UK Government Launches First Ever Cyber Security Strategy

The UK government on Tuesday officially launched its Cyber Security Strategy, as it seeks to increase protections for public services and British businesses.

The government announced strategy places reporting obligations on businesses, and a new Cyber Coordination Centre is to be established, which will “transform how data and cyber intelligence is shared.”

It comes after the British government last month published its National Cyber Strategy, designed to ensure the country has the necessary means to defend itself in cyberspace.

Cyber Security Strategy

That strategy aims to reinforce the UK’s economic and strategic strengths in cyberspace, including more diversity in the workforce.

Last week the government said it was proposing new laws to improve security standards in outsourced IT services used by almost all UK businesses.

The strategy proposes that any firms providing essential digital services should follow strict cyber security duties, with large fines for non-compliance. Other legislative proposals include improved incident reporting and driving up standards in the cyber security profession.

Another additional proposal concerns the independent UK Cyber Security Council, which regulates the cyber security profession.

The government believes the Cyber Security Council needs additional powers to raise the bar and create a set of agreed qualifications and certifications, so those working in cyber security can prove they are properly equipped to protect businesses online.

In a speech in central London on Tuesday, Steve Barclay the Chancellor of the Duchy of Lancaster outlined the cyber threat that government and wider public sector systems face, and he highlighted how the UK is now the third most targeted country in the world in cyberspace from hostile states.

The new government strategy will be backed by £37.8 million invested to help local authorities boost their cyber resilience – protecting the essential services and data on which citizens rely on including housing benefit, voter registration, electoral management, school grants and the provision of social care.

Precious public services

“Our public services are precious and without them individuals can’t access the support that they rely on,” said Steve Barclay. “If we want people to continue to access their pensions online, social care support from local government or health services, we need to step up our cyber defences.”

“The cyber threat is clear and growing,” said Barclay. “But government is acting – investing over £2 billion in cyber, retiring legacy IT systems and stepping up our skills and coordination.”

The new strategy outlines how central government and the public sector will continue to ensure that public services can function in the face of growing cyber threats.

It will step up the country’s cyber resilience by better sharing data, expertise and capabilities to allow government to ‘Defend As One’, meaning that government cyber defence is far greater than the sum of its parts.

Of the 777 incidents managed by the National Cyber Security Centre between September 2020 and August 2021, around 40 percent were aimed at the public sector.

In 2020, both Redcar & Cleveland and Hackney Councils were hit by ransomware attacks impacting council tax, benefits and housing waiting lists.

Gloucester City Council was then the subject of a further cyber attack in 2021.

The government strategy will also enable members of the public to contribute to the cyber security effort, with a new vulnerability reporting service allowing individuals to report weaknesses in digital services.

The strategy will make core government functions, such as the delivery of essential public services, more resilient than ever before to cyber attack from malicious actors.

Key points

It follows the recent publication of the National Cyber Security Strategy, which called on all parts of society to play their part in reinforcing the UK’s economic strengths in cyberspace, through more diversity in the workforce, levelling up the cyber sector across all UK regions, expanding offensive and defensive cyber capabilities and prioritising cyber security in the workplace, boardrooms and digital supply chains.

The key announcements in the strategy include:

• Establishing a new Government Cyber Coordination Centre (GCCC), to better co-ordinate cyber security efforts across the public sector. The centre will be based in the Cabinet Office and will ensure that data is rapidly shared, allowing us to ‘Defend As One’.
• A new cross-government vulnerability reporting service, which will allow security researchers and members of the public to easily report issues they identify with public sector digital services. This will enable organisations to more quickly fix any issues identified.
• A new, more detailed assurance regime for the whole of government, which will include robust assessment of departmental plans and vulnerabilities. This will give central government a more detailed picture of government’s cyber health for the first time.
• £37.8 million invested into local authorities for cyber resilience – protecting the essential services and data on which citizens rely on including housing benefit, voter registration, electoral management, school grants and the provision of social care.
• An innovative project to reduce government risk through culture change, in partnership with small businesses and academia.
• Stepped up work to understand the growing risk from the supply chains of commercially provided products in government systems, ensuring security is a key part of procurement and working with industry on cyber vulnerabilities.

Industry reaction

The launch of the the Government’s new Cyber Strategy has prompted a reaction from security experts, who applauded the government’s ‘whole of nation’ approach.

“The Government’s new Cyber Strategy sets out in no uncertain terms the importance of our collective cyber security to the safety and prosperity of the UK,” noted David Carroll, MD of Nominet Cyber.

“In an increasingly complex landscape where governments, businesses and society must react to understand the risks we face, we are pleased ‘defend as one’ will be central to the Government’s approach,” said Carroll. “A whole-of-nation strategy is key for establishing the UK as a responsible and democratic cyber power on the international stage.”

“At Nominet, we’re proud to deliver PDNS for the National Cyber Security Centre, a key component of the UK’s Active Cyber Defence,” added Carroll. “It has protected vital public services at a critical juncture of heightened threat and exposure.”

“By being able to block inadvertent access to domains or IPs that are known to contain malicious content, this simple and effective capability will remain critical as attackers adapt their tools, techniques and processes over time,” said Carroll. “Government’s backing for these kinds of innovative, scalable solutions will help to elevate not just the UK’s collective security, but will also strengthen the collective cyber resilience of our allies overseas.”