National defence requires much better cybersecurity advice for citizens – Resilience Media

National defence requires much better cybersecurity advice for citizens – Resilience Media

National defence requires much better cybersecurity advice for citizens – Resilience Media

https://resiliencemedia.co/national-defence-requires-much-better-cybersecurity-advice-for-citizens/

Publish Date: 2026-07-06 09:37:00

Source Domain: resiliencemedia.co

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.
National security in Europe is being challenged daily by adversaries – mainly Russia – from cyber attacks and grey zone sabotage operations. Several high profile figures (politicians and military commanders) have commented that a “whole of society” effort will be required to defend our continent in the face of these kinds of conflicts.
That will include defending our nations in cyberspace, and it will not be limited to defending government agencies, military bases, critical national infrastructure and defence companies from malicious hackers. Cyber warfare is a highly effective economic weapon that can be used against all large enterprises, SMBs and every resident who uses the internet in our nations.
As recent high profile attacks on Jaguar Land Rover, Marks and Spencer and the British Library demonstrate, even large organisations remain highly vulnerable.
And the average person pays the price. The British tax payer was obliged to extend a £1.5 billion loan guarantee to support Jaguar Land Rover’s recovery.
If a future mass cyber attack were considered to be part of a war, cyber insurers might refuse to cover the costs of recovery, and the government would not be able to bail out every affected business. Many large organisations might shut down in such a scenario, with devastating economic and social consequences.
Meanwhile, small organisations (0-49 personnel) account for 99.2% of all UK businesses, but often have little or no cybersecurity. Towards the ‘micro’ end of this segment (1-9 personnel), there is often little or no differentiation between business and personal systems. Employees often use personal phones or even personal laptops, and even if they don’t, employees often have admin privileges on work devices, meaning they can install whatever software (or malware) they wish. Even the approved software and cloud solutions implemented by these organisations are often consumer-level tools with poor security.
For example, one of the authors here recently assisted a startup dealing with extremely sensitive client data. The firm was using free, consumer webmail and file sync and share solutions. It gave each employee the admin password for their work laptop, and each employee used a personal phone. For many cloud services, the company maintained only one account, which was shared by every employee. Passwords were insecure, often shared across several different cloud services, and stored in an unencrypted spreadsheet to which all employees had access.
Unsurprisingly, it was soon discovered that multiple machines were infected with malware.
Very obvious issues such as search redirects in browsers had gone unnoticed or, at least, unreported. Former employees retained access to sensitive company resources. Links to confidential folders were not password protected, and were accessible to anyone on the internet.
Such IT setups for very small companies are not exceptional: virtually all firms with under 10 employees will to some extent blur personal with work systems.
Which brings us to the personal devices and residential networks of the citizenry. While significant progress on securing mobile and desktop operating systems has been made over recent years, the application market remains the Wild West.
Some of the world’s most popular consumer apps are developed by firms based in adversarial countries. Malicious apps and browser extensions are frequently identified and removed from official marketplaces, despite a range of automated checks designed to prevent them from becoming available in the first place.
Often, these malicious apps and extensions tie back to a relatively small number of prolific cyber crime developers, usually shielded by, and under the ultimate control of, those same adversary countries, and some of them have hundreds of thousands or even millions of users by the time they are identified as malicious.
There is increasing evidence that hostile state-sponsored actors are developing and promoting apps and extensions that seemingly appear legitimate in order to build a substantial user base, waiting for the day when access to those devices and the traffic to and from them might be useful. State-sponsored actors are also now heavily targeting shared code libraries. These are integrated into many different applications, giving these supply chain attacks devastating potential.
But the uncontrolled nature of consumer and small business apps is only part of the story.
There is an ever-increasing array of Internet of Things (IoT) devices in every small business and home, from smart speakers, to washing machines, to security cameras. The shockingly insecure state of most of them means that a national-scale attack on small business and home networks could enable an adversary to wreak havoc at a time of their choosing.
