NCSC celebrates eight years as Horne blows in

The UK’s National Cyber Security Centre (NCSC) has this week celebrated eight years since opening its doors as the country’s national technical authority for cyber security, and interim CEO Felicity Oswald has been reflecting on the organisation’s work during that time.

First announced by then-chancellor George Osborne in November 2015 following a national security review, the NCSC was at first billed as a “cyber force” within intelligence agency GCHQ standing ready to handle major cyber incidents in the UK and serve as a unified, single source of security advice.

Looking back, Oswald said the past eight years has brought a “raft of technological changes” alongside a vastly more complex threat landscape, and a concurrent evolution in the remit and capabilities of, and services provided by, the NCSC.

“Eight years is not a long time, but this period has been transformational to the way we all live and work online. One thing that has remained constant, however, and will remain so in the years ahead, is the symbiotic relationship between cyber security and intelligence,” she said.

“The connections between these disciplines are not new. Bletchley Park’s pioneering work in cryptography and the long history of cryptologists working at GCHQ underline the foundational and interwoven role that security and intelligence has played over the past century. This has been essential to our safety and prosperity, with code-making (security) and code-breaking (intelligence) working hand in hand to protect and unlock critical information.”

This approach has since become relatively common among the UK’s international partners – the NCSC’s counterpart agencies in Australia, Canada and New Zealand also sit within signals intelligence agencies, and the Swedish government last week announced its own NCSC would evolve and operate within the Försvarets Radioanstalt (National Defence Radio Establishment or FRA), Stockholm’s signals intelligence bureau.

In her farewell blog post, Oswald said the NCSC’s combined approach to cyber security – protecting and safeguarding technology while maximising their potential for intelligence work – had been proven to deliver clear best value for British taxpayers by minimising duplication that would surely happen if its functions were still separate across multiple bodies

“This is a responsibility that we hold ourselves accountable for delivering, and one that we hold in trust for our successors. It demands top-tier technical expertise, from cutting-edge post-quantum cryptography to safeguarding the industrial control systems essential to the UK's critical national infrastructure (CNI), and produces world-leading security outcomes for the UK at scale,” she said.

“Configurations may differ from nation to nation, but the principle remains the same: collaboration between ‘poachers and gamekeepers’ strengthens both sides.”

Oswald said the interdependency between security and intelligence would become more critical, and the risks and opportunities of new technologies and more sophisticated threats meant the NCSC needed to get better at both at addressing the security of those technologies and how to use them for intelligence purposes.

As she prepares to hand over the captain’s chair to her successor Richard Horne, whose official first day in post is Monday 7 October, she said she was focused on ensuring the NCSC was well-positioned for another eight years.

“We must be ready to meet the challenges that will face us, backed by the might of world-class signals intelligence and the deep expertise and insights that come with this, in the mission to make the UK the safest place to live and work online,” she said.

Horne, a former PwC exec who held responsibility for the organisation’s UK cyber security practice, was announced as CEO in April 2024. Besides being tasked with continuing the work started by his predecessors Ciaran Martin and Lindy Cameron, Horne will inevitably play a key role in guiding the UK’s response to the cyber risks presented by emerging technologies.

Aside from his time at PwC, Horne’s CV already has a lengthy section devoted to cyber – he was previously managing director of cyber security at Barclays, and for a time was seconded to the Cabinet Office under David Cameron’s coalition government to help form an early version of the UK’s Cyber Security Strategy.

He is a graduate of the University of Exeter and holds a PhD in mathematics and cryptography from Royal Holloway at the University of London.