16. The NCSC – part of GCHQ – leads on protecting the UK from cyber attack and, as the authority on the UK's cyber security environment, sharing knowledge and addressing systemic vulnerabilities. It is the Government's interface with industry on cyber security and leads on incident response (for example, in the event of a cyber attack on the UK's CNI).
17. However, it is clear that cyber is a crowded domain – or a "complex landscape".[1] There are a number of agencies and organisations across the Intelligence Community which have a role in countering the Russian cyber threat, and it was not immediately apparent how these various agencies and organisations are co-ordinated and indeed complement each other. The next iteration of the National Cyber Security Strategy must address this need for greater cohesion.
18. Accountability is an issue in particular – whilst the Foreign Secretary has responsibility for the NCSC, which is responsible for incident response, the Home Secretary leads on the response to major cyber incidents. Indeed, there are a number of other Ministers with some form of responsibility for cyber – the Defence Secretary has overall responsibility for Offensive Cyber as a 'warfighting tool' and for the National Offensive Cyber Programme, while the Secretary of State for the Department for Digital, Culture, Media and Sport (DCMS) leads on digital matters, with the Chancellor of the Duchy of Lancaster being responsible for the National Cyber Security Strategy and the National Cyber Security Programme. It makes for an unnecessarily complicated wiring diagram of responsibilities; this should be kept under review by the National Security Council (NSC).
19. What is clear about the Government's response is that it has now begun to take a more assertive approach. Cyber attribution is the process of identifying and then laying blame on the perpetrator of a cyber attack. The UK has historically been reticent in attributing cyber attacks – as recently as 2010, this Committee was asked to redact mention of Russia as a perpetrator of cyber attacks, on diplomatic grounds.[2]
20. This new approach was indicated first by the response to the November 2017 WannaCry attack (with a statement by Foreign Office Minister Lord Ahmad condemning the attack) and the subsequent response to the February 2018 NotPetya attack, then more recently when the Foreign Secretary took the step, on 3 October 2018, of announcing publicly that the UK and its allies had identified a campaign by the GRU of indiscriminate and reckless cyber attacks targeting public institutions, businesses, media and sport[3] – including attribution of the attempted hacking of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Hague.[4] This must be the right approach; there has to now be a cost attached to such activity. When attacks can be traced back – and we accept
6
- ↑ Oral evidence – NSS, *** February 2019.
- ↑ The Committee did not accept this request, and published the information.
- ↑ NCSC, Reckless campaign of cyber attacks by Russian military intelligence service exposed, 3 October 2018, (www.ncsc gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed).
- ↑ A joint statement was made by the Prime Minister, the Rt Hon. Theresa May MP, and the Prime Minister of the Netherlands, Mr Mark Rutte, on 4 October 2018.
