Britain’s National Cyber Security Centre (NCSC) has secretly censored detailed public computer security guidance provided to barristers, solicitors and legal firms without explanation or announcement.
The guidance, a web page and a seven-page PDF report called Cyber security tips for barristers, solicitors, and legal professionals, was removed from the centre’s public website two weeks ago, on 24 February.
The NCSC refused to respond to questions from Computer Weekly asking if it knew that the deleted web page and booklet had automatically been archived by The National Archives, multiple times, and so were all still online.
On the NCSC website, requests for the legal advice web page are now redirected to an incorrect page on the same site. The deleted booklet link returns a “404” not found error page stating, “Sorry – the page you’re looking for isn’t here”. Embarrassingly for NCSC, the 404 error page message then suggests that The National Archives might have archived versions of the removed file. It does.
“Cyber criminals are not fussy about who they attack,” the censored NCSC booklet had warned, “which means law practices of all sizes are at risk.” The booklet listed 37 steps lawyers and legal firms should take “to help them to reduce the likelihood of becoming victims of a Cyber attack”.
The booklet was published on 11 October 2024, following a special 2023 NCSC Cyber threat report for the UK legal sector. The Cyber threat report, published with the assistance of the Bar Council, noted that by 2020, three-quarters of UK legal firms had reported cyber attacks.
The Bar Council said: “Barristers in England and Wales face threats, harassment, and intimidation at the hands of state and non-state actors from around the world. The Bar Council is concerned by the rising reports from members who have faced different forms of attack and threats because of their international legal work.”
Targeted attacks reported to the Bar Council have included physical as well as cyber surveillance, cyber harassment including threatening or impersonating emails, repeated and sustained hacking attempts, death threats and rape threats, threats to family members via email or social media, and “privilege phishing”, which seeks to persuade those who are targeted to divulge sensitive information.
“These threats are not just an attack on the legal profession, they also have a chilling effect on access to justice and the rule of law,” it said.
‘Political censorship’
NCSC’s advice to lawyers was removed one month after these grave warnings from the Bar Council, and on the weekend after Apple had indicated it would refuse to comply with a UK Home Office Technical Capability Notice (TCN) requiring it to disable its high-security end-to-end encrypted “Advanced Data Protection” (ADP) system used on iCloud. The ADP system causes the encryption keys for users’ iCloud files to be stored only on devices, thereby improving security for legal data from outside attackers.
“This looks like clumsy Home Office political censorship,” claimed cyber security expert Ian Brown. “This kind of politicisation by GCHQ [which runs NCSC] is a hazard to security, because of the risk of subordinating protective security to surveillance,” he said. Brown and other security experts warned, when NCSC was set up, that it should be run separately from GCHQ to avoid conflict and embarrassment.
Cambridge University professor of communications systems Jon Crowcroft, commenting on the move against Apple, said: “The UK now is in a weaker state of protection. The attraction to the bad guys is increased here massively above other countries. … Our government has painted a target on us, and explicitly on all the ‘us’ that are not engaged in anything other than everyday commerce and discourse.”
NCSC drops references to encryption
The weakened UK position now recommended by NCSC fails to refer to the critical need for end-to-end encryption, except in one isolated and obscure document. The incorrect page that lawyers are now linked to does not refer to encryption at all.
In contrast, and in the face of an onslaught of suspected China-led attacks against multiple high-value targets, the US equivalent cyber defence agency, CISA, recently stipulated that “highly targeted individuals [should] immediately review and apply the best practices provided … including consistent use of end-to-end encryption”.
“Highly targeted individuals should assume that all communications between mobile devices – including government and personal devices – and internet services are at risk of interception or manipulation,” CISA’s advice states.
NCSC refused this week to answer any questions from Computer Weekly, and instead referred enquiries to the Home Office, which also refused to respond. The still unanswered questions include who ordered the takedown, why, and why partner legal organisations were not notified or consulted in advance of the tampering. NCSC also refused to say whether it would now seek to have government archive copies erased and consigned to a “memory hole” – a reference to a technique adopted by the Ministry of Truth in Orwell’s 1984 – or whether it would put the censored pages back.
Until the secret takedown, the NCSC booklet included the instruction to lawyers to “turn on encryption”.
It advised: “Turn on the free encryption products included with your Windows or Apple devices, so cyber attackers can’t access your sensitive data if your device is lost or stolen. Make sure encryption is enabled on your mobile device (this is done automatically on modern Android/Apple devices).”
For iOS devices, users were told to enable Advanced Data Protection for iCloud. This advice has become impossible for UK users to follow because of Apple’s reaction to the Home Office notice. All the other cyber security guidance in the booklet remains valid.
New concerns over National Security Notices
The escalating row between Apple and the Home Office has also flushed out more serious concerns about the use of far-reaching powers to impose controls on telecommunications companies, by issuing National Security Notices.
The vague terms of National Security Notices require telecommunications operators to take specific steps that the secretary of state considers necessary in the interests of national security.
Parliament was led to believe that this power applied only to technical facilities, such as interception arrangements. Multiple industry sources say that since 2016, NSNs have been used to require telecommunications company boards, including Apple, to delegate board authority to secret Home Office controlled and selected internal national security committees, all of whose members and staff, and any lawyers they hire, must be approved for Developed Vetting (DV) checks. The arrangement means that companies may be ordered to implement security breaches that directors and engineering staff do not know about.