The UK’s National Cyber Security Centre (NCSC), a part of GCHQ and the UK’s technical authority for cyber-security, released its 2023 annual review late last year, complete with an on-trend AI-generated cover and illustrations. The review summarises NCSC's key achievements between 1 September 2022 and 31 August 2023 and also looks ahead to future challenges in the context of an ever-changing cyber landscape which will continue to test the UK government’s goal of making the UK “the safest place to live and work online”. Below is a summary of the key elements of the 2023 review.
Ransomware remains a top threat
Notably, ransomware remains one of the most acute cyber threats and the NCSC encourages all UK organisations to take proactive action to protect themselves from this pervasive threat. The now commonplace approach of stealing and encrypting data continues to be the primary tactic cyber criminals use to maximise profits. However, data extortion attacks, in which data are stolen but not encrypted, are a growing trend.
The NCSC was made aware of 327 reports that involved the exfiltration/extortion of data (up from the previous year), which is indicative of the value that both cyber criminals and nation state actors place on data.
The NCSC has always advised businesses/individuals not to make ransomware payments. On 2 November 2023, the UK Government announced that it and more than 40 countries had signed a Joint Statement strongly discouraging the payment of ransomware demands and pledging that central government funds should not be used to pay ransoms to cyber criminals. However, the reality is that some businesses, whose entire IT systems and data may have been compromised, do decide to pay out, notwithstanding the potential complex legal, financial, reputational, practical and regulatory risks involved.
Emerging CNI risks
2023 also saw the addition of state‑aligned actors to the ongoing threat from state actors, as a new and emerging cyber threat to the UK’s critical national infrastructure (CNI). Whilst the cyber activity of these groups often focuses on DDoS attacks, website defacements and/or the spread of misinformation, some have expressed a desire to achieve a more disruptive and destructive impact against western CNI. Consequently, CNI resilience remains a key focus for NCSC.
Other key threats
Other threats identified include:
- Bad actors seeking to exploit AI technology to enhance existing tradecraft. In the short term, AI technology is more likely to amplify existing cyber threats than create wholly new ones, but it will almost certainly sharply increase the speed and scale of some attacks.
- The next UK general election will be the first to take place against the backdrop of significant advances in AI, which will enable and enhance existing dis/misinformation and cyber challenges. With the US and the EU also going to the polls this year, this is likely to be a topic that is at the forefront of policymakers’ minds globally.
- Commercial proliferation of cyber tools and services will be transformational to the cyber threat landscape – such tools/services lower the barrier to entry to both state and non-state actors, enabling them to access cost-effective capability and intelligence they would not otherwise be able to acquire, which creates further opportunity for misuse.
- Cyber-enabled fraud - fraud continues to be one of the most significant threats facing UK businesses and citizens. In 2021 more than 80% of all reported UK fraud was cyber-enabled.
Security by design
In its technology focus section, the NCSC emphasised the importance of ensuring that critical technologies, including AI, quantum computing, semiconductors and future telecoms, are ‘secure by design’ and cyber resilient.
Incident Management (IM)
There was an increase in cyber-attacks reported to the NCSC but the volumes reaching the national significance threshold remained stable. However, there were more incidents at the top end of the scale, reflecting more high-level and damaging incidents against the UK. NCSC received 2005 reports (an increase of almost 64% from 2022); 371 incidents were deemed serious enough to be handled by the IM team; 62 incidents were nationally significant and 4 were among the most severe incidents the NCSC has yet had to manage (due to the sustained disruption caused and the victims’ links to critical infrastructure via supply chains).
The highest proportion of incidents handled by the NCSC resulted from the exploitation of applications (where a bad actor exploits a vulnerability in a public-facing application to gain unauthorised access to a target network). Incidents resulting from these vulnerabilities have the potential to be the most widespread (e.g. the NCSC was required to deal with 13 separate nationally significant incidents involving the exploitation of the Citrix vulnerability).
UK NIS Reforms
In a case study that looks at securing the UK’s CNI, NCSC supports the UK Government’s plans to strengthen the UK NIS regulatory framework by expanding the NIS Regulations to apply to the providers of “digital managed services” (bringing the provision of many managed services in-scope). This work is part of the government’s £2.6 billion National Cyber Strategy to protect and promote the UK online. See here for more information on these UK and similar EU reforms. The Review also highlights a new initiative to analyse data on the cyber resilience of UK CNI, to better understand how the NCSC can help ensure its resilience in the future in the context of new threats.
Multi-disciplinary approach required to cyber resilience
Finally, the 2023 Review accentuates the need for a “whole-of-society approach” to cybersecurity, where government departments, wider sector partners, businesses and industry work together in partnership to make the UK more resilient on a national level, as cyber-threats have the potential to harm and disrupt the most fundamental elements of our daily lives, from our water supply to our ability to access food and energy. Watch this space for further cyber-security related updates.