An Examination of the National Cyber Security Strategy: Part 1
For anyone in the United Kingdom, or anyone interested in cyber (take a drink) matters affecting the UK, the latest National Cyber Security Strategy (NCSS) was published in November, covering 2016 to 2021. The strategy sets out the government’s current posture, the cyber threats it perceives, its plans to address them and a set of metrics for measuring progress. Through this series of posts, I would like to examine the NCSS, expand on the points it makes and later discuss the plans and metrics the document proposes. Please be aware that any comments made are my personal opinion and I hope to engage in discussion wherever we might disagree.
Foreword and Preface
The strategy is endorsed by Philip Hammond and Ben Gummer, Chancellor of the Exchequer and Paymaster General respectively. Given that the strategy already contains quotes from experts such as Ciaran Martin, Director General for Cyber Security of GCHQ, I am disappointed to see no such endorsement from a government expert or an independent expert in the field.
Hammond recognises that the nation’s prosperity is increasingly dependent upon technology, data and networking, three areas that between them cover everything within the digital space. Our dependence on the Internet is well established, with the Office for National Statistics showing that 82% of adults use it daily.
Noting the increasing frequency and sophistication of cyber attacks, the NCSS aims to improve the UK’s security posture with a multifaceted approach covering critical infrastructure, deterrence and £1.9 billion of funding through to 2021. Encouragingly, Hammond appears to understand the futility of attempting to prevent all attacks and instead considers the value of raising the cost of an attack. Hammond ends by recognising the state’s privileged position to influence the private sector and education, an acknowledgement that the strategy later emphasises as one of the means by which the government plans to improve cyber security.
“Cyber skills need to reach into every profession.” — The Rt Hon Philip Hammond MP, Chancellor of the Exchequer
Gummer discusses the need to keep the nation safe and deliver a “competent government”. The most valuable point from Gummer, however, is that the government will monitor success and report annually on what has been achieved.
As a brief overview of the document, 13 major points are outlined:
1. The government must improve its resilience to threats, and society must be equipped with the knowledge and power to manage risks. (Perhaps the government could improve its own resistance to attack first, given the vast swathes of data it holds.)
2. The government believes the country is increasingly dependent on the Internet and states that the Internet is inherently insecure; there will always be attempts to exploit weaknesses. (Yet why does the government push bills that further reduce the security and increase the cost of the Internet?)
3. The 2011 NCSS provided a good foundation, but the government must take a more involved position in advancing cyber security. (This is the most exciting of the summary points; it is fantastic to see the government recognise areas of its previous initiative that need improvement.)
4. The 2021 vision is “The UK is secure and resilient to cyber threats, prosperous and confident in the digital world”. (While it is easy to criticise this vision, we must remember that preparing for inevitable attacks is not about stopping every one of them but about deterring the attacker, minimising the damage caused and responding in a meaningful and efficient manner.)
5. To achieve this vision, the government will follow three objectives:
   a. Defend against evolving threats and respond effectively to incidents, ensuring protection and resilience.
   b. Deter attacks by proactively investigating and disrupting malicious actors. The government will have the ability to respond in cyberspace should it choose to.
   c. Develop an innovative cyber security industry backed by research. The government will promote and encourage new talent in order to produce a pipeline of security practitioners.
6. The government will pursue international action to develop suitable codes of conduct. By strengthening relationships with international partners (NSA, NATO) it will aim to improve security and deliver “clear messages about consequences to adversaries who threaten to harm our interests, or those of our allies, in cyberspace”. (It is encouraging to see the government recognising the value of cooperation despite current politics, though it will be interesting to see how the Brexit negotiations affect this.)
7. The government will take a hands-on approach over the next five years in order to reach these goals. (As with the third point, this responds to the finding that the hands-off approach of the 2011 strategy did not work as effectively as expected.)
8. The government will seek to apply basic security to the whole country, including IP filtering and actively blocking malicious activity. (While the document does not discuss how this will be achieved, these measures are likely to piggyback on the existing blocking of pornography, and given the rate at which Internet Service Providers (ISPs) fulfil court orders this is likely to fall flat.)
9. The government has created the National Cyber Security Centre (NCSC) to be the authority on the UK cyber environment. (Clearly intended to have an influence similar to that of NIST in the US, this could create a lot of value but will largely depend on governmental support.)
10. The government will further improve the Armed Forces, ensuring resilience and that strong defences are in place should they be needed. The Cyber Security Operations Centre will work with the NCSC to ensure the military can assist in the case of a significant cyber attack. (Depending on the Brexit negotiations, this could see large support from ENISA, especially its Cyber Crisis Management good practices and possibly the Cyber Exercises Platform.)
11. The government will have the means to respond to cyber attacks in the same way as any other attack, using whatever means possible, including an offensive capability. (This could raise some ethical and legal questions, some of which were considered at Davos 2015 after banks called for the ability to actively defend themselves.)
12. The government will invest in education, from schools to universities and the workforce. A pair of centres to drive development will also be launched, and an additional £165 million will be allocated to procurement. (The government has already made progress in this area: according to the 2016 report on the previous strategy, students are educated in areas of cyber security from age 11. As a student, I’m hopeful to see how graduate education will be improved through funding or deeper industrial partnerships.)
13. The government will invest £1.9 billion over the next five years to “significantly” transform the UK’s cyber security.