The goal is to harden national security against vulnerability exploitation and weaponized bugs.

The United Kingdom’s National Cyber Security Centre (NCSC) is now scanning all internet-exposed devices hosted in the UK for vulnerabilities, the agency announced. The NCSC leads and oversees the country’s cybersecurity efforts.

The goal, they say, is first to assess the UK’s vulnerability to cyberattacks. They also want to help the owners of internet-connected systems to better understand the risks involved and the importance of their own security posture.

The NCSC explained the campaign in a formal announcement on its website. “As part of the NCSC’s mission to make the UK the safest place to live and do business online, we are building a data-driven view of the vulnerability of the UK”, they explain.

The agency claims that the scanning program will help them to “better understand the vulnerability and security of the UK”, as well as “help system owners understand their security posture on a day-to-day basis”.

The project will also help system owners to “respond to shocks” such as a widely exploited zero-day vulnerability. The measure’s announcement follows a warning by Microsoft that state actors in China are preparing to exploit vulnerabilities on a large scale.

Who is subject to scanning?

The scanning activities cover any internet-accessible system that is hosted within the UK, the NCSC explains. They also target vulnerabilities that are common or particularly important due to their high impact. The NCSC say they will use the data they collect to create “an overview of the UK’s exposure to vulnerabilities following their disclosure, and track their remediation over time”.

The NCSC collects and stores any data that a service returns in response to a request. For web servers, they explain, this includes the full HTTP response (including headers) to a valid HTTP request. For other services, this includes data that is sent by the server immediately after a connection has been established or a valid protocol handshake has been completed.

They also record other useful information for each request and response, such as the time and date of the request and the IP addresses of the source and destination endpoints. Owners or operators of devices can opt out of future scanning campaigns by contacting the agency.