Ian Levy, technical director of the National Cyber Security Centre (NCSC), has laid out ways in which the agency will improve the nation's cyber security.
Chancellor Philip Hammond yesterday announced the government's £1.9bn National Cyber Security Strategy, which aims to allow the UK to "defend ourselves in cyber space and to strike back when we are attacked", making it plain that the UK will develop offensive as well as defensive capabilities.
Part of this effort will be undertaken by the NCSC, which has previously said that the UK is subject to 200 serious cyber security incidents every month.
Levy said in a blog post that the NCSC, which is part of GCHQ, will approach the problems in its Advanced Cyber Defence (ACD) programme.
"There's a common complaint from industry to governments about cyber security. It's generally that governments tell them they're not doing enough and must do more, often without really understanding the real-world impacts or commercial implications of their demands," he said.
Levy explained that all recommendations by the NCSC will be tested on government agencies first.
"We'll be eating our own dog food to prove the efficacy (or otherwise) of the measures we're asking for, and to prove they scale sensibly before asking anyone else to implement anything," he said.
The ACD programme will use automation to tackle cyber threats as far as possible, and will focus on eight key areas.
The Border Gateway Protocol will be hardened and re-implemented to stop trivial re-routing of UK traffic, and make it harder for UK-based machines to be co-opted into botnets to take part in DDoS attacks.
Working with UK company Netcraft, the NCSC has been tracking phishing sites globally.
"When they find it, they ask the hosting provider to take down the offending site. It's surprisingly effective and again generates data we can use. We'll definitely do more in this space," Levy said.
Tackling email spoofing
Levy said that the NCSC will tackle the problem of email spoofing by introducing reputation systems for email domains and addresses.
"There exists already a number of internet standards that can help tackle spoofing, including SPF, DKIM and DMARC," he said.
"We've already published with GDS [Government Digital Service] an email security standard that includes, among lots of other things, DMARC and that's going to become mandatory soon for government."
The NCSC will build a system to filter domain name services for malware.
"With GDS, we've partnered with Nominet to build a big anycast recursive DNS service for the public sector. That's going to have a response policy zone on it that stops users of the service accessing things we know to be harmful," said Levy.
He denied that such a service could be used by the government for censorship.
"Let's be clear - this isn't about the nanny state or censorship. A DNS filtering service with an easy opt out for users is a pretty useless censorship tool to be honest," he said.
Improving UK software
The NCSC will look at the viability of denying some people access to certain services if the software they are running is out of date.
"There are certain services and groups of users who are so high risk that we think that service differentiation based on software age is appropriate," Levy said.
"We haven't got to exactly what this means yet, but as a hypothetical example tax accountants may not be able to submit new returns on their customers' behalf if they consistently use out-of-date software."
Advising government agencies
The NCSC will look at ways to help government agencies improve their IT security, starting with a 'WebCheck' service.
"This is a relatively simple web vulnerability scanning service that we'll provide for free to all public sector organisations," Levy said.
Encouraging innovation in identity and authentication
"Passwords are sub-optimal as an authentication mechanism, but there's not much incentive for industry to take the commercial risk in trying out new stuff," Levy wrote.
"We hope to stimulate research and development - and eventually a market - in novel ID&A techniques. We'll use government services to trial some new ID&A techniques once we've done the work to ensure the security."
Providing more for critical national infrastructure
The NCSC will look at the security of industrial control systems and how it might be tightened up. This is a long-term project that is likely to exceed the current funding round, said Levy.
Proactively tackling adversaries
There will be a focus on gathering evidence on the nature and methodology of attacks.
"Many of the active defence measures are intended to generate useful data that will help us all understand much better the reality of cyber attacks and the efficacy of the various defences we'll put in place over the coming years," Levy said.
"The intention is to be in a place where the skilled network defender community is free to tackle the really nasty stuff. That's what the UK's active defence programme is about."