The new National Cyber Strategy was published on 15th December 2022 as a part of an ongoing effort to ensure that the United Kingdom continues to protect, promote and progress with the growth of technology.
The UK government has committed to spending £22 billion on research and development and putting technology at the heart of its plans for national security. The strategy includes making the public sector more resilient to cyber-attacks and protecting citizens' personal data. Overall, the government is working to ensure that cyberspace is a reliable and resilient place for people and businesses to flourish.
In this blog, we've looked at the strategy's aims, summarised the key points and looked at what the National Cyber Strategy means for you.
Jump ahead to read about:
Background & Aims of the Strategy
The UK acknowledges that the increasing connectivity and decreasing costs of technology have led to progress and innovation but also increased complexity and risk of cyber attacks. Therefore, the country aims to become a leading responsible and democratic cyber power by 2030 by taking advantage of cyberspace opportunities while mitigating risks, promoting national interests such as a more secure and resilient nation, and adopting a whole-of-society approach.
To achieve this vision, five strategic goals have been identified, each aimed at strengthening a dimension of cyber power and collectively enhancing the ability to maintain a cyberspace that reflects national values and interests. These goals are intended to be mutually reinforcing. Part 2 of the plan outlines the specific actions that will be taken under each of the five goals until 2025.
The pillars are:
-
Strengthening the UK cyber ecosystem
-
Building a resilient and prosperous digital UK
-
Taking the lead in the technologies vital to cyber power
-
Advancing UK global leadership and influence for a more secure, prosperous and open international order
-
Detecting, disrupting and deterring our adversaries to enhance UK security in and through cyberspace.
This new strategy will largely rely on the existing approach, but will aim to strengthen, broaden, or modify efforts as required, building on the previous National Cyber Security Strategy (2016-2021). The main differences are:
-
A commitment to keeping the UK at the cutting edge on cyber.
-
A more comprehensive National Cyber Strategy.
-
A whole-of-society effort - this approach will enable more effective collaboration with UK partners and globally.
-
A more proactive approach to fostering and protecting our competitive advantage in the technologies critical to cyberspace.
-
Boosting efforts to enhance cybersecurity. The government will invest a larger amount than ever before in the rapid and comprehensive modernisation of its cybersecurity, establishing explicit criteria for departments and addressing outdated IT systems. By 2025, critical government functions will be considerably fortified against cyberattacks, and all government organisations will be subjected to strict cybersecurity measures.
-
Conduct more cohesive and persistent campaigns to obstruct and discourage our adversaries while safeguarding and advancing the UK's interests in cyberspace. These campaigns will employ a broader array of diplomatic, policy, and operational tools across the government.
Key definitions:
The Strategy uses key terms and definitions:
Cyberspace - Cyberspace is a shared space with a unique experience for each person. Individuals use it to access bank accounts and stream films, while businesses use it to connect staff with resources. Governments use online portals to provide public services and cyber professionals work with the technology behind it. Cyberspace is used in different ways and for different purposes by various groups, and its usage is growing. Cyberspace has three layers: virtual, logical, and physical. The virtual layer is where people and organizations have a virtual identity in a shared virtual space. The logical layer is made up of code and data, and it can't function without the physical layer, which includes all the hardware and electromagnetic spectrum used for transmitting data. The physical layer ranges from home routers and hubs to complex telecommunications systems run by tech giants.
Cyberpower - The UK's cyber strategy centres around the concept of cyber power, defined as a state's ability to protect and promote its interests through cyberspace. The UK Cyber Strategy has defined these dimensions through 5 pillars: people, cyber security and resilience, technical and industrial capabilities, global influence and relationships, and the ability to take action through cyberspace. Cyber power differs from traditional power in its seamless blending of hard and soft capabilities, more distributed nature, and the need to work with partners.
