Gajus -

What will succeed the National Cyber Security Strategy?

As the National Cyber Security Strategy nears the end of its working life, the government is considering what comes next, and is asking probing questions of its successes and failures

The Department for Culture, Media and Sport (DCMS) has begun to consider what will succeed the National Cyber Security Strategy when the programme reaches the end of its life in the next year or so, taking into account the successes and failures of the project as it works towards its ultimate goals of making the UK the safest place to live and work online.

Launched in 2016, the National Cyber Security Strategy 2016-2021 set out the government’s plan to make the UK more secure and resilient in cyber space.

While this has resulted in some successes, such as the establishment of the National Cyber Security Centre (NCSC), sources differ as to whether or not the National Cyber Security Strategy has truly been a success.

Earlier in 2019, the Public Accounts Committee (PAC) said the programme was failing after having achieved only one of its original 12 aims, whereas in April, the then cabinet office minister David Lidington said the strategy had “revolutionised” the UK’s stance against cyber threats.

However, at the launch of Atos whitepaper Vision for cyber security 2, hosted alongside IT sector association TechUK in London, DCMS deputy director of cyber security and digital identity Andrew Elliott said that the government was looking towards what comes next, asking itself questions such as, “Has it been worth it?”, “Have we actually tackled any market failures?” and “Have our interventions been sustainable?”.

Elliott said the government had great power as a convenor of experts, making connections and driving policy, increasing access to education and building a skilled workforce, and that as a big customer itself it also had the ability to build markets.

“We need to pull those levers appropriately, and that doesn’t always mean funding large programmes,” said Elliott.

Two examples of interventions that brought people together and has been sustainable, according to Elliot, are the establishment of various cyber security clusters around the UK, and the establishment of the UK Cyber Security Council.

The council, which is being delivered by the Institution of Engineering and Technology (IET), will essentially form a new Royal Charter body for cyber security professionals, establishing formal professional standards and career pathways in security.

Elliott said the government would also continue to look for new ways to bring people together with the intelligence community, and develop its work with GCHQ through its innovation and cyber accelerator.

“But will we continue to fund many of the programmes? We do not know yet. What is certain is just because we do it now does not mean we will do it for another five years. Throwing government money at this is not the sustainable answer,” said Elliott.

Although the elements of the future security strategy will likely look different, Elliott said the government stuck by its goal to work more closely with private sector investors to make the UK both an attractive destination to base security technology companies, and the safest place to live and work online.

Talal Rajab, head of TechUK’s cyber and national security programme, said: “As public services are increasingly digitalised, they must be inherently cyber secure. It is vital that the government continues to work with private sector partners to build capacity and protect the public sector.

“With the current strategy, the UK’s growing cyber security capabilities have yielded results and this should continue with further investment.”

The Atos whitepaper, which like many other industry publications will help inform the UK’s future security strategy, was published against a background of deep and dynamic change in the cyber landscape. Phil Aitchison, Atos UK and Ireland COO of big data and security, outlined some of the key trends driving this change.

“There are three main things that have happened. First, GDPR [General Data Protection Regulation] – the regulations are all out there and we’ve seen that they have been understood by industry, although we’ve also seen some fines started to be levied,” said Aitchison.

“Second, the threat landscape has fundamentally changed. Third, the tools to address these threats have also changed. We see a lot more innovation, particularly around machine learning and artificial intelligence,” he said.

Read more about security strategy

  • At the launch of its third annual review, NCSC head Ciaran Martin appealed for individuals and businesses to address the fundamentals of cyber security hygiene to help lighten the load.
  • The government has announced a second phase of research to help understand the UK's cyber security labour market.
  • The Cyber Security Agency of Singapore has developed a blueprint to secure operational technology systems in critical sectors, among other measures to secure cyber-physical systems and the IoT.

Read more on Security policy and user awareness

Data Center
Data Management