Can the new National Cyber Strategy make the UK a security leader?

Are the UK’s latest plans to develop the country’s cyber capabilities sufficient to deal with the latest digital threats?
Cybersecurity cover illo

An imminent cyber attack is an inevitability. Research by cybersecurity firm Trend Micro shows that more than three-quarters of global organisations expect to be successfully hacked in the next 12 months.

Changes to the way we work have increased the likelihood of cybersecurity breaches. Remote working and cloud computing are highlighted as two of the most high-risk factors. The current geopolitical climate is another significant factor. The Five Eyes intelligence alliance warned recently of increased malicious cyber activity from Russia, since the invasion of Ukraine. 

The revelation that details of UK government employees appeared on Russian sites makes the success of the UK government’s recently revised cybersecurity strategy even more crucial to secure the country and businesses within it.

In January, the UK government’s National Cyber Strategy set out its three-year vision to improve the country’s digital resilience. It focuses on five pillars: strengthening the cyber ecosystem, improving resilience, developing new technologies, international influence and countering threats. It lays out plans to expand the existing approach of 2016 to 2021, with the ambition of making the UK a global leader in cyber. 

Dan Patefield is head of the cyber and national security programme at TechUK. He believes the National Cyber Strategy continues “the robust leadership” the UK government has taken across the cyber domain over the past decade. “The UK has built strong foundations, enabling the industry to strengthen its cyber resilience in the face of the ever-growing threat landscape,” he says.

One of the key differences between the previous strategy and the revised one is the onus it places on the whole of society to improve the country’s cyber capabilities. Although it is a government-led strategy, there is a much greater emphasis on the responsibility of the private sector and citizens to manage cyber risks.

As Chancellor of the Duchy of Lancaster, Steve Barclay’s responsibilities include oversight of the Cabinet Office’s cyber security remit. At the strategy’s launch, he said: “The new National Cyber Strategy sets out a clear vision for building cyber expertise in all parts of the country, strengthening our offensive and defensive capabilities and ensuring the whole of society plays its part in the UK’s cyber future.”

This change in tack is one that David Woodfine, managing director of Cyber Security Associates, welcomes. “People mistakenly think cyber is all about technology,” he says. “But it isn’t. Cybersecurity involves people, processes, culture and society. By focusing on the cyber ecosystem of the UK, we’re not just relying on the big technology companies to protect us, we’re encouraging everyone to be more cyber secure and improve awareness.” 

Ransomware is malware that targets individuals and is “the most significant cyber threat” facing the UK, warned the National Cyber Security Centre in its 2021 review. Similarly, Verizon’s 2021 Data Breach Investigations Report showed that 85% of attacks involved a human element, highlighting the need for greater education in cybersecurity across the board and justifying the National Cyber Strategy’s society-wide approach.

By focusing on the cyber ecosystem of the UK, we’re not just relying on the big technology companies to protect us, we’re encouraging everyone to be more cyber secure

Woodfine was involved in the development of earlier iterations of the UK’s national cybersecurity strategies when he was at the Ministry of Defence. He says: “In some regards, people are our weakest points in cyber defence. But if we get it right, people can equally be our strongest defence mechanism.”

There is also an emphasis on resilience throughout the new strategy. Dayne Turbitt is senior vice president and UK general manager of Dell Technologies, which worked closely with the UK government to help devise its cyber strategy. He thinks resilience is “critical”. 

The foreword of the strategy references the importance of using technology suppliers that share the UK’s values. This provides an opening for UK-based technology companies to work across the country’s critical national infrastructure. “It gives a great opportunity for us here in the UK to serve our customers and help them through their cyber strategy,” he says.

Another important pillar of the new strategy is strengthening the UK’s cyber ecosystem, citing the need for a more “diverse and technically skilled workforce” to create a more internationally competitive sector. Currently, more than half (53%) of the UK’s 1,838 cyber security firms are registered in London and the South East, employ 45% of the country’s cyber professionals and account for 91% of external investment. To address this regional imbalance, cyber clusters – 12 government-funded organisations located across the length and breadth of the UK – are being instructed to strengthen their links between local business and academia and to encourage greater collaboration across the UK.

As chair of Gloucester’s Cyber Tech group, Woodfine has seen how closer interactions between schools, universities and businesses can improve pathways for people to get into the cyber industry. 

“The strategy provides a good building block but what I would like to see now is a more concrete plan,” Woodfine says. “We can see the strategies and the plan for the next 36 months but as a business owner, I’d like to know how I can influence it and understand how we’re going to protect the UK digital infrastructure of the future.”

There is also an emphasis on improving education and skills in this area. There has long been a digital skills gap in the UK; Turbitt describes cyber talent as “rare as hen’s teeth”.

The strategy document promises to “expand the nation’s cyber skills at every level” but there are few details on how this can be achieved, beyond upskilling teachers and encouraging more young people to take up cyber. 

“Arguably, the government hasn’t done enough to increase the take-up of STEM subjects. But it isn’t just the responsibility of the government,” he says. “It’s the responsibility of industry, in partnership with the government, to figure out how we address this and any spotlight on this topic is a great thing.” 

As an initial document, there seems to be wide agreement that the National Cyber Strategy addresses many of the key challenges currently facing the sector. Turbitt believes that it’s now up to the private sector to “step into the breach”. 

“What will follow from this is investment of public money in these areas, and it will then be beholden to UK industry to work within that framework to go and execute it,” he adds.