UK Cyber Incidents Categorised: Understanding the NCSC and Law Enforcement Model

The National Cyber Security Centre (NCSC) plays a pivotal role in the UK’s cybersecurity landscape, orchestrating the categorisation of cyber incidents in collaboration with UK law enforcement. This strategic approach ensures that resources are effectively allocated to tackle the most critical cyber incidents affecting the UK.

The Incident Management (IM) team within the NCSC is tasked with triaging and categorising incidents. Their process involves evaluating the severity of the incident and its potential impact on the nation. This crucial assessment informs the response strategy, channeling efforts towards addressing the most impactful cyber incidents on a national scale.

Outside the NCSC, the authority to categorise cyber incidents lies with counterparts in UK law enforcement, including the National Crime Agency (NCA). This unified approach ensures a consistent and coordinated response across government, critical infrastructure, charities, universities, schools, small businesses, and individuals.

Established in 2018, the categorisation model encompasses six levels of severity, catering to a wide spectrum of incidents, ranging from national crises to cyber attacks targeting individuals.

Categories and Response:

  1. Category 1: National Cyber Emergency: This pertains to a cyber attack causing sustained disruption to essential services or threatening national security. Immediate cross-government coordination and technical leadership by NCSC are engaged, with law enforcement and government stakeholders working closely.
  2. Category 2: Highly Significant Incident: An attack targeting central government or essential services, or impacting a significant portion of the population or economy. This level triggers a response led by NCSC, potentially escalated to COBR. Law enforcement collaboration occurs as needed.
  3. Category 3: Significant Incident: Involving a large organization or local government, posing substantial risks, this category is met with a response led by NCSC and accompanied by law enforcement engagement.
  4. Category 4: Substantial Incident: Affecting medium-sized organizations or posing risks to larger entities, the response is led by NCSC or law enforcement. Tailored advice and support are provided to victims.
  5. Category 5: Moderate Incident: Targeting small organizations or posing risks to medium-sized entities, this category prompts law enforcement to lead, with NCA input. Victim support is extended as needed.
  6. Category 6: Localised Incident: An incident centered on individuals or small/medium-sized organizations. Local police forces, with NCA input, oversee the response, providing guidance to affected parties.

The categorisation model ensures a harmonized approach to handling diverse cyber incidents, underpinned by the expertise of the NCSC and collaboration with law enforcement. This framework is a vital tool in safeguarding the digital landscape of the UK. If you’re unsure where to report a cyber incident, consult the UK government service for guidance on whether to report to the NCSC or another relevant organization.