Why we need the new UK National Cyber Security Strategy

James Tamblin, President of BlueVoyant UK, shares his views on the planned initiatives to shape the direction of the UK’s cybersecurity industry this year

On 15th December 2021, the UK government published its new National Cyber Security Strategy based around five strategic pillars, representing the goals that the government intends to achieve by 2025. While there is a lot of detail to digest, this article outlines the most pressing parts of the strategy, exploring how and why this adds value to the UK’s cybersecurity posture.

As we kick-start 2022, it is clear that we live in a world where well-resourced, highly opportunistic adversaries are taking advantage of newly distributed technology environments, created as a result of the pandemic. They are ramping up campaigns on all fronts, from business email compromise and ransomware-as-a-service, to sophisticated multi-stage attacks originating in the supply chain. Until there is a coordinated, multinational effort to combat cybercrime and hold those parties that commit these acts accountable, these lucrative attack types will continue to escalate in frequency and severity, which is why this National Cyber Security strategy is so important.

But this is not a new initiative: over the past decade the government has led a sustained national effort to strengthen the UK's cybersecurity and raise public awareness of cyber. In 2016, it set out a government plan to make Britain more secure and resilient in cyberspace. A key development area and evolution since 2016 is the investment into a ‘Cyber Runway’ designed to support innovation and entrepreneurship in cybersecurity from the UK.

This is a positive step which demonstrates recognition that the private sector plays a key role in helping to keep the UK in its position as a cybersecurity superpower. The nation can’t purely rely on those in public service to ensure that we are aware of and able to harness the latest innovations in technology to strengthen the security posture of the UK. 

A commitment to a ‘whole of society’ approach

Having read the new strategy, one key objective that jumped out was: “A commitment to a ‘whole of society’ approach in the UK”. This recognises that everyone in the UK has a part to play in the country’s cybersecurity posture and successful defence. By investing in cyber skills for young people through the “Cyber Explorers” programme, we are demonstrating that cybersecurity is relevant to everyone; it’s here to stay and will only become more closely woven into all aspects of our lives in the future. By investing in skills for young people in the UK, we are positioning the nation toward being a long-term leader in this space, just as it is in many other fields. 

A second was: “The highlighting of the UK’s offensive cyber capability”. This, together with the establishment of the National Cyber Force (NCF), demonstrates a shift in posture on this topic. The strategy document makes it clear that the UK is now ready to publicly demonstrate and invest in offensive cyber capabilities, countering threats from hostile actors, through schemes such as those delivered by the Defence Cyber School and other government organisations.

Adding value to the country's cybersecurity posture

The new strategy sets out to unify what has, until now, been an apparently fragmented (though well-meaning) approach to cybersecurity across the different government departments and organisations. To that end, it is extremely relevant, and the challenge for the different government stakeholders is driving through and supporting the initiatives that will need to evolve from the strategy.

That said, delivering the strategy will require sustained commitment and effort by this government and future governments. It sets out ambitious targets for protecting all parts of government and all public organisations from known vulnerabilities and known attack methods by 2030. And as mentioned above, that scale will only be deliverable in partnership with the cybersecurity industry.

Combatting the UK cybersecurity skills shortage

However, the UK, along with the rest of the world, has a skills shortage in relation to cybersecurity. The latest data from the 2021 (ISC)² Cybersecurity Workforce Study estimates that an additional 700,000 professionals have joined the cybersecurity sector, but that the gap between the number of additional professionals needed to adequately defend organisations and the number currently available stands at 2.7 million. This is clearly a huge gulf between the people available and the quantity that is needed. Therefore, finding and retaining top talent across certain specialisms within cybersecurity has become increasingly difficult in the past few years, and demand is only set to increase.

The importance of training

This reinforces the importance and need for training. Training at all levels is arguably the most important part of the execution of the UK’s Cyber Strategy. Equally, building a well-trained pool of British cyber professionals that also represents the diversity of the nation (and the world) is vital if it is to truly succeed. To align effectively with allies and combat adversaries we need cyber professionals who represent all areas of society. 

The strategy also talks about bringing in the private sector to "challenge, support and inform the government’s approach to cyber," and here I see both advantages and disadvantages. The government will need to align more with the private sector if the UK is to succeed in its strategy. The entrepreneurial talents and technical capabilities of people and organisations in the private sector must be harnessed to remain at the forefront of managing cyber risk as a nation.

With that in mind, the government must keep close oversight and hold to account those private sector organisations that play a part in delivering the strategy, as laid out in the report. Private sector technology and cybersecurity organisations should never be allowed to ‘mark their own homework’ or drive their own agenda. Cybersecurity standards cannot be set by industry – these need to be set and upheld by regulations and accompanying enforcement bodies.

In summary, the new strategy is a positive step forward for UK cyber resilience and sets out how the government expects to expand both offensive and defensive cyber capabilities in the country. It outlines how it is prioritising cybersecurity in the community, the workplace, boardrooms and digital supply chains, which will make the UK, as a nation, more competitive and resilient on the world stage.
