News reaction: UK NCSC’s Annual Review 2023 – key themes and takeaways

Key themes, takeaways and a mention for NCC Group’s Adelard team’s contribution to NCSC’s new approach to technology assurance

The UK’s National Cyber Security Centre (NCSC) has this week released its annual review for 2023, summarising the organisation’s achievements over the last year, and looking ahead to future priorities and challenges to ensuring the UK is the safest place to live and work online. Here, CTO, Siân John shares her thoughts on the release.

Improving the UK’s cyber resilience, ensuring the UK retains its edge and committing to be the strongest organisation it can be, are confirmed as the three key priorities for the NCSC in the coming year according to CEO Lindy Cameron.

As well as outlining the key focuses for the future the review also highlights the key threats and risks that the UK has faced over the last 12 months, and that will continue to challenge in the new year, including, amongst others:

• Critical national infrastructure (CNI) continuing to face an 'enduring and significant’ threat, in part due to a rise of state-aligned groups and an increase in aggressive cyber activity.
• Adversaries seeking to exploit AI technology to enhance existing tradecraft. In the short term, AI technology is more likely to amplify existing cyber threats than create wholly new ones, but it will almost certainly sharply increase the speed and scale of some attacks.
• The next UK general election – due to take place before January 2025 - will be the first to take place against the backdrop of significant advances in artificial intelligence, which will enable and enhance existing dis/misinformation and cyber challenges. With the US and the EU also going to the polls next year, this is likely to be a topic that is front and centre of policymakers’ minds globally.
• Ransomware remains one of the most acute cyber threats facing the UK. The now-normal approach of stealing and encrypting data continues to be the primary tactic cyber criminals use to maximise profits. However, data extortion attacks, in which data is stolen but not encrypted are a growing trend in the threat landscape.
• Commercial proliferation of cyber tools and services will almost certainly be transformational to the cyber threat landscape.

In its focus on technology, the review considers those critical technologies that must be ‘secure by design’ and cyber resilient, including not only AI, but also quantum, semiconductors, and future telecoms. Critical to this will be assurance and as such – as the Review highlights – NCSC, in collaboration with NCC Group’s Adelard team, has formalised the method that underpins its new approach to technology assurance: Principles Based Assurance (PBA).

In a case study that looks at securing the UK’s critical national infrastructure, NCSC backs the UK Government’s plans to strengthen the NIS regulatory framework and highlights a new initiative to analyse data on the cyber resilience of UK CNI, to better understand how we can help ensure its resilience. Having advocated for an enhanced evidence base and the expansion of the Cyber Assessment Framework in our recent evidence to the UK Parliament, NCC Group welcomes these moves.

The highlights from this year’s review demonstrate how NCSC is driving a “whole of society” approach, recognising that “the “team” extends well beyond government when it comes to achieving cyber security success” and embracing a true public-private partnership to “get things done” in support of national cyber resilience.

This includes many initiatives that NCC Group is proud to have supported over the years, including Active Cyber Defence which aims to address enduring cyber security challenges, the world-leading secondment initiative Industry100, the UK Government’s Vulnerability Reporting Service, and NCSC’s flagship annual event CYBERUK