Cyber resilience - Cyber resilience refers to an organisation's ability to prepare for, respond to, and recover from cyber threats or attacks. It involves having systems and processes in place to detect and prevent attacks, as well as strategies to minimize the impact of a successful attack and to recover from it. It includes measures such as regular backups, training employees on cybersecurity best practices, monitoring for potential threats, and having a response plan in place.
Roles & responsibilities:
Citizens - the strategy aims to reduce the burden of cyber security on citizens, but individuals still have a vital role to play such as taking steps to improve the security of their digital and physical assets. Charities and other civil society organizations play a crucial role in providing targeted support, advice, and raising awareness about cyber risks to vulnerable groups, to help individuals understand and protect themselves from these risks.
Businesses & Organisations - the strategy emphasises that they have a responsibility to manage their cyber risks, become cyber resilient and support their customers, with the NCSC (National Cyber Security Centre) and the ICO (Information Commissioner's Office) providing advice to businesses and organizations on their cyber security obligations. The UK cyber security sector has a critical role in responding to emerging cyber threats, and the government will support its growth and partnerships with academia, technical communities, and the private sector. Major technology companies also have a responsibility to ensure a secure environment for UK businesses and organisations to operate in.
Government - the UK government has a unique position to understand and counter sophisticated cyber threats, set national standards, and enforce the law. They also have a responsibility to advise and inform citizens, businesses, and organizations about how to protect themselves online. Devolved governments in Northern Ireland, Scotland, and Wales are also responsible for developing their own cyber strategies and plans, aligning them with the UK government's strategy to ensure coordination and cooperation across the UK.
Implementation
The Strategy outlines in detail how it intends to implement these 5 core pillars through a series of objectives for each pillar.
Pillar 1: UK Cyber Ecosystem
Objective 1 - 'Strengthen the structures, partnerships and networks necessary to support a whole-of-society approach to cyber.'
The UK government aims to take a collaborative approach to cyber power by nurturing and harnessing talent across the UK and working with the public sector, industry, and academia. They plan to establish a National Cyber Advisory Board and build more integrated and effective regional cyber networks across the UK to support sectoral growth and business resilience. These actions aim to strengthen the government's existing relationships with its stakeholders and the digital and technology sectors.
Objective 2 - 'Enhance and expand the nation’s cyber skills at every level, including through a world class and diverse cyber security profession that inspires and equips future talent.'
The UK's cybersecurity strategy includes a focus on developing a sustained and diverse supply of highly-skilled individuals for the cyber workforce. The government plans to increase the number of people with the necessary skills, establish a recognised and structured cybersecurity profession, promote diversity in the workforce, inspire and support young people to follow a technology pathway through education and upskill teachers. The government also aims to identify, recruit, train and retain cybersecurity professionals, particularly within the public sector, law enforcement, defence and security, including the National Cyber Force.
Objective 3 - 'Foster the growth of a sustainable, innovative and internationally competitive cyber and information security sector, delivering quality products and services, which meet the needs of government and the wider economy.'
The UK plans to support a vibrant cyber sector to enhance its national cyber power and drive digital growth and exports. The plan includes helping cyber businesses access new markets, increasing early-stage investment, levelling up the cyber economy outside of London, and increasing the number of companies offering independently verified quality standards for their cyber security technologies, products, and services. The UK also plans to establish the National Cyber Innovation Centre, a comprehensive directory of NCSC accredited providers, and the permanent headquarters of the NCF in Samlesbury, in the North West of England, to support innovators and entrepreneurs outside of London and the South East.
Pillar 2: Cyber Resilience
Objective 1 - 'Improve the understanding of cyber risk to drive more effective action on cyber security and resilience.'
The UK plans to partner with businesses and organisations to improve collective understanding of cyber risk and prioritisation. They aim to achieve this by 2025 through several outcomes, including updating the nation's understanding of cyber risk, adopting the NCSC's Cyber Assessment Framework, improving cross-cutting risk identification, and increasing adoption across Critical National Infrastructure sectors. The government will also share more research and data on cyber attacks.
