A Digital Dawn for Cyber Security Policy
In this bumper election year, NCC Group’s latest report - Digital Dawn: Cyber Security Policy in the Wake of Political Change – draws insights from government advisors, elected officials, public opinion and our own work and research to identify what actions incoming governments should prioritise to secure our digital future.
While our research was globally-focused, the message for political decision-makers – both here in the UK and abroad – was clear: governments must get on the front foot, reassessing how they think about digital resilience to set them up for long-term success.
We have identified five key policy areas we believe any incoming government must prioritise to achieve this:
1. Pass 21st century cyber laws
The UK must establish clear policy, legal and regulatory frameworks that:
a. Define roles within the UK’s whole of society response, setting out how the emerging consensus that responsibility for cyber security should be shifted away from end-users onto those most capable of making a difference will be delivered in practice.
b. Harmonises rules across industries and geographies.
c. Are enforced/enforceable. We urge governments to only introduce new rules where they can be effectively and meaningfully policed and administered.
In practice, this means:
- Progressing reforms to the NIS regulations that govern the cyber resilience of critical infrastructure.
- Implementing a new ‘Resilience Digital Future Act’ that embeds security standards in the services and products we all rely on.
- Updating the Computer Misuse Act 1990 to provide better legal protections for UK cyber professionals undertaking legitimate research.
2. Digital safety nets for smaller organisations
The contributors to our report old us that it is unrealistic to expect small and medium-sized organisations to adhere to – and invest in – the same cyber resilience standards as larger firms, leaving a significant part of the economy vulnerable to cyberattacks.
Instead, we recommend that governments:
- Work with technology providers to embed secure-by-design and secure-by-default principles in their products – particularly those most relied upon by small businesses.
- Support smaller organisations’ response and recovery to cyberattacks through ‘first responder’ services that provide proportionate (free-at-the-point-of-use) support to small businesses that have been victims of cyberattacks. This could include initial incident response services and triaging of further steps such as where victims could get the most effective help from. The Australian Government’s recently announced Small Business Cyber Security Resilience Service could trailblaze this sort of initiative.
NCC Group believes these steps would go some way toward meaningfully addressing the factors that have resulted in a general lack of cyber resilience across smaller firms – such as the lack of return on investment for cyber security consultancies to pitch their services to this end of the market, or the limited resources and capacity available to small firms.
3. Fortify public sector defences
Governments must practice what they preach when it comes to cyber security.
We acknowledge that running complex public services can draw attention and budgets away from cyber security. But failure to build digitally resilient government services risks eroding trust in both public institutions, as well as government leaders’ ability to set cyber rules for other sectors.
4. Forge a cyber resilient population
This isn’t just about addressing the cyber industry’s significant skills shortage (although that is a critical part of it). It is also about equipping individuals – across organisations of all sizes and at all levels of seniority – with the cyber literacy they need to make decisions about their personal, organisational and even national cyber resilience.
With responsibilities for cyber security more clearly defined under a ‘whole of society’ approach (see recommendation 1 above), and notwithstanding the expected shift of responsibility to those with the broadest shoulders, governments should take further steps to allow individuals and organisations to actively participate in the digital economy.
This should include innovative citizen engagement measures to mainstream cyber security across all levels of the population, and embedding cyber security hygiene measures into nations’ psyche, as well as making cyber competence (or safe and secure online behaviours) mandatory elements of education curriculums.
At the same time, we will continue to need both technical and non-technical cyber professionals to defend society and the economy in cyberspace.
On the basis of a more cyber-skilled population, even more needs to be done to encourage talent into the cyber profession, particularly those from diverse and underrepresented backgrounds, as well those with crosscutting skills (e.g. those which bridge cyber security and related disciplines like engineering and safety).
This should include commitments to measure trends in the proportion of candidates coming into the cyber profession from non-traditional backgrounds and through non-traditional routes, the creation of national further education institutes for the exceptionally cyber gifted to build national cadres of excellence, and the development of crosscutting educational programs.
5. Long-term, evidence-driven policymaking structures
There are many positives to be taken from cyber policymaking over the past few years including solid national strategies and tangible successes from global cooperation.
However, cyber policymaking can often be fragmented and siloed across government, struggles to keep pace with technological and societal changes, and can lose out to more consumer-friendly policy areas in terms of getting the attention it needs from politicians.
While it may not be a vote winner, a key way of tackling many of these problems will be to establish the right policymaking infrastructure.
Principally, we see three aspects to this:
- Leadership and cross-government coordination: While cyber security will continue to be a cross-cutting issue that requires the attention of multiple government leaders and departments, the new government should think about who will ultimately lead the delivery of their national cyber strategies and how that will be coordinated across institutions and departments.
- Measurability: Good policies are evidence-driven and measurable. However there is no one clear mechanism to measure the success or failure of cyber security policies, laws and regulations. We therefore support the concept of “cyber as a science”, developing cyber metrics and risk quantification, from an established baseline, to allow risk to be reliably measured and expressed in an informed way. A data and evidence-based approach would help governments to measure the efficacy of their policies in reducing cyber risk. In practice, this could include the formation of an Office for National Cyber Statistics, as proposed by Cyberspace Solarium Commission.
- Horizon-scanning: Centralised government horizon-scanning should collate the myriad of existing horizon-scanning initiatives across the public sector, private sector and academia, and formally feedback into policymaking processes.
Click here to download the report in full, where you can access the latest public perception and the drivers for policy change, key insights from government advisors and lawmakers, and access to your own digital cyber security priorities framework.