The UK Government’s Active Cyber Defence (ACD) could be taken up by business and charities, as a ‘public good’, the cyber equivalent of street lighting as used by all, according to a new report.
The Cyber Security Research Group and the Policy Institute at King’s College London (KCL) argues for ACD, free at the point of delivery, that should be scaled up nationally and that the UK cyber authorities should ‘deliver on the promise of a genuine public good’. The report also suggests ‘exporting’ ACD to as many countries as possible will, to make it like a cyber ‘neighbourhood watch’. The authors recommend that the UK authorities persist in their ‘interventionist cybersecurity posture’ and in sum praise ACD as ‘a promising addition to UK cyber security’.
For the 40-page report in full visit the KCL website.
The researchers recommend that businesses, charities and other organisations adopt measures included in the ACD, which has until recently only covered the public sector. The technology behind ACD has led to a fall in scam emails from fake government addresses and the removal of thousands of “phishing” sites which pose as government agencies to steal users’ personal information. And yet the report notes an ‘almost complete lack of public debate and discussion’ since ACD was launched in 2016.
On the role of the private sector, the report makes the point that ACD aims to eliminate connections between UK entities and malicious cyber tools sold on the Dark Web, and meanwhile tech companies such as Google, Facebook and Instagram, are doing the same. Cooperative ventures to achieve these joint goals would be worth considering by both government and private sector stakeholders, to their long-term mutual advantage, the report argues.
Dr Tim Stevens, Convenor of the Cyber Security Research Group at King’s, said: “The Active Cyber Defence programme has been a huge success in protecting government agencies – and those who use them – from cyber threats. Our research finds that it could be legally, cheaply and efficiently rolled out beyond the public sector, to further protect people online. Greater transparency around the level of cyber security employed by businesses and other organisations will motivate them to adopt ACD measures that will keep users and their data safe.”
The report concludes that there are no significant technical obstacles to extending ACD tools and techniques beyond the public sector, and says that some firms and trade bodies are already developing systems that use this and similar technology. The authors urge businesses to engage more with government’s National Cyber Security Centre (NCSC) to deploy ACD and better counter cyber crime in the UK. As for future threats, the report notes that email spoofing and website spoofing continue to evolve – and potentially become far more capable of ‘hiding in plain sight’; and criminal gangs and foreign governments will inevitably start using artificial intelligence (AI) and machine learning (ML).
Comment
Jake Moore, cyber security specialist at ESET, said: “Publicly shaming companies with poor cyber security is like setting up a hacker’s black book. This may sound like a good idea to make them improve their cyber security but the reality is that it will possibly do more harm than good. A better way to help those with the poorest security would be to direct them to such programs as Cyber Essentials and even ISO 27001.”
