UK cyber security strategy making ‘good progress’

The National Cyber Security Strategy is making good progress, but there is much left to be done, according to a Cabinet Office official

One of biggest early successes of the National Cyber Security Strategy launched in 2016 is the establishment of the National Cyber Security Centre (NCSC), according to Mark Sayers, deputy director, National Cyber Security Strategy, at the Cabinet Office.

“That was about bringing together our very best intelligence and technical expertise into a single world-leading authority, which has undertaken some pretty pioneering work in its first two years,” Sayers told the information security track of the International Security Expo 2018 in London.  

Since the launch of the strategy, said Sayers, the government has continued to invest in, and build, the UK’s cyber capabilities across UK law enforcement to pursue those who carry out cyber attacks, wherever they are.

“We have developed some ground-breaking early-intervention programmes in an attempt to divert those we have identified as at risk of going down the wrong path [of cyber crime], we are inspiring more people to become cyber security experts and entrepreneurs, we have programmes in schools and universities, and we are even working with industry and the voluntary sector on retraining,” he said.

The past year has seen the introduction of the Cyber Discovery Programme for 14 to 18-year-olds, which has already engaged more than 23,000 students, said Sayers.

Another important element of the strategy is building on the UK’s cyber security research base, he said. “We are working to re-establish a proper pipeline of cyber security companies through a range of initiatives to incubate and accelerate these companies, including the new cyber accelerator in London.”

Under the strategy, Sayers said the UK has continued to build the strength of its collaboration around cyber security with its allies.

“We are looking to confront, expose and disrupt hostile activity, and the public attribution we have been doing in the past few months is our way of putting pressure on those who seem to feel that they can act with impunity, as well as promoting our shared vision for an open, peaceful and secure cyber space,” he said.

At the halfway point in delivering the strategy, the UK is “in a good place” in terms of putting in the building blocks necessary to transform the country’s cyber security and resilience, said Sayers.

“But as the threat from criminals and nation states continues to evolve, we must keep innovating and stepping up our game to rise to the challenge,” he said. “The key to achieving this lies in the strength of the partnerships that we create and our ability to demystify cyber security.”

Read more about UK cyber security innovation

  • Getting cyber security innovation to market is key, says NCSC.
  • Second GCHQ Cyber Accelerator kicks off.
  • Cyber security should not be seen as a necessary evil, but an economic opportunity, says UK government.
  • The NCSC aims to ensure the UK has the ability to take offensive action if necessary, while also growing an innovative cyber security industry.

However, translating a broad increased awareness into people taking action remains challenging, he said. “Often it is seen as too difficult, too technical or as someone else’s problem.”

As a result, the government is increasing its focus on helping company boards better understand the risks that they face and the action they can take, and provide leadership in their organisation to ingrain security in the company culture and mindset, said Sayers.

“We are using the Cyber Essentials scheme to influence organisations that provide products and services to government because we are specifying standards to improve their cyber security, but we are also specifying that they should enforce those standards right through their supply chains,” he said.

“So they are taking a much more active role in protecting the often much smaller businesses in their supply chain by helping them to improve their overall cyber security resilience.”

Sayers noted that there are now more than 550 private sector partners taking part in the government’s national Cyber Aware campaign, which is aimed at encouraging individuals and businesses to take basic steps that will prevent the majority of high-volume, unsophisticated cyber crime.

Looking to the future, Sayers said the focus of the government’s efforts in the next six months will be to address the cyber security skills gap, the government’s cyber security science and technology strategy, and the ambition to make all products and services secure by design.

In terms of reducing the skills shortage, he said the government continues to forge relationships with industry and academia to develop cyber security as a profession and create clear career pathways as well as a more diverse and inclusive workforce.

As part of these efforts, the government plans to publish a comprehensive cyber security skills strategy to set out what needs to be done by 2021 and beyond.

“But this will require the help of the security industry to validate that strategy and help ensure that we have the right approach, and then to realise that vision and make it happen,” said Sayers.

Maximise opportunities and minimise risks

He said the planned cyber security science and technology strategy demonstrates that the national strategy is not only about addressing the need to make the internet safer, but also about ensuring that the UK can maximise the opportunities and minimise the risks of new and emerging technology.

As the internet of things (IoT) expands, the challenge is to ensure that manufacturers can help consumers by building protections in from the design stage, said Sayers.

“We have developed what we think is a world-leading code of practice for consumer internet-connected devices in consultation with international partners and private sector organisations, because our commitment here is to help manufacturers understand how this code of practice will set in the broader standards landscape and make it as straightforward as possible for them to introduce the changes necessary to improve the security of their products,” he said.

The aim of government, said Sayers, is to demonstrate not only that it understands the challenge and the scale of that challenge, but that it is trying to cultivate the right environment for all stakeholders to be collaborative and agile as possible in their response.

“We do not have all the answers and we cannot do this alone, and whatever lies ahead, I want to make sure we are focused on reaching out across organisational, political and geographic boundaries, because to succeed, we need to be more than the sum of our individual parts,” he said.

“We need to harness the fact that we are safer and stronger together.”

Read more on Hackers and cybercrime prevention

Data Center
Data Management