The UK government has released a new cybersecurity strategy for public sector bodies, focused on organisational cyber resilience and the sharing of data and expertise. Though this open approach has been praised by some in the security community as pioneering, others fear issues of interoperability and data privacy may arise.
The new strategy, released on Tuesday by the Cabinet Office, is part of a £2.6bn investment in cybersecurity and legacy IT announced in the 2021 spending review, with an additional £37.8m now being allocated to help local authorities beef up their security provisions. Of the 777 incidents managed by the National Cyber Security Centre (NCSC) between September 2020 and August 2021, approximately 40% were aimed at the public sector. The new strategy aims to help cut this number.
UK public sector cyber security strategy: ‘defending as one’
The strategy is structured around two pillars. The first is building organisational cyber resilience, helping public sector organisations to put in place the right structures, tools, mechanisms and support for managing their cybersecurity risk. Steve Barclay, Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office, notes in the strategy that the government cannot continue to dismiss cyberattacks as “one-offs”, stating: “This is a growing trend – one whose pace shows no sign of slowing.”
The second pillar is focused on the idea of ‘defending as one’, presenting an interdepartmental, data, expertise and information-sharing approach to shoring up governmental cyber resilience.
Underpinning this approach will be the Government Cyber Coordination Centre (GCCC), built on private sector models such as the Financial Sector Cyber Collaboration Centre. “The GCCC will foster partnerships to rapidly investigate and coordinate the response to incidents,” states the strategy. “Ensuring that such data can be rapidly shared, consumed and actioned will dramatically improve the government’s ability to ‘defend as one’.”
But this approach must also extend to coordination with the private sector, argues Dan Patefield, head of the Cyber and National Security programme at techUK. “This ‘defend as one’ approach needs to extend beyond just the public sector and continue to involve industry for it to remain viable,” Patefield says. “Only together will levels of resilience improve and cybersecurity threats become more manageable.” He adds: “The cybersecurity threat we face is so significant and complex that individual public sector bodies will struggle to face the challenges alone.”
Patefield says the government already utilises private sector expertise as part of its cyber defence strategy, and Whitehall now hopes to extend this culture of data and information sharing overseas. “Sharing knowledge and expertise with international allies will increase collective ability to understand and defend against common adversaries, in turn strengthening collective and global cyber resilience,” the strategy says.
This kind of international approach makes sense, says David Carroll, managing director of Nominet Cyber. “In an increasingly complex landscape where governments, businesses and society must react to understand the risks we face, we are pleased ‘defend as one’ will be central to the Government’s approach,” he says.
The security challenges of more data sharing
While a more fluid data-sharing approach could help different government departments unify their cybersecurity approaches, it also brings substantial risk. It could present “a major privacy issue,” says Raj Sharma, founder of cybersecurity consultancy Cyberpulse. “There are privacy enhancement techniques when sharing data across different departments,” Sharma explains. “But I think there is definitely a lot of work that has to be done in that area.”
Streamlining and standardising data will be an important challenge if information is to be shared between organisations, Sharma adds. “Every organisation has a different way of onboarding data, a different system, different legacy systems, which will all want data in different formats,” he warns.
Automation and the UK public sector cybersecurity strategy
Automation is at the heart of the new UK public sector cyber security strategy. It outlines plans to automatically generate threat information and analysis, as well as sharing data and “tackling cyberattacks that impact government systems” autonomously.
This approach will work, Sharma says, as long as there are humans at every step to monitor it. Automated decision making “doesn’t mean the making of a decision”, he argues. Rather it is there to “provide alternatives” to help human analysts. “These tools cannot completely replace trained staff,” Sharma says. “Somebody should be there to make sense of them.”