Cyberdefense presents a series of difficult problems for governments, not least that of deciding which branch of the state should lead the response. If an attack comes from sea, land or air, the response will be a matter for the military and its relevant domain-based branches. But if a cyber attack is launched on national infrastructure – very little of which is likely to be owned and operated centrally by the state – who should respond is not so clear.

In the UK, this question was resolved in October 2016 by the formation of the National Cyber Security Center (NCSC). The center is part of, and relies heavily on, Government Communications Headquarters (GCHQ), Britain’s signals-intelligence agency, but from the outset was conceived as being able to operate out from behind GCHQ’s necessary cloak of classification.

The establishment of the NCSC came not a moment too soon: the organization had to prove its mettle in a number of major incidents, including the WannaCry ransomware attacks that hit, among others, the National Health Service, as well as cyberattacks on Parliament.

“WannaCry was a key moment in the NCSC’s history,” the organization’s director of operations, Paul Chichester, told the Infosec Europe conference in London last month. “It was a huge test for us, and showed why we needed an NCSC. I think the UK, as a whole, responded better because we had a single point of coordination.”

The WannaCry incident provides a fine example of the difficulties cyberattacks pose to political leaders as well as to operators tasked with offering practical responses. The malware is generally believed to have originated in North Korea, and was not intentionally targeted at the NHS – but the disruption it caused when it hit NHS systems, encrypting data until a ransom was paid in Bitcoin, could have led to loss of life.

“It kicked off late on a Friday, and we stood up our incident-management processes that afternoon,” Chichester recalls. “We had guidance up on the website for people within a matter of a small number of hours. We talked about patching, and backups because it was ransomware, and to flag up antivirus as the three practical things we thought people could do.

“When you’re dealing with this on a weekend, you’re very conscious that what you’re trying to do is make sure that a million UK citizens can get access to the NHS when they turn up on Monday morning,” he adds. “That does focus the mind, it’s fair to say. It was a brilliant team effort across government, and particularly the NHS. I often get asked, what’s the value of organizing cybersecurity in the way the UK has? And I think there’s a lot of lessons to be learned from events like this.”

Robert Hannigan, who was director of GCHQ when the NCSC was created, underlined this point in a separate presentation to Infosec.

“At the time of the TalkTalk hack, we didn’t have an NCSC,” he says, referencing the October 2015 attack on the telecoms provider – by a 16-year-old boy – in which bank details for 21,000 customers were stolen, and which led to a £400,000 fine for the company.

“We didn’t have a place where it was easy for industry and government to share [information] outside the highly classified area…and [TalkTalk] didn’t know who to go to. It was very difficult to know who to get advice from. People had different roles in government. What we tried to do with the NCSC is put the whole lot in one place.

“The government can’t do cybersecurity for the nation,” he adds. “It can advise; it can concentrate on very, very small segments of our most critical infrastructure, and of course on government networks. But actually it’s up to industry – it certainly appears – to do the rest.”

And, Chichester argues, the starting point for industry, and for individuals, is to ensure that the simple stuff gets taken care of.

“We keep wanting to focus on the next thing, but [an attacker] doesn’t need to be that good a lot of the time to have a global impact,” he says. “Getting people to focus on the basic things they ought to be doing is far more important at the moment. There’ll always be innovation by the adversary, planned or unplanned – and we’ll respond to that. But from an NCSC point of view we’re still really, really keen that people do the basic cyber-hygiene things that’ll have huge impact and will improve things generally, across the UK and globally.”