10 key insights into UK’s bullish new national cybersecurity strategy

"We will increasingly act upstream on behalf of all internet users in the UK”

10 key insights into UK’s bullish new national cybersecurity strategy

The UK’s 2022 National Cyber Security Strategy (NCSS) is a reminder that “cyber” does not exist in a vacuum. The policy paper, which sets desired outcomes to 2025 and which is backed by £2.6 billion, is an industrial strategy, a skills strategy, a national security strategy and a statement of increasingly active and interventionist intent by Her Majesty’s Government (HMG). Read closely – it deserves to be – it is in many ways a remarkable document.

The strategy includes plans for a “rapid and radical overhaul of government cyber security” including significant hardening of the government’s own critical functions; a “more ambitious and proactive approach” to maintaining a stake in critical technology (including by supporting the domestic industrial base); and bullish plans to “increasingly act upstream on behalf of all internet users in the UK” – both domestically and internationally.

The 30,000-word paper, published Dec. 15, 2021, promises to achieve 53 outcomes under five pillars by 2025.

Here are The Stack’s top 10 takeaways from the UK's 2022 National Cyber Security Strategy.

"Fix it!"

1: Government gets tough – internally and externally

Public sector cybersecurity is set for an overhaul.

The new UK national cybersecurity strategy vows a “rapid and radical overhaul of government cyber security, setting clear standards for departments and addressing legacy IT infrastructure.

That will include more walking of the talk internally, with HMG promising to "adopt the NCSC’s Cyber Assessment Framework (CAF) as the assurance framework for all government departments" and that "and critical systems and common suppliers will be mapped.  Government’s critical functions meanwhile "will be significantly hardened to cyber attack by 2025.”

Looking outward, the report details plans to be far more proactive “upstream”, including making “more routine use of the National Cyber Force (NCF)’s capabilities to disrupt threats from both state and non-state actors.” (The NCF was first revealed in 2020 and given a permanent physical location in 2021. It brings together personnel from GCHQ, the MOD, MI6 and the Defence Science and Technology Laboratory (DSTL), under one unified command.)

The threat to get aggressive with cybercriminals shines through the report, including a promise to make it more “costly and higher risk for state, criminal and other malicious cyber actors to target the UK” with “sustained and tailored deterrence campaigns that leverage the full range of UK capabilities (including diplomatic, economic, covert and overt levers)… a capability and willingness to impose meaningful costs.”

More and better...

2: Industrial partners

Industrial partners of HMG that provide sovereign cryptographic capabilities, including by providing hardened cryptographic key storage and distribution capabilities, have grown increasingly frustrated at their handling by government in the past.

With restrictions on their ability to export sensitive sovereign technology – but inconsistent public sector procurement and modernisation programmes, it’s been a bone of contention.

The UK’s 2022 National Cyber Security Strategy singles the sector out for attention, whilst also calling for a more “ambitious and proactive” industrial strategy/approach to ensuring UK Plc has a stake in critical technology. It pledges that by 2025 the UK will have a “more resilient and secure UK Crypt-Key enterprise with a more sustainable, world-leading industrial base”. This, it suggests, will happen by combining “the capabilities and expertise of government and industry more effectively, and take a more rigorous, national approach to managing the enterprise. This will ensure that we grow the distinct, specialist skills that we need.”

Get following The Stack on LinkedIn

In a recognition that those on the procurement side may need a kick up the bum and that private sector providers are itching to export more, it also promises that by 2025 the UK will have “stronger Crypt-Key capabilities and services in government [and the UK will have] “increased exports to our partners and allies.”

More broadly, although the UK cybersecurity sector has grown rapidly, "most companies are startups and building large scale domestic vendors remains challenging in the face of international consolidation" the NCSS notes, adding "countries that are able to establish a leading role in the technologies critical to cyber power will be better positioned to influence the way they are designed and deployed, more able to protect their security and economic advantage, and quicker to exploit opportunities for breakthroughs in cyber capabilities."

3 … and selected technologies

It’s not just the “crypt key” sector getting attention.

The report once again highlights the risk (which drew increased political attention amid the decision to strip Huawei kit from 5G networks) of becoming “overly dependent on competitors and adversaries” for core technologies, vowing that HMG will “strengthen our ability, led by the technical expertise of the NCSC and others across government, to identify the areas of technology most critical to our cyber power.”

