UK publishes ‘comprehensive’ cyber security strategy

Plans to become a leading global cyber power in which both businesses and citizens can participate have been published by the UK government.

The new national cyber security strategy is based on balancing how to maximise the economic benefits of digital technology with the need for proactive management of cyber risks. It incorporates a programme of digital skills targeted at individuals and significant roles for the private sector and academia, and is backed by £2.6 billion investment set aside by the government in its autumn spending review.

Cyber risk expert Laura Gillespie of Pinsent Masons said that the government’s plans called for “a ‘whole society’ approach” to cyber security.

“The national cyber strategy sets out a comprehensive framework to enable the UK to protect and promote its interests in cyberspace,” she said. “Its vision is that, by 2030, the UK will continue to be a leading cyber power.”

“Success, it seems, will best be achieved when bringing together people, skills and technology to identify, manage and address the challenges we face,” she said.

The strategy is based around five ‘pillars’: investing in people and skills and closer collaboration between the government, academia and industry; building resilience and reducing cyber risk; building the UK’s industrial capacity on technologies vital to cyber power; global leadership and influence; and enhancing national cyber security and countering threats.

It proposes “more integrated, creative and routine” use of powers to tackle ransomware and cyber crime targeting the UK’s national security, including by expanding the cross-agency National Cyber Force. The unit, which brings together military and intelligence personnel under a single command structure, will shortly move to a custom-built headquarters in Samlesbury, Lancashire.

The strategy proposes the formation of a new ‘national cyber advisory board’ to the government, consisting of senior leaders from the private and third sectors; along with a new ‘national laboratory for operational technology security’ which will be charged with testing and providing training on critical industrial technologies. The government will also invest in expanding the research capabilities of the National Cyber Security Centre (NCSC), part of GCHQ, including its new applied research hub in Manchester.

The government will seek to build UK expertise in existing and emerging technologies “vital to cyber power”. It lists as potential priority areas 5G, 6G and other emerging forms of data transmission technology; artificial intelligence (AI), particularly the cyber security applications of AI; blockchain and its applications; semiconductors and microprocessor chips; cryptographic authentication; ‘internet of things’ and connected technologies; and quantum technologies. The strategy also proposes action to mitigate the cyber security risks of dependence on global markets, including through minimum security standards for all new consumer connectable products sold in the UK.

The government recognises that significant progress has been made in the last decade, including the establishment of the NCSC and the implementation of legislation, such as the Network & Information Systems Regulations (NIS regulations). However, due to the increasing number of cyber breaches that affect government, businesses, organisations and individuals, all UK businesses and organisations will be expected to develop a “better understanding” of cyber risks and their responsibilities to manage those risks as part of the strategy. The strategy places an emphasis on the requirement for businesses to scale up and work on prevention of attacks, through building in basic protections.

The government intends to work with “market influencers”, including insurers and investors, to incentivise good cyber security practices and promote take-up of accreditations and standards. The government also intends to toughen up corporate reporting requirements, aimed at giving investors and shareholders better insight into how companies are managing and mitigating material risks to their businesses, to include cyber risks.

Public sector cyber security will also be overhauled, with the government pledging to “significantly harden” its critical functions against cyber attacks by 2025. It intends to adopt the NCSC’s Cyber Assessment Framework as the assurance framework for all government departments, enabling it to “lead by example” in its understanding of cyber risk.

The strategy also devotes significant space to improving individual cyber skills, starting in classrooms with a new ‘Cyber Explorers’ online training platform for children. The government will also expand post-16 cyber security training opportunities, bootcamps and apprenticeships. In addition, the UK Cyber Security Council will be granted ‘Royal Charter’ status, bringing cyber security professionals into line with those in other professional occupations such as engineering.