The United Kingdom has launched a vulnerability scanning program that will monitor all of the country’s internet devices for potential unpatched issues, in a bid to both bolster national security and help individual organizations protect themselves.
The vulnerability scanning program is being conducted by the National Cyber Security Centre (NCSC) and will check all connected internet devices in the country for software versions, looking for outdated installations that have known vulnerabilities. The government says that it will only be logging these software versions along with date, time and IP address, but that if personal information is inadvertently captured it will be deleted.
Country-wide vulnerability scanning looks to create ongoing “snapshots” of cyber readiness
NCSC Technical Director Ian Levy has said that the vulnerability scanning is very similar to what private security firms often do to proactively discover potential vulnerabilities and warn impacted parties. In addition to providing a means to encourage potential victims to patch their internet devices before the bad guys get to them, the program provides a means of data-gathering for things such as the amount of time it takes most organizations to patch out a serious vulnerability once it is disclosed.
The new vulnerability scanning program will tie into the existing Early Warning Service, which was previously an opt-in program but did not do any active scanning of participants. Now all internet devices in the country will be scanned, but it is possible to opt out by emailing the agency with a list of IP addresses to be exempted.
Levy also said that the vulnerability scanning would become increasingly complex over time, and that further public explanations would be issued as new elements are added to the process in the interest of transparency. The agency has also promised regular audits and the ability to file abuse reports. Further detail on future developments has been promised at the CYBERUK conference in Belfast in April 2023.
Personal internet devices to be included in scans
Organizations and individuals should expect to see scans coming from the hostname scanner.scanning.service.ncsc.gov.uk and from two IP addresses (18.171.7.246 and 35.177.10.231). The NCSC says that it is testing its tools and probes internally before scanning any internet devices, and that it has no “nefarious” purpose in mind. It says that the requests are designed to collect the minimum possible amount of information needed to serve the purpose of vulnerability scanning. However, some individuals may see alerts tied to these addresses if they have security software installed.
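For anyone triaging those alerts, the following added example (not NCSC code and not part of the original article) sorts web server log lines by whether the source address is one of the two published above. It assumes Combined Log Format; the sample lines, the function names and the non-NCSC addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import re

# Scanner source addresses and hostname as given in the article.
NCSC_IPS = {ipaddress.ip_address(a) for a in ("18.171.7.246", "35.177.10.231")}
NCSC_HOST = "scanner.scanning.service.ncsc.gov.uk"

# Combined Log Format is an assumption of this example.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines; timestamps, paths and user agents are made up.
SAMPLE_LOG = [
    '18.171.7.246 - - [10/Nov/2022:09:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" "constructed-agent/1.0"',
    '::ffff:35.177.10.231 - - [10/Nov/2022:09:16:40 +0000] "GET /login HTTP/1.1" 200 734 "-" "constructed-agent/1.0"',
    '203.0.113.50 - - [10/Nov/2022:09:20:11 +0000] "GET /admin HTTP/1.1" 404 0 "-" "scanner.scanning.service.ncsc.gov.uk"',
    '198.51.100.7 - - [10/Nov/2022:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'malformed line',
]


def normalize(ip_text):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def triage(lines):
    """Split log lines into NCSC scans, unverified NCSC claims, other, unparsed."""
    out = {"ncsc": [], "claims_ncsc": [], "other": 0, "unparsed": 0}
    for line in lines:
        m = LINE_RE.match(line)
        try:
            ip = normalize(m["ip"]) if m else None
        except ValueError:
            ip = None
        if ip is None:
            out["unparsed"] += 1
        elif ip in NCSC_IPS:
            out["ncsc"].append((str(ip), m["ts"], m["req"]))
        elif NCSC_HOST in line:
            # Hostname in a client-supplied field, source not published: not NCSC.
            out["claims_ncsc"].append((str(ip), m["ts"], m["req"]))
        else:
            out["other"] += 1
    return out
```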
The vulnerability scanning is probably nothing that larger companies are not already doing (or contracting with a security firm to do). Smaller businesses that do not have a substantial IT budget and do not have people on hand to properly configure and secure internet devices will likely benefit the most from this program, so long as the government can find a way to make its notification system efficient.
While there may be some natural privacy concerns at the news, the vulnerability scanning does not appear to be any different than what numerous threat actors are doing on a regular basis to find exploitable holes wherever they might be. Shodan, a neutral tool that constantly scans the internet, performs essentially the same function and is available to anyone.
David Maynor, Senior Director of Threat Intelligence, Cybrary, sees this as a positive development: “Organizations doing wide scale internet scanning is commonplace now thanks to tools like Masscan. I think it is a positive sign that the U.K. government continues to increase their security posture.”
And Chris Vaughan (VP – Technical Account Management, EME, Tanium) agrees: “I expect the initiative will extend the government’s capabilities to report at a sector level which will help minimize the impact of vulnerabilities. It will also allow the NCSC to flag security issues to systems owners and keep them accountable for rolling out patches in a timely manner. Despite these benefits I know that some people will be concerned about the privacy aspects of the exercise, so I think the NCSC was right to state that scans are designed to collect a minimum amount of information required to check if the scanned asset is affected by a vulnerability.”
“I welcome this development and hope that it will achieve the same level of success as seen in other countries that have launched similar programs like Norway. If it proves to be popular then don’t be surprised if the complexity of initial scans is slowly increased,” added Maynor.
Natural concerns with government scanning activities
Nevertheless, the simple fact that the word “scanning” is involved could cause people who are not familiar with how vulnerability scanning is conducted (that is, the vast majority of the population) to mistakenly believe that this program is about scanning internet traffic and capturing things like private messages or location data. The issue is not helped by a plan that was proposed several months ago that called for the active scanning of all UK phones and internet devices on the client side for child abuse images, which was supported and promoted by the NCSC and GCHQ. This would have potentially required mobile OS or social media app providers to build in technology to actively scan devices, with any flagged images passed on to child protection NGOs for review. The plan met with heavy criticism as it essentially proposed breaking end-to-end encryption and is still being reviewed by the government. This was not the government’s first tilt at ending end-to-end encryption by using child abuse as a motivator, as it also took flak for the early 2022 “No Place to Hide” ad campaign run by the Home Office.
NCSC has been making other efforts as of late to assist UK organizations with vulnerability scanning and securing their internet devices, making Nmap Scripting Engine scripts available via GitHub that help users scan their own network for potential cracks for attackers to slip through. This is an ongoing program as well, and NCSC says it will release new Nmap scripts for critical security vulnerabilities that it believes threat actors will heavily target.