We’d been promised the UK’s new National Cyber Strategy in Q4 2021 and yesterday (15th December), just before the Christmas break, it arrived. It replaces the current strategy, and follows publication of the Government’s Integrated Review earlier this year and the £2.6 billion investment in cyber announced in this year’s Spending Review.
Government strategies can be big on goals but light on specifics. This one does contain some grand plans (one of the key pillars – below – is to advance the UK’s global leadership in cyber) and some useful general background regarding cyber risks. Importantly, part 2 of the Strategy also sets out specific actions which will be taken by 2025 to deliver against those grand plans. While some of these had been announced previously, there is still a fair bit of detail for businesses to consider, particularly around cyber resilience.
The Integrated Review set out five ‘priority actions’ which now form the pillars of this Strategy framework, and organise the specific outcomes the Government intends to achieve:
Pillar 1 - UK cyber ecosystem: ‘Strengthening the ecosystem, investing in our people and skills and deepening the partnership between government, academia and industry.’ This includes growing the UK’s cyber sector, developing more integrated and effective regional cyber networks and developing a highly skilled and diverse workforce supported by professional standards and pathways. The catch-phrase for this Strategy is that the UK needs ‘a whole-of-society approach’ to cyber. One way the Government intends to demonstrate this is through the new National Cyber Advisory Board, which will bring together senior leaders from the private and third sectors to challenge, support and inform the Government’s approach to cyber.
Pillar 2 – Cyber resilience: Building a ‘resilient and prosperous digital UK, reducing cyber risks so businesses can maximise the economic benefits of digital technology and citizens are more secure online and confident that their data is protected.’ This focusses on reducing the burden on everyone by building in basic protections online and improving awareness, as well as building greater resilience for businesses, public services and critical national infrastructure. It is discussed further below.
Pillar 3 – Technology advantage: ‘Taking the lead in the technologies vital to cyber power, building our industrial capability and developing frameworks to secure future technologies.’ For example, it is important to expand the UK’s (and NCSC’s) research capabilities, acknowledge foreign direct investment risks (in line with the goals of the National Security and Investment Act 2021) and maintain the UK’s capabilities in key technologies such as AI, quantum, crypt-key (the cryptography used to protection the UK’s critical information and services) etc. The Strategy also discusses existing plans such as implementing the Product Security and Telecommunications Infrastructure Bill to improve security in consumer connectable products (see our blog) and developing standards (including AI standards, as set out in the AI strategy – see our blog). Interestingly, it mentions that seventy per cent of current cyber security vulnerabilities exploit a flaw in how microprocessors are designed that has been known about since the 1970s but by 2025 a new microprocessor design will be available (developed in the UK) for smartphones, and a growing list of other devices.
Pillar 4 - Global Leadership: ‘Advancing UK global leadership and influence for a more secure, prosperous and open international order, working with government and industry partners and sharing the expertise that underpins UK cyber power.’ Cyber considerations will be a key feature in the UK’s foreign policy agenda and the UK will continue to work with other countries as well as multilateral organisations such as the UN, EU, Five Eyes and the G7.
Pillar 5 – Countering threats: ‘Detecting, disrupting and deterring adversaries to enhance UK security in and through cyberspace, making more integrated, creative and routine use of the UK’s full spectrum of levers.’ Part of this involves investing in the UK’s cyber offensive capabilities, which the Government has done through both the National Offensive Cyber Programme and more recently through the establishment of the new National Cyber Force. The Strategy also discusses reviewing the government’s policy and operational approach to tackling ransomware as well as the Computer Misuse Act.
Cyber resilience for organisations
Pillar 2 (cyber resilience) is of particular interest to organisations. The strategy sets out a variety of actions the Government plans to take to ensure that: (i) cyber risk is properly understood; (ii) action is taken to secure systems and prevent attacks; and (ii) government and organisations are prepared for, and able to minimise the impact of, those attacks which do still get through. These actions range from identifying where digital supply chains are too concentrated, to improving the UK’s recording of Computer Misuse Act offences, and driving behavioural changes to ensure businesses proactively improve their cyber resilience. These behavioural changes may involve:
- targeted legislation, initially focusing on the Network and Information Systems regime and reform of data protection laws; and
- improvements to corporate reporting of resilience to risks, including cyber risks. This is aimed at giving investors and shareholders better insight into how companies are managing and mitigating material risks to their business.
The Government also acknowledges that it should lead by example (and it will publish a dedicated Government Cyber Security Strategy) and that more focus is needed from operators of critical national infrastructure. This will start with a consultation on reforms to the NIS regulations, implementing the new security framework for UK telecommunications providers and developing a ‘proportionate regulatory framework’ to ensure that the smart and flexible energy systems that the UK requires to deliver Net Zero will be secure and cyber resilient. It will also involve support regarding supply chain risk.
In addition, it should become easier for organisations and individuals to report cyber incidents. Action Fraud will be replaced with a new national fraud and cyber-crime reporting and analysis service, a new business reporting capability will be set up in the City of London police and regulators will be able to require the reporting of a broader range of incidents including 'near misses'.
We will be looking in more detail at action the Government intends to take to improve business resilience, particularly as further information will be set out in the Cyber Security Regulation and Incentives Review.
A strategy to cement the UK’s cyber power?
The Government argues that this Strategy builds on, but differs from, the 2016-2021 strategy as it is backed by increased investment, includes a more integrated and sustained campaign to disrupt and deter the UK’s adversaries and puts ‘cyber power’ at the heart of the UK’s foreign policy agenda. It defines cyber power as ‘the ability of a state to protect and promote its interests in and through cyberspace.’ Government support to improve both public and private sector cyber security is certainly to be welcomed. However, it appears that the effectiveness of the UK’s cyber power may depend to a degree on the actions of other nation states. Interestingly the strategy expressly calls out China and Russia, along with Iran and North Korea. It confirms that cyberspace will become more contested as state and non-state actors seek strategic advantage in and through cyberspace, and concludes that ‘how China evolves in the next decade will probably be the single biggest driver of the UK’s future cyber security.
“We require government departments, the wider public sector and regulated operators of critical national infrastructure, to raise their standards and manage their risk more proactively. We expect large businesses and organisations, including providers of digital services and platforms to be more accountable for protecting their systems, services and customers as a core part of running their business. In return, government will do more to secure the digital environment and tackle systemic risks and provide support through advice, tools, accreditation in the marketplace, and developing the skills that enable improvement.”