The UK government recently released its new National Cyber Security Strategy 2016-2021. Recognizing that cyberattacks on the UK are a top threat to the UK’s economic and national security, the strategy outlines a vision and goals to create a UK that is secure and resilient to cyberthreats, as well as prosperous and confident in the digital world. The UK has always been at the forefront of cybersecurity activities, and its new strategy is an important contribution to and model for global efforts.
The strategy lays out a substantive set of goals, actions and metrics mapped to three important pillars:
- Defend: The government will strengthen its own IT defenses and work with industry to ensure UK networks, data and systems are protected against evolving cyberthreats.
- Deter: The UK will strengthen law enforcement’s capabilities to increase the cost of cybercrime.
- Develop: The government will help to develop the UK’s critical capabilities, including cyber skills, as well as the country’s growing cybersecurity industry, to keep pace with cyberthreats.
The strategy includes an impressive set of plans, based extensively on working with the private sector. While all parts of the strategy are laudable, highlighted below are a number of its forward-looking approaches that will surely contribute to greater cybersecurity in the UK.
First, the strategy immediately puts into action its stated goal of partnering with industry. For example, as part of this strategy, the UK has created a new National Cyber Security Centre (NCSC), which is a single, central government body bringing together many of the government’s cybersecurity functions, including CERT-UK. The NCSC will be the UK’s authoritative voice on cybersecurity and aims to build effective cybersecurity partnerships between government, industry and the public. The NCSC’s commitment to direct industry engagement will help to deliver many elements of the strategy. The NCSC will manage national cyber incidents, provide expertise and deliver tailored support and advice to government and industry.
Second, the strategy aims to prevent and reduce the impact of cyberattacks on the UK, reflected in a new “Active Cyber Defence” program. Described in a blog by Ian Levy, technical director of the NCSC, this effort aims to make a significant proportion of UK networks more robust through automated prevention, ensuring UK citizens are protected by default from the majority of large-scale commodity cyberattacks. For example, the government plans to provide automated protections to citizens accessing online government services and states that, where possible, “similar technologies should be offered to the private sector and the citizen.” Using automation to prevent successful cyberattacks is wise, given that attackers themselves deploy sophisticated, automated attacks. Responding with manual defenses just won’t scale: we won’t keep up and, in fact, will continue to fall behind. The UK’s prevention-focused calculus will change the dynamic that currently favors attackers, tilting the balance to help the UK government, businesses and individuals better protect their networks. The strategy envisions the development and deployment of automated cyber defense in partnership with industry.
Third, the strategy strongly endorses cyberthreat information sharing. In fact, one of the NCSC’s initial emphases will be on facilitating such sharing, including ensuring UK government organizations have easy access to cyberthreat information and improving government-industry sharing. The goal is to “ensure that citizens, businesses, public and private sector organizations and institutions have access to the right information to defend themselves.” Sharing threat intelligence on advanced cyberattacks, cybercriminal motivations, and the tactics of malicious actors is essential to defend networks and prevent successful attacks. The UK also plans to move toward automated cyberthreat information sharing to allow organizations to act swiftly on relevant information, an important measure that will support the aforementioned automated prevention goal.
Fourth, the strategy focuses heavily on helping industry to raise its cyber resilience. The government plans to work with critical national infrastructure (CNI) but also will expand outreach to many more firms: the “UK’s most successful” companies, companies that hold a large amount of data, high-threat targets, digital service providers, insurers, and others. While the exact risks to these companies may differ, they all require cybersecurity for competitiveness and efficiency. Although the government plans to continue its practice of helping via investing in innovation and encouraging industry’s voluntary action, the strategy acknowledges a role for regulation, noting that the UK plans to use the forthcoming General Data Protection Regulation (GDPR) to drive standards of cybersecurity across the economy.
Fifth, augmenting the cyber resilience goals above, the strategy stresses that whether in industry or government, cybersecurity now needs to be viewed as a C-level or board-level concern, not simply an IT issue. The strategy notes responsibility for cybersecurity in the private sector lies with boards, owners and operators, while security of UK public sector organizations lies with Ministers, Permanent Secretaries and Management Boards. Palo Alto Networks agrees on the need for senior leadership involvement, and we are helping educate corporate directors and board members worldwide on these responsibilities through our recent book, Navigating the Digital Age. The UK version, including chapters by almost a dozen UK thought leaders, is slated for launch in early 2017. It is critical for modern corporations to have the capacity not just to understand the opportunities but also to understand and mitigate the risks inherent in our digital age, and we are pleased to contribute to that discussion in the UK.
Finally, the strategy stresses that the UK will work internationally. We wholeheartedly support this approach by all governments. Neither the global digital infrastructure nor the threats attacking it know national boundaries. We are only as strong as the weakest link. We appreciate that the UK will continue to play a strong role in global cybersecurity capacity building and use its influence in multilateral organizations, such as the European Union (EU), NATO and the G20.
These are only some of the many important activities in the UK’s new strategy, which also details plans to tackle cybercrime, develop cybersecurity skills across the population, and support a thriving UK cybersecurity sector. The UK’s National Cyber Security Strategy 2016-2021 sets out how the UK will become one of the most secure places in the world to do business in cyberspace. This framing is important. Cybersecurity must be viewed as an enabler, and the UK’s strategy, while acknowledging the growing threats, focuses on the benefits to the UK of better cyber resilience. Because the UK is the sixth largest economy in the world, strong cybersecurity there has multiplier effects around the globe. Palo Alto Networks looks forward to working with the UK government and private sector to realize the goals of its 2016-2021 Cyber Security Strategy and improve the UK’s – and hence the world’s – cybersecurity.
[Palo Alto Networks Research Center]