On Tuesday 1st of November, the UK Government announced the publication of its National Cyber Security Strategy. Underpinned with a £1.9bn investment, it sets out how the UK will use automated defences to defend citizens and businesses against growing cyber threats, support the UK’s growing cyber security industry, develop a world-class cyber workforce and deter cyber-attacks from criminals and hostile actors.
The Government would be the first to admit that past policies on cyber security have not achieved the scale and pace of change required to stay ahead of the ever-changing cyber threat. For many digital services and products emerging on the market today, security has been an afterthought. Too many organisations are suffering basic breaches, too few investors are willing to risk supporting entrepreneurs in the sector and there is a lack of graduates and others with the right skills emerging from the education and training system.
To address these failures, the new £1.9bn Strategy will therefore focus on three key themes:
The ‘Defend’ strand of the Strategy, focusing primarily on the UK’s critical national infrastructure, aims to ensure that the UK has the means to defend itself against evolving cyber threats, to respond effectively to incidents and to ensure UK networks, data and systems are protected and resilient. In this regard, the new National Cyber Security Centre (NCSC) will provide leadership to industry on key national cyber security issues, and work with the Ministry of Defence’s (MoD) Cyber Security Operations Centre to help the Armed Forces respond to a potential, significant national cyber attack through active cyber defence (ACD) measures.
The ‘Defend’ strand of the Strategy will also focus on ensuring that all government digital services built or procured have security ‘built in by design’, working closely with the Government Digital Service (GDS), the Crown Commercial Service (CCS) as well as NHS Digital in order to implement new data security standards. This is an area that techUK will look at increasingly in 2017, ensuring that the Government’s digital transformation agenda is underpinned with security.
The ‘Deter’ strand of the Strategy will be led by the intelligence agencies, the Ministry of Defence, law enforcement and the National Crime Agency, in coordination with international partner agencies. It will see the Government investing in detecting, understanding, investigating and disrupting hostile actions taken against businesses and the public sector, pursuing and prosecuting cyber criminals whilst reserving the right to take offensive action in cyberspace. One of the main objectives of this strand of the Strategy is to reduce cybercrime. Law enforcement has traditionally been underfunded in this regard, as highlighted by techUK’s recent ‘Partners Against Crime’ report, so it is good to see a commitment to enhancing law enforcement’s capabilities and skills at a national and local level, as well as establishing a new reporting system in order to share information across law enforcement in real time.
Interestingly, the strategy recognises the importance of encryption to the protection of the UK’s most sensitive information and stresses that the UK will continue to maintain its sovereign capability in this area, whilst working with industry to ensure that there are no ‘safe spaces for…criminals to operate beyond the reach of the law’.
This strand of the Strategy will focus on growing the UK’s cyber security industry, investing in accelerator programmes, scientific research and skills. As part of this, the Strategy highlights the creation of two new cyber innovation centres to drive the development of cutting-edge cyber products and dynamic new cyber security companies as well as allocating a proportion of the £165m Defence and Cyber Innovation Fund to support innovative procurement in defence and security.
The Government will also support the creation of a growing cyber security sector, helping UK companies and academics develop the commercial and entrepreneurial skills required to grow. The two new cyber innovation centres will sit at the heart of this section of the Strategy, giving companies the required assistance to get their first customers and attract further investment. A proportion of the £165m Defence and Cyber Innovation Fund will also be put towards this, as well as the provision of testing facilities for companies to test products. Reassuringly, the Strategy also makes reference to the collective expertise of the Cyber Growth Partnership (CGP) that techUK continues to provide the secretariat for in order to focus further growth and innovation interventions.
On the topic of cyber security skills, the strategy sets out a long-term skills project that builds on existing work to integrate cyber security into the curriculum so that everyone studying computer science, technology or digital skills will learn the fundamentals of cyber security. This effort will also attempt to address the gender imbalance in cyber professions and to reach people from more diverse backgrounds, and will be spearheaded by a cyber skills advisory group made up of government, employers, professional bodies, and education providers.
Finally, the strategy recognises the importance of co-operation with international partners on cyber-related issues. This includes an assurance that international law and human rights apply in cyberspace, a commitment to a multi-stakeholder model of internet governance, an opposition to data localisation and working towards the raising of cyber security capacity within partner countries. A large proportion of this section focuses on helping other countries develop and maintain their own cyber security, building their capacity to tackle cyber threats to the UK.
It is reassuring to see that, in its approach to cyber security standards within the digital economy, the Strategy takes an interventionist stance that aims to raise standards across the UK. The Government has admitted that a ‘market approach’ to the promotion of basic cyber security hygiene has in the past not produced the required pace and scale of change, with take-up of initiatives such as Cyber Essentials having been low. It is true that the market is not valuing and managing cyber risk correctly and techUK therefore welcomes the recognition that businesses need to ‘up their game’ in regards to cyber security. The Government has a role to ‘set the pace’ and lead the way by bringing its influence and resources to bear to address cyber threats, though it cannot do this alone. The strategy is also a lot clearer, for the first time, about the nation state cyber threats facing the UK and more confident and aggressive in its response to such threats.
Whilst it could be argued that the strategy is too broad in certain areas, it is still good to see the Government aiming high and trying to ensure that the UK is a safer place to conduct digital business (though it will be difficult to cover all of the initiatives announced in a five-year plan). One criticism, however, is the lack of recognition within the Strategy that much of the world’s innovation in cyberspace comes from the US and increasingly the Far East. The Government should commit more heavily to engaging with innovators around the world, which will in turn help UK companies grow.
Overall, the Strategy is a robust and comprehensive response from Government to the growing cyber threats that we face. It is now time for businesses across the country to step up and play their part in keeping their businesses and the UK as a whole secure.
This article originally appeared in the February 2017 edition of Cyber World.