Why we need the new UK National Cyber Security Strategy
On 15th December 2021, the UK government published its new National Cyber Security Strategy based around five strategic pillars, representing the goals that the government intends to achieve by 2025. While there is a lot of detail to digest, this article outlines the most pressing parts of the strategy, exploring how and why this adds value to the UK’s cybersecurity posture.
As we kick-start 2022, it is clear that we live in a world where well-resourced, highly opportunistic adversaries are taking advantage of newly distributed technology environments, created as a result of the pandemic. They are ramping up campaigns on all fronts, from business email compromise and ransomware-as-a-service, to sophisticated multi-stage attacks originating in the supply chain. Until there is a coordinated, multinational effort to combat cybercrime and hold those parties that commit these acts accountable, these lucrative attack types will continue to escalate in frequency and severity, which is why this National Cyber Security strategy is so important.
But this is not a new initiative: over the past decade the government has led a sustained national effort to strengthen the UK's cybersecurity and raise public awareness of cyber. In 2016, it set out a government plan to make Britain more secure and resilient in cyberspace. A key development area and evolution since 2016 is the investment into a ‘Cyber Runway’ designed to support innovation and entrepreneurship in cybersecurity from the UK.
This is a positive step which demonstrates recognition that the private sector plays a key role in helping to keep the UK in its position as a cybersecurity superpower. The nation can’t purely rely on those in public service to ensure that we are aware of and able to harness the latest innovations in technology to strengthen the security posture of the UK.
A commitment to a ‘whole of society’ approach
Having read the new strategy, one key objective that jumped out was: “A commitment to a ‘whole of society’ approach in the UK”. This recognises that everyone in the UK has a part to play in the country’s cybersecurity posture and successful defence. By investing in cyber skills for young people through the “Cyber Explorers” programme, we are demonstrating that cybersecurity is relevant to everyone; it’s here to stay and will only become more closely woven into all aspects of our lives in the future. By investing in skills for young people in the UK, we are positioning the nation toward being a long-term leader in this space, just as it is in many other fields.
A second was “The highlighting of the UK’s offensive cyber capability”, which, together with the establishment of the National Cyber Force (NCF), demonstrates a shift in posture on this topic. The strategy document makes it clear that the UK is now ready to publicly demonstrate and invest in offensive cyber capabilities, countering threats from hostile actors, through schemes such as those delivered by the Defence Cyber School and other government organisations.
Adding value to the country's cybersecurity posture
The new strategy sets out to unify what has, until now, been an apparently fragmented (though well-meaning) approach to cybersecurity across the different government departments and organisations. To that end, it is extremely relevant, and the challenge for the different government stakeholders is driving through and supporting the initiatives that will need to evolve from the strategy.
That said, delivering the strategy will require sustained commitment and effort by this government and future governments. It sets out ambitious targets for protecting all parts of government and all public organisations from known vulnerabilities and known attack methods by 2030. And as mentioned above, that scale will only be deliverable in partnership with the cybersecurity industry.
Combatting the UK cybersecurity skills shortage
However, the UK, along with the rest of the world, has a skills shortage in relation to cybersecurity. The latest data from the 2021 (ISC)² Cybersecurity Workforce Study estimates that an additional 700,000 professionals have joined the cybersecurity sector, but that the gap between the number of additional professionals needed to adequately defend organisations and the number currently available stands at 2.7 million. This is clearly a huge gulf between the people available and the quantity that is needed. Therefore, finding and retaining top talent across certain specialisms within cybersecurity has become increasingly difficult in the past few years, and demand is only set to increase.
The importance of training
This reinforces the importance of, and need for, training. Training at all levels is arguably the most important part of the execution of the UK’s Cyber Strategy. Equally, building a well-trained pool of British cyber professionals that also represents the diversity of the nation (and the world) is vital if it is to truly succeed. To align effectively with allies and combat adversaries we need cyber professionals who represent all areas of society.
The strategy also talks about bringing in the private sector to "challenge, support and inform the government’s approach to cyber," and here I see both advantages and disadvantages. The government will need to align more with the private sector if the UK is to succeed in its strategy. The entrepreneurial talents and technical capabilities of people and organisations in the private sector must be harnessed to remain at the forefront of managing cyber risk as a nation.
With that in mind, the government must keep close oversight and hold to account those private sector organisations that play a part in delivering the strategy, as laid out in the report. Private sector technology and cybersecurity organisations should never be allowed to ‘mark their own homework’ or drive their own agenda. Cybersecurity standards cannot be set by industry – these need to be set and upheld by regulations and accompanying enforcement bodies.
In summary, the new strategy is a positive step forward for UK cyber resilience and sets out how the government expects to expand both offensive and defensive cyber capabilities in the country. It outlines how it is prioritising cybersecurity in the community, the workplace, boardrooms and digital supply chains, which will make the UK, as a nation, more competitive and resilient on the world stage.