The UK is likely to be hit by a “category one” (C1) cyber-attack in the next couple of years, crippling key parts of its critical infrastructure, according to the National Cyber Security Centre (NCSC).
NCSC boss Ciaran Martin claimed the UK has been fortunate to escape the kind of attacks seen in the US and France in recent years, but warned that it was a case of “when, not if.”
Interference in the US presidential elections and the cyber-attack that took out French TV network TV5Monde — both attributed to Russia — were C1 attacks.
“I think it is a matter of when, not if and we will be fortunate to come to the end of the decade without having to trigger a category one attack,” Martin told the Guardian.
“Some attacks will get through. What you need to do is cauterize the damage.”
In October, the NCSC claimed it tackled 1131 incident reports in its first year of operation, with 590 classed as “significant.”
A month later, both Martin and Prime Minister Theresa May warned about increasing Russian attempts to target UK media, telecoms and energy sectors as part of its bid to “undermine the international system.”
Much of the Kremlin’s work so far has been on reconnaissance, scouting for vulnerabilities which could be exploited at a later date, according to Martin.
This is in contrast to the more reckless activities of other nations like North Korea, which is increasingly focused on generating revenue through attacks on banks and spreading ransomware, he said.
Venafi chief cybersecurity strategist, Kevin Bocek, agreed with Martin’s assessment, claiming “escalation of hostilities … is one of the most basic rules of human history.”
“Much of the reason the UK is so vulnerable is that many organizations — both in the public and private sectors — are simply bad at doing the basics right,” he added. “With security teams being pulled from pillar to post by constant attacks, they don’t have the time to take care of a number of key precautions. It’s precisely these oversights which can let attackers in.”
Steve Malone, director of security product management at Mimecast, claimed the new NIS Directive could help CNI firms lead the way on cybersecurity.
“This EU-wide legislation needs to be harnessed quickly to foster a new culture of security for citizens,” he added.
“The defense of democracy requires ongoing scrutiny. We should be concerned that many of the UK political parties appear to be trusting their email security to Microsoft Office 365, essentially a homogeneous security environment. Security best practice on-premises dictated multiple layers of protection, and this remains when moving email to cloud.”