United Kingdom’s national cyber security firm has announced and unveiled a new system to categorize cyber-attack and help law enforcement and intelligence operatives to formalize their response to hacks. As part of the inauguration CYBERUK security conference, National Cyber Security Center, NCSC, launched a new framework yesterday which comprises of 6 levels.
The levels start from a minor individual attack and led all the way up to a huge catastrophic attack on the infrastructure of United Kingdom. Once the attack is identified, the NCSC’s team will use the new framework to not only classify the attack but will also use the appropriate resources and deal with the attack based on its strength.
The NCSC director of operations, Paul Chichester says that, “This new joint approach, developed in partnership with UK law enforcement, will strengthen the UK’s ability to respond to the significant, growing and diverse cyber threats we face. The new system will offer an improved framework for dealing with incidents, especially as GDPR and the NIS Directive come into force shortly.”
The categories of the attack range from one to six and are based upon the impact and the strength.
During an attack such as level 6, NCSC will lead the response directly and will not only provide on-site support but will also provide remote analysis of the attack, The highest level of attack is level 1 and is a “National cyber emergency”- this type of attack will disrupt infrastructures such as the power grid, hospitals, utilities and according to NCSC head Ciaran Martin- UK will face such an attack sooner or later.
Ciaran Martin claims that the consequences of a category one attack will include “severe economic or social consequences or to loss of life.”
The framework made by the NCSC is as follows:
- Category 1
National cyber emergency
Defined as: A cyber-attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.
Who Responds? : Immediate, rapid and coordinated cross-government response. Strategic leadership from Ministers / Cabinet Office (COBR), tactical cross-government coordination by NCSC, working closely with Law Enforcement
What Do They Do: Coordinated on-site presence for evidence gathering, forensic acquisition and support. Collocation of NCSC, Law Enforcement, Lead Government Departments and others where possible for enhanced response.
- Category 2
Highly significant incident
Defined as: A cyber-attack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.
Who Responds? : Response typically led by NCSC (escalated to COBR if necessary), working closely with Law Enforcement (typically NCA) as required. Cross-government response coordinated by NCSC.
What Do They Do: NCSC will often provide on-site response, investigation and analysis, aligned with Law Enforcement criminal investigation activities.
- Category 3
Significant incident
Defines as: A cyber-attack which has a serious impact on a large organization or on wider / local government, or which poses a considerable risk to central government or UK essential services.
Who Responds? : Response typically led by NCSC, working with Law Enforcement (typically NCA) as required.
What Do They Do: NCSC will provide remote support and analysis, standard guidance; on-site NCSC or NCA support may be provided.
- Category 4
Substantial incident
Defines as: A cyber-attack which has a serious impact on a medium-sized organization, or which poses a considerable risk to a large organization or wider / local government.
Who Responds? :Response led either by NCSC or by Law Enforcement (NCA or ROCU), dependent on the incident.
What Do They Do: NCSC or Law Enforcement will provide remote support and standard guidance, or on-site support by exception.
- Category 5
Moderate incident
Defined as: A cyber-attack on a small organization, or which poses a considerable risk to a medium-sized organization, or preliminary indications of cyber activity against a large organization or the government.
Who Responds? : Response led by Law Enforcement (likely ROCU or local Police Force), with NCA input as required.
What Do They Do: Law Enforcement will provide remote support and standard guidance, with on-site response by exception.
- Category 6
Localized incident
Defines as: A cyber-attack on an individual, or preliminary indications of cyber activity against a small or medium-sized organization
Who Responds? : Automated Protect advice or local response led by Law Enforcement (likely local Police Force).
What Do They Do:Remote support and provision of standard advice. On-site response by exception.
The top law enforcements have welcomed this announcement and National Police Chief’s constable Peter Goodman, who is a part of a council that leads cyber-crime claims that, “”This is a hugely important step forward in joint working between law enforcement and the intelligence agencies.”
He further added saying, “Sharing a common lexicon enables a collaborative understanding of risk and severity that will ensure that we provide an effective, joined-up response. This is good news for the safety of our communities, business and individuals.”
This framework will go into effect immediately.
Source: The Register