New UK ‘Cyber Security Strategy’ focuses on building a cyber-resilient public sector

The U.K. government announced Tuesday its initial ‘Cyber Security Strategy’ to step up Britain’s defense and resilience and set out the path for the government’s approach to building a cyber-resilient public sector. The move will work towards strengthening Britain’s public services to further protect them from the risk of being shut down by hostile cyber threats.

“To achieve its vision the strategy pursues a central aim – for government’s critical functions to be significantly hardened to cyber attack by 2025, with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030,” the U.K. government revealed in a document titled ‘Government Cyber Security Strategy – Building a cyber resilient public sector.’

Data released by the U.K. government said that of the 777 incidents managed by the National Cyber Security Centre (NCSC) between September 2020 and August 2021, around 40 percent were aimed at the public sector. NCSC is the U.K.’s technical authority on cybersecurity.

To achieve its vision the Cyber Security Strategy pursues a central aim – for the government’s critical functions to be significantly hardened to cyberattacks by 2025, with all government organizations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030, the document added.

“This commitment is reflected in the 2021 Comprehensive Spending Review, with £2.6 billion being invested in cyber and legacy IT, of which government cyber security is a critical component,” Steve Barclay, chancellor of the Duchy of Lancaster and Minister for the Cabinet Office, wrote in his message in the published document. “£37.8 million of additional funding is also being invested to tackle cyber security challenges facing local councils to protect vital services and data, alongside targeted investment in our most critical departments,” he added.

“We need this bold and ambitious strategy to ensure that government’s critical functions are significantly hardened to cyber attacks,” Vincent Devine, Government Chief Security Officer, said in a media statement. “The strategy is centred around two core pillars, the first focussing on building a strong foundation of organisational cyber security resilience; and the second aimed at allowing government to ‘defend as one’, harnessing the value of sharing data, expertise and capabilities,” he added.

The Cyber Security Strategy will include government cyber security assurance, giving the government the visibility it needs to make effective decisions and the confidence that appropriate cyber security measures are in place to manage the risks to its functions. Focusing on an organization’s most important functions, including critical national infrastructure, will provide an objective way of assessing whether an organization’s cyber security assessment and its management of cyber security risk are proportionate and within accepted risk tolerances.

“This assurance process will be further verified and augmented through real world testing and exercising, such as penetration testing and red teaming. Outcomes of assurance activities will be machine readable wherever possible, facilitating automated analysis of the impact on cyber security,” the document added.

The government will adopt the Cyber Assessment Framework (CAF) as the assurance framework for the public sector. The CAF was developed by the NCSC and represents an industry standard already used by operators of essential services under the network and information systems regulations, as well as more widely across the private sector, including critical national infrastructure (CNI) sectors.

The Cyber Security Strategy said that while the CAF will be used as the framework to provide consistent cyber security assurance of government departments, individual departments may continue to use whatever framework they feel is most appropriate to best enable them to manage their cyber security risks. Prominent cyber security frameworks, such as the National Institute of Standards and Technology (NIST) cyber security framework and ISO 27001, are consistent with the CAF, ensuring that assurance reporting requirements do not disturb mature internal cyber security risk management structures and processes, it added.

The strategy also proposed setting up a Government Cyber Coordination Centre (GCCC) to better coordinate cyber security efforts across the public sector. Other announcements included a new cross-government vulnerability reporting service and stepped-up work to understand the growing risk from the supply chains of commercially provided products used in government systems, ensuring that security is a key part of procurement and working with industry on cyber vulnerabilities.

The move by the U.K. government comes at the same time as the issuance of a memo from the U.S. Department of Homeland Security (DHS) to critical infrastructure operators and local governments, warning of potential cyberattacks launched by the Russian government. The guidance comes in the midst of rising tensions between the U.S. and Russia over Ukraine.
