The UK’s long-awaited National Cyber Security Strategy (NCSS) 2016 to 2021 was released this month after a delay due to Britain’s EU referendum and change in government. What does it say and what does it leave unanswered?
The NCSS is a substantial document of more than 80 pages. However, the strategy itself arguably occupies only four of those pages. The rest of the document comprises introductory messages from the Chancellor Philip Hammond and Cabinet Office Minister Ben Gummer, together with a useful description of the strategic context and an implementation plan, which between them make up around half of the content.
Some of the issues described were previously highlighted in the 2015 National Security Strategy to which this document is subordinate. Perhaps the most significant of these is the headline cyber security budget of £1.9 billion, which was originally promised despite the absence of a detailed plan or strategy. So is the NCSS simply a bit of detail to explain expenditure already allocated or is it novel and substantial?
The document has to be commended for being particularly accessible despite its length and complex topic. The strategic context effectively identifies the key threats, such as cyber criminals, states, terrorists, hacktivists and ‘script kiddies’ (a person who uses existing computer scripts or codes to hack into computers, while lacking the expertise to write their own). It then provides some useful illustrative case studies of some of these threats, as well as identifying some key vulnerabilities. These include the sheer range of connected devices, the lack of ‘cyber hygiene’, the shortage of sufficient skills, enduring legacy systems and the increasing availability of hacking tools.
While the document highlights the fact that the most skilled threat actors are constantly evolving to exploit these vulnerabilities, it could perhaps have noted the way in which these categories actually blur. The same individual may engage in malicious activity as a hacktivist one day, steal money from a bank the next and on another occasion act (perhaps unknowingly) for a state, having been recruited through the ‘dark web’. This blurring of roles and functions is important, as it makes it harder to determine whether a given malicious act in cyberspace is a matter for law enforcement or a larger national security problem.
The implementation plan contained in the document is also clear, being structured through the alliterative use of the three ‘Ds’ – ‘Defend, Deter and Develop’ – while also recognising the importance of international action in underpinning these efforts. The plan recognises the way that these three Ds support each other, with the development of a world-class workforce essential to the delivery of effective defence which, in turn, will deter malicious actors from attacking British citizens, businesses or the public sector.
One of the more interesting ideas is labelled ‘Active Cyber Defence’ – the commercial practice of proactively identifying threats and then implementing measures to defend against them before they materialise. In the NCSS document, the government has indicated its intent to expand this principle to the ‘entire UK cyberspace’ through the integration of activities conducted by the Communications Service Providers with support from GCHQ, the newly-established National Cyber Security Centre and others.
Indeed, the document goes further and indicates that government agencies will enhance their capabilities to disrupt serious state and criminal cyber activity that targets the UK. This more overtly aggressive posture was reflected in the announcement at a recent RUSI conference by Secretary of State for Defence Sir Michael Fallon that the UK had taken offensive action in cyberspace to disrupt the activities of Daesh (also known as the Islamic State of Iraq and Syria, ISIS or IS).
In contrast to the three Ds, the section on international action in the NCSS paper is disappointingly brief. This is perhaps understandable, however, given that the implications of Britain’s future links with the EU remain unclear, as does the relationship the UK will have with the bloc on cyber security.
The strategy itself, ‘Our National Response’, sets out a clear vision: that by 2021 the UK will be ‘secure and resilient to cyber threats; prosperous and confident in the digital world’. It then lays out how the government believes it can best achieve that and the roles to be played by individuals, businesses and organisations.
However, perhaps the most significant element is the recognition that the previous strategy’s reliance on the market to drive change and improve cyber security has not worked out as intended, and that the government will need to ‘set the pace in meeting the country’s national cyber security needs’.
While the NCSS seeks to emphasise that the market-led approach has delivered significant achievements, it recognises that the market is currently not valuing cyber risk appropriately and thus cyber security is not being given sufficient priority. It can be argued that this in turn contributes to the relatively poor levels of ‘cyber hygiene’ displayed by the public.
As well as highlighting a willingness to invest in improving the national level of cyber security, the NCSS document also contains an explicit threat that, should the business and corporate sector not take the investment decisions required to improve cyber security, ministers will be forced to introduce regulation. This marks a step change from the previous strategy.
Overall, the NCSS represents an invaluable statement of the government’s intention to keep the UK at the forefront of developments in cyber security. It is based on a sound understanding of the scale and urgency of the threat faced, and identifies a number of key approaches to delivering a cyber secure nation. British ministers have been bold in emphasising the need for a more interventionist approach – although, as always in this field, the devil will be not only in the detail, but also in the delivery.
Great hopes are being placed on the National Cyber Security Centre, but this will take time to establish itself and clarify the boundaries of its activities, since cyber security responsibilities remain split across a number of government departments. It is also important to recognise that the nature of the public–private relationship in cyber security remains unclear – an issue that RUSI’s research will be returning to in the coming months.