GCHQ tech leader's plan to secure an entire country

The UK's cyber defenders plan to make the country's government networks vastly more secure by strong, national enforcement of network protocols.
Written by Stilgherrian, Contributor

"This is weird, OK? This is not something you'll normally see at a cybersecurity conference. This is called data, and evidence," said Dr Ian Levy, technical director for cyber security and resilience at the UK's Government Communications Headquarters (GCHQ), and now technical director of the UK's new National Cyber Security Centre (NCSC).

Levy is responsible for implementing the technical aspects of the UK's 2016-2021 National Cyber Security Strategy, which is expected to be released within weeks.

The evidence in question demonstrates the effectiveness of DMARC, the Domain-based Message Authentication, Reporting and Conformance protocol, designed to help eliminate spam and other email spoofing attacks.

DMARC is one of the strategies that Levy is using to harden .gov.uk domains and networks against cyber attack.

As an initial test, Levy implemented DMARC for the top-level .gov.uk domain. Any email claiming to be from an address @gov.uk but originating from outside government networks was then redirected to Levy's own account.

In the first 24 hours, he received around 58,000 emails, nearly all of them claiming to be from taxrefund@gov.uk. About the same number were received on the second day. On the third day, though, the number dropped to just four. After one more bulk attempt on the fourth day, the scammer was never seen again, presumably because he or she could see it wasn't working anymore.
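To make the test above concrete, here is an added example (not code from the article, GCHQ or the NCSC) of how a receiving mail server reads a DMARC record and applies it to one message: a spoofed "taxrefund@gov.uk" sent from outside fails SPF and DKIM alignment, so a monitoring-only record (p=none) reports it and an enforcing record (p=reject) rejects it. The public-suffix subset, the records and the message facts are constructed; a full implementation follows RFC 7489 and uses the complete Public Suffix List.

```python
"""Added example (not from the article or GCHQ): how a DMARC record is read
and applied to one message. The public-suffix subset, the records and the
message facts below are constructed; a real implementation follows RFC 7489
and uses the full Public Suffix List."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed subset of the Public Suffix List. gov.uk really is a public
# suffix, which is why hmrc.gov.uk and gov.uk count as different organisations.
PUBLIC_SUFFIXES = {"uk", "gov.uk", "co.uk", "com"}


def org_domain(domain: str) -> str:
    """Organisational domain: one label above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


@dataclass
class DmarcPolicy:
    p: str                      # policy for the domain itself
    sp: Optional[str] = None    # policy for subdomains, defaults to p
    adkim: str = "r"            # DKIM alignment: r(elaxed) or s(trict)
    aspf: str = "r"             # SPF alignment: r(elaxed) or s(trict)
    rua: List[str] = field(default_factory=list)  # aggregate report addresses


def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse the tag=value list published as a TXT record at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= tag missing or invalid")
    return DmarcPolicy(
        p=tags["p"], sp=tags.get("sp"),
        adkim=tags.get("adkim", "r"), aspf=tags.get("aspf", "r"),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """An authenticated domain only counts if it aligns with the From: domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, from_domain: str,
             spf_pass_domain: Optional[str] = None,
             dkim_pass_domain: Optional[str] = None) -> dict:
    """DMARC result for one message.

    spf_pass_domain: MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domain: d= of a DKIM signature that verified, else None.
    (pct= sampling and ruf= failure reports are omitted for brevity.)
    """
    policy = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, policy.aspf)
    dkim_ok = aligned(dkim_pass_domain, from_domain, policy.adkim)
    passed = spf_ok or dkim_ok
    # sp= applies when the From: domain sits below the organisational domain.
    is_subdomain = org_domain(from_domain) != from_domain.lower().rstrip(".")
    applied = policy.sp if (is_subdomain and policy.sp) else policy.p
    return {"pass": passed, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else applied,
            "report_to": policy.rua}


# Constructed records: a monitoring-only record, as in a first rollout step,
# then an enforcing one.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov.uk"
ENFORCE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                  "rua=mailto:dmarc-reports@example.gov.uk")

if __name__ == "__main__":
    # A spoofed "taxrefund@gov.uk" from outside: no SPF pass, no DKIM.
    print(evaluate(MONITOR_RECORD, "gov.uk"))   # fails, disposition none, reported
    print(evaluate(ENFORCE_RECORD, "gov.uk"))   # fails, disposition reject
    # Legitimate mail whose MAIL FROM domain is gov.uk and whose SPF check passed.
    print(evaluate(ENFORCE_RECORD, "gov.uk", spf_pass_domain="gov.uk"))
```

The monitoring record is the state in which a domain owner first sees who is sending in its name (the aggregate reports go to the rua= address); moving to p=reject is what stops the spoofed mail being delivered. Note that because gov.uk is itself a public suffix, mail authenticated as a subdomain such as hmrc.gov.uk does not align with a From: of gov.uk even in relaxed mode, which is why each sub-domain needs its own record.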

The message to the national conference of the Australian Information Security Association (AISA) in Sydney on Wednesday was blunt.

"If anybody in this room, as a cybersecurity professional, has an email domain and doesn't have DMARC, you should be ashamed of yourselves," Levy said.

"Is that too harsh? Sorry."

Levy plans to roll out DMARC to all 5,738 sub-domains under .gov.uk, which includes local authorities as well as national government agencies.

Levy has also set up processes to quickly remove known phishing sites from the UK's domain name system (DNS).

The median uptime of phishing sites physically hosted in the UK has been reduced from 28 hours, to two hours. The median uptime of sites hosting web-injection malware has been reduced from 500 hours, to 27 hours. And the median uptime of sites anywhere in the world trying to use UK government brands to do phishing has been reduced from 49 hours, to five hours.

"And that's just the start. We haven't really started yet," Levy said.

"What I'm showing you is that we can have an effect. All of the things that we assume are axiomatic because we have the internet -- like DDoS [distributed denial of service], like phishing, like malware -- we can affect," he said.

"I'm in the process of building a single anycast DNS system for all of the UK public sector, and I'm going to force everyone to use it. All public sector will use my DNS. That gives me two things. It gives me a single point to filter the **** out of it. That's a technical term, sorry...

"The other thing it tells me is how pwned we are, because I get all the recursive [DNS] resolutions. So I know this department had 400 requests for this malware domain. We should probably go do something about that."
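The kind of analysis Levy describes, with every recursive resolution visible in one place, comes down to matching query logs against a list of known-bad domains and attributing the hits to the client networks that made them. The following is an added example, not code from the NCSC or the article: the log format, the department address ranges and the blocklist are all constructed.

```python
"""Added example (not from the article or the NCSC): turning recursive
resolver query logs into per-department counts of lookups for known-bad
domains. The log format, address ranges and blocklist are all constructed."""
import ipaddress
from collections import Counter
from typing import Dict, Iterator, Optional, Tuple

# Constructed mapping of client address ranges to the departments that own them.
DEPARTMENT_RANGES = {
    "Dept-A": ipaddress.ip_network("10.20.0.0/16"),
    "Dept-B": ipaddress.ip_network("10.30.0.0/16"),
    "Council-X": ipaddress.ip_network("192.0.2.0/24"),
}

# Constructed blocklist; a match on a name also covers every name below it.
BLOCKLIST = {"c2.malware-example.test", "bad-updates.invalid"}

# Constructed log lines: timestamp, client address, query type, query name.
SAMPLE_LOG = """\
2016-10-19T09:12:03Z 10.20.4.17 A c2.malware-example.test
2016-10-19T09:12:04Z 10.20.4.17 A www.gov.uk
2016-10-19T09:12:09Z 10.20.9.200 A beacon.c2.malware-example.test
2016-10-19T09:13:00Z 10.30.1.5 AAAA bad-updates.invalid
2016-10-19T09:13:30Z 192.0.2.40 A www.example.org
2016-10-19T09:14:02Z 10.20.4.17 A C2.Malware-Example.test.
this line is malformed and must be skipped
2016-10-19T09:15:11Z 198.51.100.9 A bad-updates.invalid
"""


def blocked_entry(qname: str) -> Optional[str]:
    """Return the blocklist entry covering qname (exact or a parent), else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


def department_for(client: str) -> str:
    """Map a client address to its department, or 'unknown' if unassigned."""
    addr = ipaddress.ip_address(client)
    for dept, net in DEPARTMENT_RANGES.items():
        if addr in net:
            return dept
    return "unknown"


def parse_log(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, client, qtype, qname); skip lines that do not parse."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        yield fields[0], fields[1], fields[2], fields[3]


def summarize(text: str) -> Dict[str, Counter]:
    """Count blocklist hits per (department, entry) and per department."""
    by_pair: Counter = Counter()
    by_department: Counter = Counter()
    for _ts, client, _qtype, qname in parse_log(text):
        entry = blocked_entry(qname)
        if entry is None:
            continue
        dept = department_for(client)
        by_pair[(dept, entry)] += 1
        by_department[dept] += 1
    return {"by_pair": by_pair, "by_department": by_department}


def report(text: str, threshold: int = 1) -> list:
    """Lines like 'Dept-A: 3 requests for c2.malware-example.test', worst first."""
    pairs = summarize(text)["by_pair"]
    return [f"{dept}: {n} requests for {entry}"
            for (dept, entry), n in pairs.most_common() if n >= threshold]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Two details matter in practice: names are normalised (case and trailing dot) before matching, and a blocklist entry covers its subdomains, so a beacon under a listed command-and-control domain is still attributed. The same blocked_entry check is what a filtering resolver would consult before answering, which is the "single point to filter" the quote refers to.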

Levy's plans also include "fixing" the border gateway protocol (BGP) used for packet routing, so that IP addresses cannot be spoofed and the UK ceases to be a source of layer 3 DDoS attacks; providing guidance on implementing the SS7 protocol that routes cellphone connections through telcos; and making all local authorities route their website traffic through a single cloud-hosted web application firewall (WAF).

The NCSC then plans to ask internet service providers (ISPs) to use the same DNS and routing techniques to protect their customers.

When first announced two months ago, this led to concerns that the UK was implementing the Great British Firewall, along the lines of the Chinese censorship system known as the Great Firewall of China.

However, GCHQ has stressed that ISPs would have to opt in to the scheme, and that end customers could perhaps even opt out of their ISP's filtering.

The NCSC became operational on October 3 this year, nearly two years after the Australian Cyber Security Centre (ACSC) in Canberra, but it has a different mission.

The ACSC includes staff from the Australian Signals Directorate (ASD), but also from the Australian Intelligence and Security Organisation (ASIO), the Australian Federal Police (AFP), and the Australian Criminal Intelligence Commission (ACIC), amongst others.

The NCSC does not include the UK equivalents from security and law enforcement, MI5 and the National Crime Agency (NCA), and it remains part of GCHQ rather than being a separate agency.

"The NCSC brings together and replaces CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI)," the NCSC website explains.

Instead, the NCA will work with GCHQ through a new unit called the Joint Operations Cell (JOC).

The NCSC will also be much bigger than the ACSC, with around 700 staff.
