Carla Baker, senior director, government affairs UK&I at Palo Alto Networks, analyses what the latest iteration of the UK’s National Cyber Strategy means for organisations
The UK’s National Cyber Strategy 2022 was announced mid-December. It signifies a change in how the government views cyber security and solidifies its position as an international “cyber power”. This term is heavily used throughout the strategy, and emphasises the significant shift in how the government views cyber space. There will be a new focus on the “ability of a state to protect and promote its interests in and through cyber space” instead of just security.
The new strategy concentrates on elevating the cyber domain from purely a security issue to a “whole of society” concern, with prominent interest in how to harness cyber power for economic and social gain. There are three elements that are particularly noteworthy in the strategy: the whole of society approach; how the government plans on managing critical technologies and the digital ecosystem; as well as reinstated interest in the international environment.
Adopting a whole of society approach
At the core of the ‘whole of society’ approach is the ability to recognise that cyber security requires collaboration. It does not only involve businesses or the government, meaning that all levels of society (from citizens to the public sector) must take responsibility and action. This illustrates that everyone must engage and contribute towards helping the UK realise its full potential.
This inclusive, partnership-based approach will be key to the UK’s success, and the establishment of the National Cyber Advisory Board (NCAB) demonstrates this approach. It will comprise a team of leaders that will advise, challenge, and support the government in the strategy’s implementation. That said, the private sector has a pivotal role to play in supporting and securing the UK because it develops, owns, and operates the technology and digital infrastructure on which the nation leans. The sector is developing solutions to protect against potential threats, as well as grappling with defending against adversaries. With this in mind, the government must include organisations from various sectors and of different sizes in its plan; it must be transparent in how it appoints the board’s members.
Cyber resilience and securing the digital ecosystem
Cyber resilience and digital security overlap different “pillars” of the strategy but share the same goal of enhancing the security posture of the UK, which requires a whole of society outlook. The government’s efforts in taking an active role in the development and adoption of technologies critical to cyber space are applaudable. To remain in sync with the pace of change, there needs to be collaborative and active engagement with experts that have a deep understanding of the threats in cyber space and how to secure the technologies required.
The National Cyber Strategy outlines the government’s vision to build on its influence and take on a leading role in promoting technologies and security best practices critical to cyber space globally. It must not wait until the telecommunications industry encounters problems with 5G deployments and organisations are left trying to retrospectively fix their security weaknesses. Organisations must build their networks securely from the start, and effective guidance will be key to supporting this development. To address this issue, the government has made excellent headway with the creation of the telecommunications security framework, to provide security guidance for the telecoms ecosystem. It must now look to develop specific 5G guidance and assess what other “technologies critical to cyber space” would benefit from such an approach.
In continuing efforts to secure the critical national infrastructure (CNI), the National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework (CAF) to help parts of the CNI comply with the security measures in the Network & Information Security Regulations. The government is now extending the scope of the CAF, and has set out its intentions to require departments to use the assessment as a means of raising their cyber standards and managing risk more proactively. Any effort to improve the understanding of cyber risk and support more effective actions will always be beneficial. These approaches to assurance are perfect examples of how the UK government is swapping point-in-time assessments for more agile and risk-based approaches for all government and CNI functions nationwide. They should be endorsed internationally to build global consensus on necessary security guidance.
The global landscape
The strategy reaffirms the government’s aspirations to build on its global presence. There has been evident progress; the NCSC has driven international collaboration and the Department of Digital, Content, Media, and Sport (DCMS) has made critical advancements in the policy interventions it has been developing.
The UK will take on an even more prominent role in the international cyber dialogue and promote its vision for the internet via its engagement in multilateral organisations, including the Global Forum on Cyber Expertise, ITU and the Internet Governance Forum. The government must use its position and influence in these groups to develop and demonstrate best practices and standards, empower secure approaches to technology development, and nurture international collaborations on the development of the resources needed to tackle the risks posed in cyber space.
Looking ahead
The nation has witnessed a significant step forward in the government’s cyber security journey since the first National Cyber Security Strategy in 2010, which took a carrot approach to cyber security. The government developed guidance, hoping the industry would leverage it and strengthen their security posture. According to Robert Hannigan, the former head of GCHQ, this did not pan out as expected – market forces had failed. At the time, the demand for cyber security services was “patchy” and the government had to intervene to help boost cyber security standards. Its successor, the 2016-2021 National Cyber Security Strategy, placed greater emphasis on regulation and incentivisation, coupled with a significant and unprecedented government investment of £1.9 billion.
Fast forward to 2022, and the National Cyber Strategy is more assertive than ever before; it places greater emphasis on the whole of society approach. This signals a new dawn; the UK can look forward to a safer and more secure world.