posted by martyb on Friday October 14 2016, @01:29AM
from the nothing-to-see-here dept.

The new National Cyber Security Centre [NCSC] is pitching itself to CEOs as a friendly government organisation which won't get the regulators involved after data breaches.

Those gathered this morning on the 18th floor of 125 London Wall heard one of the NCSC's deputy directors address CEOs on how they should lead their businesses' recovery from cyber attacks—and it was primarily by contacting NCSC, a part of GCHQ [Government Communications Headquarters].

Peter Yapp, the deputy director for the incident management directorate, explained how his role worked: "If something [regarding a cyber incident and your company] breaks in the press, I'll get a call from someone in government," he said, and he would be expected to explain what the incident meant.

"If you haven't phoned me and told me about it, I will phone you," stated Yapp.

"It is worth telling me about the most serious incidents," he told his audience, acknowledging that these were difficult to define, before comforting them: "We do not tell the ICO [Information Commissioner's Office] what you tell us."

If the government doesn't know, and the public doesn't know, there's no problem.



Related Stories

GCHQ Has Developed More Hacking Capabilities than Expected

GCHQ are a bunch of over-achievers, save for one achievement: reporting the security flaws they discover in order to get them fixed. Instead, their hacking capabilities have substantially increased:

The UK has substantially increased its hacking capabilities in recent years, an official report says. This includes the ability to attack other countries' communications, weapons systems and even infrastructure. The details were revealed in the annual report of the Intelligence and Security Committee, which oversees the work of intelligence agencies. It said GCHQ had "over-achieved", creating double the number of new offensive cyber-capabilities expected.

The report said GCHQ's allocation of effort to develop hacks had increased "very substantially" from 2014. The programme of developing the capabilities is divided into three tranches and GCHQ said that it had just finished the first. "We... actually over-achieved and delivered [almost double the number of] capabilities [we were aiming for]," an official from the agency told the committee. The details of the successes are classified in the public version of the report.

GCHQ is also upgrading its supercomputers, an effort referred to as Project Golf:

Project GOLF (£***m over ten years) is a project to enhance the supercomputing capacity that supports much of GCHQ's work. GCHQ has told us that this project is particularly critical, as it predicts that "projected mission needs will exceed existing data centre capacity limits in ***". GCHQ noted that its relationship with the US brought significant benefits ***. GCHQ has reported that this project *** is on track to be fully operational in early 2018.

Here are the annual reports (2016-2017 PDF).

Related: How GCHQ Manipulates Online Opinion
UKs Cyber Emergency Response Unit to Launch
Court Rules UK-US Surveillance Data Sharing was Illegal
GCHQ Tried to Track Web Visits of "Every Visible User on Internet"
GCHQ Tells CEOs They Won't Rat Out Data Breaches


  • (Score: 0) by Anonymous Coward on Friday October 14 2016, @07:22AM (#414188)

    Use the Preview Button! Check those URLs!

    • (Score: 0) by Anonymous Coward on Friday October 14 2016, @12:26PM (#414246)

      We're onto you, mate.

  • (Score: 0) by Anonymous Coward on Friday October 14 2016, @02:07PM (#414280)

    The new National Cyber Security Centre [NCSC] is pitching itself to CEOs as a friendly government internal spying and espionage organisation which won't get the regulators involved after something that really isn't any of their business anyway.

    Those gathered this morning on the expensive suite of a business neighborhood you can't afford heard one of the Government fuckwit lackeys address CEOs on something said lackey has never had any actual personal experience with but he stayed at a Holiday Inn Express last night—and it was primarily by contacting the Supposedly Good part of the group whose mandate is officially to Spy on Everything.

    Peter Yapp, an underling for the group that spies on such things, explained how his role worked: "Bad things happen, people ask me what it was instead of asking the company, and if I can't tell them my ass would be in deep grass so I'll make shit up."

    "This gives me a legal right to call the CEO and ask what happened, despite the fact that most CEOs and even CIOs wouldn't know a security breach from their rosy red assholes. And forget the whole trying to find out what happened from the actual operators dealing with the problem," stated Yapp.

    "So if you don't want me making shit up to other government officials who will then leak the story to the press, you should call me," he told his audience, acknowledging that he really doesn't have a meaningful job, before comforting them: "We won't tell people who can regulate you, we'll just make sure the press gets the story that will depress your share prices further."

  • (Score: 1, Interesting) by Anonymous Coward on Friday October 14 2016, @04:01PM (#414345)

    If you could 100% trust them to not pull a "pray I do not alter the deal further," or for mysterious messages to show up at regulators' doors, this seems like a good idea. Having a highly competent technical clearing house for data breaches and security resolution would do much to improve national security of the private sector.

    However, that is only with that 100% trust. There has been a long history of government changing its mind once the data is collected, such as gun registration lists in Australia. I'm also reminded of some academic survey in which terrorists (maybe the IRA during the Troubles in Northern Ireland) provided data under strict anonymity, but they were subsequently pressured to reveal identities... although I did 5 minutes of searching and couldn't find it so maybe I'm misremembering.