, the Russian government and affiliated hackers continue to launch cyber attacks on the Ukrainian government and Ukraine-based businesses. Their preferred tactics are distributed denial of service and data wiper attacks, although the NCSC claims the “impact on Ukraine has been less than expected”. It attributes this to the country’s “well-developed” cyber security capabilities and international support.
Two other nations with significant cybersecurity threats are Iran and North Korea. The NCSC described Iran as an “aggressive and capable cyber actor” that will “almost certainly use cyber for its objectives”, targeting everyone from politicians to journalists. Meanwhile, North Korea’s aim of its hacking activities is to aid its struggling economy via “illicit revenue generation and sanctions evasion”. North Korean hackers are launching cyber attacks on various international companies, governments, and institutions to gain access to valuable information.
Ransomware Leads The Way
The NCSC report also explores the evolving cybersecurity landscape. Ransomware is one of the biggest cybersecurity threats faced by UK-based businesses and organisations, with the NCSC warning that they should “take action to protect themselves from this pervasive threat”.
Although cyber criminals predominantly conduct ransomware attacks by “stealing and encrypting data”, the NCSC has warned organisations and businesses to stay vigilant of data extortion attacks. These see criminals steal but not encrypt data.
Ransomware victims made 297 reports to the NCSC from September 2022 to August 2023, with the most affected industries being academia (50), manufacturing (28), IT (22), finance (19) and engineering (18).
James Watts, managing director at Databarracks, expects ransomware attacks on UK targets to increase and urges them to take steps to mitigate this threat. He says: “Make a plan, test and exercise often, update it if necessary.
“If you experience a successful ransomware attack, the impact could be catastrophic if you’re unprepared. That risk increases if your organisation handles and stores sensitive data.”
Other Cyber Threats
Fraud is another significant threat impacting both British businesses and individuals, with a large proportion of it (80%) being cyber-enabled. To avoid falling victim to cyber fraud, the NCSC recommends using three random words for creating passwords and setting up two-factor authentication on all internet accounts.
2023 also saw state aligned-actors, in addition to state actors, pose “a new and emerging threat” to Britain’s critical national infrastructure (CNI). These groups are beginning to show “a desire to achieve a more disruptive and destructive impact against western CNI” alongside traditional cyber campaigns like DDoS attacks and online misinformation.
The advancement of artificial intelligence technology and large language models also allows cybercriminals to “enhance existing tradecraft. The NCSC says the short-term threat of this will be the amplification of current cyber threats. In particular, AI will allow cybercriminals to scale their hacking campaigns and make them faster.
Katie Barnett, director of cyber security at Toro, agrees with the NCSC’s findings that AI technology “amplifies attacks in terms of both speed and scale”. She says: “The number of attacks will continue to rise unless organisations start to put security at the forefront of their strategies.”
The increased availability of commercial cybersecurity tools and services will also allow threat actors, including state and non-state, to conduct cyber attacks more quickly. This will make it simpler for them to gain “cost-effective capability and intelligence” and conduct cyber crimes “in the absence of oversight or an understanding of how international norms apply”. The NCSC says it’s supporting the UK government and its allies in ensuring these tools are created, brought to market, and used legally and responsibly.
Between 2022 and 2023, the NCSC received 2,005 reports from businesses and individuals experiencing a cyber incident. That’s a 64% increase from the previous year when the organisation received 1,226 reports. Out of these 2,005 reports, the organisation’s incident management handled 371 cases and deemed 62 of them to be “nationally significant. Barnett added: “These figures need to act as a stark reminder to organisations that cybersecurity must be treated with equal value to commercial objectives.
King’s Speech
2023 also saw King Charles III open parliament for the first time in his reign and make a speech from the throne in the House of Lords, where he outlined the UK government’s agenda for the next few months.
The king discussed two new laws designed to improve the UK’s cybersecurity and data protection, the Data Protection and Digital Information (DPDI) Bill and the Investigatory Powers (Reform) Bill.
Robert Wassall, director of legal services NormCyber, explains how the government hopes to help businesses realise compliance cost savings in the billions and increase productivity by introducing an innovative, flexible data protection law in the form of DPDI.
This, so it is claimed, will primarily be by allowing businesses to protect personal data in more proportionate and practical ways than under the EU’s GDPR, making them more efficient by eliminating unnecessary paperwork and cutting red tape whilst maintaining high data protection standards,” he says.
However, introducing DPDI could worsen Britain’s already rocky relationship with the European Union. Wassall warns that the EU may view this law as the UK moving “too far away from the GDPR”.
Regarding the Investigatory Powers (Reform) Bill, Wassall says this legalisation will “force technology companies to inform the Home Office in advance of any security and privacy features they want to add”.
It’ll also compel them to “disable those that the government objects to” while increasing “the power of the Home Office to force non-UK companies to comply with changes it wants them to make to security features without the right to appeal”.
Barnett believes that while “legislative reform and a comprehensive joined-up approach to cyber regulation are needed”, this will unlikely decrease the number of cyber-attacks occurring. She concludes: “As with my response to the NCSC report, we all need to work together, with companies taking cyber security seriously to prevent their organisation from being attacked.”
