Re: Non-event for NCA
Yep, this is exactly the case.
I worked at SOCA on the comissioning of their pre-NCA website, this was around 2010/2011.
The simple fact of the matter is that the site was hosted externally, containing nothing but press releases and some blurb about how to apply for positions at SOCA. It didn't store any data that the organisation would consider to be personal, private or of any value to anyone, furthermore it wasn't the only copy of the data, so if it was lost, it didn't matter.
They picked the cheapest ISP and web development company that they could find. They knew when commissioning it that:
1. It would be trivially easy to take it down with a DoS attack
2. That probably it could be hacked and defaced fairly easily
3. That probably there would be some reputational embarressment when (not if) either of these eventualities occurred
They knew that the same risks would be present, however much money they threw at the problem and that even if they spent a lot of money today to make it difficult to disrupt the service, it could still be disrupted and that it would probably be easy for someone to disrupt it with technology available tomorrow, so in order to avoid reputational damage, it would require constant review and additional expenditure to ensure that they kept upgrading the counter measures.
They decided it wasn't worth it, so they went with the cheapest and prepared their press statements in advance of the inevitable 'hack'.
Just a few days after it went live, someone did a DoS on it, which for me was quite funny because the press were just informed about the new site a day or so before it was attacked, so whoever attacked it timed it perfectly.
SOCA decided to shut it down for a couple of days, mainly to protect the ISP's other customers, who were also affected by the attack, it was all quite amicable really. The press picked up on it almost immediately and the statement they gave at the time was pretty similar to what was issued today.