New Classification System for Cyber Threats

NCSC Cyber Incident Classification

The UK’s National Cyber Security Centre and law enforcement are implementing a new framework for classifying and prioritising cyber ‘incidents’.

The National Cyber Security Centre (NCSC) has collaborated with law enforcement agencies to create a new national categorisation of ‘cyber incidents’ to enable a new alignment for addressing the growing and evolving range of threat vectors facing individuals, organisations, businesses and infrastructure in the UK.

The existing system of three categories, has been broadened to six more detailed classes, ranging from personal attacks to full national crises. It is hoped that the new classifications will improve consistency around incident response and enable a more effective use of resources, leading to more victims receiving support.

The incident category definitions give increased clarity on response mechanisms for incidents by identifying what factors activate a specific classification, which organisation(s) will respond and what actions should be undertaken.

Threat Landscape

Incidents classified within the new framework will be used to generate a new, comprehensive national picture of the cyber threat landscape facing the UK.

The new framework encompasses cyber incidents across all sectors of the economy, including central and local government, industry, charities, universities, schools, small businesses and individuals.

Any cyber attack which may have a national impact, which includes cyber attacks which are likely to harm UK national security, the economy, public confidence, or public health and safety, should be reported to the NCSC immediately.

People or businesses suffering from a cyber attack below the national impact threshold should contact Action Fraud, UK’s national fraud and cyber crime reporting centre, which will respond in accordance with the new incident categorisation.

UK Response

Paul Chichester, the NCSC’s Director of Operations, said: “This new joint approach, developed in partnership with UK law enforcement, will strengthen the UK’s ability to respond to the significant, growing and diverse cyber threats we face.

“The new system will offer an improved framework for dealing with incidents, especially as GDPR and the NIS Directive come into force shortly. Individual judgements will of course still be applied to respond to incidents as necessary.”

Intelligence and Law Enforcement

National Police Chiefs’ Council (NPCC) Lead for Cybercrime, Chief Constable Peter Goodman, said: “This is a hugely important step forward in joint working between law enforcement and the intelligence agencies.

“Sharing a common lexicon enables a collaborative understanding of risk and severity that will ensure that we provide an effective, joined-up response. This is good news for the safety of our communities, business and individuals.”

Coordinated Response

Ollie Gower, Deputy Director at the National Crime Agency (NCA) said: “The NCA and wider law enforcement already work hand in hand with the NCSC to provide a strong, coordinated response to cyber incidents targeting the UK.

“This new framework will ensure we are using the same language to describe and prioritise cyber threats, helping us deliver an even more joined up response. I hope businesses and industry will be encouraged to report any cyber attacks they suffer, which in turn will increase our understanding of the cyber threat facing the UK.”

Professor Bill Buchanan, OBE, who leads Edinburgh Napier University’s Cyber Academy, told DIGIT: “This is a good starting point, but we need to better define incidents, especially as companies will need to respond to major data breaches within 72 hours.

“Overall recent data breaches, such as Equifax and Talk Talk, have been poorly reported on, and a great deal of vagueness has been left about the scope of the breach. Companies will thus have to have stronger investigation and reporting procedures, in which have they been well-drilled. They will then be able to report on the details of an incident in a way which both the media and citizens can understand.

“The NCSC classifications at least give a severity level so citizens can assess the severity of any data loss and its impact. Overall it will need stronger dissemination plans around incident reporting, especially to find the right channels, and for those who will assess a data breach to understand its impact.

“Important factors in reporting might be to define who the attackers were (such as hackers, spies, and nation states), the tools they have used, the access they had within the data breach, the scope of the hack, and what the possible objectives of the attack were. There is no standard way to report, but companies will have to increasingly focus on the impact on personal information, and deal with any issues within short time scales.”

The new classifications of Cyber incident are:

CategoriesCategory DefinitionAgency ResponsibleResponsibilities
Category 1:
National Cyber Emergency
A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.Immediate, rapid and coordinated cross-government response. Strategic leadership from Ministers / Cabinet Office (COBR), tactical cross-government coordination by NCSC, working closely with Law EnforcementCoordinated on-site presence for evidence gathering, forensic acquisition and support. Collocation of NCSC, Law Enforcement, Lead Government Departments and others where possible for enhanced response.
Category 2:
Highly significant incident
A cyber attack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.Response typically led by NCSC (escalated to COBR if necessary), working closely with Law Enforcement (typically NCA) as required. Cross-government response coordinated by NCSC.NCSC will often provide on-site response, investigation and analysis, aligned with Law Enforcement criminal investigation activities.
Category 3:
Significant Incident
A cyber attack which has a serious impact on a large organisation or on wider / local government, or which poses a considerable risk to central government or UK essential services.Response typically led by NCSC, working with Law Enforcement (typically NCA) as required.NCSC will provide remote support and analysis, standard guidance; on-site NCSC or NCA support may be provided.
Category 4:
Substantial Incident
A cyber attack which has a serious impact on a medium-sized organisation, or which poses a considerable risk to a large organisation or wider / local government.Response led either by NCSC or by Law Enforcement (NCA or ROCU), dependent on the incident.NCSC or Law Enforcement will provide remote support and standard guidance, or on-site support by exception.
Category 5:
Moderate Incident
A cyber attack on a small organisation, or which poses a considerable risk to a medium-sized organisation, or preliminary indications of cyber activity against a large organisation or the government.Response led by Law Enforcement (likely ROCU or local Police Force), with NCA input as required.Law Enforcement will provide remote support and standard guidance, with on-site response by exception.
Category 6:
Localised Incident
A cyber attack on an individual, or preliminary indications of cyber activity against a small or medium-sized organisation.Automated Protect advice or local response led by Law Enforcement (likely local Police Force).Remote support and provision of standard advice. On-site response by exception.

Latest News

Digital News
15th June 2019

DIGIT Tech News Roundup: 14th of June 2019

Business News
14th June 2019

Scottish EDGE Round 14 Winners Announced

Featured News Skills
14th June 2019

Demand for UK Tech Visas Grows for Fifth Year Running

13th June 2019

China Blamed for Massive Cyber Attack on Telegram