The UK’s National Cyber Security Centre (NCSC) has begun scanning all Internet-exposed devices hosted in the UK for vulnerabilities. As described on the NCSC Scanning information site:
As part of the NCSC’s mission to make the UK the safest place to live and do business online, we are building a data-driven view of “the vulnerability of the UK”. This directly supports the UK Government Cyber Security Strategy relating to Understanding UK Cyber risk (Objective 1).
This will help us to:
- better understand the vulnerability and security of the UK
- help system owners understand their security posture on a day-to-day basis
- respond to shocks (like a widely exploited zero-day vulnerability)
The NCSC initiative is part of a comprehensive approach to securing external assets, which are often overlooked in vulnerability remediation plans. In January, the NCSC published on GitHub a set of Nmap scripts to help organisations identify vulnerabilities on their own internal networks. With these two tools combined, UK-based organisations have a first level of information, which they then need to feed into a prioritisation process so they can work efficiently and focus their efforts on what matters most.
In its recently released annual review, the NCSC said that ‘in partnership with the government, industry, law enforcement and other agencies it continued to monitor, assess and prioritize multiple threats and risks’. The news that it will be scanning all of the UK’s internet-exposed devices for vulnerabilities follows this objective.
‘You can’t protect what you can’t see’ has become a commonly used idiom in the cybersecurity sector given how complex it can be to obtain a clear picture of where the most valuable data resides in an IT environment and what devices are connecting to the network. We usually talk about this in relation to businesses, but it also applies to the government. If they can gain a better view of what vulnerabilities exist, then the protection they can provide for the country will be strengthened.
I expect the initiative will extend the government’s capabilities to report at a sector level, which will help minimize the impact of vulnerabilities. It will also allow the NCSC to flag security issues to system owners and keep them accountable for rolling out patches in a timely manner. Despite these benefits, I know that some people will be concerned about the privacy aspects of the exercise, so I think the NCSC was right to state that scans are designed to collect the minimum amount of information required to check whether the scanned asset is affected by a vulnerability. If any sensitive or personal data is inadvertently collected, the NCSC says it will take steps to remove the data and prevent it from being captured again in the future.
I welcome this development and hope that it will achieve the same level of success as seen in other countries, such as Norway, that have launched similar programs. If it proves to be popular, then don’t be surprised if the complexity of the initial scans is slowly increased.
Wide-scale internet scanning by organizations is commonplace now thanks to tools like Masscan. I think it is a positive sign that the UK government continues to improve its security posture.