Objective 2 - 'Prevent and resist cyber attacks more effectively by improving management of cyber risk within UK organisations, and providing greater protection to citizens.'
The UK's cybersecurity approach involves organisations taking responsibility for managing their own cyber risk, with the government working with industry to reduce risk at scale. The aim is to reduce harm, expand Active Cyber Defence measures, and establish the public sector as a cybersecurity best practice by 2030. The government plans to improve critical national infrastructure cybersecurity and incentivise businesses to manage cyber risks proactively through legislation and market incentives, with further details in the Cyber Security Regulation and Incentives Review.
Objective 3 - 'Strengthen resilience at national and organisational level to prepare for, respond to and recover from cyber attacks.'
By 2025, the government aims to improve its strategic management and coordination of the response to nationally significant cyber incidents, make it easier to report cyber incidents and ensure victims receive better support, and help UK government and Critical National Infrastructure (CNI) operators find the cyber exercising and incident management services they need from the marketplace. The government will set out clear requirements for exercising and testing or adversary simulation across CNI operators, establish a national laboratory for operational technology security, and improve access to training and exercising for businesses and organisations.
Pillar 3: Technology Advantage
Objective 1 - 'Improve our ability to anticipate, assess and act on the science and technology developments most vital to our cyber power.'
The UK government's goal is to gain a competitive advantage in cyber-related technologies by prioritizing national effort, expanding research capabilities, and utilising external expertise to understand new and developing science and technology. By 2025, the government aims to have a better understanding of science and technology advancements, inform decision-making, and take a proactive approach to exploit opportunities and mitigate risks.
Objective 2 - 'Foster and sustain sovereign and allied advantage in the security of technologies critical to cyberspace.'
The UK government plans to develop its domestic industrial base in key areas of cyber technology to establish a competitive advantage and maintain a truly sovereign capability. They aim to stimulate innovation and R&D in collaboration with industry and academia and achieve outcomes such as translating research into innovation, building secure microprocessors, establishing a national laboratory for operational technology security, and protecting UK innovation and intellectual property. The government will invest in resources and expertise to provide technical leadership on the security of critical cyber technologies and prevent the theft of data and intellectual property.
Objective 2a - 'Preserve a robust and resilient national Crypt-Key enterprise which meets the needs of HMG customers, our partners and allies, and has appropriately mitigated our most significant risks including the threat from our most capable of adversaries'.
The UK government relies on Crypt-Key for protecting critical information and services from adversaries and aims to maintain its world-leading position by investing in skills and technologies, with the goal of achieving a more resilient and secure Crypt-Key enterprise by 2025.
Objective 3 - 'Secure the next generation of connected technologies, mitigating the cyber security risks of dependence on global markets and ensuring UK users have access to trustworthy and diverse supply.'
The UK government plans to embed computing power, internet connectivity, and automation into physical objects and infrastructure while ensuring security and resilience are at the forefront of decision-making, including implementing minimum security standards for consumer connectable products, requiring major providers of digital services to follow better cyber security standards, and identifying emerging technology applications that have potential cyber risks.
Objective 4 - 'Work with the multistakeholder community to shape the development of global digital technical standards in the priority areas that matter most for upholding our democratic values, ensuring our cyber security, and advancing UK strategic interests through science and technology.'
The UK aims to achieve more inclusive and effective global digital technical standards by 2025. The UK plans to increase multistakeholder participation, shape standards with democratic values, cyber security considerations, and UK research and innovation, and use strategic coordination mechanisms to promote standards that enable innovation and growth.
Pillar 4: Global Leadership
Objective 1 - 'Strengthen the cyber security and resilience of international partners and increase collective action to disrupt and deter adversaries.'