This will include national-level strategic decisions about priorities under the “Own-Collaborate-Access” framework set out in the 2021 Integrated Review. Practically this will see HMG “select areas we will invest in the research and development activity [of] and strategic partnerships needed to develop the UK’s domestic capabilities”. Where the UK has the potential to “establish a leading position in key areas of cyber technology, or where reliance on non-allied sources of supply poses unacceptable security risks, we will seek to develop our domestic industrial base” the report says – WTO rules on subsidies have wriggle room.

See: UK vows “creative and routine” use of offensive cyber

The report highlights seven key technologies that will get attention:

  1. 5G and 6G technology, and other emerging forms of data transmission
  2. Artificial intelligence (AI), including the need to secure AI systems and the potential for the use of AI to enhance cyber security in a wide array of applications such as network monitoring
  3. Blockchain technology and its applications such as cryptocurrencies and decentralised finance
  4. Semiconductors, microprocessor chips, microprocessor architecture, and their supply chain, design, and manufacturing process
  5. Cryptographic authentication including for identity and access management and high assurance cryptographic products
  6. Internet of Things and technologies used in consumer, enterprise, industrial and physical environments such as connected places
  7. Quantum technologies, including quantum computing, quantum sensing and post-quantum cryptography
"Ello, ello, ello..."

Law enforcement have had some good success at pre-empting ransomware attacks and malicious campaigns, including via the National Crime Agency’s (NCA) National Cyber Crime Unit (NCCU, which is supported by a network of dedicated Regional Cyber Crime Units (RCCUs) in each of England and Wales’s nine police regions.

Dedicated Local Cyber Crime Units (LCCUs) meanwhile are embedded in each of the 43 police forces and synchronised through a regional coordinator.

(In earlier conversations with The Stack’s founder, one RCCU lead said this sometimes involved turning up at a company under attack and asking them to immediately isolate a specific server or desktop before a threat spread in a sign of just how deep law enforcement visibility can be into national internet traffic.)

"Systems are being joined up with transformed forensic, intelligence and data-sharing capabilities "

Centralised crime reporting, triage and analysis is provided through Action Fraud, hosted by the City of London Police, with most serious cases referred to the NCA and regional network to pursue. As the NCSS notes: “systems are being joined up with transformed forensic, intelligence and data-sharing capabilities to build a single platform so that national and regional units can access all the specialist high-end capabilities and tools.”

[Editor's note: we really hope this doesn't refer to the Home Office efforts detailed here...]

5: New organisations

The strategy establishes a range of new entities.

These include a new National Cyber Advisory Board (NCAB) to “bring together senior leaders from the private and third sectors to challenge, support and inform the government’s approach to cyber”.

(Despite numerous pronouncements about the need for a “more inclusive and strategic national cyber dialogue” and a “whole of society approach” there is no detail in the paper about how potentially interested parties can apply to be on the board. The Stack has asked the NCSC, GCHQ and the Cabinet Office for an appropriate email for any of our interested readers to note their interest to the board’s convenors.)

The government is also creating a new “National Laboratory for Operational Technology Security” which will bring government, industry and academia together for “testing, exercising and training on critical industrial technologies to build capability in this area” amid concern that increasing IT/OT convergence continues to open up threat vectors across critical national infrastructure and more broadly too.

(As the paper puts it: “We are increasingly seeing the interaction of established businesses in regulated sectors, such as telecoms and energy, with new and largely unregulated businesses, such as those providing microgeneration, electric vehicle charging or ‘connected places’ capabilities. Critical infrastructures will become much more distributed and diffuse... This change in environment will also affect products and services more widely outside of our traditional critical national infrastructure… Increased dependency on third party suppliers of managed services, which often have privileged access to IT systems, is creating new risks...”)

UK Cyber Security Council CEO Simon Hepburn

6: Skills, skills, skills...

We’ve all heard the public howling about the lack of cybersecurity skills (the flip-side of which is often companies that don’t want to invest in staff or in training.) The new NCSS, mentioning “skills” 48 times, promises “expansion post-16 training programmes in line with the needs of the cyber workforce, funding a range of skills bootcamps in cyber security, the national rollout of the Institutes of Technology programme, and continuing the CyberFirst bursaries scheme for undergraduates.

HMG will "transition from funding a range of largely bespoke and centrally-managed skills and innovation programmes, to a more sustainable, systemic and regional approach" it said of this approach.

