Government Cyber Security Strategy - Policy brief

This brief gives a quick overview of the Cabinet Office's Government Cyber Security Strategy: 2022 to 2030 and what it means for local government.


Context

The government remains an attractive target for a broad range of cyber criminals, with approximately 40% of the 777 incidents managed by the NCSC between September 2020 and August 2021 affecting the public sector.

The Integrated Review of Security, Defence, Development and Foreign Policy and the National Cyber Strategy set out the government’s ambition to firmly establish the UK as a democratic and responsible cyber power. The government believes this depends on domestic cyber resilience, which ensures all public sector organisations are resilient to cyber threats.

What does this mean for local government?

This strategy considers all public sector organisations but recognises the breadth, complexity, and varying degrees of autonomy of these organisations, particularly those beyond central government. Therefore, the strategy sees lead government departments as best placed to understand the unique characteristics of the organisations within their purview.

For councils in England, this means that the Department for Levelling Up, Housing and Communities (DLUHC) will be responsible for assessing and articulating local government's cyber security and driving improvements as necessary.

An important transformational proposal within the strategy is that Government will adopt the Cyber Assessment Framework (CAF) as the assurance framework for the government. The aim is to ensure that the government assesses its cyber resilience consistently and comparably. This assurance process will be a requirement for government departments. It will be for lead government departments to adapt and apply such an approach appropriately for individual sectors.

DLUHC are now working with a small cohort of councils to explore how local authorities should use the National Cyber Security Centre’s (NCSC) CAF to assess and improve their cyber resilience. Alongside this, they have laid out their long-term plans to support councils.

Objectives:

  • The Government Cyber Security Strategy: 2022 to 2030 explains how the government will ensure that all public sector organisations are resilient to cyber threats. 
  • The central aim is for the government’s critical functions to be significantly hardened to cyber-attack by 2025, with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030. This includes local government.

Summary

To achieve this vision and aim, this strategy centres around two core and complementary strategic pillars which define and drive the government’s approach to cyber resilience.

Build a strong foundation of organisational cyber security resilience: 

Centres on ensuring that government organisations have the suitable structures, mechanisms, tools, and support to manage their cyber security risks.

‘Defend as one’: 

Recognises that the scale and pace of the threat demand a more comprehensive and joined-up response. To respond to this, the government will establish a Cyber Coordination Centre. Central to this will be forming strong partnerships across government to transform how cyber security data and threat intelligence are used.

Objectives

The two strategic pillars are supported by a set of objectives providing a consistent framework and common language that can be applied across the whole of government.

Manage cyber security risk:

The government aims to establish effective risk management processes, governance, and accountability to enable the identification, assessment, and management of cyber security risks. This involves:

  • Building visibility and understanding of the government’s digital assets, the data it handles, and the risk emanating from commercial suppliers
  • Setting out plans for understanding threats, information sharing, assurance, the private sector, and international partnerships.  

Protecting against cyber-attacks:

This involves adopting proportionate security measures informed by understanding risk. The strategy discusses a ‘secure by design’ framework for the government which includes:

  • Cementing the discipline of embedding cyber security into digital systems and services at every step of their lifecycle
  • Continuing to develop and scale up shared capabilities, tools and services to tackle ‘common’ cyber security issues at scale, explicitly focusing investment in the National Cyber Security Centre’s Active Cyber Defence capabilities, which include free tools already available to councils
  • Updating the Security Classifications Policy to ensure government data is classified appropriately and is shared in a risk-appropriate way.

Detecting cyber events:

To respond to the changing threat landscape, the government has comprehensive detection capabilities to identify emerging risks so they can be managed. As such, the strategy sets out plans to monitor systems, networks, and services to detect cyber security events before they become incidents. This involves enhancing shared detection capabilities to provide detection at scale across the government.

Minimising the impact of cyber incidents:

The strategy states that even with robust protection and detection measures, the government will be impacted by cyber security incidents. It therefore sets out ambitions to ensure cyber security incidents are swiftly contained and assessed, enabling rapid response across the government. This includes providing organisational and cross-government cyber security incident response plans which set out:

  • How the government will respond to an incident to minimise its impact
  • How lessons will be learnt from cyber incidents to drive improvements in the government’s cyber security.

Government will develop the right cyber security skills, knowledge, and culture:

The government believes that achieving this strategy’s vision will not be possible without appropriately skilled people, including those working in technical, policy and procedure, risk management, and leadership roles. Therefore, the strategy sets out plans to build a skilled and knowledgeable workforce. This includes providing a framework for broader public sector organisations to understand and manage their cyber security skills requirement.