With the UK’s cyber security strategy due to finish at the end of 2015, Adam Morton takes a look at what the strategy has achieved so far.
The coalition Government first published its national cyber security strategy in 2011. The objectives the strategy hopes to achieve are as follows:
• to make the UK one of the most secure places in the world to do business in cyberspace;
• to make the UK more resilient to cyberattack and better able to protect our interest in cyberspace;
• to help shape an open, vibrant and stable cyberspace that supports open societies;
• to build the UK’s cyber security knowledge, skills and capability.
At the time of publication the latest data available covered 2013-14. The work on this strategy is supported by the National Cyber Security Programme. Dedicated funding of £860 million has supported a wide range of projects to develop cyber security capabilities and stimulate the UK’s cyber security market.
Throughout the lifetime of the strategy, the government has been working to raise businesses’ awareness of the threat from cyber-crime espionage. To tackle these threats the government wants to see businesses embed effective cyber security risk management practices and it will continue working with professional bodies, accountants and auditors to ensure its message reaches the largest possible audience.
The Department for Business, Innovation and Skills also launched Cyber Security Guidance for Non-Executive Directors in December 2014. The department believes that Non-Executive Directors are critical friends who can offer companies advice from an external perspective based on their own expertise. For small and medium sized businesses the government has developed and launched a free online training course called ‘Responsible for Information.’ The course is designed to help employees and small business owners understand information security and the associated risks.
Despite these and other initiatives, the report recognises that there is still more to do to spread the message to small firms that are hard to reach. To help smaller firms access the help they need the department has, in partnership with Innovate UK, offered £5,000 cyber security innovation vouchers to SMEs to invest in improving their cyber security and enhancing their grown potential.
While security is important, the government has also been addressing the issue of how to tackle cyber-crime. The National Cyber Crime Unit, part of the National Crime Agency, leads operations on serious cyber-crime and at the regional level the National Cyber Security Programme (NCSP) has funded the establishment of dedicated cyber units in each of the nine Regional Organised Crime Units across in England and Wales.
A significant proportion of NCSP funding has been invested in GCHQ’s ability to detect and defend against the increasingly sophisticated cyber threats facing the UK. This improved situational awareness has led to protection being provided at pace and scale to key networks of national security. Along with this funding, the government is also working with industry to ensure that critical services remain resilient to serious incidents and that public authorities and infrastructure providers are ready to respond.
In March 2014, CERT-UK, the UK’s national computer emergency response team was launched to oversee a programme of exercises to support critical sectors in preparing for the potential impact of a destructive cyber-attack. Similarly, the cyber security of the armed forces and the military supply chain has been continually strengthened. The Defence Cyber Protection Partnership (DCPP) which includes thirteen prime defence contractors and, representing smaller businesses, the trade association ADS and techUK, has developed a framework that clearly identifies expected cyber standards.
The report recognises that as cyberspace is borderless, efforts to make the UK safer cannot focus on the UK alone. The government works with other countries to raise capacity, bear down on cyber-crime havens and promote the UK as a leader in cyber technology and policy. There has also been an increased focus on expanding the UK’s bilateral and multilateral networks and developing international collaboration through the work of the EU, NATO and the Commonwealth and other bodies.
The report recognises the UK as a leading player in a broad range of cyber issues, particularly in international cyber security capacity building. The British Government also continues to take a key role in the development of norms of responsible state behaviour in cyberspace, in support of an open, resilient, secure and peaceful cyberspace. In addition to this, the report states that the UK will continue to take a leading role in the development of norms of responsible state behaviour in cyberspace, in support of an open resilient, secure and peaceful cyberspace.
The British Government has also funded the Global Cyber Security Capacity Centre, part of Oxford University’s Martin School. The centre is a global thought leader in cyber security. A new Oxford Portal will facilitate greater information exchange among researchers and consumers of research in cyber security.
As the need to expand the UK’s cyber security sector increases, more people with the right skills and education will be needed to work in it. The National Cyber Security Programme has provided resources to seed initiatives across academia and the education sector.
In schools the NCSP has funded the development of cyber security learning and teaching materials at GCSE and A-level with new Key Stage 3 materials to be released to schools in 2015. GCHQ already uses an apprenticeship scheme with success in its own business and at present is working with businesses and Tech Partnership to help build a scheme across the wider economy. For Higher Education the UK Government is working to define a framework for the required learning outcomes in cyber security within computing science and related courses.
At postgraduate level, GCHQ has certified six Master’s degrees in general cyber security and is viewed by the report as an important first step towards recognising academic centres of excellence in cyber security education. The programme is also funding two centres of doctoral training to provide an expanded pool of top-end skills at PhD level. The first cohort of students have entered their second year. The centres are expected to deliver 66 additional PhDs from 2017.
Ultimately, the report believes that the success of the strategy so far maintains the UK’s reputation as one of the best places in the world to do business online. A review of the strategy’s progress in 2015 will also ensure that the appropriate lessons have been learnt and that new threats have been responded to as necessary.