The NCSC has today announced a new cyber incident prioritisation framework. The framework will be used by all law enforcement agencies in the UK.
With six detailed categories, it is a significant expansion of the existing three-level framework. The expectation is that it will allow cyber security resources to be focused more effectively on dealing with attacks.
Paul Chichester, the NCSC’s Director of Operations, said: “This new joint approach, developed in partnership with UK law enforcement, will strengthen the UK’s ability to respond to the significant, growing and diverse cyber threats we face.
“The new system will offer an improved framework for dealing with incidents, especially as GDPR and the NIS Directive come into force shortly. Individual judgements will of course still be applied to respond to incidents as necessary.”
What is the new cyber incident framework?
There are six levels in the new cyber incident framework. These are set out in detail at the bottom of the press release. They are:
- Category 1 – National cyber emergency
- Category 2 – Highly significant incident
- Category 3 – Significant incident
- Category 4 – Substantial incident
- Category 5 – Moderate incident
- Category 6 – Localised incident
What is interesting is who responds and what resources are deployed. In the case of the top category, the NCSC will be fully engaged. It will take control, coordinate with other government agencies and send staff to site. While the framework talks about the involvement of law enforcement, this is likely to happen only after the site is secured and the incident contained.
Categories two and three will see the NCSC lead the response. However, only category two is likely to see NCSC staff on site to gather intelligence and manage the response. For category three the NCSC will work remotely unless there is a specific requirement for it to attend.
Categories four and below are likely to see local police forces take control of the response and of any on-site presence. The NCSC may still provide some assistance, but the level of that assistance will tail off as incidents are declared less serious.
Who will determine the severity of the incident?
In the case of the top two categories, the decision about severity will almost certainly be led by the NCSC. Below that it gets less clear. For example, category three covers serious attacks on local government and attacks that pose a risk to central government. It is reasonable to expect the NCSC to step in immediately in such cases, and even to be the body that first identifies the incident.
However, category three also covers serious attacks on a large organisation. Will this mean an FTSE 100 company, or does it extend to the wider FTSE 250? What about large private organisations that are not listed on the stock market? Will it include large organisations that have significant offices in the UK but are not UK companies? On top of this there is the question of who reports the incident and how it is escalated to the NCSC. None of this is clearly defined in the release and we have emailed the NCSC asking if there is a more detailed document that businesses should download and read.
For the lower four levels it is likely that the first point of contact for an affected entity will be its local police force. With the Home Secretary having only just announced funding to train and equip cyber teams in local police forces, making the right determination of an incident's level will be tricky, to say the least. There is a need for much more clarity here. The most important thing is to provide a clear understanding of the lines of control and reporting.
There is another case to be considered. The NCSC recently highlighted risks to the CNI supply chain, and there are a lot of SMEs in that supply chain. If they come under attack, do they get a free pass into the upper incident levels, or do they have to wait for someone else to recognise the additional risk? This matters: an attack at this level could go under the radar even though it has the potential for a far wider impact than on a single firm.
Why does this matter?
There is always going to be a finite amount of resources that can be deployed to deal with an incident. The civil service is no longer the empire-building organisation it once was. Expanding from three to six categories makes sense when you have limited resources, because it allows them to be allocated more precisely.
The announcement that GCHQ is to open an office in Manchester also complements this framework. It will mean that there are highly skilled teams in the region without having to rely on support from London or Cheltenham. This should speed up response times for the more serious incidents and provide much needed support for local police forces.
What is missing is evidence of an effective local force response capability. Most local forces struggle to understand cyber incidents, hence the announcement from the Home Secretary yesterday. It will take time to train those local police force units and get them up to speed. Until then, a stop-gap measure needs to be put in place.
How companies report cyber incidents and how they escalate them needs to be addressed. It is likely that the NCSC will soon deliver a document detailing this.
Overall this is a reasonable breakdown of incidents when viewed from a national level. It will be interesting to see how well it works in practice. Only the next year will tell.