Prepare for a ‘Category One’ cyber-attack, warns NCSC


Britain should be readying itself for more damaging and large-scale security attacks than ever before, a senior security expert has warned.

Speaking at the Symantec Crystal Ball event in London today, National Cyber Security Centre (NCSC) technical director Ian Levy warned that a ‘Category One’ cyber-attack should be expected to hit soon.

Noting that the recent WannaCry attack was only a Category Two attack by NCSC standards, Levy said that a Category One attack would strike without warning, and require a government-level response. 

"Sometime in the next few years, we're going to have our first Category One cyber incident - one where you need a national response,” he said.

"The first thing that will happen is that it will come out that this is an unprecedented, sophisticated attack that couldn't possibly be defended against.”

The attack will probably be caused by “one or two” people at an organisation doing something small that subverts the existing cybersecurity protection, leaving the company open to attack.

"And once that had happened,” Levy says, “there was no way that the organisation could have protected itself, and they will be really, really sorry that this sort of thing will have happened."

"What will really come out is that (the attack) would have been entirely preventable...and that the things people were asked to do from a security perspective made (prevention) basically impossible."

Levy urged greater cooperation between businesses and their employees in order to negate the threats posed by cyber-attacks, noting that, contrary to popular opinion, people may not actually be the weakest link when it comes to security.

“Cyber security professionals have spent the last 25 years saying people are the weakest link - it's stupid!” he said, “They cannot possibly be the weakest link - they are people that do jobs, the people that create the value at these organisations.” 

“What that tells me is that the systems we've built, as technical systems, are not built for people. Techies build systems for techies - they don't built technical systems for normal people! We've started saying that people are the strongest link - and if you leverage people better, they can be the first and last line of defence for your organisation."

“Stop blaming the users - and start making the systems useful.”

Looking forward, Levy believes that it might not take a Category One attack to shake up wider beliefs when it comes to cybersecurity.

“What I hope we've shown over the last year is that relatively simple, small-scale interventions can have a disproportionately large effect,” he noted.

"As we start to scale these effects outside of government, I'm hoping that will start to extend the protection barrier around the UK. In the end, the majority of cyber attacks are about return on investment, or gain some kind of benefit - all you have to do is make it harder.”

*My concern is that unless we start to put some science, some data, behind cybersecurity, and start to demystify it - that's really going to happen. We could stop it happening, but...the militaristic analogies people put around it make people think they can't defend themselves, and that's actually really dangerous."