Sunday, March 9, 2025

UK Cybersecurity Hindered by ‘Inept Political Censorship’ from the Home Office

The National Cyber Security Centre (NCSC) in Britain has quietly pulled down public guidance aimed at barristers, solicitors, and legal firms without any notice. This guidance, titled “Cyber Security Tips for Barristers, Solicitors, and Legal Professionals,” included both a webpage and a detailed seven-page PDF. It disappeared on February 24, just two weeks ago.

When Computer Weekly asked the NCSC about the removal, it did not respond on whether it was aware that the deleted materials were still available online through The National Archives. Now, if you try to access the legal advice webpage, it redirects you to the wrong page. The PDF link returns a “404” error, but interestingly, that error page suggests checking The National Archives for archived versions of the removed file.

The NCSC’s booklet stressed that “cyber criminals are not fussy about who they attack,” indicating that law practices, large or small, could be targeted. It detailed 37 actions that legal professionals should take to protect themselves from cyber threats. This guidance came out on October 11, 2024, after a 2023 Cyber Threat report which highlighted that by 2020, three-quarters of UK legal firms had experienced cyber incidents.

The Bar Council has expressed concern that barristers in England and Wales face various threats—from state and non-state actors alike—due to the nature of their work. Reports include not just cyber harassment but physical surveillance, hacking attempts, and threats to personal safety and family members. They noted that these threats undermine both the legal profession and access to justice.

NCSC’s removal of the guidance occurred a month after the Bar Council’s alarming warnings, coinciding with a notable incident involving Apple. The tech company announced it would not comply with a UK Home Office directive demanding they weaken security measures on their end-to-end encryption system, which is designed to safeguard legal data.

Dr. Ian Brown, a cybersecurity expert, sees this as troubling political censorship. He believes merging NCSC with GCHQ could jeopardize security by prioritizing surveillance over protection. Professor John Crowcroft from Cambridge also highlighted that this undermines the UK’s cybersecurity stance, making the country a prime target for cybercriminals.

Now, the NCSC has shifted its stance, moving away from promoting the essential need for end-to-end encryption, with only a brief mention in obscure documents. Meanwhile, CISA, the US’s cybersecurity agency, has emphasized that highly targeted individuals should consistently use end-to-end encryption due to the increased risk of cyber interception.

Despite the situation, NCSC has refused to answer questions about the withdrawal of their guidance, leaving inquiries about who ordered it and why unanswered. They also did not clarify if any efforts would be made to erase archived copies or to restore the removed pages. Before the guidance was taken down, it explicitly urged lawyers to activate encryption to protect sensitive data.

Further complicating matters, tensions between Apple and the Home Office around National Security Notices have raised alarms about wide-ranging powers imposed on telecom companies. The vague nature of these notices has led to companies being compelled to take actions that their boards may not fully understand or agree with.

Even after the 2016 Investigatory Powers Act came into play, the Home Office has utilized Developed Vetting processes to obstruct key figures in oversight, raising serious concerns over misuse of power.

The Bar Council confirmed it wasn’t informed about the guidance removal and plans to reach out to the NCSC for clarification. It indicated it might link to an archived version of the guidance once it has consulted with its IT team.