U.K. cybersecurity agency mounts transparency push

National Cyber Security Centre
The technical director of the National Cyber Security Centre, seen here, said the agency's new default position will be to disclose security vulnerabilities to the public after fixes have been made. Copyright Nick Ansell PA Wire via AP file
By Kennett Werner with NBC News Tech and Science News
Share this articleComments
Share this articleClose Button

The goal is to prevent cyberattacks like "WannaCry," which paralyzed computer systems around the world in May 2017.


The U.K. agency tasked with fighting cyberthreats on Thursday announced a new process for the public disclosure of potentially sensitive software flaws, introducing a new level of transparency to its work.

The National Cyber Security Centre laid out its new procedure, called the "Equities Process" in a blog post that details how it makes decisions on whether to make public the discovery of new flaws.

National security operations sometimes hold back from announcing the discovery of security flaws in part because the bugs can be used to gather intelligence.

"There's got to be a good reason not to disclose," said Ian Levy, technical director at the NCSC.

The default position, the NCSC said, is to disclose those vulnerabilities to the public after fixes have been made. The government will only keep them confidential in rare instances, such as if there's an overriding intelligence reason. Levy said withholding release of a bug will require high-level government sign-off.

The goal is to prevent cyberattacks like "WannaCry," which paralyzed computer systems around the world in May 2017. The attack, which the U.S. has blamed on North Korea, wrought havoc within the U.K.'s National Health Service (NHS) by exploiting vulnerabilities in an outdated version of Microsoft Windows. WannaCry underscored the dangers of not patching or updating software.

The NCSC's disclosure policy follows one implemented by the White House in 2017. The National Security Agency (NSA) had come under intense pressure from transparency advocates to disclose more about its work in the wake of WannaCry.

"The best defense against a cyberattack, whether it's by criminals or nation states, is to keep your box up to date," said Levy. "If you patch your software, a lot of the stuff that we've found goes away."

The vast majority of attacks are carried out by exploiting vulnerabilities already known to the vendors of the technology in question, Levy said. Such was the case when Russian cyberoperatives hacked into British telecoms companies in 2017.

Levy said the primary goal of more transparency is to "bang the drum" about basic cybersecurity, like patching and secure network setups.

Share this articleComments

You might also like

Apple launches faster chips, MacBook Pro laptops and cheaper Airpods - what are the upgrades?

What is the metaverse and why is Facebook betting big on it?

Euronews Debates | Profit vs public good: How can innovation benefit everyone?