The UK plans to reduce cyber threats by improving the capabilities and resilience of international partners, prioritising cyber capacity building in specific regions, investing in law enforcement and defence expertise, protecting critical international supply chains and infrastructure, and building civil society organisations' capacity. They will also develop an international cyber hygiene campaign, enhance diplomatic engagement, and support NATO's cyber security capabilities to create a stronger international alliance that can impose more significant consequences on cyber threat actors.
Objective 2 - 'Shape global governance to promote a free, open, peaceful and secure cyberspace.'
The UK will work with allies to ensure that international cyberspace rules and frameworks align with democratic values, promote global economic growth and security, and take a proactive approach to shaping cyberspace governance frameworks. They will engage with organisations and promote the Budapest Convention on cybercrime, and support countries in building legal and strategic communications expertise, exposing irresponsible use of cyber capabilities, demonstrate an open and transparent approach to their use of offensive cyber capabilities, and address challenges in cyberspace.
Objective 3 - 'Leverage and export UK cyber capabilities and expertise to boost our strategic advantage and promote our broader foreign policy and prosperity interests.'
The UK plans to integrate its cyber capabilities with other sources of national power to promote foreign policy and prosperity goals. By 2025, the UK aims to enhance global stability, protect democratic systems, and champion human rights in cyberspace. The UK plans to invest in its network of cyber officers and use strategic communications to promote UK research collaboration and academic exchange programs. The UK also aims to maintain its position as one of the top three global exporters of cyber solutions and cyber expertise by developing a new Cyber Capability Campaign Office to provide structured support to major export campaigns.
Pillar 5: Countering Threats
Objective 1 - 'Detect, investigate and share information on state, criminal and other malicious cyber actors and activities in order to protect the UK, its interests and its citizens.'
The UK government aims to increase investments in intelligence agencies and law enforcement to combat cyber threats from state, criminal, and other actors. They plan to enhance law enforcement's capabilities, invest in the National Crime Agency's cyber intelligence capability, and build up the skills and capabilities of law enforcement. The NCSC will expand initiatives to build communities of network defenders and investigate the use of machine learning to detect cyber attacks.
Objective 2 - 'Deter and disrupt state, criminal and other malicious cyber actors and activities against the UK, its interests, and its citizens.'
By 2025, the UK aims to deter cyber criminals from targeting the country by implementing sustained deterrence campaigns using various capabilities such as diplomatic, economic, and covert levers. They plan to divert potential cyber criminals through initiatives, such as the Cyber Choices program. The UK will provide law enforcement and intelligence agencies with the necessary tools and powers, update legislation, and introduce new offences to address state threats.
Objective 3 - 'Take action in and through cyberspace to support our national security and the prevention and detection of serious crime.'
The UK plans to increase cyber capabilities to deter non-cyber threats by developing the National Cyber Force (NCF), conducting responsible offensive cyber operations, and enhancing law enforcement technical capabilities. They aim to integrate cyber capabilities across defence operations to maintain a competitive edge and collaborate with allies and partners.
What does this all mean for you?
For suppliers:
The UK government will invest £2.6 billion in cyber and legacy IT over the next three years, including a £114 million increase in the National Cyber Security Programme. The investment also includes delivering international programs to assist partner countries in building their cyber resilience and counter cyber threats. Additionally, there will be increases in investment in R&D, intelligence, defence, innovation, infrastructure, and skills to contribute to the UK's cyber power.
Showing that you understand the aims of this strategy and are on board with the ideals within it could make you a more favourable supplier when bidding for cyber-related contracts, as it shows that you are in-tune with the government's broader strategic priorities.
The UK government aims to ensure the country has the cyber skills and infrastructure necessary to advance British interests globally and secure the UK's cyberspace. The strategy has two key planks: strengthening national capabilities in critical technologies and limiting reliance on individual suppliers or technologies from regimes that do not share UK values. This will create opportunities for suppliers to do more business with government by providing these skills. The skills gap is not a new phenomenon in this area but has yet to be solved - if the governemnt introduces this strategy's aims as they have set out, the skills gap will increase.
