The UK Government has once again shifted the cyber discourse with the recent publication of the National Cyber Strategy 2022, marking a significant change in how the government views cybersecurity and solidifying its position as a global cyber power. In fact, the term “cyber power” appears throughout the strategy and ultimately illustrates the change in how the government views cyberspace, centering on the “ability of a state to protect and promote its interests in and through cyberspace.” The focus is no longer solely on security, but more on how to harness cyber power for economic and social advantage, elevating the cyber domain from purely a security issue to a “whole of society” concern.
While many aspects of this strategy are laudable, three elements particularly stand out: its “whole of society” approach, how the government aims to tackle security of critical technologies and the digital environment, and the refocused attention on the international realm.
The “whole of society” approach recognises that cybersecurity is a team effort and requires all of society (citizens, businesses and the public sector) to take responsibility and action. This is a welcome approach and illustrates that tackling cybersecurity is not just the responsibility of businesses or the government. All of society must engage to help the UK realise its potential, and collaboration will be key to the UK’s success.
This inclusive, partnership-based approach is demonstrated by the proposed establishment of the new National Cyber Advisory Board, a group of leaders that will advise, challenge and support the government in the strategy’s implementation. This is a welcome development and once again recognises that the government cannot go it alone. The private sector has a key role to play in supporting and securing the UK because it develops, owns and operates the technology and digital infrastructure on which the nation depends. It is also a target of our cyber adversaries and develops the products and services to protect against the threats. As such, in constituting the board, the government must cast its net wide to include organisations from various sectors and of different sizes; all of which have different priorities, risks and views of the perceived challenges. In addition, the government must be transparent in how it appoints the board’s members.
The strategy centres around building resilience and securing the digital ecosystem. These themes cut across different “pillars” of the strategy, but are ultimately focused on the same thing: enhancing the security posture of the UK. These themes also necessitate a “whole of society” approach. We support the government’s efforts in taking an active role in the development and adoption of technologies critical to cyberspace, such as 5G, and it must work collaboratively with the industry. The pace of change requires active engagement with industry, which has a deep understanding of, and expertise in, the threats in cyberspace as well as these technologies and how to secure them.
Per the strategy, the government wants to build on its influence and take a leading role internationally in promoting technologies critical to cyberspace. This should include steering the development of security best practices. In the case of telecommunications, we cannot wait until the 5G horse has bolted and organisations are left trying to retrospectively fix the security weaknesses in their 5G deployments. 5G deployments must be built securely from the start and organisations will need effective guidance in order to do this. The government has made excellent headway with the development of the telecommunications security framework – security guidance aimed at the telecoms ecosystem. It should leverage this approach to develop specific 5G guidance, as well as assess what other "technologies critical to cyberspace" would benefit from such an approach.
The UK Government has excellent experience in developing practical guidance for the industry. This includes the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) aimed at critical national infrastructure (CNI) organisations that must comply with the security measures in the Network & Information Security Regulations, and more recently, the telecommunications security framework. These approaches illustrate how the government is moving away from point-in-time assessments and adopting more agile and risk-based approaches for all government and CNI functions across the UK. The government should promulgate these approaches internationally and build global consensus on necessary security guidance.
In addition, the government expects UK public sector bodies to raise their cyber standards and manage risk more proactively. As a result, it is placing greater emphasis on the CAF, including setting out the government's intention to require public sector bodies to use the assessment. Efforts to improve the understanding of cyber risk and to support more effective action can only be a good thing.
The strategy reaffirms the government’s vision of taking a leading international role in cyberspace and refocuses the approach. The government is already well-respected internationally. For example, the NCSC takes a leading role in international collaboration and in espousing its approach to cyberspace. In addition, the Department of Digital, Content, Media and Sport (DCMS) has made significant strides in recent years showcasing the policy interventions it has been developing.
The strategy sets out that the UK will take an even more prominent role in the international cyber dialogue and promote its vision for the internet via its engagement in multilateral organisations, such as the Global Forum on Cyber Expertise, ITU and the Internet Governance Forum. This is a welcome move. The government must use its position and influence in these groups to promulgate best practices and standards, drive secure approaches to tech developments and steer international collaborations on the development of the resources needed to tackle the risks posed in cyberspace.
The strategy marks a significant step in the evolution of the government’s cybersecurity journey since the first National Cyber Security Strategy in 2010. The 2010 Strategy took a carrot approach to cybersecurity – the government dangled guidance, hoping industry would implement it and strengthen its security posture. This did not happen to the necessary degree, and according to Robert Hannigan, the former head of GCHQ, market forces had failed. The demand for cybersecurity services was “patchy” and the government had to intervene to help raise cybersecurity standards. Fast forward to the next 2016-2021 National Cyber Security Strategy and the government placed greater emphasis on regulation and incentivisation, coupled with a significant and unprecedented investment of £1.9bn.
The National Cyber Strategy 2022 signals a new dawn. It is even more forceful and places greater emphasis on the whole of society, working towards creating a safer and more secure UK and world. Palo Alto Networks looks forward to working with the UK Government to help realise its vision and support the implementation of this new strategy.