New UK Cyber Strategy Adopts Whole-of-Society Approach
Twin Focus on Safer Internet and UK Competitive Advantage in Cyber Power
The United Kingdom has released a new National Cyber Strategy that it says will deliver a whole-of-society approach to cybersecurity that solidifies the U.K.’s position as a global cyber power.
The plans detailed in the strategy for the U.K. cybersecurity industry - which reported revenues of 8.9 billion pounds last year - will be supported by a 2.6 billion-pound investment, announced in this year’s Spending Review, the statement says.
There are specific objectives and stated outcomes in the strategy, to be achieved by 2025, but this is not a repeat of U.S. President Biden’s cybersecurity executive order, which detailed a schedule of targets. It is more a strategic framing of how continued incremental steps will be taken to maximize the safety and openness of internet use in general, and for the U.K. in particular.
Acknowledging that the policy challenges in cyberspace are not solely technological, the report describes the cyber domain as a human-made environment that amplifies human behavior, but affects the physical world.
Cyberspace is owned and operated by private companies, governments, nonprofit organizations, individual citizens and even criminals, and governments must work with partners in order to attain and exercise power in this realm.
Alongside adversary states, some of which hold technological leads in certain areas, and the growing capabilities of crime groups, the growing areas of concern identified in the report included legacy IT systems, supply chain vulnerabilities, a shortage of cybersecurity professionals and a lack of commercial incentives to invest in cybersecurity.
Consequently the government says it is seeking to include "more diversity in the workforce, level up the cyber sector across all U.K. regions, expand offensive and defensive cyber capabilities, and prioritize cybersecurity in the workplace, boardrooms and digital supply chains."
The strategy "sets out a clear vision for building cyber expertise in all parts of the country, strengthening our offensive and defensive capabilities and ensuring the whole of society plays its part in the U.K.’s cyber future, and comes with record funding to match," Steve Barclay, chancellor of the Duchy of Lancaster and Cabinet Minister, says in the statement. Through the strategy, he says, "The government is doing more to protect U.K. citizens and companies, and its international partners - helping realize its vision of cyberspace as a reliable and resilient place for people and business to flourish."
An online training platform, dubbed Cyber Explorers, will teach young people cyber skills in classrooms, the statement says. It also says a new Royal Charter for the U.K. Cyber Security Council has been approved to "improve cyber careers and bring the cyber workforce into line with other professional occupations like engineering."
The program will also aim to boost diversity through a new "adult scheme, which will ensure that people from all backgrounds have access to these high-skill, high-priority jobs."
The U.K. Cabinet Office tells ISMG that the free Cyber Explorers course is aimed at 11- to 14-year-olds, while the Royal Charter is not a programme, but a recognition of the "expertise and credibility of the U.K. Cyber Security Council, which is working to improve the cybersecurity profession."
"The council’s status as the professional authority helps bring the cybersecurity profession in line with similar professional occupations, such as engineering, and complements the role of the national technical authority, NCSC," the statement says.
Details on the programme, and implementation plans for the training and diversity schemes, will be announced in the New Year, the Cabinet Office tells ISMG.
Financial Investment
The government will invest an undisclosed amount as part of the Cyber Runway scheme, which the statement says will help "107 innovators grow and develop their businesses, with the majority of member companies outside of London and the South East, 45% led by women and 52% run by founders from black and minority ethnic groups."
"Funding for these growth and skills programs will be reoriented away from large, often London-based initiatives to a regionally delivered model, which will mean more jobs and better opportunities for people across the U.K.," the statement says.
The strategy also looks to:
- Bolster law enforcement agencies and significantly increase funding to deal with cybercrime;
- Create more integrated and sustained campaigns to disrupt and deter adversaries;
- Boost investment in the National Cyber Force, a military unit based in Samlesbury in Lancashire delivering the U.K.’s offensive capabilities;
- Expand the Government Communications Headquarters' National Cyber Security Center’s research capabilities, including a new applied research hub in Manchester;
- Implement the Product Security and Telecommunications Infrastructure Bill to enforce minimum security standards in all new consumer smart products;
- Invest in public sector cybersecurity.
GCHQ Director Jeremy Fleming says the strategy "recognizes the vital role of the private sector in ensuring the U.K.’s cyber future through the establishment of the new National Cyber Advisory Board," comprising senior leaders from the private and third sectors to challenge, support and inform the government’s approach.