Unsecured devices can be hacked, of course, but that may not actually be necessary since recent research shows that even devices sold by major retailers now often come pre-loaded with malware, largely controlled, once again, by cyber crime groups based within adversary countries. Compromised IoT devices can be recruited to form part of so-called botnets; networks of devices controlled remotely by an adversary to do their bidding.
But what bidding? Well, that would be up to the adversary. Botnets are routinely used in Distributed Denial of Service (DDoS) attacks, and the trend towards ever larger DDoS incidents points to the scale of an attack that could be launched if the hybrid war escalates. In 2011-2013, attackers suspected to be linked to the Iranian state caused significant disruption to US financial institutions with a DDoS attack that peaked at around 140 gigabits per second.
Fast forward to 2026, and a private cyber crime group behind the Aisuru-Kimwolf botnet launched a DDoS attack that reached 31.4 terabits per second – nearly 230 times larger than a state-sponsored attack 15 years earlier.
But an adversary could also simply sabotage the IoT devices under its control en masse. In 2016, for example, the cyber crime group behind the Mirai botnet exploited vulnerabilities in a number of router models to disrupt the internet connections of 100,000 customers in the UK, and 900,000 in Germany.
In the future, our adversaries might simultaneously push malicious updates to the apps and extensions under their control to either temporarily brick or seriously decay the performance of the computers and phones that they are installed on.
This could lead to huge social and economic disruption. It would dramatically decay both the ability of the government to communicate with the populace, and the ability of individuals to cope with the wider crisis of a nationwide cyber attack. It would also likely have a severe psychological impact on the population as a whole.
Or the attackers could use control over apps, extensions, smart TVs and speakers to broadcast messages to intimidate the population and spread disinformation.
Western nations are reported to have carried out this exact type of attack. By some media accounts, in the opening days of the recent attack against Iran, the US and Israel took over a popular app with around 5 million users to convey a message to Iran’s population and its military. Similarly, our adversaries could use their control over many popular apps, extensions, smart TVs and smart speakers to broadcast messages to intimidate our populations and spread disinformation.
Another possibility is initiating widespread power-sapping activity on attacker-controlled devices to cause a power surge at an unexpected hour, indirectly attacking the power grid. Attacking critical national infrastructure may not require hacking CNI infrastructure itself.
If the UK’s population is to play its part in defending against these types of attacks, it’s going to need some help.
The NCSC – the UK government’s National Cyber Security Centre – has a mandate to play an essential role in defending against those attacks, as it lays out in its own mission statement: “Our mission is to make the UK the safest place to live and work online so that everyone – whether at work or at home – can navigate the cyber landscape safely and with confidence.”
Since its inception almost a decade ago, the NCSC has become a trusted source of cybersecurity advice in the UK. All EU nations have their equivalents; it is a very wise requirement of EU membership.
What the NCSC could do
The NCSC’s website is a well-designed, intuitive platform that guides concerned users through a structured assessment of their own cybersecurity requirements, pointing them towards remediation advice where it is needed.
But while this much needed advice is welcome, it often doesn’t go far enough. Scan through the pages of advice on the NCSC’s excellent website and you couldn’t fail to notice a couple of things. First, there is a lot of it. Far too much for even the keenest cyber nerd to want to read. Second, it often doesn’t tell the reader precisely what is required of them.
The NCSC does recommend that we use key pieces of technology to keep our personal data and small business or home networks secure. Anti-virus software, password managers, and VPNs are a few examples.
But the NCSC doesn’t tell us which products to use. Instead, it provides guidance on the technical features and specifications we should be judging a candidate piece of software against. This technical due diligence is beyond the expertise, and frankly interest, of most citizens. Will your elderly parents or grandparents be determining which vendor is a “trusted vendor”? Is it fair to expect a hard-pressed small business owner, acting as their own CMO, CFO and Head of HR, to work out how to block access to USB ports on company machines? Of course not.
So what do people do? They make ill-informed decisions. Or no decisions at all. Our governments should recognise that digital overload is real. It is too much to expect most people to devote the time needed to carefully select the right solutions.
If our government wants us to do our part in protecting networks and data, it should step up and tell us exactly how.
The NCSC should develop a national register of approved hardware, software and cloud services that follow secure by design principles, which are transparent about their ownership and that are based in safe jurisdictions.
