Bigger than WannaCry: A giant cyber attack will happen unless we rethink security, says GCHQ

The UK should be prepared for an major cyber attack that will dwarf the chaos of the WannaCry ransomware incident, an expert from GCHQ's National Cyber Security Centre has warned.

The NCSC -- the arm of GCHQ responsible for helping to protect the UK from cyber attacks --categorizes cyber attacks using a series of levels. May's WannaCry outbreak which caused chaos particularly for the National Health Service, which saw some of its systems knocked offline for weeks was considered a 'category two' incident.

However, speaking at Symantec's Crystal Ball event in central London, NCSC technical director Ian Levy warned that it's only a matter of time before the UK needs to deal with its first 'category one' cyber attack.

In the year since it started operating, the NCSC has needed to deal with over 500 incidents, mostly attacks against a single target such as the cyber attack against UK parliament, but Levy believes that that a big attack will require coordinated national action to counteract.

"Predictions in cyber security are quite difficult, but I'm going to make one I'm reasonably confident about. Sometime in the next few years we're going to have out first 'category one' cyber incident. Category one is where you need a national response," he said.

And it's possible that the incident won't be the result of some sort of "an unprecedented, sophisticated attack that couldn't possibly be defended against," he said, but rather an error or a shortcut taken by someone who was just trying to do their job which gives attackers a way into an organisation.

"Because it'll be our first ever category one there'll be an independent investigation and what will really come out is that it was entirely preventable. Those two people who did something to subvert the 'awesome technical cyber security thing' were just doing their job. The thing they were being asked to do from a security point of view was basically impossible and they made a mistake," said Levy.

Part of the problem, he argued, is that cyber security professionals are all too willing to blame their users when things go wrong, when really it should be the security software and practices which should be more properly analysed - because you could have the most secure software in the world, but it isn't going to stop anything if people don't use it because they don't understand how it works or it makes their job more difficult.

But if security was made less mysterious, it could go a long way to protecting against a significant cyber attack.

"My concern is unless we start to put some science and some data into cyber security to demystify it, that's really going to happen. I think we could stop it happening," said Levy.

A big step towards that, he argued, is building security systems which people can actually use without wanting to subvert or get around them, boosting overall security.

"What that tells me is the systems we've built aren't built for people. Techies build systems for techies, they don't build systems for people," said Levy.

"We've started saying people are the strongest link; if you can leverage your people better they can be the first and last line of defence for an organisation. Stop blaming the users and make the systems usable," he added.

The NCSC will work closely with law enforcement and the wider public sector, including the National Crime Agency (NCA), to support cyber security awareness campaigns in an effort to protect against attacks.

READ MORE ON CYBER CRIME

• GCHQ tech leader's plan to secure an entire country
• UK Parliament gets hit by hackers [CNET]
• Fines for being hacked: If a breach is down to bad security it could cost you millions
• The internet of botnets and ransomware on your TV: Here come your next big security headaches
• Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse [TechRepublic]