Government publishes National Cyber Security Strategy
The 2015 National Security Strategy ranked hostile attacks on UK cyber space and large scale cyber-crime to be amongst the highest priority threats to national security, and in 2015 the UK Government committed to establishing tough and innovative measures to bolster the UK's cyber security capabilities. On 1 November 2016, the Government published its National Cyber Security Strategy 2016 – 2021 [1] (the 2016 Strategy) to deliver on this commitment. The 2016 Strategy sets out how the Government intends to manage cyber security threats in the UK over the next five years to ensure that Britain is a safe place for the digital economy to flourish.
The 2016 Strategy
The 2016 Strategy departs from the Government's previous 2011 National Cyber Security Strategy and National Cyber Security Programme, which sought to use market forces and commercial pressures to drive innovation in cyber security. The 2016 Strategy highlights the need for greater short term input from the state. The Government now plans to set the pace for meeting the UK's cyber security needs itself and has identified three objectives in the 2016 Strategy which are crucial to doing so:
- Defence – ensuring that public, private and commercial actors in the UK can defend themselves against continually evolving cyber threats, that networks, data and IT infrastructure are resilient to attack, and that Britain can respond quickly to cyber security incidents
- Deterrence – detecting and disrupting hostile cyber action taken against the UK, pursuing those who violate its cyber infrastructure, and having the ability to go on the "cyber offensive" should the situation require it - ultimately making the UK a harder target and raising the costs to an adversary
- Development – nurturing the UK's growing cyber security industry to produce a constant supply of skills and talent in order to meet growing cyber security demands, plugging the gap between demand and supply for key cyber security roles, and developing education and training in the cyber security sector
Looking beyond its own borders in formulating the 2016 Strategy, the Government also intends to foster partnerships with other countries to encourage international cyber security co-operation.
The 2016 Strategy specifies four broad areas on which the Government will focus to achieve these outcomes:
- Levers and incentives – supporting start-ups and investing in innovation; identifying talent earlier and developing defined career routes into the cyber security profession; and using regulation (for example, the upcoming General Data Protection Regulation) to drive up standards
- Expanded intelligence – intelligence agencies will expand their efforts to identify and disrupt hostile cyber activity. The UK Armed Forces' platforms and networks will be properly defended from cyber-attack through close intelligence co-operation between the military Cyber Security Operations Centre and the National Cyber Security Centre
- Development and deployment of technology – active cyber defence measures at a macro level such as filtering known bad IP addresses, blocking malicious online activity and minimising phishing attacks will strengthen the security of the public and private sectors and improve understanding of existing cyber security threats
- Establishing the National Cyber Security Centre – a single central body for cyber security at a national level which manages cyber incidents, provides guidance and is a centre of expertise on cyber security (this became operational on 1 October 2016)
Conclusions
The 2016 Strategy confirms a budget of £1.9 billion, over double that spent under the 2011 National Cyber Security Programme. However, it is questionable whether, spread over the five-year term of the 2016 Strategy, even this increase in funding will be sufficient to tackle the increasingly diverse and complex challenges cyber security poses to the UK.
While laudable in its aims, the 2016 Strategy may prove difficult to implement without underpinning legislation (for example, strict liability offences related to shipping internet enabled devices which fail to meet certain cyber security criteria or distribution of applications with known security flaws).
As the 2016 Strategy begins to take shape over the coming months and years, further questions and considerations will undoubtedly rise to the surface. For now, the clear message from the UK Government is that it is alive to cyber security threats. The new strategy is therefore a welcome addition to its broader efforts to turn the UK into a preferred location for digital economy businesses.
Notes
- https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.