New NCSC guidance – is it relevant?

By Henry Harrison

Commercial

Government

The UK’s National Cyber Security Centre (NCSC – a part of GCHQ) just published new guidance. Is this an important resource that the industry needs to sit up and take notice of, or is this niche government-specific stuff of no interest to anyone else? To decide, it’s worth understanding the context.

What is the guidance?

The guidance is called Security Principles for Cross Domain Solutions – https://www.ncsc.gov.uk/collection/cross-domain-solutions. It underpins the work Garrison’s been doing with NCSC for some time (the Cross Domain Industry Pilot – https://www.ncsc.gov.uk/blog-post/ncsc-cross-domain-industry-pilot-stage-2) so we’re pretty familiar with it. But for most people, the content is completely new.

Many people still think that the way governments protect their most sensitive systems is with an “air gap” – simply not connecting those systems to anything else. In practice, that picture is a decade or more out of date. What governments actually use to protect their most sensitive systems are Cross Domain Solutions, or CDS: the controlled connections between highly sensitive systems and less trusted ones.

So what NCSC is publishing here are the principles that underpin the way the UK protects its most sensitive systems.

Other countries also have guidance for CDS. In the USA for example, the NCDSMO organisation (part of the NSA) has its “Raise the Bar” guidance – but it’s marked “For Official Use Only”, and it’s very much aimed at a small community of specialists. What makes the NCSC’s initiative remarkable is that it’s published on the web for all to see (including the UK’s adversaries) and that real effort has gone into trying to make it readable by outsiders who don’t live in the world of UK classified systems.

So is it relevant to mainstream enterprises?

The critical message from the NCSC guidance is this: there is hope. It is possible to protect against even highly sophisticated cyber threats. That’s a really valuable counterpoint to the common argument that “you can’t protect against these things: the only option is to monitor, respond and recover”.

So the real question is: is it practical for mainstream organisations to adopt the NCSC’s guidance?

The answer today is mixed. We’re not yet in a position where mainstream organisations can adopt this guidance wholesale. The market simply hasn’t yet delivered a good enough portfolio of products to support this approach while continuing to enable all the services that modern business relies on.

However, the market is now starting to deliver products that follow these principles but, at the same time, really are good enough to support modern business practices. (Of course, Garrison is one of them). So for mainstream commercial enterprises I think the message is this: if you’re going to buy technology to protect your systems, measure it against these principles. It may be that nothing matches up – but if there’s a product that does, in NCSC’s view it’s likely to be more effective at keeping you safe than a product that doesn’t.

So – back to the day job: delivering a great product at a great price, while providing NCSC (and others) with the evidence that it really does follow the principles and can be trusted to protect even the most sensitive systems.