Government launches its own cyber security strategy
For some time, Government has aspired to be an exemplar in terms of best practice in cyber security, but the Government Cyber Security Strategy – published today – is the first time it has set out how this might be achieved.
The Government Cyber Security Strategy builds on the National Cyber Strategy, which was launched last month, and aims to ensure that core government functions – from the delivery of public services to the operation of National Security apparatus and critical national infrastructure – are more resilient to cyber-attack, strengthening the UK as a sovereign nation and cementing its authority as a democratic and responsible cyber power.
Government remains an attractive target for a broad range of malicious cyber actors. Indeed, of the 777 incidents managed by the National Cyber Security Centre (NCSC) between 2020 and 2021, around 40% were aimed at the public sector. We also know that adversaries are increasingly capable; and a broad range of actors now have access to capabilities which, not so long ago, would have been the preserve of nation states. But while the threats are growing in severity and scale, techUK believes that the UK is well placed, as an international leader in cyber, to implement the ambition outlined in this strategy, and ensure Government strengthens resilience.
Key Objectives
The Government Cyber Security Strategy (the Strategy) follows the overarching strategic objectives as set out in the Integrated Review (UK Defence & NS Posture) and the National Cyber Strategy (UK approach to Cyber Domain) by outlining the UK Government’s approach to cyber across its own estate.
The Strategy is centred around two key pillars, which complement one another; they are:
(1) Build a strong foundation of organisational cyber security resilience – Government will introduce Cyber Security Standards aligned with the Cyber Assessment Framework (the CAF) in order to be able to look at risk through the same lens across Government – learning from the journey the NIS Directive has taken our CNI providers on, while also recognising the need to tailor it for the Government estate.
A new, more detailed assurance regime will be established for the whole of Government; and this will include robust assessment of departmental plans and vulnerabilities and give Central Government a detailed picture of Government’s cyber health for the first time. A new vulnerability reporting service will also be established to allow individuals to report weaknesses in digital service, as well as an accelerated work programme to manage the growing risk from the supply chains of commercially provided products in Government systems.
(2) Defend ‘as one’ – The Strategy recognises that the scale of threat demands a more comprehensive and joined-up response; and this coordination can produce a defensive force disproportionately more powerful than the sum of its parts. Government will establish a Government Cyber Security Coordination Centre (GCSCC), which will work to better coordinate operational cyber security efforts, transforming how cyber security data and threat intelligence is shared, consumed and actioned across Government
Underpinning the Strategy’s two pillars are 5 key strategic objectives:
- To manage cyber security risk. Government organisations will be able to identify, assess and understand them.
- To protect against cyber-attack, with the protective stance of Government organisations linked to assessment and management of risk.
- To detect cyber security events before they critically impact Government functions and services.
- To minimise the impact of cyber security incidents allowing the Government to be fully prepared and able to respond with minimal disruption.
- To develop the right cyber security skills, knowledge and culture as part of driving continuous improvement.
The Strategy makes clear that Government relies on its partnership with industry to strengthen its cyber resilience, as do all organisations across the public and private sectors. It is vital, therefore, that Government and industry continue to collaborate, given the fundamental role private sector plays across all parts of the UK in protecting organisations and citizens alike.
It is also important that Government continues the work it’s started around the Government Cyber Security Profession, ensuring this aligns with the wider efforts detailed in the National Cyber Strategy. The work of the UK Cyber Security Council, which techUK is a founding member of, is a critical element of ensuring the entire UK has a steady supply of cyber talent.
Julian David, Chief Executive Officer, techUK said:
“techUK, and in particular our 250 member companies actively engaged in defending UK organisations from cyber-attacks, welcome the ambition and objectives outlined in today’s Government Cyber Security Strategy. It has long been an ambition for Government to be an exemplar in cyber security best practice, but today’s Strategy is perhaps the first attempt to comprehensively document how we might achieve it.
“The announcement of the Government Cyber Security Coordination Centre will enable better coordination across Government cyber security efforts, transforming how intelligence is shared, consumed and actioned. The adoption of the Cyber Assessment Framework across Government, learning lessons from the rollout of the NIS Directive and recognising the need to tailor it for the Government estate, will enable a proactive and proportionate approach to managing cyber risk.
“The Strategy recognises the important role industry already plays in protecting Government; and techUK looks forward to engaging with Cabinet Office to further unite public and private sectors to ‘defend-as-one’ – both in terms of technological capability and in developing the skills we need to instill cyber resilience across the whole of the UK."
You can read the full Government Cyber Security Strategy here.