Reluctant hero: How the NISCC came in from the cold

In a quiet, almost disarmingly discreet way, a new website was recently launched to an unsuspecting public. Its aim is to help them manage their computer systems more securely.

The site (www.itsafe.gov.uk) is the product of an equally quiet organisation, the National Infrastructure Security Co-ordination Centre, known as NISCC (pronounced "Nicey").

The fact that the website is aimed at the general public, but has had what Niscc likes to call a "soft launch" – that is, not really telling anyone about it – is symbolic of Niscc's uneasy attitude to publicity in general.

It wants to get its message out to the public and to business, but it is run by military and intelligence service personnel, who operate more comfortably behind a cloak of secrecy.

Therein lies the dilemma. Although they would prefer to act in secret, the critical national infrastructure (CNI) is no longer confined to military and intelligence installations. It now extends to all parts of our lives, including water and electricity networks, bank networks – even the growing population of computer users with a broadband connection to the internet.

The ITSafe site, officially launched by Home Office Minister Hazel Blears on 23 February, is intended to bring some order to those untutored broadband hordes, and to provide them with the basic knowledge they need to reduce the chance of outside forces compromising their systems.

This is new territory for NISCC director Roger Cumming. As the head of an organisation staffed by those with backgrounds in intelligence, he is unwilling to grab the glory for the new initiative. "One has to temper one's desire for publicity against the protocols of working in public service," he says.

Nevertheless, he has to get used to the attention. For those who know NISCC, which was founded in 1999, the organisation has proved to be a valuable clearing-house for alerts and security dangers. But few were aware it existed, such are its low-profile methods.

It took an American visitor last year to remind us Brits what a gem we had on our doorstep.

Alan Paller, head of the (rather more publicity-conscious) SANS Institute, appeared at a DTI event, heaping praise on NISCC's work researching and managing software vulnerabilities. He suggested we all make better use of NISCC's information.

"I was completely gobsmacked," says Cumming, with genuine modesty.

Nevertheless, this did raise the profile of an organisation whose work was largely unknown to business, let alone the general public. And its work is already considerable.

Visit the NISCC website and you will find a significant knowledge base for information security. You can sign up to receive vulnerability alerts from its Uniras service. If you want to set up a community of users to help each other with security questions, then click on WARP (for Warning, Advice and Reporting Points) to download a complete toolkit to enable you to do it.

Also, while Carnegie Mellon University in the US, and its Computer Emergency Response Team (CERT), is the best-known provider of vulnerability information, NISCC has been quietly gaining a reputation for doing an equally good, if not better, job. Several pentest companies, for example, have recently chosen to release vulnerabilities to NISCC rather than CERT.

As a spokesman for London-based Procheckup put it: "We got fed up waiting for CERT to handle the vulnerabilities. We found that many remained unpatched months after we had uncovered them. NISCC is much more responsive."

Part of the challenge lies in the fact that NISCC's role overlaps with many other areas of national security, such as GCHQ in Cheltenham and the National HiTech Crime Unit, which both work closely with NISCC.

"Our basic function is to minimise the risk of the United Kingdom to electronic attack," says Cumming, but that role is fulfilled by working with a range of other agencies in both the private and public sectors.

"No one organisation has the wherewithal to protect something as amorphous as the CNI. So NISCC works as an inter-departmental centre, pulling in expertise from other departments. We pull in expertise from intelligence services, defence and law enforcement, as and when we need them."

The aim, he says, is to get the best experts from the sectors most capable of countering the current threat profile.

The department now has more than 60 staff, plus the budget to buy in extra expertise to carry out its own research and development. "Some of the stuff is quite technical, and you buy in the expertise when you need it," he says.

One major contributor is CESG, a branch of GCHQ in Cheltenham, which also has a CNI-protection role, and which works closely with the NISCC teams in London.

With around 85 per cent of the CNI in the private sector, CESG staff's role increasingly involves interacting with industry at large, and bringing their special perspective on the potential threats facing different business sectors.

Outreach teams with specialist knowledge talk to the water industry, telecomms, finance and other sectors seen as crucial to the national interest.

"They produce an assurance report, a joint collaborative effort to assess threats," says Cumming. "This will be 30-40 pages long, and we get to know a lot about how the systems are operated and where the pinch-points are. We also offer advice on how to mitigate risks."

NISCC also helps to run Information Exchanges, where people from each industry can get together in confidence and exchange information about their security approaches. NISCC provides the premises and secretarial support, the members manage the groups.

So far, he says, they have been very successful in building up a body of knowledge in the various industry sectors, and in raising awareness of the potential threats.

"The Information Exchanges run by building up personal trust and work to a set of rules and regulations. Our experience is that institutions will share information for a common purpose and rise above the market," says Cumming.

Even in finance, notorious for its reluctance to admit security blunders, he says companies value the chance to (confidentially) discuss their problems.

"In the finance sector, they want the information to equip themselves to handle a fast-changing picture. They know the flash-to-bang time for vulnerabilities is getting shorter, for example," he explains.

He has created exchanges in telecomms, aviation, finance, scada (industrial systems), managed service providers (a euphemism for the government sector), and for users of government secure intranets.

An exchange for the water industry is also under consideration.

While many people have long pondered the effect of electronic warfare and, in the US at least, there is a growing fear of an "electronic Pearl Harbor," the evidence so far is that terrorists would rather fill a car with explosives or fly planes into buildings.

Hacking into the ATM network or the air traffic control network could cause a lot of trouble, but from the terrorists' point view of view it does not have the same visual impact on our TV screens.

So the real question is this – how real is the electronic threat to the CNI? Cumming chooses his words carefully.

"Questions like that are not easily answered in short, pithy soundbites. The fundamental philosophy that is at play here is that there is a balance to be struck between the richness of functionality of systems that enable businesses to conduct themselves and be efficient.

"At the same time, the richness of functionality can be used to undermine those systems unless people fully understand the risks they are under.

"I would say that, in virtually all cases, the people running these systems are highly responsible and understand the risks. We are not in a position where the nuclear control rods in a power station are available to a teenage hacker – that is not the case."

But we have to keep our guard up and maintain vigilance, he explains.

"We are dealing with a complexity of systems that is almost beyond human comprehension." he says.

"A decision to include a little bit of management information on to the desk of someone controlling an industrial process, could suddenly introduce vulnerabilities which connect the industrial processes to the internet in a way that had not been anticipated."

The role of NISCC, he says, is to get people to think about the risks they are taking, and make sure they have considered the potential risks, say, of opening up a system to the internet.

"It is vital to understand that it could be a point of weakness. Sometimes, the security aspects can be forgotten. NISCC tries to get them to make the right kind of decisions, to get the balance right between efficiency and security," he says.

As far as any direct terrorism threat is concerned, he makes the point that situations can change rapidly.

"If you are in the business of protecting people from attack, as we are, you need to think imaginatively, try to make a judgement on how likely any threat might be, and make sensible measures to stop it."

Which brings us back to the ITSafe website. Its aim is to bring some awareness and education to the growing population of broadband-connected PC users. As we know, they can easily become compromised by trojans and hijacked for spam, spyware and denial-of-service attacks.

As such, they could become the soft underbelly of our security systems.

How effective the new website will be is open to question. The low-level launch will have done nothing to spread the word to small businesses and home broadband users.

But its message is clearly essential, and it deserves to be more widely publicised, as should the rest of NISCC's work.