The UK 'National Cyber Security Strategy 2016-2021' was published in November 2016. Its vision is to make the UK secure and resilient to cyber threats, and prosperous and confident in the digital world, by 2021. To achieve this vision, its objectives are:
Obj. 1 - DEFEND. Protect the UK against evolving cyber threats, respond effectively to incidents, ensure UK networks, data and systems are protected and resilient. Citizens, businesses and the public sector have the knowledge and ability to defend themselves.
Obj. 2 - DETER. Become a hard target for all forms of aggression in cyberspace. Detect, understand, investigate and disrupt hostile action taken against the nation, pursuing and prosecuting offenders. Have the means to take offensive action in cyberspace, should the UK decide to do so.
Obj. 3 - DEVELOP. Create an innovative, growing cyber security industry, underpinned by world-leading scientific research and development. A self-sustaining pipeline of talent will provide the skills to meet national needs across the public and private sectors. Cutting-edge analysis and expertise will enable the UK to meet and overcome future threats and challenges.
INTERNATIONAL ACTION - Invest in partnerships that shape the global evolution of cyberspace in a way that advances the UK's wider economic and security interests. Deepen existing links with the closest international partners to enhance collective security. Develop relationships with new partners to raise their levels of cyber security and protect UK interests overseas, bilaterally and multilaterally, including through the EU, NATO and the UN.
In August 2017, the UK government announced plans to implement the Network and Information Systems (NIS) Directive and to replace existing data protection legislation with a bill aligned to the General Data Protection Regulation (GDPR). The GDPR is also considered a lever for improving cyber security within an organisation, since its accountability and breach-notification duties require organisations to know what data they hold and to detect and assess incidents quickly.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
|Year of adoption||
November 2011. The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world.
November 2016. 'National Cyber Security Strategy 2016-2021'
|Updates and revisions||
The first national strategy was published in 2011, covering the period 2011-2015: The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world. The National Cyber Security Programme received government funding of £860 million to deliver the strategy.
Annual reports on progress towards the defined objectives have been published since 2011. The last report was published in April 2016: The UK Cyber Security Strategy 2011-2016 - Annual Report.
For the new strategy 2016-2021, the Government will invest a total of £1.9 billion to achieve 13 strategic outcomes around the pillars of defend, deter and develop. A proportion of the Defence and Cyber Innovation Fund will be allocated to support innovative procurement in defence and security. The strategy, which is government-led, includes two new cyber innovation centres as part of the drive towards an ecosystem built on cutting-edge cyber products and new, dynamic cyber security companies.
The National Cyber Security Centre operates as part of GCHQ (the UK Government Communications Headquarters) and publishes weekly threat reports and an annual review of threats and vulnerabilities: https://www.ncsc.gov.uk/index/report
|Implementation and monitoring||
While the policies, institutions and initiatives established over this period have helped to establish the UK as a leading global player in cyber security, progress reports reveal the need for increased efforts to address the scale and dynamic nature of cyber threats in a more complex landscape:
The National Cyber Security Centre (NCSC, established on 1 October 2016) serves as the authority on the UK's cyber security environment, sharing knowledge, addressing systemic vulnerabilities and providing leadership on key national cyber security issues. GCHQ (Government Communications Headquarters) is its parent body, so the NCSC can draw on GCHQ's expertise and capabilities to improve support to the economy and society more widely. Government departments are responsible for implementing the NCSC's cyber security advice within their own estates.
Success metrics are provided for each of the major actions foreseen in the implementation plan (here we consider those related to capacity building as one of the pillars of the EU Cybersecurity Strategy).
|Operational Capacity Building||
Operational since October 2016, the UK National Cyber Security Centre (NCSC) provides cyber incident response, replacing CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT-UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI). Law enforcement works closely with the NCSC and industry to share the latest criminal threat intelligence, helping industry to defend itself and to mitigate the impact of incidents.
Initial focus is on:
The NCSC is expected to adapt its focus and capabilities to new challenges and lessons learned.
The UK (HM) Government has announced plans to:
The overall objective is to make the UK the safest place in the world to live and be online. Special emphasis is placed on making sure essential services are prepared for the increasing risk of a cyber-attack: providers of essential services such as water, energy, transport and health must be safeguarded against hacking attempts. Under the proposed NIS rules, such firms will also be required to show they have a strategy to cover power failures and environmental disasters, not only malicious attacks.
