UK Cyber Security Damaged by "Clumsy Home Office Political Censorship"
The National Cyber Security Centre (NCSC) has been accused of secretly censoring, without explanation or announcement, detailed public computer security guidance provided to barristers, solicitors, and legal firms. The guidance, a web page and a seven-page PDF report called "Cyber security tips for barristers, solicitors, and legal professionals", was removed from the centre's public website two weeks ago, on 24 February.
The Guidance That Was Taken Down
The deleted web page and booklet warned that cyber criminals are not fussy about who they attack, which means law practices of all sizes are at risk. The booklet listed 37 steps lawyers and legal firms should take to help them reduce the likelihood of becoming victims of a cyber attack. It was published on 11 October 2024, following a special 2023 NCSC Cyber threat report for the UK legal sector.
The Warning Signs
The Bar Council noted that barristers in England and Wales face threats, harassment, and intimidation at the hands of state and non-state actors from around the world. The council is concerned by the rising reports from members who have faced different forms of attack and threats because of their international legal work.
The Home Office's Role
The removal of the guidance has sparked concerns that it may be related to the Home Office's ongoing battle with Apple over the use of end-to-end encryption. The UK government had instructed Apple to disable its high-security end-to-end encrypted "Advanced Data Protection" (ADP) system used on iCloud.
Clumsy Censorship?
Cyber security expert Ian Brown described the removal of the guidance as "clumsy Home Office political censorship." He warned that politicizing cyber security could lead to a lack of trust in the government's ability to protect citizens' data.
The National Security Notices
The escalating row between Apple and the Home Office has also flushed out more serious concerns about the use of far-reaching powers to impose controls on telecommunications companies. National Security Notices (NSNs) require telecommunications operators to take specific steps that the secretary of state considers necessary in the interests of national security.
Developing Vetting Checks
Industry sources say that since 2016, NSNs have been used to require telecommunications company boards to delegate board authority to secret Home Office-controlled and selected internal national security committees. This arrangement means that companies may be ordered to implement security breaches that directors and engineering staff do not know about.
The Response
The Bar Council has expressed surprise at the removal of the guidance and has vowed to contact the NCSC to find out why it was taken down. The council will also consider linking to a National Archive copy of the removed page and document "after speaking to our IT panel and raising it with the NCSC."
The Future
Until the secret takedown, the NCSC booklet included the instruction to lawyers to "turn on encryption." However, this advice has become impossible for UK users because of Apple's reaction to the Home Office notice. The future of cyber security guidance in the UK remains uncertain, but it is clear that more transparency and accountability are needed to ensure that citizens' data is protected.