In December, the Government published its new National Cyber Strategy (the Strategy), which follows the publication of the Government’s Integrated Review 2021 and the £2.6 billion investment in cyber announced in the Spending Review.
The Strategy sets out how the UK will solidify its position as a global cyber power and calls for a whole-of-society approach that contributes to reinforcing the UK’s economic and strategic strengths in cyberspace. It defines ‘cyber power’ as "the ability to protect and promote national interests in and through cyberspace" and focusses on making the public sector more resilient by:
- expanding the UK’s offensive and defensive cyber capabilities and prioritising cybersecurity in the workplace, boardrooms and digital supply chains; and
- helping councils protect their systems and citizens’ personal data from ransomware and other cyber-attacks.
Five pillars of the Strategy
The Integrated Review 2021 set out five priority actions which now form the pillars of the Strategy, and organise the specific actions and the outcomes the Government intends to achieve by 2025.
Pillar 1: Strengthening the UK’s cyber ecosystem – adopting a whole-of-society approach, this pillar is targeted at ensuring cyber sector growth benefits the whole of the UK. It also aims to leverage the talent and skills of the whole population to ensure diversity of the cyber workforce, which has been recognised as critical for the UK’s national security. The Government will demonstrate this by establishing a new National Cyber Advisory Board inviting senior leaders from the private sector and third sectors to challenge, support and inform the Government’s approach to cyber.
Pillar 2: A resilient and prosperous digital UK – this aim focuses on "building a resilient and prosperous digital UK, reducing cyber risks so businesses can maximise the economic benefits of digital technology and citizens are more secure online and confident that their data is protected".
The Strategy sets out three key aspects to the concept of cyber resilience: (i) cyber risk needs to be understood; (ii) action needs to be taken to secure systems to prevent and resist cyber-attacks; and (iii) Government and organisations need to be prepared and resilient so as to minimise the impact of those attacks that do happen. The Strategy intends to drive behavioural change to encourage effective cyber security, and where necessary this may involve targeted legislation, primarily focusing on sectors where the potential of a cyber-attack is greatest.
The Government acknowledges that it should take the lead and aims to establish the UK’s public sector as an exemplar of best practice. In support of this aim, it will publish the first dedicated Government Cyber Security Strategy, which will focus on more effective risk management processes, governance and accountability; more comprehensive monitoring systems, networks and services; rapid and scaled incident response; and investment in skills, knowledge and a culture that promotes sustainable change. This will start with a consultation on reforms to the Network and Information Systems regulations, implementing the new security framework for UK telecommunications providers, and developing a proportionate regulatory framework to ensure that the future smart and flexible energy system the UK requires to deliver Net Zero will be secure and resilient to cyber threats.
Pillar 3: Leading technologies vital to cyber power – the Strategy acknowledges that for the UK, pursuing strategic advantage through science and technology, and the data access it depends on, will be a precondition for achieving wider goals as a cyber power.
To build and sustain a competitive edge in cyber-related technologies, the Strategy aims to expand the UK’s (including the National Cyber Security Centre’s (NCSC)) research capabilities with a focus on emerging technologies in areas such as connected places and transport, and to promote approaches that build security into new technologies, making them “secure-by-design”. The Strategy mentions that the Product Security and Telecommunications Infrastructure Bill will be implemented to enforce minimum security standards in all new consumer connectable products sold in the UK.
Pillar 4: Global leadership – UK activity in cyberspace will be a key consideration of the Government’s foreign policy agenda. The Strategy commits to developing a more integrated, whole-of-government technical offer, with greater investment in law enforcement and defence expertise, drawing more on UK industry and academia. The focus will be on protecting critical international supply chains and infrastructure, advancing the secure use of digital technologies and working with industry partners to do so at scale. The UK will continue to work with multilateral organisations and partnerships including the United Nations, Five Eyes, NATO and the G7.
To improve protection of UK interests and citizens abroad, the Strategy aims to develop an international cyber hygiene campaign for UK overseas missions, with the aim of raising the cost of malicious activity such as hacking, data and IP theft and ransomware.
Pillar 5: Enhance UK security in and through cyberspace – this pillar involves concerns about threats in cyberspace (e.g. to online activities), threats to the UK and partners through cyberspace (e.g. to networked UK critical national infrastructure), and threats to the functioning of underpinning international cyber infrastructure.
The Government has invested in offensive cyber capabilities, through the National Offensive Cyber Programme and the new National Cyber Force, and has sought to disrupt and raise the cost of hostile criminal activity in cyberspace by creating world-class threat detection and assessment capabilities with the means to translate the resultant insight into impactful mitigations across the public and private sector. The NCSC are also investigating ways to track emerging threats and continue to work with the Alan Turing Institute to explore whether machine learning can be used to detect certain types of cyber-attack. The Strategy also discusses reviewing Government policies and operational approach to tackling ransomware.
Efforts to promote cyber security in the UK cannot be achieved in isolation
The outcomes of the Strategy are intended to cement the UK’s position as a leading cyber power. The Government will be investing £2.6 billion in cyber and legacy IT over the next three years, in addition to significant investment in the National Cyber Force announced in Spending Review 2020 (SR2020).
The Strategy acknowledges that efforts to promote cyber resilience in the UK require government departments, the wider public sector and regulated operators of critical national infrastructure to raise their standards and manage their risk more proactively. It is also stated that these efforts must form part of the UK’s international engagement, including deepening globalisation of supply chains, IT platforms, multinational businesses, and the internet itself.
The Strategy recognises that cyberspace will become more contested as state and non-state actors seek strategic advantage in and through cyberspace and that for the UK to act effectively it will require levels of cyber resilience in its defence capabilities.
This article was written by Laura Evans and Lucy Pegler.
"The new National Cyber Strategy is our plan to ensure that the UK remains confident, capable and resilient in this fast-moving digital world; and that we continue to adapt, innovate and invest in order to protect and promote our interests in cyberspace." The Rt Hon Steve Barclay MP, Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office