The intent to enforce… something quite significant actually.
A first read and review of the news coverage around the United Kingdom’s (U.K.) new Cybersecurity Strategy earlier this month left many believing that there is little to report on cybersecurity from the new government. The initiatives articulated and the funding levels had already been publicly discussed throughout the year, while any new intentions expressed in the strategy lacked detail.
My initial reaction was disappointment that Theresa May’s government did not see fit to add new funds to the £1.9 billion committed by the previous Chancellor in November last year. Given that Ms. May had been Home Secretary and her new Chancellor, Philip Hammond, Secretary of State for Defence, they clearly bring an informed view of how threats are evolving. Mr. Hammond even highlighted the elevated level of threats coming from state actors and terrorism in particular in his speech.
I have since had the chance to spend time absorbing the new strategy, and looking back to what was said in the original five-year plan, the difference is astonishing. Today, we have a narrative that reflects a much clearer understanding of the scope of the task ahead, something (ISC)² as a professional body has been working to articulate for some time. The government has also clearly laid out what it believes its job should be, and what it expects of the rest of us as professionals, businesses, innovators, and individual citizens. It is interesting that Hammond chose a technology innovation event – Microsoft’s Future Decoded conference – to announce the strategy, clearly working to reach an audience that is to be held accountable.
“Technology companies – many of whom are represented here today – must take responsibility for incorporating the best possible security measures into the design of their products.
Getting this right will be crucial to keeping Britain at the forefront of digital technology security – itself a growing business sector,” he said on the day.
The report itself details far more and specific expectations:
“Organisations and company boards are responsible for ensuring their networks are secure. They must identify critical systems and regularly assess their vulnerability against an evolving technological landscape and threat. They must invest in technology and their staff to reduce vulnerabilities in current and future systems, and in their supply chain, to maintain a level of cybersecurity proportionate to the risk. They must also have tested capabilities in place to respond if an attack happens.”
With reference to incident response, the expectation is repeated:
“It is the responsibility of organisation and company management, in both the public and private sector, to ensure their networks are secure and to exercise incident response plans.”
And again with reference to skills:
“… employers also have a significant responsibility to clearly articulate their needs, as well as train and develop employees and young people entering the profession.”
Perhaps most crucially, the government laid out an intent to enforce what is expected. The document states unequivocally that market forces have not been and will not be enough to ensure the action required, and that government will work “in partnership with departments and regulators, who will assure whether cyber risk is being managed in their sectors to the level demanded by the national interest.” Further, the EU General Data Protection Regulation (GDPR) to be in force by May 2018 is cited as an effective lever to drive up standards and there is an intent to ensure that the industry acts and becomes “outcome” rather than “compliance” focused.
Cyber and information security professionals have been asking organisations for such a mandate for over two decades. The U.K. government has now given it to us. I encourage our membership and the cybersecurity community in general, whether they are working within the U.K. or not, to take the time to read the new U.K. Strategy; understand its intent, and take on an active role in assuring their organisations can do their part.
As I read through the document, I stopped wondering whether the Government thinks its budget commitments to cybersecurity are adequate. I don’t believe that it does. I suspect we didn’t see more funding because the government doesn’t yet know how much it will cost; because much of what it is doing should come with the evolution of the economy in a digital age; and because we need to see greater value from what has been committed to date to justify any increases in budget. There seems little justification to add to the public investment before the private sector begins to assume its role more definitively. I suspect we will see more public funds committed to this strategy, but not before fines for lack of action fuel public coffers.
By Adrian Davis, CISSP, Managing Director EMEA, (ISC)²