Freely subscribe to our NEWSLETTER

As the news of the British govt scanning all Internet devices hosted in the UK. Below is a rapid response comment responding to news about the news.

In its recently released annual review, the NCSC said that ‘in partnership with the government, industry, law enforcement and other agencies it continued to monitor, assess and prioritise multiple threats and risks’. The news that it will be scanning all of the UK’s internet-exposed devices for vulnerabilities follows this objective.

‘You can’t protect what you can’t see’ has become a commonly used idiom in the cybersecurity sector given how complex it can be to obtain a clear picture of where the most valuable data resides in an IT environment and what devices are connecting to the network. We usually talk about this in relation to businesses, but it also applies to the government. If they can gain a better view of what vulnerabilities exist then the protection they can provide for the country will be strengthened.

I expect the initiative will extend the government’s capabilities to report at a sector level which will help minimise the impact of vulnerabilities. It will also allow the NCSC to flag security issues to systems owners and keep them accountable for rolling out patches in a timely manner. Despite these benefits I know that some people will be concerned about the privacy aspects of the exercise, so I think the NCSC was right to state that scans are designed to collect a minimum amount of information required to check if the scanned asset is affected by a vulnerability. If any sensitive or personal data is inadvertently collected, the NCSC says it will take steps to remove the data and prevent it from being captured again in the future.

I welcome this development and hope that it will achieve the same level of success as seen in other countries that have launched similar programs like Norway. If it proves to be popular then don’t be surprised if the complexity of initial scans is slowly increased.