UK Cyber Security Strategy in a nutshell

Yesterday the UK government launched its National Cyber Security Strategy 2016-2021 so we thought we’d give you a quick heads-up on its main points together with the odd comment. This is the UK government’s reaction to the simple fact that the cyber threat is getting worse by the day and something needs to be done about it and quick. It’s also a recognition of the fact that the previous approach of asking UK companies nicely to sort themselves out just hasn’t worked. So there’s an element of “big brother taking over for your own good” in this document.

They’re throwing £1.9 billion at the problem and approaching it from four angles:

  1. DEFEND – try to stop it happening
  2. DETER – hunt down those that do it
  3. DEVELOP – nurture the talent for the future
  4. INTERNATIONAL ACTION – get other countries to help

Here’s what they’re doing in a nutshell:

DEFEND

  • Active Cyber Defence (ACD) involves working with the providers of the infrastructure of the Internet to trap attacks before they get to the end target. It’s not clear from the document exactly how that will be done and there have been some concerns raised previously by privacy campaigners about whether this means a big government firewall that just happens to read everything coming into the UK.
  • Building a more secure Internet – encouraging a “secure by default” approach by suppliers so that security becomes less of a user choice
  • Protecting Government – creation of the National Cyber Security Centre (NCSC) to improve security standards within government systems and a Cyber Security Operations Centre (CSOC) for the Armed Forces
  • Protecting our critical national infrastructure and other priority sectors – working closely with big companies via the NCSC to improve standards and make facilities and knowledge available for testing and education
  • Changing public and business behaviours – starting to play hard ball with companies that don’t get the hint via regulators, insurers, the new EU GDPR and other influencers. Re-emphasis of the existing Cyber Aware and Cyber Essentials schemes
  • Managing incidents and understanding the threat – joined-up approach to incident management via the NCSC and better incident information sharing, working towards the automation of alerts across systems

DETER

  • Cyber’s role in deterrence – the strategy is saying “we’re not going to take this lying down any more so watch out”
  • Reducing cyber crime – emphasis on law enforcement agencies, including the National Cyber Crime Unit (NCCU, part of the National Crime Agency, NCA) hunting down the cyber-bad guys and disrupting their business model so it’s no longer worth their while
  • Countering hostile foreign actors – focus on individual countries’ activities, including naming and shaming where appropriate
  • Preventing terrorism – the technical capability of terrorists is currently felt to be limited but effort needs to be made to keep it so
  • Enhancing sovereign capabilities – offensive cyber – a re-emphasis of the National Offensive Cyber Programme (NOCP), a partnership between GCHQ and the MoD, to further develop capabilities to attack rather than just defend
  • Enhancing sovereign capabilities – Cryptography – an interesting, if short, section that suggests that the UK may be going its own way on encryption, possibly developing methods unique to the UK

DEVELOP

  • Strengthening cyber security skills – addressing the skills gap, including cyber security in curriculums at various levels, achieving Royal Chartered status for the profession by 2020 and a Defence Cyber Academy for the MoD
  • Stimulating growth in the cyber security sector – helping cyber security startups, particularly in academia, and setting up two new innovation centres
  • Promoting cyber security science and technology – working more with universities and research establishments to encourage innovation; a Cyber Science and Technology Strategy will be developed soon. Big data analytics, autonomous systems, trustworthy industrial control systems, cyber-physical systems and the Internet of Things, smart cities, automated system verification and the science of cyber security are highlighted as research areas
  • Effective horizon scanning – radar monitoring of what might be coming next, including consideration of cyber security by existing horizon scanning bodies such as the Emerging Technology and Innovation Analysis Cell (ETIAC)

INTERNATIONAL ACTION

The strategy sets out a variety of ways in which the UK will work with other countries to establish responsible behaviour principles, track down and prosecute criminals, help other countries improve their cyber security and equip NATO for cyber warfare.

In Conclusion

Although there are many new initiatives outlined in this strategy, the overwhelming tone is that of doing a lot of the same things as before, but with a greatly renewed sense of urgency. There is a general implication that the stakes have been raised since the last UK government cyber strategy came out in 2011 and that a lot of the advice is still being ignored with disastrous consequences. Whether or not you agree with everything that’s in there, there’s little doubt that it’s sorely needed.
