UK government is scanning British internet space for zero-day threats

The U.K.’s National Cyber Security Centre has launched a new program that will continually scan every internet-connected device hosted in the United Kingdom for vulnerabilities to help the government respond to zero-day threats.

The NCSC, which is part of the Government Communications Headquarters and acts as the U.K.’s public-facing technical authority for cyber threats, says it launched the initiative to build a data-driven view of “the vulnerability and security of the U.K.”

It’s similar to efforts by Norway’s National Security Authority, which last year looked for evidence of exploitation of Microsoft Exchange vulnerabilities targeting internet users in the country. Slovenia’s cybersecurity response unit, known as SI-CERT, also said at the time that it was notifying potential victims of the Exchange zero-day bug in its internet space.

The NCSC’s scanning activity will cover any internet-accessible system that is hosted within the U.K., the agency explains, and will hunt for vulnerabilities that are common or particularly important due to widespread impact.

The NCSC says it will use the data collected to create “an overview of the U.K.’s exposure to vulnerabilities following their disclosure and track their remediation over time.” The agency also hopes the data will help to advise system owners about their security posture on a day-to-day basis and to help the U.K. respond faster to incidents, like zero-day vulnerabilities that are under active exploitation.

The agency explains that the information collected from these scans includes any data sent back when connecting to services and web servers, such as the full HTTP responses, along with information for each request and response, including the time and date of the request and the IP addresses of the source and destination endpoints.

It notes that requests are designed to collect the minimum amount of information required to check if the scanned asset is affected by a vulnerability. If any sensitive or personal data is inadvertently collected, the NCSC says it will “take steps to remove the data and prevent it from being captured again in the future.”

The scans are performed using tools running from inside the NCSC’s dedicated cloud-hosted environment, allowing network administrators to easily identify the agency in their logs. U.K.-based organizations can opt out of having their servers scanned by the government by emailing the NCSC a list of IP addresses they want excluded.

“We’re not trying to find vulnerabilities in the U.K. for some other, nefarious purpose,” explained Ian Levy, the NCSC’s outgoing technical director, in a blog post. “We’re beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we’re doing (and why we’re doing it).”