Govt should name and shame cybersecurity negligence, say academics

Written by Tue 22 Jan 2019

King’s College London academics say naming and shaming will incentivise private sector firms to combat cybercrime

In the UK almost half of businesses and one-fifth of charities were subject to a cybersecurity breach or attack in 2017, and official figures suggest a UK resident is more likely to be a victim of cybercrime or fraud than any other offence.

To combat the growing tide of cybercrime, the public should have access to the cybersecurity strategies of private sector firms, says a new report.

The Cyber Security Research Group and Policy Institute at King’s College London have jointly penned a report arguing that naming and shaming firms with poor cybersecurity will incentivise them to shore up their defences and reduce national cybercrime.

The researchers also recommend that the UK’s Active Cyber Defence (ACD) programme is expanded to encompass businesses, charities, and other organisations beyond the public sector.

The ACD programme has been a key pillar of the National Cyber Security Centre’s (NCSC) work in improving public sector cybersecurity.

“We propose that firms and other stakeholders engage more actively with government through the NCSC in order to develop further how ACD might be deployed throughout UK networks as a means of countering cybercrime in the UK,” the report reads.

ACD is a government-funded programme first deployed in 2016. It is a defensive measure aimed at preventing cyber criminals from exploiting government networks and institutions, by using relatively automated processes that scale efficiently and at speed to tackle commodity attacks — unsophisticated but high-volume malware attacks that hit government networks on a daily basis.

ACD also includes protocol monitoring that improves how internet and telecommunications protocols handle internet traffic, to reduce the impact of distributed denial-of-service (DDoS) attacks.

In its first annual report on the programme, NCSC reported that ‘people in the UK are objectively safer in cyberspace because of the ACD programme.’

Today’s report goes further by arguing that ACD should be extended beyond the public sector.

“Our research indicates that promoting the lessons and elements of the ACD ecosystem beyond the public sector is technically feasible and is already underway. As much of it is automated, it has an inherent scalability that facilitates further deployment while preserving efficacy,” the report concludes.

However, the report argues that if ACD expands, rational explanations for the classifications generated by its machine learning algorithms must be increasingly disclosed to justify courses of action, and its accompanying training data secured and validated to avoid malicious data ‘poisoning’. NCSC is currently working with researchers to address these issues.
