Incident management activities, post quantum crypto and the debut of the new CEO.
This week saw the release of the 2024 NCSC Annual Review, encapsulating the achievements of the agency over the past year, its perspectives on the current threat landscape and future challenges to be overcome.
The 70+ page report is well worth a look and will be useful for future reference. To save you time, here are ten things we learned and took away from reading this year’s report.
1 - First talk by new NCSC CEO Richard Horne
The new NCSC head got the chance to introduce himself on the global stage with his well-publicised talk warning that the severity of the level of attack facing the UK is being ‘underestimated.’ In his address launching the report, and in the foreword of the report, he was clear in his statement that the role of the NCSC “is to make the UK the safest place to live and work online.”
Now though, there is a “contest for cyberspace” between those attacking, and “those of us who are using technology to conduct and improve our lives and prosperity.”
He also pointed to the fragility of critical systems and public services, and said that cybersecurity is both an essential foundation for operations and a driver for growth. Cybersecurity should not just be viewed as a ‘necessary evil’ or compliance function, but as a business investment, a catalyst for innovation and an integral part of how organisations achieve their purpose.
2 - Post Quantum Cryptography
Quantum crypto was back in the headlines this year, and the NCSC addressed the future tech too. It claims its priority “is to ensure that the UK’s migration to PQC is smooth and does not raise wider cyber risks to our central government systems and our CNI.”
The challenge is also on for NCSC to help system and risk owners across all sectors of the UK plan their PQC migrations, and probably explain a lot of the confusion away too.
“We can’t solve all the challenges in migration for every organisation; the scale is far too large,” it said. “So, our focus is on how we raise understanding, set examples of best practice and identify interventions the NCSC can make that have the most scalable impact.”
The more effort that is made to prepare now, the better we will be at this in the future.
3 - Moving to Cyber Resilience
The NCSC is keen not to be seen to be standing still, and said it is “driving a transformational journey” to move from “traditional, anecdotal, incomplete and slow approaches” to cyber resilience.
Instead, it will focus on embracing data-driven methods, where insights inform decisions and enable it to respond more effectively and more efficiently to emerging threats.
4 - Ransomware is Persistent
Never far from the headlines, ransomware was a consistent feature in the annual report, as the NCSC said these attacks “continue to pose the most immediate and disruptive threat to CNI”. This includes some state-linked groups now targeting the industrial control systems that infrastructure relies on.
The NCSC and ICO also co-authored guidance on ransomware payments, which aims to reduce the number of ransomware payments being made. There was also fresh attention paid to the Cyber Essentials scheme - which marked its tenth anniversary this year - with the NCSC saying Cyber Essentials "has been proven to reduce an organisation’s vulnerability to cyber attacks (including ransomware)."
5 - State-Sponsored Attackers
Attackers from state-linked groups and powerful nations got plenty of air time in the review. As well as in-depth analyses of the major players on the cybercrime stage, the NCSC talked of its efforts "to work across government, and in partnership with international allies, industry and academic colleagues, to deter, degrade and detect the cyber threat" posed by the likes of China, Iran, Russia and North Korea.
From a technology perspective, the NCSC said these actors are able to use both AI and cyber operations to create more advanced cyber-attacks.
6 - Proliferation of Intrusion Tools and Services
There is also concern about an “expected increased demand” for commercial cyber tools and services for intrusions in the next five years. “The real-world effect of this will be an expanding range and number of victims to manage, with attacks coming from less-predictable types of threat actor,” the report claimed.
As much as we’ve talked about AI lowering the barrier to entry for less skilled attackers, who could have access to commodity cyber tools that require low skill to weaponise, these attackers could also operate “from countries with scant regard for international norms and regulations.”
7 - Tasking the Incident Management team
The NCSC's Incident Management (IM) team responds to serious cyber incidents impacting UK organisations, and is responsible for triaging incidents, providing support to impacted organisations, and coordinating the NCSC and cross-government response.
This year the IM team received 1,957 reports of cyber-attacks, which included 430 incidents requiring support - an increase on the 371 last year.
Of these incidents, 89 were described as “nationally significant” and 12 were “more severe in nature.” These numbers reflect a three-fold increase on last year’s statistics.
8 - Early Warnings
The IM team also issued 542 bespoke notifications to organisations, informing them of a cyber incident impacting them and providing advice and guidance on how to mitigate it. This was more than double the 258 bespoke notifications issued last year.
In addition, approximately 12,000 alerts about vulnerable services were issued via the automated threat notification service, ‘Early Warning’.
9 - Zero Day Exploits
Known and unknown (zero-day) vulnerabilities continue to pose a cybersecurity risk to organisations. This year the exploitation of two specific zero-days was mentioned, which resulted in six “nationally significant incidents” for the IM team to manage. These were relevant to:
CVE-2023-20198, a critical vulnerability which allows unauthenticated attackers to exploit the web UI feature in Cisco IOS XE Software and gain root access; and CVE-2024-3400, a vulnerability in the GlobalProtect feature of PAN-OS software which allows unauthenticated attackers to execute arbitrary code with root privileges on the firewall.
10 - Securing the Election
The July 4th UK general election saw the NCSC work with the Cabinet Office’s Election Cell and deliver a safe and secure election.
The NCSC said there were no major information operations, or cyber or concurrent incidents that caused a notable impact on the election.
This was enabled by offering dedicated support and services to high-risk individuals and organisations targeted by nation-state actors aiming to disrupt the democratic process. Its Active Cyber Defence services were extended to political parties and electoral management service providers, and individual cyber defence services were made available to all parliamentary candidates.
Post-election, the NCSC worked with parliamentary security and the Cabinet Office to deliver cybersecurity briefs and facilitate the adoption of individual cyber defence services.
Written by
Dan Raywood
Senior Editor
SC Media UK