UK cyber security damaged by “clumsy Home Office political censorship”


Britain’s National Cyber Security Centre (NCSC) has secretly censored detailed public computer security guidance provided to barristers, solicitors and legal firms without explanation or announcement.

The guidance, a web page and a seven-page PDF report called “Cyber Security Tips for barristers, solicitors, and legal professionals”, was removed from the Centre’s public website two weeks ago on 24 February. 

NCSC refused to respond to questions from CW asking if they knew that the deleted web page and booklet had automatically been archived by The National Archives, multiple times, and so were all still online. 

On the NCSC website, requests for the legal advice web page are now redirected to an unrelated page on the same site. The deleted booklet link returns an HTTP 404 “not found” error page stating “sorry – the page you’re looking for isn’t here”. Embarrassingly for NCSC, the error page then suggests that The National Archives might have archived versions of the removed file. It does.

“Cyber criminals are not fussy about who they attack”, the censored NCSC booklet had warned, “which means law practices of all sizes are at risk.”  The booklet lists 37 steps lawyers and legal firms should take “to help them to reduce the likelihood of becoming victims of a cyber-attack.”

The booklet was published on 11 October 2024, following a special 2023 NCSC Cyber Threat report for the UK legal sector. The Cyber Threat report, published with the assistance of the Bar Council, noted that by 2020 three quarters of UK legal firms had reported cyber-attacks.

According to the Bar Council, “barristers in England and Wales face threats, harassment, and intimidation at the hands of state and non-state actors from around the world. The Bar Council is concerned by the rising reports from members who have faced different forms of attack and threats because of their international legal work.”

Targeted attacks reported to the Bar Council have included physical as well as cyber surveillance, cyber harassment including threatening or impersonating emails, repeated and sustained hacking attempts, death threats and rape threats, threats to family members via email or social media, and ‘privilege phishing’, which seeks to persuade those who are targeted to divulge sensitive information.

“These threats are not just an attack on the legal profession, they also have a chilling effect on access to justice and the rule of law,” it said.

‘Political Censorship’

NCSC’s advice to lawyers was removed one month after these grave warnings from the Bar Council, and on the weekend after Apple had indicated it would refuse to comply with a UK Home Office “Technical Capability Notice” (TCN) requiring it to disable its high security end-to-end encrypted “Advanced Data Protection” (ADP) system used on iCloud. Under ADP, the encryption keys for users’ iCloud files are stored only on their devices, so that neither Apple nor an outside attacker who compromises Apple’s servers can read the data, which improves the security of legal data held in the cloud.

“This looks like clumsy Home Office political censorship”, according to cybersecurity expert Dr Ian Brown. “This kind of politicisation by GCHQ [which runs NCSC] is a hazard to security, because of the risk of subordinating protective security to surveillance,” he said. When NCSC was set up, Brown and other security experts warned that it should be run separately from GCHQ to avoid conflict and embarrassment.

Cambridge University Professor of Communications Systems John Crowcroft, commenting on the move against Apple, said “The UK now is in a weaker state of protection. The attraction to the bad guys is increased here massively above other countries…Our government has painted a target on us, and explicitly on all the “us” that are not engaged in anything other than everyday commerce and discourse.”

NCSC drops references to encryption

The weakened position now recommended by NCSC fails to refer to the critical need for end-to-end encryption, except in one isolated and obscure document. The unrelated page that lawyers are now redirected to does not refer to encryption at all.

In contrast, and in the face of an onslaught of suspected Chinese-led attacks against multiple high-value targets, the US equivalent cyber defence agency, CISA, has recently stipulated that “highly targeted individuals [should] immediately review and apply the best practices provided … including consistent use of end-to-end encryption.”

“Highly targeted individuals should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation,” CISA’s advice states.

NCSC refused this week to answer any questions from CW and referred enquiries to the Home Office, which also refused to respond. The still unanswered questions included who ordered the takedown, why, and why partner legal organisations were not notified or consulted in advance of the tampering. NCSC also refused to say whether it would now seek to have government archive copies erased and consigned to a “memory hole” – a reference to the technique adopted by the Ministry of Truth in Orwell’s 1984 – or whether it would put the censored pages back.

Until the secret takedown, the NCSC booklet included the instruction to lawyers to “turn on encryption”.

It advised, “Turn on the free encryption products included with your Windows or Apple devices, so cyber attackers can’t access your sensitive data if your device is lost or stolen. Make sure encryption is enabled on your mobile device (this is done automatically on modern Android/Apple devices)”. 

For iOS devices, users were told to enable Advanced Data Protection for iCloud. This advice had become impossible for UK users to follow because of Apple’s reaction to the Home Office notice. All the other cybersecurity guidance in the booklet remained valid.

New concerns over National Security Notices

The escalating row between Apple and the Home Office has also flushed out more serious concerns about the use of far-reaching powers to impose controls on telecommunications companies by issuing “National Security Notices”.

The vague terms of National Security Notices require telecommunications operators “to take specific steps that the Secretary of State considers necessary in the interests of national security.”

Parliament was led to believe that this power applied only to technical facilities such as interception arrangements. Multiple industry sources say that since 2016, National Security Notices (NSNs) have been used to require telecommunications company boards, including Apple’s, to delegate board authority to secret internal National Security Committees, controlled and selected by the Home Office, all of whose members and staff, and any lawyers they hire, must be approved through Developed Vetting (DV) checks. The arrangement means that companies may be ordered to implement security breaches that their directors and engineering staff do not know about.

Misuse of Developed Vetting

Notoriously, after the 2016 Investigatory Powers Act came into effect, the Home Office and intelligence agencies used the Developed Vetting process to block the newly appointed Investigatory Powers Commissioner, Lord Justice Adrian Fulford, from appointing the Commission’s chosen Head of Investigations, lecturer in surveillance law Eric Kind.

Although initially approved by a Vetting Office, Kind was told that DV security clearance had been rejected after the intervention of the Security Service, MI5.

As reported earlier, Apple has now appealed against the ADP instruction to the Investigatory Powers Tribunal. All eleven members of the IPT are senior barristers who have served as judges.

After checking, the Bar Council told Computer Weekly that it “was not notified of the takedown of this document by the NCSC. We will contact the NCSC and make enquiries about the status of the document and its removal.”

A Bar Council spokesperson added that the Council would consider linking to a National Archives copy of the removed page and document “after speaking to our IT panel and raising it with the NCSC.”
