Initiatives to improve the UK’s cyber security during the COVID-19 pandemic and beyond.

The UK has been heavily targeted by hostile state actors (HSAs) in cyberspace throughout the COVID-19 pandemic. Initiatives need to be introduced which further strengthen the UK’s ability to defend itself. These include introducing a quantitative, public “Cyber Hygiene” rating scheme for UK organisations, as well as additional obligations for British cloud service providers (CSPs) to tackle the increasing malicious use of their services.

Firstly, HMG should explore complementing the 2018 NIS directive by introducing a grass-roots, compulsory baseline of cyber security for UK organisations. This would be a system which measures a company’s cyber security against a common set of standards and produces a public, tiered, quantitative rating. This is similar to the way the Food Standards Agency uses the Food Hygiene Rating system to influence consumer choice and, thus, the rigour with which restaurants uphold a satisfactory level of cleanliness. The Cyber Hygiene scheme would have the same effect online: influencing potential customers’ (both civilians and other organisations) decisions as to whether they would trust the organisation in question with their data, and encouraging those with lower ratings to improve their security.

The Cyber Hygiene scheme should be separate from the National Cyber Security Centre’s (NCSC) existing Cyber Essentials scheme, which provides an optional cyber security control framework for small and medium-sized enterprises (SMEs). The Cyber Hygiene scheme should complement this and become mandatory for every UK organisation which operates online in any capacity.

In 2021, nigh on everything is done over interconnected networks: from discussing government policy, military doctrine and economic data, to storing intellectual property (such as vaccine research and development) and trade secrets. If the defence of those assets is sub-par, even the least sophisticated hackers can compromise them, causing preventable consumption of law enforcement and security resources. Hence, during a global pandemic, a base level of cyber security should be a high priority for British organisations involved in the response. The consequences of overlooking basic measures are stark, as evidenced in 2017 when a failure to patch vulnerable Windows computers allowed the infamous WannaCry ransomware to significantly disrupt the NHS’s operations. The protection of healthcare institutions and the vaccine supply chain has never been more important, and a second WannaCry-esque incident in the current climate could be catastrophic.

Mandatory public display of an organisation’s Cyber Hygiene rating would act as a deterrent for both senior management and hostile actors: in the former’s case, by ensuring the appropriate amount of investment is piped into cost-effective security solutions, and in the latter’s, by making highly rated organisations less attractive targets. Effective implementation of the scheme could have the added benefit of lessening the burden on the UK’s security and law enforcement agencies well beyond the pandemic.

Implementing this scheme does, however, present a risk: it could highlight organisations with lower ratings and increase their attractiveness as targets in the eyes of malicious actors. In these (likely few) cases, HMG could provide limited monetary incentives to smaller organisations, point them to the Cyber Essentials control framework and provide the advice of pre-existing consultants from the NCSC to “fast-track” them to an acceptable rating.

The second measure would be to explore levying requirements on British cloud service providers (CSPs) to more robustly track foreign malicious usage of their services and to support UK law enforcement and security investigations.

Cloud computing has revolutionised the way organisations work with data. Organisations can pay cloud providers a fee to use segments of their data centres to store intellectual property rather than storing it on-premises. This cuts a lot of overhead and maintenance costs for companies, but also effectively outsources the security of the company’s proprietary data to the cloud provider. This presents a vast, expansive threat surface which foreign cyber actors are exploiting as a vector into organisations of interest. This is evidenced by the significant hostile supply chain cyber campaign identified in December 2020, which used access to the U.S. software vendor SolarWinds to penetrate its customers, including U.S. government departments. The direction of travel towards cloud computing means that organisations working in the fields of vaccine research and development and healthcare will likely follow suit, presenting heightened risk.

Complicating matters is the fact that CSPs can offer access to their cloud environments via foreign resellers with limited requirements for tracking the identities of those setting up accounts. This makes it easier for hackers to conduct cyber attacks against UK interests or to leverage UK CSP access to launch attacks against other nations, causing reputational damage to the UK. It also makes it difficult for investigators to obtain accurate evidence to prosecute those responsible, as actors can easily obfuscate their identities and dispose of malicious infrastructure. Hence, legislation mandating CSPs to maintain robust record-keeping is needed to improve national security and law enforcement investigations and to protect the UK’s reputation.

Care should be taken to avoid being too draconian – any action must be in line with the UK’s values as a liberal democracy and focus on promoting a peaceful cyberspace. Indeed, one of the previous U.S. administration’s final Executive Orders (EOs) in January 2021 sought to levy similar responsibilities on U.S. CSPs, and the UK should explore following suit even if the EO is rescinded by the new administration.

The UK will continue attracting the attention of sophisticated cyber actors from across the spectrum while it remains a world-leading cyber, science and technology power. HMG can and must keep ahead of the threat by taking reasonable steps at home to harden its cyber environment. This will impose costs on those who seek to steal the UK’s intellectual property or degrade its critical infrastructure.
