Blog The UK National Cyber Strategy 2022 Explained

The pillars of the strategy

The strategy sets out five pillars, which are:

1. Pillar 1: Strengthening the UK cyber ecosystem
2. Pillar 2: Building a resilient and prosperous digital UK
3. Pillar 3: Taking the lead in the technologies vital to cyber power
4. Pillar 4: Advancing UK global leadership and influence for a more secure, prosperous and open international order
5. Pillar 5: Detecting, disrupting and deterring our adversaries to enhance UK security in and through cyberspace

Each pillar is described in some detail in the strategy, but for now I wanted to highlight some interesting new developments that the document includes, and a few existing ones that perhaps deserve more recognition.

The National Cyber Force

The first is the way in which cyber now fits within the UK’s overall defence strategy; the Integrated Operating Concept 2025 sets out the five operational domains related to modern warfare:

1. Space
2. Cyber and electromagnetic
3. Maritime
4. Air
5. Land

If you’re wondering what electromagnetic is, it’s basically the use and disrupting of signals, such as jamming the enemy’s radio (actually it’s so much more than that, but alas we lack the time here).

But the point is that cyber now has a seat at the table along with the (much) more established domains. In order to capitalise on this, the strategy describes the (relatively) new National Cyber Force (NCF), which will be based in Samlesbury in Lancashire (just East of Preston and handy for the M6). The NCF is staffed by experts from GCHQ, the Ministry of Defence, the Secret Intelligence Service (SIS, also known as MI6) and the Defence Science and Technology Laboratory, and is intended to have offensive as well as defensive capabilities.

Widening input from industry

A National Cyber Advisory Board will be formed, to invite “senior leaders from the private and third sectors to challenge, support and inform” the UK government’s approach to cyber issues. Details of this are pretty sketchy at the moment, including the number of members and how their advice will be captured and communicated to the decision makers in government.

The Cyber Assessment Framework

The UK government has stated that it will widen the use within public bodies of the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). This establishes a set of 14 principles for cyber security, spread across four objectives and uses a maturity scoring method to assess success against a total of 39 outcomes. Whether this announcement will open the door to the CAF being used more within the private sector is open for debate. Only time will tell.

Goodbye Action Fraud

Action Fraud has been the default method of reporting cyber crime for some years, and there are mixed verdicts on its suitability and effectiveness for this purpose. The National Cyber Strategy calls time on Action Fraud, and commits to replacing it by 2025. Given the sheer volume of cyber-related fraud happening across the UK, we can only hope that a significant slice of funding is allocated for this replacement.

The Computer Misuse Act is being misused

In order to be able to prevent and disrupt cyber crime, the strategy commits to reviewing one of the main pieces of cyber-related legislation in the UK, which is the Computer Misuse Act 1990. The feeling is that a law that is over thirty years old perhaps needs a bit of an update to reflect the massive changes in technology and society’s use of it during that time. In particular, a recognition that security researchers could benefit from more protection from prosecution whilst plying their trade (hopefully) for the benefit of the wider public and business.

Cyber Essentials is still not essential

The Cyber Essentials scheme gets three mentions in the National Cyber Strategy, but the tone is still very much about “promoting” the take-up of the standard, rather than using any additional pressure to get UK business to take cyber security more seriously. The number of certifications now stands at 30,000 which is a good number, but if you consider that over 800,000 new companies were formed in the UK last year alone, then it’s still a tiny percentage of the business community.

In summary

The National Cyber Strategy 2022 is a wide-ranging document that seeks to show that the UK is getting tougher on the international cyber scene, recognising the threats from Russia and China in particular. But it also aims to capitalise on the opportunity that cyber space represents for UK business and to skill the population up for a digital future. Whether this strategy will achieve its goal to support “the vision of the internet as a shared space that supports the exchange of knowledge and goods between open societies” in the face of opposition from more restrictive governments around the world, remains to be seen.

More Cyber Essentials Resources

CertiKit is a provider of document toolkits and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the Cyber Essentials scheme, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.

Free Cyber Essentials Resources