The National Cyber Security Centre has helped to fix “just short of 4,000” security vulnerabilities in local government over the last two years through its free Web Check scanning service, its chief executive Ciaran Martin has said.
Martin told the House of Commons’ Public Accounts Committee that the service is used by all local authorities in England and virtually all across the UK, as well as most NHS bodies. “Local authorities and NHS bodies, by and large, cannot afford the commercial technology to scan for those sorts of vulnerabilities, so we built a free service,” he told the committee on 1 April 2019.
Web Check is used by some 2,700 public sector website operators to look for common security issues. NCSC has been seeking partners which might take over the operation of part or all of the service and potentially open its use to groups such as small businesses.
Martin told the committee that more than 1.3 million public sector workers have automatic blocking technology on their devices designed by NCSC, which checks 4 billion internet queries every week and blocks more than one million. The centre is in discussions with the Internet Services Providers Association about making this the default option for all users, and some internet providers already make it freely available to small businesses and charities.
He provided more detail on its work with HMRC, which pioneered the blocking of spoof emails that appeared to come from its domain. The work blocked half a billion spoof emails supposedly from HMRC in its first full year, Martin said, and has led to the tax agency falling from the 16th most-spoofed brand in the world to 146th as of February this year. NCSC is testing its use with commercial providers.
Martin said that the centre, part of intelligence agency GCHQ, received around 40% to 55% of the annual funding for the National Cyber Security Programme, which has a budget of £1.3 billion for 2016-21. The centre spent around £65 million in the first year of the programme and plans to spend around £170 million next year, he said.
In its first two years, £69 million of the programme’s funding was diverted to Verify, the citizen authentication programme, and Foxhound, which provides ministers and senior policy makers with secret desktops and mobile devices. In a report based on this evidence published on 5 June, the committee criticised the fact that the Cabinet Office had not developed a business case for the programme or assessed the size of its budget, making it hard to see if it is providing value for money. The committee has told the Cabinet Office to report on its progress in using evidence to prioritise its cyber-security work by November, as well as outline how it intends to help protect people using private sector online services.
“We welcome the National Cyber Security Strategy but are concerned that the programme designed to deliver it is insufficient. As it currently stands, the strategy is not supported by the robust evidence the department [Cabinet Office] needs to make informed decisions and accurately measure progress,” said committee chair Meg Hillier MP.