UK government launches internal cyber strategy

Westminster has launched its first ever Government Cyber Security Strategy, a multi-million pound plan to help better protect vital public services from the growing risk of disruptive and destructive cyber attacks.

In a speech delivered today (25 January) in London, Steve Barclay, chancellor of the Duchy of Lancaster, outlined the scale of the cyber threat facing government and public sector IT systems and revealed that the UK is now the third most targeted country in the world by malicious actors.

“Our public services are precious and without them individuals can’t access the support that they rely on,” he said. “If we want people to continue to access their pensions online, social care support from local government or health services, we need to step up our cyber defences.

“The cyber threat is clear and growing. But government is acting – investing over £2bn in cyber, retiring legacy IT systems and stepping up our skills and coordination.”

The strategy will be backed by £37.8m for local authorities to boost their cyber capabilities and protect essential services and data such as housing benefits, social care provision, voter registration and electoral management, as well as school grants.

Such services were among those disrupted in a number of high-profile cyber attacks against local authorities and councils across the UK in the past few years, with notable victims including Redcar and Cleveland in northeast England, Hackney in London, and Gloucester City Council.

All told, around 40% of the incidents managed by the National Cyber Security Centre (NCSC) in the most recent year for which figures are available were aimed at public sector targets.

Besides this, the strategy will see the establishment of a whole-of-government Cyber Coordination Centre (the GCCC), which will build on similar private sector models that have already proven their worth (such as the NCSC-hosted Financial Sector Cyber Collaboration Centre) to identify, investigate and coordinate government response to attacks. This entity will be based at the Cabinet Office.

A new, more detailed assurance regime will also be introduced to conduct more robust assessments of individual department cyber risk and response plans and vulnerabilities, giving central government an unprecedented picture of its overall cyber health. Alongside this, the government will step up its work to understand and mitigate the risks emanating from its technology supply chain, ensuring strict security checks are built into future procurements, and will embark on a new project to reduce cyber risk through changing internal cultures.

It will also establish a new vulnerability reporting service allowing anybody, from individual members of the public to ethical hackers, to report weaknesses they may find in digital services.

The government’s chief security officer, Vincent Devine, said the strategy would make both core government functions and wider public services more resilient than ever before to attack.

“We need this bold and ambitious strategy to ensure that government’s critical functions are significantly hardened to cyber attacks,” he said.

“The strategy is centred around two core pillars, the first focussing on building a strong foundation of organisational cyber security resilience; and the second aimed at allowing government to ‘defend as one’, harnessing the value of sharing data, expertise and capabilities.”