The NCSC said the goal of the nationwide scan is to better understand existing security and vulnerabilities.
The UK government’s cybersecurity agency is scanning all internet-accessible systems that are hosted in the country for potential vulnerabilities.
The National Cyber Security Centre (NCSC) said the goal is to better understand the country’s existing security and vulnerabilities, while helping system owners understand their security posture on a day-to-day basis.
The UK scan covers “any internet-accessible system that is hosted within the UK” and is looking for vulnerabilities that are common or have a risk of high impact.
“The NCSC uses the data we have collected to create an overview of the UK’s exposure to vulnerabilities following their disclosure, and track their remediation over time,” the agency said in a statement.
It added that its probes are verified by senior technical professionals and tested in its own environment before use.
The NCSC also said it aims to collect the smallest amount of technical information needed to validate the existence of vulnerabilities, while limiting the amount of personal data collected.
“In the unlikely event that we do discover information that is personal or otherwise sensitive, we take steps to remove the data and prevent it from being captured again in the future.”
NCSC technical director Ian Levy said the agency is trying to be transparent about its scans and is allowing people to send simple opt-out requests if they don’t want their servers scanned.
“We’re not trying to find vulnerabilities in the UK for some other, nefarious purpose,” Levy said in a blog post. “We’re beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we’re doing (and why we’re doing it).”
Sylvain Cortes, VP of strategy at cyber management company Hackuity, praised the initiative of the NCSC to provide vulnerability information to UK organisations.
Cortes said the NCSC made Nmap scripts available on GitHub in January to help organisations “identify their internal vulnerabilities on their own network”.
“With these two tools combined, UK-based organisations have access to a first level of information, which they will then have to process in a prioritisation process in order to be efficient and focus their efforts on the important elements,” Cortes said.