When the government launched the latest iteration of its National Cyber Security Strategy (NCSS), the media inevitably focused on the sexy bits (the Russians are coming!) and entirely ignored a much bigger story.
To be fair, this may have been the government’s intention all along. It was certainly surprising to see the chief of MI5 give an unprecedented interview to The Guardian, setting out his concern about Russian cyber attacks, just days before the new strategy was published.
Doubtless cyber security really is front of mind for senior ministers and Whitehall mandarins, especially as they roll out the Gov.uk Verify identity assurance system and move as many public services and procurement processes online as possible. However, the most significant thing about the new NCSS is not where the threat is coming from, but what the government intends to do about it.
The new strategy sets out dramatic policy changes in three areas.
First, the government wants suppliers to the public sector to be subject to much more stringent and far-reaching cyber-related regulation. For example, all services and equipment delivered to government will have to be “secure by default”, meaning high-level security features are installed automatically and have to be removed manually by the user if they do not want them.
Similarly, all suppliers will be measured against a new cyber security rating system, which will be published so that public sector budget holders – and ordinary members of the public – can see which companies are rated highly and which are not.
More intrusively, the government also plans to actively test suppliers’ cyber security measures – and insist on enhancements where it thinks they are needed.
Swimming with sharks
These additional regulatory measures are seen as an unalloyed “good thing” by the government. It is said that you don’t have to be able to outswim a shark to avoid being eaten – you just have to be able to outswim your friend. In the same way, Whitehall believes there is a competitive advantage in the UK being more cyber secure than other European markets, even if we are not completely safe, especially in the light of Brexit. The government explicitly says that cyber security regulation here will be “as high as, or higher than, comparative advanced economies”.
Equally worrying for companies working with the public sector, the government insists that suppliers themselves will be liable for cyber breaches that affect public services. The government maintains it will tell businesses how to protect themselves and then it is up to suppliers to take necessary defensive measures.
The new strategy paper makes clear that “businesses must understand that if they are the victim of a cyber attack, they are liable for the consequences”. The government says it will take over a supplier’s functions if they are not secure enough and pose a threat to national security, including the delivery of public services.
This makes early engagement with the National Cyber Security Centre an essential step for any company that wants to mitigate risk by demonstrating it has done everything it can to be cyber safe.
But the changes are certainly not all doom and gloom for suppliers working in the public sector. Indeed, there are significant commercial opportunities. Most legacy systems in the public sector will not meet the government’s own new cyber security standards, for example, so there will need to be very heavy investment in getting those systems up to scratch.
At the same time, the government needs to demonstrate major investment in cyber skills, so companies that can prove existing levels of staff expertise and the ability to train the next generation of talent will have an edge in any contract tender.
All of these changes have a political angle, too. It is especially notable that the Chancellor, Philip Hammond, has taken personal responsibility for announcing the NCSS. Whereas the government’s last set of cyber security plans was presented and managed from the Cabinet Office, this edition will be led directly by the Treasury. In other words, the plans really do matter to the government, and it wants to see things getting done.
Given that the NCSS has such significant implications for every organisation in the public sector, as well as for very many private companies and charities, Hammond has put his political credibility on the line by promising to deliver the strategy.
Major initiatives like the NCSS inevitably come up against practical challenges, and the government will be ready for these. However, the complexity of the threat, combined with the extent of the reforms designed to keep us safe, means this will not be an easy ride for Whitehall. In fact, there is every chance that journalists will still be writing about the NCSS long after they have forgotten about Russian gangsters.
Greig Baker is chief executive of Guide – www.theguideconsultancy.co.uk