Updated UK cyber security strategy to narrow the gap between convenience and security

Cyber security global threat - Image credit: Pixabay

The Chancellor, Philip Hammond, launched the UK Government’s new National Cyber Security Strategy earlier this week.

The updated strategy, five years on from the last one, is underpinned by funding £1.9bn.

This investment in online security, which was announced last year to run the programme until 2020, is almost double the £860m dedicated to the first cyber security strategy from 2011.

Launching the new strategy, Philip Hammond referred to a “once-in-a-generation opportunity for the UK to cement our role as a leader in digital tech innovation, and to future-proof the economy of post-Brexit Britain”.

He said: “Britain is already an acknowledged global leader in cyber security thanks to our investment of over £860 million in the last Parliament, but we must now keep up with the scale and pace of the threats we face.

Last year’s National Security Strategy 2015 reaffirmed the cyber threat as a Tier One risk to UK interests and the new cyber security strategy notes that the “scale and dynamic nature of cyber threats, and our vulnerability and dependency, mean that maintaining the current approach will not in itself be sufficient to keep us safe”.

It says that a market based approach to the promotion of cyber hygiene has not produced the required pace and scale of change and the UK Government has to “lead the way and intervene more directly by bringing its influence and resources to bear to address cyber threats”.

RELATED CONTENT

Managing risk: a roundtable discussion on cybersecurity

The European Parliament adopts new EU-wide rules on cybersecurity

When the last National Cyber Security Strategy was published in 2011, cyber security mainly related to protecting devices such as desktop computers or laptops, the report notes, but since then the internet has become increasingly integrated into our daily lives.

“The ‘internet of things’ creates new opportunities for exploitation and increases the potential impact of attacks which have the potential to cause physical damage, injury to persons and, in a worst case scenario, death,” it says.

“The rapid implementation of connectivity in industrial control processes in critical systems, across a wide range of industries such as energy, mining, agriculture and aviation, has created the industrial internet of things.

“This is simultaneously opening up the possibility of devices and processes, which were never vulnerable to such interference in the past, being hacked and tampered with, with potentially disastrous consequences.”

The strategy says that much of the hardware and software originally developed to facilitate the interconnected digital environment has often prioritised efficiency, cost and the convenience over security.

“Malicious actors – hostile states, criminal or terrorist organisations and individuals – can exploit the gap between convenience and security. Narrowing that gap is a national priority,” it says.

It also notes poor cyber hygiene and compliance, insufficient training and legacy resources as problematic.

On a more positive note, much has been achieved since the last strategy, it says, with increased awareness of cyber risk in business and society in general over the last five years.

But it says the combination of market forces and government encouragement has not been enough to secure our long-term interests in cyberspace at the pace required.

“Too many networks, including in critical sectors, are still insecure. The market is not valuing, and therefore not managing, cyber risk correctly,” it says.

“Too many organisations are still suffering breaches at even the most basic level. Too few investors are willing to risk supporting entrepreneurs in the sector.

“Too few graduates and others with the right skills are emerging from the education and training system.”

In the 2016 strategy, the UK Government outlines the four key areas it will focus on.

The first, levers and incentives, will involve the Government supporting start-ups and investing in innovation, as well as seeking to bring on talent earlier in the education system and develop clearer routes into the profession.

The second area is expanding intelligence and law enforcement in the area, while the third involves developing and deploying technology in partnership with industry.

This includes active cyber defence measures to strengthen the security of the UK public and private sector systems and networks in the face of that threat and disrupt malicious activity.

The fourth area is the National Cyber Security Centre, which launched officially last month, and which the UK Government established to act as a single, central body for cyber security at a national level.

Hammond commented: “Our new strategy, underpinned by £1.9 billion of support over five years and excellent partnerships with industry and academia, will allow us to take even greater steps to defend ourselves in cyberspace and to strike back when we are attacked.”

Ben Gummer, Minister for the Cabinet Office, said: “No longer the stuff of spy thrillers and action movies, cyber-attacks are a reality and they are happening now.

“Our adversaries are varied - organised criminal groups, ‘hacktivists’, untrained teenagers and foreign states.

“The first duty of the government is to keep the nation safe. Any modern state cannot remain secure and prosperous without securing itself in cyberspace.

“That is why we are taking the decisive action needed to protect our country, our economy and our citizens.”