Government launches its own cyber security strategy

Published
25/01/2022

HMG has launched the first ever Government Cyber Security Strategy. The Strategy, which builds on the National Cyber Strategy, aims to make core Government functions more resilient to cyber attack.

As part of its aspiration to be an exemplar of best practice in cyber security, the UK Government has published its own Government Cyber Security Strategy to set out how this might be achieved.

The Government Cyber Security Strategy builds on the National Cyber Strategy, which was launched last month, and aims to ensure that core government functions – from the delivery of public services to the operation of National Security apparatus and critical national infrastructure – are more resilient to cyber-attack, strengthening the UK as a sovereign nation and cementing its authority as a democratic and responsible cyber power.

Government remains an attractive target for a broad range of malicious cyber actors. Indeed, of the 777 incidents managed by the National Cyber Security Centre (NCSC) between 2020 and 2021, around 40% were aimed at the public sector. We also know that adversaries are increasingly capable, and a broad range of actors now have access to capabilities which, not so long ago, would have been the preserve of nation states. But while the threats are growing in severity and scale, techUK believes that the UK is well placed, as an international leader in cyber, to implement the ambition outlined in this strategy and ensure Government strengthens resilience.

Key Objectives

The Government Cyber Security Strategy (the Strategy) follows the overarching strategic objectives as set out in the Integrated Review (UK Defence & NS Posture) and the National Cyber Strategy (UK approach to Cyber Domain) by outlining the UK Government’s approach to cyber across its own estate.

The Strategy is centred around two key pillars, which complement one another; they are:

(1) Build a strong foundation of organisational cyber security resilience – Government will introduce Cyber Security Standards aligned with the Cyber Assessment Framework (the CAF) in order to be able to look at risk through the same lens across Government – learning from the journey the NIS Directive has taken our CNI providers on, while also recognising the need to tailor it for the Government estate.

A new, more detailed assurance regime will be established for the whole of Government. This will include robust assessment of departmental plans and vulnerabilities and give Central Government a detailed picture of Government’s cyber health for the first time. A new vulnerability reporting service will also be established to allow individuals to report weaknesses in digital services, alongside an accelerated work programme to manage the growing risk from the supply chains of commercially provided products in Government systems.

(2) Defend ‘as one’ – The Strategy recognises that the scale of threat demands a more comprehensive and joined-up response, and that this coordination can produce a defensive force disproportionately more powerful than the sum of its parts. Government will establish a Government Cyber Security Coordination Centre (GCSCC), which will work to better coordinate operational cyber security efforts, transforming how cyber security data and threat intelligence are shared, consumed and actioned across Government.

Underpinning the Strategy’s two pillars are 5 key strategic objectives:

  1. To manage cyber security risk, with Government organisations able to identify, assess and understand those risks.
  2. To protect against cyber-attack, with the protective stance of Government organisations linked to assessment and management of risk.
  3. To detect cyber security events before they critically impact Government functions and services.
  4. To minimise the impact of cyber security incidents, allowing the Government to be fully prepared and able to respond with minimal disruption.
  5. To develop the right cyber security skills, knowledge and culture as part of driving continuous improvement.

The Strategy makes clear that Government relies on its partnership with industry to strengthen its cyber resilience, as do all organisations across the public and private sectors. It is vital, therefore, that Government and industry continue to collaborate, given the fundamental role the private sector plays across all parts of the UK in protecting organisations and citizens alike.

It is also important that Government continues the work it’s started around the Government Cyber Security Profession, ensuring this aligns with the wider efforts detailed in the National Cyber Strategy.

Chancellor of the Duchy of Lancaster, The Rt Hon Steve Barclay MP, said:

“This is an ambitious but necessary strategy that demands action across all of government. We must meet our responsibility to ensure that government’s functions and services are resilient to the cyber threats they face - creating a stronger, better-defended government that is the foundation of our status as a cyber power.”

Read the full report here: Government Cyber Security Strategy