In parallel, the government will also set up a National Laboratory for Operational Technology Security to bring together the government, industry and academia to "make sure that the U.K. economy is built on the highest level of cyber resilience," he says.
Today Govt launches the #UKCyberStrategy, our approach to cyber challenges for the next decade. I’ve been delighted to address our @G7 partners on tackling #ransomware, one of the fastest growing cyber threats. - Damian Hinds (@DamianHinds) December 15, 2021
Avoiding Technology Supply Risk
The document says: "Where the UK has the potential to establish a leading position or secure a competitive advantage in key areas of cyber technology, or where reliance on non-allied sources of supply poses unacceptable security risks, we will seek to develop our domestic industrial base," with both truly sovereign capability and collaboration with international partners depending on circumstances.
Phil Robinson, principal consultant and founder of cybersecurity consultancy Prism Infosec, tells ISMG: "The document implies sovereign capability will now be a key focus, so we can expect dependency on suppliers or technologies outside the U.K. that do not share our values to decrease." The document says threats are consistently "emanating from Russia and China," so Robinson suggests, "It’s safe to say we will continue to see any foreign investment in U.K. infrastructure subjected to real scrutiny."
"All organizations, both in the public sector and the private sector, should consider the risks of their supply chains, to include those of their digital capabilities," says Grant Schneider, former U.S. federal chief information security officer and White House National Security Council senior director for cybersecurity policy.
Schneider, now senior director for cybersecurity services at Venable and an ISMG global content contributor, drove the establishment of an authority and capability within the U.S. government to remove or exclude products that pose too great a risk. He says: "It is not surprising that the U.K. would state they too will make risk-based decisions around the technology suppliers upon which they rely. I have long supported that the U.S. needs to work internationally to ensure the availability of a trusted supply chain to support our digital ecosystems."
All of Society Working Together
The new cybersecurity strategy continues to build upon the foundations set by earlier strategies, says Brian Honan, a security expert based in Ireland. Honan says the strategy is detailed, unlike many cyberstrategies at the corporate and national level, which outline goals but do not say how they will be reached.
The proposed engagement with industry and academia is welcome, he says, as "cybersecurity is something that all parts of society need to work together to address." He adds, "The goal to reach out to people from many diverse backgrounds is good to see as they can help not only to bridge the skills gap and provide more resources to ensure the security of the U.K., but they can also bring in new and different ideas that can help achieve those goals."
Echoing Honan's statements, Carla Baker, a senior director for government affairs at cybersecurity firm Palo Alto Networks, tells ISMG that the new National Cyber Strategy marks a significant step in how the government is approaching the security of critical technology and digital environments. "We support the 'whole of country' approach to security, including the objectives of gaining a better understanding of the threat landscape and developing policy interventions that build resilience and secure the U.K.’s tech ecosystem," she says.
Thread on cybersecurity and cyberwarfare. UK National Cyber Strategy. UK wants to become a cyber power. "Cyber power is distinct from more traditional forms of power" https://t.co/rJDbv2b5OB - Lukasz Olejnik (@lukOlejnik) December 15, 2021
Saj Huq, director of the London Office for Rapid Cybersecurity Advancement and head of innovation at Plexal, which delivers four government cyber innovation programs, including Cyber Runway, says, "The new National Cyber Strategy recognizes that horizontal technology areas such as cyber - with their potential to influence and shape the fabric of how our society interacts and engages with technology - require targeted government intervention."
"This strategy places cybersecurity at the heart of all future national decision-making on emerging technologies, with a specific focus on ... embedding security into the next-generation of breakthrough technologies that will shape our digital and physical worlds."
For John Bambenek, principal threat hunter at digital IT and security operations company Netenrich, the largest pain point in the strategy is that there are not enough cybersecurity professionals to go around. "You can require lots of standards but you either need experts to put those standards into the manufacturing process or you need off-the-shelf frameworks that allow companies to just implement already-hardened systems," he tells ISMG.
Bambenek also says that the underlying geopolitical reality has not been addressed. "There are jurisdictions that look the other way when criminals run wild. We can identify all the cybercriminals in the world but if we can’t do anything besides put up their picture on a website, it will not change much."