EXECUTIVE SUMMARY:
Just as hurricanes have a category system to convey the intensity or danger level of storms, so now do cyberattacks. The National Cyber Security Centre (NCSC) for the UK announced the new system at its CYBERUK conference last week. The goal of the category framework is to help law enforcement and intelligence operatives better prioritize their responses.
There are six categories of threats, according to IT Pro, distinguished by level of impact and severity. For instance, a category six attack would apply to an individual being hacked. A category one attack, at the other end of the spectrum, would qualify as a national cyber emergency. “This type of threat – which NCSC head Ciaran Martin has warned the UK will inevitably face sooner or later – is one which attacks critical infrastructure like power grids, utilities or hospitals and leads to ‘severe economic or social consequences or to loss of life,'” reports IT Pro.
The category system, as presented on the NCSC website:
| Category definition | Who responds? | What do they do? | |
| Category 1
National cyber emergency |
A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life. | Immediate, rapid and coordinated cross-government response. Strategic leadership from Ministers / Cabinet Office (COBR), tactical cross-government coordination by NCSC, working closely with Law Enforcement | Coordinated on-site presence for evidence gathering, forensic acquisition and support. Collocation of NCSC, Law Enforcement, Lead Government Departments and others where possible for enhanced response. |
| Category 2
Highly significant incident |
A cyber attack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy. | Response typically led by NCSC (escalated to COBR if necessary), working closely with Law Enforcement (typically NCA) as required. Cross-government response coordinated by NCSC. | NCSC will often provide on-site response, investigation and analysis, aligned with Law Enforcement criminal investigation activities. |
| Category 3
Significant incident |
A cyber attack which has a serious impact on a large organisation or on wider / local government, or which poses a considerable risk to central government or UK essential services. | Response typically led by NCSC, working with Law Enforcement (typically NCA) as required. | NCSC will provide remote support and analysis, standard guidance; on-site NCSC or NCA support may be provided. |
| Category 4
Substantial incident |
A cyber attack which has a serious impact on a medium-sized organisation, or which poses a considerable risk to a large organisation or wider / local government. | Response led either by NCSC or by Law Enforcement (NCA or ROCU), dependent on the incident. | NCSC or Law Enforcement will provide remote support and standard guidance, or on-site support by exception. |
| Category 5
Moderate incident |
A cyber attack on a small organisation, or which poses a considerable risk to a medium-sized organisation, or preliminary indications of cyber activity against a large organisation or the government. | Response led by Law Enforcement (likely ROCU or local Police Force), with NCA input as required. | Law Enforcement will provide remote support and standard guidance, with on-site response by exception. |
| Category 6
Localised incident |
A cyber attack on an individual, or preliminary indications of cyber activity against a small or medium-sized organisation. | Automated Protect advice or local response led by Law Enforcement (likely local Police Force). | Remote support and provision of standard advice. On-site response by exception. |
