On 7 November 2016, RUSI hosted a Roundtable event to discuss the UK National Cyber Security Strategy which had been launched the previous week.
The event was co-chaired by Paddy McGuinness, the Deputy National Security Adviser (Intelligence, Security and Resilience), and Ewan Lawson, Senior Research Fellow at RUSI. The event was attended by senior individuals from the British Government, academia and the private sector and was part of an ongoing series of events held at RUSI to explore the Public-Private Relationship in cyber security. Discussion was held under the ‘Chatham House Rule’ and so the following summary contains no direct attribution to individuals.
Overall, those present welcomed the publication of the Strategy and were impressed by its clarity, recognising that much of the document is actually an implementation plan. Indeed, in addition to introductory notes and an executive summary, the Strategy is delivered in three main parts: a context-setting piece, the key points of the strategy and then the implementation plan. As the discussion at the roundtable did not follow a fixed agenda, this structure of the Strategy will be used as the framework for this report.
In considering the context, it was agreed that the Strategy accurately identifies the main sources of threat, including ‘script kiddies’, hacktivists, criminals, terrorists and states. However, there is a tendency for some incidents to be blamed immediately on big, powerful state actors, as this gives organisations an excuse that there is nothing they can do in the face of such a challenge. It was suggested that some 80% of malicious activity would be stopped by basic cyber hygiene such as patching and improving awareness amongst the public, and that if this was achieved, it would then be possible to focus on the truly high-tech adversaries. Over the five-year life of the Strategy, it was recognised that disruptive technologies were likely to be introduced and there would need to be constant adjustment of the desired outcomes identified in its Annex 3. It was suggested that this would be a key role for the newly created National Cyber Security Centre (NCSC).
The key thrust of the Strategy towards greater direct public sector engagement was broadly welcomed, although it was recognised that the Government is by choice broadly non-interventionist. There was a sense from some of the industry partners that HMG could be more joined up and that at present there are many ‘touch-points’ for cyber security issues across a number of Departments. Once again, it was suggested that the NCSC should provide this focal point in the future, whilst the Departments would retain their necessary policy-making functions. To achieve this, it would need to speak both publicly and clearly on issues as they arise.
However, the majority of the discussion, perhaps unsurprisingly, focused on implementation of the Strategy. Aside from the need to maintain momentum over the 5-year life of the Strategy, there was considerable discussion about how to support the different sectors of the economy. There was a sense that large companies were reasonably well placed, or at least moving in a positive direction, with regard to their own cyber security. However, concern was expressed about both SMEs and the ‘big middle’ businesses. In both cases there was a need to move them along a path from awareness through understanding and acceptance to commitment. It was felt that SMEs needed encouragement to do at least the cheap or free activities, like patching and improving cyber hygiene, and that Cyber Essentials still had a role to play, albeit adoption was not currently as high as might be hoped. It was also felt that there was a role for encouragement through the supply chain, with the bigger businesses supporting those who supply them. It was further suggested that opportunities could be identified for partnerships and collaboration to further the agenda, and the potential of organisations such as trade associations and chambers of commerce was highlighted.
Whilst there was still some scepticism about regulation and standardisation, it is expected that the Government will adopt the General Data Protection Regulation. This will place responsibilities on businesses to secure data, with substantial fines in place for those who suffer data breaches as a consequence of their failings. It was felt that this, along with the burgeoning cyber insurance market, had a significant role to play in driving up cyber hygiene standards. The Government’s commitment to Active Cyber Defence (ACD), which is emphasised in the Strategy, was also identified as key to helping business in a very practical way by seeking to stop threats before they enter UK networks. This concept has apparently resonated internationally but will need to demonstrate practical outcomes.
In summary, those involved with the Roundtable were broadly supportive of the HMG approach as evidenced through the Strategy. The main concern was how to ensure that momentum is maintained towards delivery of the desired outcomes through the life of the Strategy when HMG has so many other difficult challenges over that period. This will only be achieved through an effective public-private relationship.
This event was in support of the Cabinet Office launch of the UK National Cyber Security Strategy.