The government and top cyber agencies on Wednesday published the UK’s National Cyber Strategy, designed to help protect the country from growing online threats.
Those threats come from hostile nation states including Russia and China, but also from a wave of cyber criminality, which is stretching the resources of many organisations and businesses around the world.
Last month, the head of the UK’s Secret Intelligence Service (otherwise known as MI6) said the intelligence agency cannot enhance its capabilities solely “inhouse” anymore, and must open up to outside partners.
This includes partnering with technology firms to help MI6 deal with increasingly tech-savvy rivals such as China and Russia, as digital threats continue “growing exponentially.”
The government meanwhile continues to build up its cyber capabilities, utilising the UK expertise found within the intelligence agencies, the MoD, the National Cyber Security Centre, and the recently created National Cyber Force, located in Samlesbury, Lancashire.
And now in the last month of 2021, the government has published its National Cyber Strategy which sets out the steps the UK will undertake to solidify its position as a global cyber power.
And this has drawn quick reaction from cybersecurity experts at a variety of firms.
Jamie Collier, cyber threat intelligence consultant at Mandiant, for example, pointed out that the UK led the world with the creation of the National Cyber Security Centre in 2016, and this new strategy is another positive step the government is taking.
“The new National Cyber Strategy is a positive and assertive vision from the UK Government, outlining a strong intention that the UK intends to fully capitalise on its top tier cyber capabilities,” noted Collier.
Collier pointed out that this latest strategy adopts a more encompassing view of cyber that extends beyond security to also connect with broader themes of diplomacy, national power, and statecraft.
“It presents a proactive vision in responding to both state-backed espionage and cyber criminal activity, recognising that public attribution and even cyber sanction regimes have not always been successful in fundamentally altering the actions of attackers,” said Collier. “The recently announced National Cyber Force indicates a new appetite to deter state operations more directly by disrupting adversary network infrastructure.”
“The strategy also sets out a firm approach to countering cybercrime, likely in response to the devastating impact of ransomware in the UK and around the world over the past two years,” said Collier. “There is a clear willingness to disrupt the cyber criminal ecosystem and the affiliated tools and services that empower criminal groups.”
Collier said that with £2.6 billion earmarked for cyber security over the coming five years, the Government clearly remains highly committed to its central vision of keeping the UK a secure and attractive digital economy.
“It is encouraging to see that spending plans are largely focused on maintaining existing initiatives, as this highlights that the UK Government has already established many of the foundational elements of its national cyber capability and can now build on this momentum,” said Collier.
“Putting the groundwork in establishing the National Cyber Security Centre (NCSC) five years ago really paid off, for example, as the NCSC is now looked to as an exemplar from international counterparts and is a frequent destination when heads of state visit the UK,” said Collier.
Jude McCorry, CEO at the Scottish Business Resilience Centre (SBRC), meanwhile welcomed the ‘whole of society’ approach being taken with the strategy to improve the cyber resilience of the UK.
“The number of cyber attacks has been on the rise since the start of the pandemic, with both international and domestic cyber criminals taking advantage of our increased reliance on technology,” noted McCorry.
“We welcome the new National Cyber Strategy, particularly with its emphasis on a ‘whole of society’ approach,” said McCorry. “From a business perspective, the public and private sectors alone cannot drive the change needed to level up cyber security in the UK and keep us safe from cyber criminals both here and abroad; we must work in partnership.”
“The new strategy also strengthens law enforcement response to cyber crime, something which we fully support: our partnership with Police Scotland is built into the SBRC’s DNA and is a relationship which we are continuing to grow,” said McCorry. “Cyber crime can have a devastating impact on businesses and individuals alike, and it’s important to recognise a crime committed online is a crime like any other.”
“Ultimately, it is vital that the strategy also complements the significant work we’re seeing in each of the UK’s devolved nations, to ensure our public services and local businesses are best prepared to withstand cyber attacks, while working in partnership with the organisations already established to increase business and cyber resilience,” said McCorry.
“A focus on cyber strategy alone isn’t enough, however,” said McCorry. “While we must increase cyber security and reduce the number of associated attacks, we must also consider what comes next and prioritise cyber resilience – ensuring those organisations which do suffer an attack can quickly recover. Cyber resilience is essential not just for national security, but also for business continuity and therefore the overall UK economy.”
The government’s ‘whole of society’ approach with the National Cyber Strategy was also welcomed by Darktrace CEO Poppy Gustafsson.