The GDPR will considerably strengthen the existing rules and responsibilities around how businesses process and safeguard consumer data. It also introduces mandatory breach notification: a personal data breach must be reported to the supervisory authority (the Information Commissioner's Office in the UK) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Meeting a 72-hour deadline is only possible if an organisation can detect a breach, establish its scope and assess its impact quickly, which makes threat monitoring and risk management a top priority rather than a paperwork exercise.
The current bill will effectively transfer the European Union's General Data Protection Regulation (GDPR) into UK law.
The government's stated motivation is to give the country one of the most robust, yet dynamic, sets of data laws in the world, giving people more control over their data and requiring clearer consent for its use.
Proposals included in the bill will:
Heavy fines can be imposed on organisations failing to comply with the legislation: up to £17 million or 4% of global annual turnover, whichever is higher.
Business and public-private partnerships
The 2016-2021 strategy provides levers and incentives for the UK private sector, with government investment aimed at maximising the potential of an innovative UK cyber sector. It also places more emphasis on the role of government in advising businesses and establishing partnerships to achieve its objectives. Specifically, the strategy will:
Campaigns and Schemes:
The strategy also places greater emphasis on critical infrastructures, particularly the telecommunications sector. The objectives for this sector include:
The Government will also undertake specific actions, such as:
|Other capacity-building measures: research and education||
The NCSC works with industry, government and academia to build cybersecurity capacity for the next generation of researchers, students and innovation.
Cyber security training in schools: the Department for Digital, Culture, Media and Sport is investing £20 million to fund cyber security training in schools, with the intention of giving nearly 6,000 teenagers the skills needed not just to protect themselves online, but also to build a future career in the cyber security industry.
Cyber Security Innovation Centre (July 2017): the London-based centre will be tasked with conducting world-leading research and development into the next generation of security technology. It will receive investment of £14.5 million over a period of three years. The government has launched a competition to develop and design the unit. The centre will bring together established industry players and new start-ups to collaborate on the development of future security technologies. Through the unit, newly formed businesses will get access to mentoring, business support and early-stage growth advice. One of the aims is therefore also to give UK firms access to the latest cyber technology and to give start-ups the support they need to develop.
Cyber Security Centre for defence procurement (July 2017): the UK Ministry of Defence is establishing a Cyber Security Centre for defence procurement at a cost of £3 million. The centre's objectives are to:
According to UK government spokespeople, this is another example of co-developing solutions to national security risks, with the national strategy driving partnerships with industry, including an investment of £10 million in a new Cyber Innovation Fund to give start-ups the boost and the partners they need.
|Risk assessment plan||
The 2016-2021 national strategy places much emphasis on risk assessment and management at national level, within the business community and across the public sector. Strategic outcomes at government level include:
Strategic outcomes for the business community and among citizens:
The 2016-2021 strategy provides for 13 strategic outcomes, each with a set of indicative success metrics to 2021. The strategic outcomes and some of the indicative metrics are summarised below.
|Overall assessment/best practices||The NCSC offers a unified source of advice on cyber security threat intelligence and information assurance for the UK Government. It presents a strong public face against cyber threats, working hand in hand with industry, academia and international partners, and acts as a public-facing organisation with reach-back to GCHQ to draw on secret intelligence and world-class technical expertise.|
|Date of last WISER analysis||August 2017|
Compliance with the GDPR and NIS Directive: Report a cyber incident
|Report a cyber incident to national CERT/CSIRT||
In the event of a cyber security incident, organisations should check their reporting obligations under data protection legislation (for example the 72-hour personal data breach notification under the GDPR) and, for operators of essential services, under the NIS Directive and any other applicable legislation. Reporting an incident to the NCSC does not by itself discharge a statutory notification duty to a regulator.
|Guidance and Updates||
The NCSC provides guidance for UK industry, government departments, the critical national infrastructure and private-sector SMEs. Guidance includes topic-specific reports, infographics and a regularly updated glossary: https://www.ncsc.gov.uk/guidance. The NCSC also publishes alerts and advisories for cyber security issues detected in the UK, and in-depth analysis of cyber threats and vulnerabilities: https://www.ncsc.gov.uk/threats.
The information is very easy to find.
|Date of last WISER analysis||August 2017|