The UK has lost its top spot in the International Telecommunication Union’s (ITU) Global Cybersecurity Index to the US. While both countries have improved their cybersecurity capabilities since the previous version of the index, weaknesses in the UK’s security criteria for selecting systems prevented it from achieving a perfect score.
How good is the UK at cybersecurity?
The ITU Global Cybersecurity Index was introduced in 2015 to help UN member states identify areas of improvement in five pillars of cybersecurity: legal, technical, organisational, and operational measures, plus capacity development. The UK achieved a perfect score of 20 in four out of the five categories but missed out in the 'technical measures' segment by less than 0.5 points. The US scored 20 in all five categories.
The 'technical measures' category assesses the "existence of technical institutions and framework[s] dealing with cybersecurity" within a country. "Countries... need to build and install accepted minimum-security criteria and accreditation schemes for software applications and systems," the ITU's report explains. "These efforts need to be complemented by the implementation of a national body dealing with cyber incidents, an authoritative government entity and a national framework to watch, warn, and respond to incidents."
What are the UK's cybersecurity weaknesses?
The ITU report does not give detailed explanations for each country's score, but another recent study suggests where the UK's technical measures may have fallen down.
In its assessment of the 'cyber power' of 15 leading economies, global security think tank the International Institute for Strategic Studies (IISS) highlights that "the UK relies to a considerable extent on foreign manufacture of much of the equipment underpinning its telecommunications, from microchips to communications switches".
While Huawei has prompted the most concern in security circles, IISS notes that the UK applies greater scrutiny to the Chinese telecommunications equipment provider than any other foreign-owned supplier. "Huawei’s involvement (right down to the coding) is closely monitored by the UK government at a facility in the town of Banbury," it explains. "Other foreign suppliers used across the network include Cisco, Ericsson, Fujitsu, Nokia and Siena, with no equivalent oversight."
This fact reflects the openness of the UK's inward investment regime, the IISS notes: "There is no inward foreign direct investment regulatory regime in the UK and there is no policy distinction between foreign and domestic investors".
Applying greater restrictions could improve the UK's security posture – and its influence over digital infrastructure standards. "The UK’s weaker position in the global market for network infrastructure compared with the US or China means it has less influence in shaping the physical infrastructure of global cyberspace." The IISS ranks the UK in the second tier of global 'cyber powers'.
This tightening is already underway. The Telecommunications (Security) Bill, currently working its way through parliament, will require telcos to "identify and reduce the risks of security compromises" and allows the government to issue codes of practice and secondary legislation to ensure the security of the UK's telecommunications supply chain.
In the US, meanwhile, Joe Biden has made cybersecurity a policy priority for his presidency. His 2021 budget includes $18.1bn in cybersecurity funding to protect government systems and citizens. Separately, the bipartisan USA Telecommunications Act provides "over $1bn to invest in Western-based alternatives to Chinese equipment providers Huawei and ZTE".