See also: “It’s like a marriage…” SASIG’s Martin Smith MBE on the CISO and the board

It will also involve steering hackers going down the “wrong path”. Young black hats may find themselves, when caught, approached with the NCA’s Cyber Choices programme which is designed to help “people to make more informed choices, diverting them from criminality to use their cyber skills in a positive and legal way.”

Other concrete actions will include "expanding the Cyber Fast Stream and offering more cyber security apprenticeships, supporting specialist skills programmes within the NCA including graduate and intern placements, bespoke neurodiversity programmes and summer diversity programme."

The Queen approved the award of a Royal Charter to the UK Cyber Security Council in November 2021 meanwhile. This provides, for the first time, a bespoke chartered recognition specifically for cyber security, covering the range of specialisms that exist in the field. (The council is headed up by CEO Simon Hepburn.)

7: Businesses: Regulation looms

Among the clearly spelled out 53 desired outcomes by 2025 is for "UK businesses and organisations [to] have a better understanding of cyber risk and their responsibilities to manage them."

Some blunt tools may be used to enforce this. The UK's 2022 National Cyber Security Strategy vows that HMG will work with "procurers, financial institutions, investors, auditors and insurers to incentivise good cyber security practices across the economy."

Intriguingly, this will include proposals to mandate improved corporate reporting of resilience to risks, including cyber risks: "This will give investors and shareholders better insight into how companies are managing and mitigating material risks to their business." Watch this space; many have agitated for it.

(HMG plans to get more involved upstream too, cryptically saying it will be "testing a range of interventions to help organisations manage the cyber security risks posed by their suppliers" and work on "identifying where digital supply chains are too concentrated, and working with international partners to manage collective risks."

8: Alliances

Internationally, the 2022-2025 NCSS promises that the UK will build a "broader international alliance that is willing and able to impose more meaningful consequences on the UK’s adversaries."

This will include "greater diplomatic engagement, operational collaboration, information sharing and joint exercising".

The strategy paper also promises "more mutual understanding across key allied and partner countries’ cyber forces and better integrate cyber operations into allied operations across all domains: land, sea, air, space and cyberspace... including supporting the processes to integrate sovereign cyber effects provided voluntarily by the UK and some other allies, into NATO operations and missions."

Reporting back to the keepers of coin

The word "KPI" doesn't appear once in the report. And in terms of reporting on these aspirations, parliamentarians hoping for greater oversight are out of luck.

(Parliament's Public Accounts Committee and the National Audit Office both stuck the boot into reporting of the previous strategy's KPIs, with the NAO noting in 2019 that "the programme had done very little to measure its operation or how money was being allocated for individual" and adding, damningly, "the Strategy set out 48 measures of success but by July 2018 only 17 were being measured.”)

The 2022 UK National Cyber Security Strategy will be "governed by a continuously evolving performance framework that reports to senior responsible officials and the NSC" it notes.

"Consistent with the approach of the National Cyber Security Strategy 2016-2021, it will not be a public document due to the sensitive information contained but the government will publish annual progress reports."

Industry responds

The report drew positive industry responses.

Paul Baird, CTSO UK, Qualys was among those to send more thoughtful comments, noting: "The remit to ‘challenge, support and inform the Government’s approach to cyber’ in the NCAB is interesting – this organisation will have to be one where frank discussions are supported, so that we can all improve security. This has to be listened to, rather than being an organisation that exists to reflect back government thinking."

He added: "I really like the idea of focusing on schools to develop the next generation of cyber security professionals. We are in desperate need for more talent around IT security, and we can definitely benefit from higher diversity of viewpoints and experience too. I have seen far too many ‘cookie cutter’ Security Operations Centre teams where having that more diverse approach would help improve results. The most successful mature SOC teams have a wide spread of people with different backgrounds, approaches and ways of thinking and working on them, so they can counteract more potential problems. We need more of this in place..."

Former GCHQ Director Robert Hannigan. now Chairman of BlueVoyant, added: "[t's] good to see the new UK National Cyber Strategy highlighting supply chain security and developing skills, with a commitment 'to harness market expertise and ensure that everyone plays a role in securing the UK’s digital supply chains'. A very strong focus on embedding the Active Cyber Defence programme across government and more widely."

Made it this far? What are your views on the report? Let us know.