28 February 2018

Evaluating the U.K.'s ‘Active Cyber Defence’ Program

By Stuart Russell, Nadiya Kostyuk

In November 2016, the U.K. government launched its Active Cyber Defence (ACD) program with the intention of tackling “in a relatively automated [and transparent] way, a significant proportion of the cyber attacks that hit the U.K.” True to their word, a little over a year on, last week the U.K.’s National Cyber Security Centre (NCSC) published a full and frank account (over 60 pages long) of their progress to date. The report itself is full of technical implementation details. But it’s useful to cut through the specifics to explain exactly what ACD is and highlight its successes—how the program could benefit the United States as well.

There are three defining features of the ACD program: government-centered action, intervention, and transparency.

First, in a break from tradition, the U.K. government is testing its own security guidance to protect its networks from harm and from hackers using the government brand to cause harm to others. Rather than addressing the growing scale of cybercrime through issuing guidance, regulating industry, and criticizing users for poor cybersecurity practices, government is taking on a more active role. In the words of Ian Levy, the Technical Director for the NCSC, the U.K. is “eating our own dog food to prove the efficacy (or otherwise) of the measures we’re asking for, and to prove they scale sensibly before asking anyone else to implement anything.”

The second feature is an interventionist approach, which aims to fix systemic security failures at scale to benefit everyone. The NCSC is attempting to address the majority of cyber-attacks before they even reach users. Going beyond government networks, the NCSC provides “protection at the national scale for a good proportion of the commodity attacks.” Using automation in this way has the added benefit of freeing up the time of skilled network defenders to deal with more sophisticated attacks, for which automated protection is not yet easily implemented.

Finally, the NCSC’s focus on transparency extends not just to reporting progress, as the year-on report aims to do, but also to implementation. The NCSC aims to make most ACD initiatives publically available for people to see, tweak, or even adopt wholesale. Furthermore, wrapped into the concept of transparency is a scientific approach to cybersecurity. As a hidden danger from a silent attacker, the cyber threat often sparks fear—which can drive responses based more on anxiety than data-driven assessments of the threat. By being transparent about what’s happening in cyberspace, the NCSC aims to base its interventions on evidence, measure the effects and then adapt and improve as necessary.

What are the successes?

The review describes the success of NCSC’s interventions to date, providing statistics and evidence as a measure of the positive effect on U.K. cybersecurity. To demonstrate the impact of the NCSC interventions so far, we provide three illustrative examples of its work listed in the report.

Many cyber-attacks exploit the trust that exists between the government and its citizens. One approach is email spoofing, in which the cybercriminal send emails that appear to come from U.K. government systems. These illegitimate messages can trick victims into revealing sensitive personal information or downloading malware that enables the attacker to gain control of their computers. By implementing a technique called Domain-Based Message Authentication, Reporting and Conformance (DMARC), the NCSC set out to make it harder for the cybercriminals to exploit people in this way. Through DMARC, the NCSC was able to describe what a legitimate email from a government domain should look like—for example what IP addresses it could come from or what cryptographic key it will be signed with, and what email servers should do with emails that fail these basic checks.

By the end of 2017, the U.K. government had applied DMARC to 10 percent of its domains in regular use. Despite this modest implementation, the program is already making a difference. In June 2017 alone, the program blocked 30.3 million spoofed emails claiming to come from the U.K. government. On average, 4.5 million messages a month have been identified as illegitimate and thwarted before they reached their victim. When DMARC has been fully implemented, the public will be able to trust that an email reporting to be from a U.K. government department will truly be from that department.

Cybercriminals can also exploit trust by harvesting information or infecting computers through harmful websites that appear authentic. By identifying these sites and requesting the hosting providers remove the malicious content through a takedown service, the NCSC has successfully removed 18,067 sites globally that pretended to represent the U.K. government. Moreover, the intervention has gone further than that: By targeting any malicious site in the U.K., irrespective of whether it impersonates the government, the NCSC has successfully requested the removal of 121,479 sites that were physically located in the U.K. As a result of this cooperative intervention, the median time-before-takedown of these malicious sites in the U.K. dropped from 26 hours to three hours. The security benefit is simple: If the malicious sites are not online, they are not a threat.

The NCSC has worked to provide additional protection to government through the Domain Name System (DNS). Acting much like a telephone book for the internet, DNS translates human readable addresses, such as lawfareblog.com, into IP addresses readable by a computer, such as 104.25.3.33. Working with a commercial partner, the NCSC has established a Public Sector DNS, through which it can block access to sites known to host malicious content. Though still in its infancy and with a limited number of departments participating, the service has blocked millions of requests to over 134,825 unique malicious sites.

After only one year, the ACD program is already making a difference to cyberspace in the United Kingdom. It is improving trust in government emails, reducing threat from U.K.-hosted malicious sites, and blocking malicious content, all while building a program of work to mitigate future threats. But since commodity attacks do not respect national borders, other nations should consider following the NCSC lead and implement similar approaches.

Potential benefits for the U.S.?

The ACD program is only one part of a broader strategy and should not be seen as a panacea for cybersecurity. Whilst the first year review represents an impressive contribution to U.K. cybersecurity, it is worth adding a few notes of caution. There is much still to do and there will be inevitable failures to deal with along the way. The successes will also present challenges: As the number of initiatives grow, so too will the overheads needed to deliver the ACD program. Growing costs can stifle even the most productive programs.

To a large extent, the success of the ACD program should be measured not by how its first year has gone, but by how it transitions early success to sustained improvements in cybersecurity for the U.K. But you have to start with year one—and it’s clear that this government-centered, interventionist action is starting to make a tangible difference to U.K. cybersecurity. A similar approach would have several benefits for the United States.

First and foremost, the ACD program now has proven ability to better protect both the government and the general public from cybersecurity threats. The standard approach of simply telling people how best to protect themselves has not worked over the last twenty years. Since the nature and landscape of threats are changing quickly, successful approaches of how to deal with them are hard to find. The ACD program has brought some fruitful results, and the U.S. could deliver swift results by adopting something similar.

Second, the program can improve the government’s credibility and its relationships with the cybersecurity and technology sectors. By implementing solutions first within the government itself, as the U.K. did, the U.S. government could ensure its interventions are well grounded in reality and demonstrates its competence in cybersecurity. This credibility is vital for building relationships with the private sector, without whom national impact is virtually impossible.

Finally, the transparency integral to the ACD initiatives can help build trust with the public. Government involvement in cyberspace, which raises the specter of censorship and surveillance, is always met with public resistance. But successful government intervention can legitimize itself and build trust both by reducing the risk of cyber attack, and by acting transparently.

No comments: