The “3D” National Cyber Security Strategy

February 2017

In light of the Public Accounts Committee casting a critical eye over the UK’s approach to cyber security last week, I thought it was a good time to reflect on the new National Cyber Security Strategy (2016-2021), since its launch three months ago.

When we look at the strategy, it is important to be clear about its main objectives, which are split into three main areas, the three “D”s:

1. Defend

  • Defence against the evolving cyber threat, and having the ability to respond to cyber incidents;
  • Ensure citizens, businesses and the public sector have the knowledge and ability to defend themselves.

2. Deter

  • Acknowledgement that the UK is a target for aggression in cyberspace;
  • Detect, understand, investigate and disrupt hostile action against the nation;
  • Importantly, have the capability to take offensive action, if required, to tackle this threat.

3. Develop

  • Innovate and grow the cyber security industry;
  • Develop world-leading scientific research and development;
  • Support the talent pipeline to provide the skills needed for the future.

In essence, the strategy aims to develop, from the ground up, the capability and skills needed to support and grow the UK’s cyber security capability, and to make the UK the safest place to do business online.

Threat actors

The strategy makes it clear that the world has changed since the previous 2011 strategy was published. The geopolitical landscape has radically changed, and the strategy acknowledges that cyber does not respect conventional country borders.

State actors are increasingly building offensive cyber capabilities, and the UK is not immune to their interest; in fact, the opposite is true. The UK, with its highly developed digital economy, has the potential to be rich pickings for nation states and cyber criminals alike.

In terms of overall national security, there are only a few countries that have the capability to pose a significant threat to the UK’s overall security, but the UK needs to ensure it continues investing in ways to combat these actions. It will also become increasingly easy for less-capable threat actors to purchase ‘off the shelf’ exploitation tools.

Nexor is acutely aware that traditional methods of protection in the cyber realm will not be effective against this continually evolving threat, and Nexor recognises the need for a continually developing cyber defence capability to protect the nation.

National Cyber Security Centre (NCSC)

A key focal point of the strategy is the formation of the NCSC, which was launched on 1st October 2016, with the aim of bringing together Government, Industry, Academia and the Public to ensure the UK is a safer place online. The NCSC will be the UK’s authoritative voice on cyber security.

We see this as an extremely positive move. The NCSC is acting as a focal point for cyber security and will bring together the disparate parts of government and provide uniform advice and guidance. It will give a clear answer to the public and industry on who they need to speak to for cyber security.

This can only be a good thing, and we have already seen this happening.

As part of its engagement strategy, NCSC will be hosting an annual conference, known as CYBERUK. It is a great event and opportunity to share a lot of its vision and advice, as well as a great opportunity to network with like-minded individuals. Nexor exhibited last year, and will be there again this year.

Defend – UK Government and CNI

Nexor’s core markets are Defence, Intelligence, wider Government and Critical National Infrastructure (CNI). As the strategy highlights, maintaining the trust of citizens is paramount when using digital services, and the provision of the critical functions of government and utilities. We take very seriously our role in helping achieve this by providing the capability to allow information to flow securely between different entities and therefore for government to become truly ‘digital’.

As the strategy discusses, government will continue its ‘Digital by default’ policy, and move all its services online; therefore, this information flow will only increase. It’s also imperative that as a nation we continue to minimise the risk by implementing best practice as set out by the NCSC. This is a core part of the Nexor strategy, and we closely align ourselves to this advice, and its ways of working.

As the strategy discusses, organisations must continue to invest in the technology and skills to reduce vulnerabilities in their current and future systems, and of course their supply chain, to maintain a level of cyber security proportional to the risk. This is something we still only see in the most progressive of organisations, but this needs to change.

Deter – Offensive Action

One very different aspect of the strategy is the concept of offensive action in cyberspace. Rarely has this topic been discussed openly by the UK government, but taking an offensive position in this arena to halt, minimise and deter cyber-attacks is a very welcome addition.

Quite often defence alone is not enough to protect the UK, and by taking a stronger pro-active position we stand a much better chance of protecting ourselves and securing our online presence.

Develop – supporting the sector

One of the key aspects of the strategy is building the capability of the future. Building the solid foundation of skills for the future is key, and the strategy looks to support this with two initiatives.

The first of these is CyberFirst. This is a government-backed scheme with the aim of nurturing the next generation of cyber security talent. The scheme offers a bursary and potentially the offer of a role in national security when you complete the programme.

CyberInvest is the second scheme. It has been designed to promote industry investment in cyber security research within the UK’s universities, and to create a community of government, academic and industry research.

Nexor is an active member of both the CyberInvest and the CyberFirst schemes and fully supports the NCSC’s ambitions to grow the cyber talent in the UK.

What lies ahead?

Although it’s still early days, we see the cyber security strategy progressing well. It is well funded at £1.9 billion, and it needs to be, due to its ambition of making the UK the safest place to do business online.

Against more determined and well-sponsored attackers, the NCSC, supported by the strong capabilities of GCHQ, will provide a stronger barrier protecting the UK’s digital economy and infrastructure.

The overall strategy and the formation of the NCSC are key in terms of raising the cyber security bar for the UK. We all know that basic hygiene will hinder a considerable number of attacks, and more specialised capability, such as Nexor’s, can help secure the most important aspects of the digital economy.

If the UK as a whole can raise its game, we might just end up as the safest country in the world to do business online!

Author Bio - Andrew Kays

Andrew was the Managing Director at Nexor from 2014-17. He has extensive experience in project management and the development of secure solutions across a number of industries including defence, logistics and finance. Andrew is a Certified Secure Software Lifecycle Professional (CSSLP). In April 2017, Andrew will be setting up his own business to help the UK tackle the cyber skills shortage.