The UK government emphasises the importance of the cyber security sector and plans to strengthen partnerships with academia, the technical community, and the private sector to capitalise on the country's expertise - this is will contract the need for new contracts thus creating more opportunities for suppliers to work with government.
You can find out more about how to do more business with government in our new webinar "learn how to scale your business with government".
For Local Government:
The UK government's cyber strategy includes plans to ensure that all public sector organisations, including local government, are resilient to cyber threats. The Department for Levelling Up, Housing and Communities (DLUHC) will be responsible for assessing and driving improvements in cyber security for councils in England. The strategy proposes adopting the Cyber Assessment Framework (CAF) as the assurance framework for the government and aims to significantly harden critical functions against cyber-attack by 2025, with all public sector organisations being resilient to known vulnerabilities and attack methods by 2030.
The government aims to establish effective risk management processes and proportionate security measures, informed by understanding risk. The strategy also sets out plans to monitor systems and networks to detect cyber security events before they become incidents and to swiftly contain and assess any incidents that do occur. The government will also develop the necessary cyber security skills, knowledge, and culture to achieve the strategy's vision.
You can find out more about what the National Cyber Strategy means for Local Government on the Local Government Association website here.
For SMEs:
The COVID-19 pandemic forced SMEs to adapt to digital transformation and remote working, but also exposed them to cyber security risks. With limited budgets and cyber-skills, SMEs need to take action to secure their business against growing cyber threats.
The National Cyber Security Centre’s Suspicious Email Reporting Service received almost 6 million reports last year, leading to the removal of 53,000 scams and 96,500 URLs but still 39% of businesses reported cyber security breaches within the last 12 months. On average, the cost of cyber-attacks was £4,200 for SMEs.
The National Cyber Resilience Centres are focused on strengthening national cyber resilience and providing support to SMEs and the charity sector. The London Cyber Resilience Centre (LCRC) offers free services to small businesses to help with cyber resilience, including access to risk information, free tools such as "cyber-essentials" and "exercise in a box", which allows organizations to test and practice their response to cyber-attacks.
This strategy plans to support SMEs through a new Export Faculty (an online learning and development hub for SMEs in the defence and security sector) and develop a new Cyber Capability Campaign Office to provide more structured and coordinated support to SMEs through the Cyber Growth Partnership and other efforts outlined in the UK Cyber Ecosystem chapter (Pillar 1).
Pillar 3, objective 4 will enable SMEs further. The development and deployment of global digital technical standards can impact cyber security, economic prosperity, and norms and values. Historically, those with the most market power shaped these standards, and important stakeholders such as SMEs, academics, and other experts faced barriers to entry. The National Cyber Strategy will change this.
The Future
The UK government's cyber strategy is meant to guide action for those interested in the country's national cyber effort, not just those in government. The aim is to start a conversation to ensure the objectives and priorities remain relevant in the next five to ten years.
The UK's cyber power strategy aims to promote a free, open, peaceful, and secure cyberspace and work with like-minded countries to pursue a responsible and democratic approach. The strategy prioritises the safety and security of citizens and businesses, upholds an open and interoperable internet, takes lawful and proportionate use of cyber capabilities, fights criminal use of cyberspace, and promotes an inclusive approach to debates about the future of cyberspace and digital technology.
It is important to keep this strategy, and its aims, in your mind whilst drafting cyber-related bids, as government will be looking out for suppliers who will help them to achieve their cyber aims.
Keep your eyes peeled for new opportunities to work with government in the public sector cyber market and watch out for further government documentation & advice on how to prevent and respond to cyber threats to your company and on a national level.
*
With the National Cyber Strategy creating so many more opportunities within the public sector market, you don't want to miss out on new opportunities - Tussell can help you with this. Book a personalised demo of the platform now to uncover the insights our data provides and how it can help you do more business with government.