On 1st November 2016, the Chancellor of the Exchequer launched the latest UK Cyber Security Strategy. In a year that has seen rising international tensions around hacking, Philip Hammond commented that hostile “foreign actors” were developing techniques that threaten the country’s electrical grid and airports.
The new £1.9bn strategy will also help enlarge the specialist police units that tackle organised online gangs, and will contribute towards the education and training of cyber security experts. The programme is funded until the end of 2020.
“We will focus on raising the cost of mounting an attack against anyone in the UK, both through stronger defences and better cyber skills. This is no longer just an issue for the IT department.” The Rt Hon Philip Hammond MP
“Our adversaries are varied ‘organised criminal groups,’ ‘hacktivists’, untrained teenagers and foreign states.” The Rt Hon Ben Gummer, Paymaster General
The Government introduced the first UK Cyber Security Strategy in 2011. That strategy responded to cyber security having been identified as one of the four Tier 1 threats to UK national interests in the UK National Security Strategy.
The original cyber security strategy implemented a five-year plan to improve the country’s posture and started a raft of projects that have been running to the present day, covering action on fraud and the establishment of the Centre for Cyber Assessment and the UK’s Computer Emergency Response Team (CERT-UK), amongst many other things.
What will the new strategy do?
The new National Cyber Security Strategy 2016-2021 has a similar perspective to that of the 2011 version – it reflects the UK National Security Risk Assessment of November 2015, which confirmed that cyber security is a Tier 1 threat to UK interests.
The new strategy recognises not only the importance of digital technology and communications to modern businesses, the UK economy, government and citizens but also the vulnerability of those sectors to “cyber harms” arising from poor security on personal devices as well as increasingly interconnected systems.
The strategy notes that “In most cases, it continues to be the vulnerability of the victim, rather than the ingenuity of the attacker, that is the deciding factor in the success of a cyber attack.”
The strategy also has a vision statement for 2021 to ensure that “..the UK is secure and resilient to cyber threats, prosperous and confident in the digital world.”
The strategy is a five-year plan and has four primary objectives:
DEFEND is about ensuring that the UK can be defended against cyber threats as they evolve. The critical elements of UK infrastructure, such as UK networks and information systems, are to be both protected and resilient to the hopefully small number of attacks that get through the defences. The significant aspect is that businesses, the public sector and individuals should be able to defend themselves.
DETER aims to make the UK a hard target for attackers. The Government aims to detect, understand, investigate and disrupt any hostile actions in cyberspace against the UK. It also proposes to improve the national cyber offensive capabilities. One of the principles of the strategy is that the government will “…treat a cyber attack on the UK as seriously as we would an equivalent conventional attack, and we will defend ourselves as necessary.”
DEVELOP is the Government expanding the skills base in a growing UK cyber security industry, supporting scientific research and using the National Cyber Security Centre as a centre of excellence that can both support industry in security product selection and advise on current threats and cyber security good practice. Education on cyber security will be part of IT training in schools and other educational establishments.
These three objectives are underpinned by INTERNATIONAL ACTION, which would see expanded relationships with existing international partners and engagement with new partners to improve collective security and to protect UK interests overseas. The action would include delivering “…clear messages about consequences to adversaries who threaten to harm our interests, or those of our allies, in cyberspace.”
Progress against the previous strategy has been reported in annual reports, and this will continue under the new five-year plan, with metrics to show progress against the objectives.
The new sheriff
The Ascentor view is that the “new sheriff in town” comes from the change in approach signalled by the UK Government in the latest version of the strategy. Concerned that the previous approach of using market forces, education and awareness to change the UK’s security culture has not been effective quickly enough, the Government now plans to get tough.
The new, robust approach aims to ensure that individuals and organisations put measures in place to protect themselves. The Government plans to work with insurers, regulators and investors who can exert influence over companies to ensure they manage cyber risk. There is also the warning that it will use a regulatory framework for those risks that the market fails to address.
In its own words: “…the UK Government intends to intervene more actively and use increased investment, while continuing to support market forces to raise cyber security standards across the UK. We will work with the private and public sectors to ensure that individuals, businesses and organisations adopt the behaviours required to stay safe on the Internet. We will have measures in place to intervene (where necessary and within the scope of our powers) to drive improvements that are in the national interest, particularly in relation to the cyber security of our critical national infrastructure.”
How does it affect me?
If you haven’t read the new National Cyber Security Strategy, we suggest that you read at least the Executive Summary. In the meantime, if you are a business or organisation, you should take away from this blog that it will affect you.
There is a new determination to ensure that all areas of society become part of the solution, and the government is preparing to use more “stick” where the “carrot” doesn’t work. In the same way that the EU’s General Data Protection Regulation (GDPR) will require all organisations to demonstrate that they comply with its requirements, our view is that increasing pressure on government supply chain companies to meet at least the Cyber Essentials standard of cyber security will drive companies and organisations to demonstrate their capabilities in this area to a recognised level.
How Ascentor can help
Ascentor has considerable experience in helping organisations to implement an effective risk management regime that can meet the majority of current cyber security standards, such as Cyber Essentials, IASME and ISO27001.
If you would like us to carry out a gap analysis of your organisation to meet these standards, please contact Dave James using the details below.
For further information
If you have found this article interesting, the Ascentor blog regularly carries articles about information risk management and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James, MD at Ascentor.