UK cybersecurity strategy explained

The UK’s cybersecurity strategy, Government Cyber Security Strategy – Building a cyber resilient public sector, was launched in January 2022. The strategy outlines five objectives intended to insulate the UK public sector from cyber threats over the course of this decade.

The political context under which the strategy was published has changed dramatically, with the strategy having been launched by then-Prime Minister Boris Johnson MP.

The strategy operates with two complementary strategic pillars, both of which are underpinned by five strategic objectives, which aim to deliver “a consistent framework and common language that can be applied across the whole of government”.

Then-Chancellor of the Duchy of Lancaster Steve Barclay MP, whose additional former role as Minister of the Cabinet Office gave him the job of overseeing the implementation of the strategy, stated in his ministerial foreword that there were 777 attempted cyber security attacks in the United Kingdom in 2021, 40 per cent of which were targeting public sector organisations.

As a result, the overarching aim of the strategy is “for government’s critical functions to be significantly hardened to cyberattack by 2025, with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030”.

Strategic pillars

The first of the two strategic pillars is the building of a strong foundation of organisational cyber resilience, with the UK Government aiming to ensure “that government organisations have the right structures, mechanisms, tools and support in place to manage their cybersecurity risks”.

To achieve this, the UK Government aims to adopt the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) as the assurance framework for government, with government specific CAF profiles that articulate the outcomes required by government organisations in order to proportionately respond to the varying threats to their most important functions.

The document further outlines that objective verification by independent auditors will be a requirement for central government departments, although it will be for lead government departments to adapt and apply such an approach in a way that is most appropriate for the public sector organisations within their scope.

The rationale for the implementation of this strategic pillar is that it will improve visibility of cybersecurity risks, with the adoption of the CAF providing a common framework for government to more effectively understand and manage them.

The second strategic pillar is a strategy to ‘defend as one’. “Recognising that the scale and pace of the threat demands a more comprehensive and joined up response, government will harness the value of sharing cybersecurity data, expertise and capabilities across its organisations to present a defensive force disproportionately more powerful than the sum of its parts.”

To achieve this, the Government outlines a vision to establish a government cyber coordination centre (GCCC), which will allow the Government Security Group, the Central Digital and Data Office, and the NCSC to pool resources with the ultimate aim of maximising efficiency, especially in a crisis situation where speed will be of utmost importance.

Five objectives

The five objectives outlined in the strategy document illustrate a whole-of-government approach which is to be taken in shoring up the United Kingdom’s cybersecurity defences across all government departments.

The five objectives outlined are: managing security risk; protecting against cyberattacks; detecting cybersecurity incidents; minimising the impacts of cybersecurity incidents; and developing the right cybersecurity skills, knowledge, and culture.

1. To manage the UK’s security risk, the strategy document states that information about all vulnerability to cybersecurity systems will be shared across all government departments to ensure that the entire public sector, as much as possible is prepared for any risk to which it may be exposed.
2. To protect the UK public sector from cyberattacks, the strategy document outlines a vision of constant assessment and consistent risk management. This will involve, to a large extent, the processing and management of data, potentially including personal data.
3. Regarding the detection of cybersecurity incidents, the strategy document states that this process will “build on the foundation of risk management”. The document does not explicitly state how this will be done, although it does state that the methodology behind this will be a constantly evolving with the aim of ensuring that risk is “mitigated before they crucially impact government functions and services”.
4. Minimising the impact of cybersecurity incidents is central to the strategy, although it is not explicitly stated how this will be implemented. However, it does state that government departments will be “fully equipped” to mitigate the impact of attacks on the UK’s public sector cybersecurity systems. It adds: “A critical component of this will be establishing the mechanisms to test and exercise incident response plans, both organisationally and across government, as well as the ability to learn lessons from incidents and ‘near misses’.”
5. The fifth and final objective is a cultural overhaul to the approach taken at government level to the UK’s cybersecurity system. The document acknowledges the scale of the challenge, and states that the necessary culture shift will require access to the right cybersecurity skills and knowledge, as well as a shift in culture across all government departments.