Last week the government launched its inaugural Cyber Security Strategy to little fanfare.
Wrongly perceived as a somewhat dry and technical topic, this watershed moment for Britain’s digital defences was undoubtedly overshadowed by ongoing questions surrounding the prime minister’s alleged breach of Covid guidelines.
Yet far after Boris Johnson’s rumoured birthday cake ambush is consigned to the footnotes of GCSE history textbooks, the nature of the UK’s cyber security – or lack thereof – will define its domestic and international capabilities for generations to come.
Systems under siege
In a speech in central London on Wednesday, the Chancellor of the Duchy of Lancaster, Steve Barclay, laid out the UK’s first attempt at a comprehensive plan to sure-up its cyber security.
The plan arrives at a critical moment, with Britain now the third most cyber-targeted nation on the planet, as digital warfare by domestic criminals, along with threats from China, Russia, Iran and North Korea, rage on.
According to government figures a shocking 4 in 10 British businesses came under virtual fire last year, and just over a quarter of UK-based charities fell victim to cyber attacks. The National Cyber Security Centre dealt with 777 local incidents between September 2020 and August 2021, with around 40% targeting the public sector.
The UK, US and EU also recently confirmed that Chinese agents had executed a large-scale attack on Microsoft. GCHQ director Sir Jeremy Fleming has made two public warnings over China’s Intentions, claiming that Beijing was placed to “control the global operating system”.
A 2020 attack left Redcar & Cleveland Council staff working with pen and paper for almost a month as repairs costing up to £18 million were made. Data leaks and service outages plagued Hackney Council throughout late 2021, while Gloucester City Council experienced havoc with its systems, including those issuing benefits payments, at the hands of Russian hackers in the lead up to Christmas. Its systems are still not fully restored.
Back in 2017 ransomware attacks on the NHS resulted in 19,000 plus appointments having to be cancelled.
As state and non-state actors continue to wreak havoc, public and private organisations wrestle with their lack of local cyber expertise and slashed budgets. The failure of most employers to ensure a ’cyber-safe’ remote-working environment has also exacerbated the risks of attack throughout the Covid pandemic.
What’s new?
On Wednesday Barclay said the government aimed for its “critical functions to be significantly hardened to cyber attack by 2025,” and positioned the strategy as the latest chapter in a series of upgrades to its cyber programme.
While no foreign governments were namechecked in the speech or indeed the full report, their presence loomed; though even the initial press release’s reference to hostile states” was scrapped from the full speech.
The strategy lays out plans to encourage more people to enter public sector cybersecurity employment, better intradepartmental sharing of skills and intel, and continued investment in emerging technologies such as AI.
Given the current rough and tumble in Westminster, it is uncertain that a Conservative government will see through this 3-year strategy, however the stance of Labour’s frontbench since Sir Keir Starmer’s ascendancy suggests that such a strategy would be maintained by any incoming Labour government.
Barclay admitted that public service organisations are starting from a “very low level of maturity” when it comes to digital security, so it remains to be seen whether the issue is sufficiently fortified within 3 years, particularly as relations with China and Russia – who are responsible for well over half of all state-backed cyberattacks – seem on track to deteriorate sooner rather than later.
As the nature of warfare and crime continues to evolve, it goes without saying that Britain’s public services cannot afford to be left open to interference by hostile states. Achieving the aim of heightened security “is essential”, said Barclay, which leaves one wondering why it has taken the government so long to confront it in a comprehensive manner?
Money, Money, Money
The government will invest £2.6 billion in cyber before 2025. This outstrips the £1.9 billion allocated to cyber strategy between 2016 and 2020 by over 350 million, taking into account inflation.
This includes over £37.8 million for local authorities to “boost their cyber resilience” to protect the essential services and data currently at a high risk of compromise.
As security think tank the International Institute for Strategic Studies (IISS) outlined in its landmark report published last June, the initial investment of £1.9 billion over five years was “substantial in the context of overall UK government funding”, and thus the heightened figure has been welcomed by experts. However, the ISS highlighted that filling the labour force gap across departments ought to be prioritised.
The government’s chief security officer, Vincent Devine, outlined how the strategy was “ centred around two core pillars,” with the first focusing on “building a strong foundation of organisational cyber security resilience” – in other words by ensuring as many government and public sector employees have basic cybersecurity skills training.
The second pillar focuses on coordination between departments, “allowing the government to ‘defend as one’, harnessing the value of sharing data, expertise and capabilities.”
A key strand to this is the creation of the Cyber Coordination Centre, to be based in the Cabinet Office. The government says this centre “transform how data and cyber intelligence is shared.” The Times explained that this “will bring together the work carried out by officials, troops and spies…” and “be designed to ensure the government can “defend as one” by rapidly identifying, investigating and co-ordinating the government’s response to attacks on the public sector.”
Education, Education, Education
The strategy’s launch of a ‘Cyber Fast Stream’ to increase Britain’s ability to foster homegrown technical expertise is certainly a step in the right direction.
Barclay estimated that by the end of this year, there will be “130 cyber apprentices across 21 government departments, and we are going to carry on building on this great foundation.”
A public-focused scheme will also prove vital given the government’s ongoing struggle to compete with private industry for tech professionals amid ongoing shortages of suitable candidates.
Even within government there remains the challenge of internal competition, which can only be alleviated if all departments are equipped to attract and retain the best talent.
Beyond the Cabinet Office
The government’s telecommunications (security) bill, currently being considered by MPs, will require telecommunications firms to “identify and reduce the risks of security compromises”. It will permit the government to mandate codes of practice and secondary legislation to tighten the security of the sector’s notoriously shaky supply chains.
Yet the bill, like this strategy itself, is far from perfect. Back in November the government was defeated as the House of Lords narrowly backed an amendment demanding a review of telecoms firms that other members of the Five Eyes intelligence alliance have outlawed on security grounds.
However, as the IISS has highlighted, the UK’s expertise could be outweighed by the security risks arising from its heavy reliance on foreign manufacture for “much of the equipment underpinning its telecommunications, from microchips to communications switches”.
The UK’s relatively lax regulatory regime when it comes to foreign direct investment also means there has virtually been no distinction between foreign and domestic investors, including when it comes to tech. While this has contributed to a flourishing of international trade, it has also brought security into question. The most recent notable incident of course being the government U-turn on permitting Chinese-state-backed corporation Huawei to invest in the development of 5g infrastructure.
The passing of the National Security and Investment Act earlier this month means the business secretary now has the authority to review business transactions if it is suspected that they could be a risk to national security. However, the Act’s failure to pin down a useful definition of ‘a threat to national security’ means we do not yet know if it will take account of acknowledged cyberthreats.
The government may enjoy discussing its plans for injecting cash into the burgeoning tech industry, and talking tough when it comes to authoritarian regimes, but it is clear that a shift in attitudes will be just as critical as an uptick in funding.
As it stands, the UK is well-equipped to vastly improve its cyber defences. It continues to display many world-class strengths in its cyber-security ecosystem, despite lacking the human capital and more limited budgets than the US or China. Properly channelled, this investment could provide the country with a vastly superior cyber-security defence by 2025. But, to defend itself to the best of its abilities, the country must confront the difficult business of untangling itself from corporations linked to actors actively involved in cyber warfare against its government’s interests.