For each security tool that the NCSC advises citizens to adopt, a list of approved solutions should be provided, and continuing the NCSC’s existing website design, an intuitive set of simple questions should be used to guide users to the solutions that best meet their needs. The register should be regularly refreshed to make sure that its recommendations remain current, because the level of security offered by any given vendor can change over time.
The UK has a free market, where vendors should in general be free to compete without the government preferencing one over another. Many in government will therefore be understandably reluctant to consider such a broad ranging register since it risks being perceived as tipping the commercial scale towards specific favoured vendors.
But while that is a sound principle in general, the scale of the cyber threat and the speed with which it is developing requires that we find a way to work around such qualms where that is necessary to secure the nation.
The NCSC, with the Department for Science, Innovation and Technology (DSIT), has already taken steps down this road by launching a Software Security Code of Practice and a small network of Cyber Resilience Test Facilities, which technology vendors can work with to get certified. These are valuable programmes, but they are pitched primarily at helping large organisations with IT and procurement teams make informed risk-based decisions about what solutions their organisations implement.
In contrast, the national register that we are proposing would be designed squarely to guide individual citizens and small business owners, not large organisations.
It would provide specific approved solutions in every major category of technology. Citizens would not need to digest a complex risk-based certification report. They would simply pick a solution from the register.
And the national register would not, in fact, be a certification programme as such, in which each vendor needed to sign up, devote considerable effort to compliance, and pay for expensive audits. That kind of programme works for vendors wanting to sell to government or highly regulated enterprises, but it would simply never scale in the way required.
Instead, our government should staff up a large team of full-time reviewers whose job is to proactively analyse existing commercial solutions. While reviewers could seek the cooperation of vendors, they would mainly assess vendors based on publicly available data.
For example, reviewers would consider the headquarters jurisdiction of each vendor, its ownership, whether it openly publishes its security policies and what those policies are, how many internal security personnel it employs, any documented history of breaches, the security features it offers, its data processors and infrastructure providers (where visible), and so on. To meet the challenge of our changing world, any vendor based in adversary countries should be automatically barred from the register, regardless of its other merits.
This kind of security review is far from perfect. But the same is true of even the most extensive and expensive certification audits. And our suggested approach has the very significant advantage of speed and scale. We no longer have time for lengthy consultation periods and incremental roll-outs that don’t genuinely move the needle on which solutions our citizens are actually buying. We need this national register quickly.
And the government should fund the NCSC to launch a national-level public safety campaign for this register so that individuals and small business decision makers up and down the country learn about it where they already are: in their social media feeds, in television advertising, on billboards, at events.
National-level public information campaigns around critical health or economic issues can serve as a useful model here. Current social divisions will mean that some people will be suspicious of any products recommended by the government. But many, many others, confused and worried about cybersecurity, will be grateful for simple guidance that cuts through the noise and allows them to choose secure solutions without the burden of doing their own research.
A large proportion of the populace is keen to do its bit to support national defence. But they are busy and often confused. Give them the clear guidance they need to play their part in this national effort.
Mark Philpott is a security specialist based in London. After spending the first half of his career working for the UK government, he moved into consultancy advising governments and commercial organisations globally on security matters.
Ed Hare started his career in the diplomatic corps. He then moved into consulting, initially training government agencies and then specialising in working with large international technology firms to improve their competitive strategies around AI, big data, cloud and cybersecurity products. Ed also led many cross-border due diligence projects and investigations.
As the cybersecurity threat worsened in the 2010s, Ed took charge of security for his small consulting firm. He founded Keosetech in 2022 to help small organisations in high threat sectors such as defence with cyber and physical security, due diligence and investigations. In 2026, Ed also launched SAFE (Security Assistance for Everyone), a pay what you can afford service for low income or vulnerable individuals and families.