Just in time for Christmas, on 15 Dec 2021 the UK Government released the latest incarnation of its National Cyber Strategy. This 130-page document paints a picture of how it would like the UK’s interaction with the Internet to develop over the next few years, faced with an increasing trend towards tighter regulation on the part of countries such as Russia and China.
Ken Holmes CISSP, CertiKit’s managing director and self-confessed cyber security enthusiast summarises the key points of the National Cyber Strategy in simple terms so your business can be in the know.
The strategy sets out five pillars, which are:
Each pillar is described in some detail in the strategy, but for now I wanted to highlight some interesting new developments that the document includes, and a few existing ones that perhaps deserve more recognition.
The first is the way in which cyber now fits within the UK’s overall defence strategy; the Integrated Operating Concept 2025 sets out the five operational domains related to modern warfare:
If you’re wondering what electromagnetic is, it’s basically the use and disrupting of signals, such as jamming the enemy’s radio (actually it’s so much more than that, but alas we lack the time here).
But the point is that cyber now has a seat at the table along with the (much) more established domains. In order to capitalise on this, the strategy describes the (relatively) new National Cyber Force (NCF), which will be based in Samlesbury in Lancashire (just East of Preston and handy for the M6). The NCF is staffed by experts from GCHQ, the Ministry of Defence, the Secret Intelligence Service (SIS, also known as MI6) and the Defence Science and Technology Laboratory, and is intended to have offensive as well as defensive capabilities.
A National Cyber Advisory Board will be formed, to invite “senior leaders from the private and third sectors to challenge, support and inform” the UK government’s approach to cyber issues. Details of this are pretty sketchy at the moment, including the number of members and how their advice will be captured and communicated to the decision makers in government.
The UK government has stated that it will widen the use within public bodies of the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). This establishes a set of 14 principles for cyber security, spread across four objectives and uses a maturity scoring method to assess success against a total of 39 outcomes. Whether this announcement will open the door to the CAF being used more within the private sector is open for debate. Only time will tell.
Action Fraud has been the default method of reporting cyber crime for some years, and there are mixed verdicts on its suitability and effectiveness for this purpose. The National Cyber Strategy calls time on Action Fraud, and commits to replacing it by 2025. Given the sheer volume of cyber-related fraud happening across the UK, we can only hope that a significant slice of funding is allocated for this replacement.
In order to be able to prevent and disrupt cyber crime, the strategy commits to reviewing one of the main pieces of cyber-related legislation in the UK, which is the Computer Misuse Act 1990. The feeling is that a law that is over thirty years old perhaps needs a bit of an update to reflect the massive changes in technology and society’s use of it during that time. In particular, a recognition that security researchers could benefit from more protection from prosecution whilst plying their trade (hopefully) for the benefit of the wider public and business.
The Cyber Essentials scheme gets three mentions in the National Cyber Strategy, but the tone is still very much about “promoting” the take-up of the standard, rather than using any additional pressure to get UK business to take cyber security more seriously. The number of certifications now stands at 30,000 which is a good number, but if you consider that over 800,000 new companies were formed in the UK last year alone, then it’s still a tiny percentage of the business community.
The National Cyber Strategy 2022 is a wide-ranging document that seeks to show that the UK is getting tougher on the international cyber scene, recognising the threats from Russia and China in particular. But it also aims to capitalise on the opportunity that cyber space represents for UK business and to skill the population up for a digital future. Whether this strategy will achieve its goal to support “the vision of the internet as a shared space that supports the exchange of knowledge and goods between open societies” in the face of opposition from more restrictive governments around the world, remains to be seen.