“A ‘whole of society’ approach to cyber security, as set out in the Government’s new strategy, is absolutely critical for ensuring the nation is equipped to deal with the risks posed by today’s threat landscape,” said Gustafsson.
“The measures range from protecting the consumer through to improving the skills base to protecting our critical national infrastructure,” said Gustafsson. “We particularly welcome the added support for organisations to manage supply chain risk – one of the biggest challenges facing organisations today.”
“Darktrace research recently showed that the IT and Communications sector was the most targeted in 2021 – reflecting the fact that adversaries are using these platforms as an entry point to bigger targets, including governments and authorities,” said Gustafsson.
“We all have a part to play in building cyber resilience across the board – now is the time to mobilise so that we can defend against the increasingly sophisticated attackers of today and tomorrow,” Gustafsson concluded.
Another security expert, David Carroll, managing director of Nominet Cyber, noted that the government’s strategy was a notable departure from previous approaches, mostly because of the breadth of its scope.
“The new National Cyber Security Strategy 2022 represents a step change in the UK’s approach,” said Carroll. “As the Minister for the Cabinet Office, Stephen Barclay, pointed out in his address today: we are at an inflexion point. The new strategy builds upon previous strategies, but what’s striking now is its breadth.”
“It is a comprehensive whole-of-Government and whole-of-nation strategy,” said Carroll. “It places cyber power at the heart of the UK’s foreign policy agenda, and recognises that every part of the strategy depends upon international engagement.”
“It puts a stake in the ground for the UK as a responsible and democratic cyber power on an international stage,” Carroll added. “There is a lot to unpack, but the implementation programme shows boldness in its ambition, which is to be welcomed.”
“Our economy is more digitalised than ever, and we are reliant on increasingly diffuse infrastructures to maintain essential services,” said Carroll. “The drivers of change in cyberspace are many and varied, as the strategy makes clear. This increasingly complex landscape will make it harder for states, businesses and society to understand the risks they face, and how they should protect themselves.”
“Increased dependency on third party suppliers of managed services is creating new risks, as witnessed this week as the world scrambles to deal with the Log4j vulnerability,” said Carroll. “As the scale and speed of the changes to our digital landscape outpace the frameworks, laws and institutions that govern the way we live and work, we must be prepared for a strategic competition. Governments around the world will be looking for capabilities at national scale, rather than piecemeal cyber security solutions.”
“Governments will search for solutions and capabilities to protect entire ecosystems and economies,” Carroll concluded. “It is this multi-level, whole-of-society approach, with strategic international collaboration, that will allow the UK to harness its ‘cyber power’, defend its citizens, and be a responsible global citizen.”
James Hadley, CEO at Immersive Labs, welcomed the National Cyber Strategy’s focus on increasing diversity in the workforce and wider industry, and said it is time to hire on ability and not just university degrees or certifications.
“It’s encouraging to see that the Government’s new National Cyber Strategy will be focusing on diversity and prioritising cybersecurity in the workplace, boardrooms and supply chains,” said Hadley. “The time to elevate people to the same level as technology in the fight against growing cyber threats is now – and clearly, the Government recognises this.”
“Remaining resilient in such a high-paced threat environment requires the optimisation of human cyber capabilities across entire organisations – and, indeed, entire nations,” said Hadley. “Cybersecurity is no longer just an issue for IT teams and technical people; the entire workforce has a role to play in preparing for, responding to, and remediating against cyber threats.”
“I’m excited to see that the Government is addressing this by calling on ‘all parts of society’ to play their part in reinforcing the UK’s economic and strategic strengths in cyberspace,” said Hadley.
“This in turn encourages diversity in the workforce and wider industry,” he said. “In cybersecurity, where success often relies on doing the unexpected, diversity of thought is a valuable weapon. Our adversaries hire based on pure ability, not degrees and out-of-date certifications – so why don’t we copy them?”
“To optimise our defence, we need to move away from simply ticking off candidates’ certifications and start focusing on hiring those with the best practical skills for the job,” said Hadley.
“I hope this new National Cyber Strategy heralds a shift in mindset, putting the responsibility for cybersecurity on all of us and opening the door to a new pool of talent,” Hadley concluded. “At the end of the day, the more diversity and range of skills and knowledge we have in our armoury, the more we’ll increase our chance of successfully tackling what our adversaries throw at us next.”