New Strategy Funds UK Public Services' Cyber ResilienceGovernment Cyber Coordination Center Being Established to Boost Information Sharing
U.K. local authorities are to receive 37.8 million pounds from the government to boost cyber resilience in essential public services and data in sectors such as housing benefits, voter registration, electoral management, school grants and the provision of social care. The move is part of the U.K.'s first Cyber Security Strategy, which was announced Tuesday as part of an over 2-billion-pound program of government investment in cyber, retiring legacy IT systems and stepping up skills and coordination.
Is It Enough?
While industry players broadly welcomed the move, Andrew Kays, CEO at security firm Socura, tells Information Security Media Group, "I would question whether 37.8 million pounds is enough to help local authorities improve cyber resilience, given their current level of resources and the threats they face. It may prove to be a drop in the ocean, but at 2 billion pounds, the investment overall is a significant sum."
A Government Cyber Coordination Center is also being established as part of the new strategy. Based in the Cabinet Office, the GCCC is tasked with rapidly identifying, investigating and coordinating the government’s response to attacks on public sector systems, and managing how data and cyber intelligence is shared by defenders. In addition, a new cross-government vulnerability reporting service is intended to enable security researchers and members of the public to easily report any issues with public sector digital services.
The new program will also work to understand the growing risk from the supply chains of commercially provided products in government systems.
Vincent Devine, government chief security officer, said in an official statement: "The strategy is centered around two core pillars, the first focusing on building a strong foundation of organizational cybersecurity resilience, and the second aimed at allowing government to "defend as one," harnessing the value of sharing data, expertise and capabilities."
Again, the moves are welcomed, but there were caveats regarding resources. Dr. Süleyman Özarslan, co-founder at security firm Picus Security, tells ISMG that while "defend as one" is a noble aim, "It’s no good improving knowledge sharing if councils aren’t also in a position to apply intelligence and take swift, defensive actions. The public sector increasingly needs to shift its approach from being reactive to proactive." He says that while it's important to improve collaboration and vulnerability disclosure across the sector, "we cannot pretend that we have not seen similar announcements before."
Kays adds that the formation of the GCCC and its "defend as one" approach are likely to result in improvements in how information and support are shared across public services. But he says: "How this is implemented is pivotal. Cybersecurity relies on fast action and response to protect services when they are under threat. Sadly, most governments are slow, weighed down by bureaucracy, and do not excel when it comes to quick information sharing and decision making."
Özarslan says: "Improving security in the public sector is a tough nut to crack and is only becoming harder as more urban centers become increasingly connected and authorities face funding pressures. It will take time for the 'defend as one' approach to be implemented since collaboration at this scale can be challenging and take time to obtain buy-in. For it to be a success, all organizations must participate."
UK Is Highly Targeted
While making the announcement, U.K. Cabinet Minister Steve Barclay, chancellor of the Duchy of Lancaster, highlighted the upsurge in attacks in recent years, which he said had made Britain third on the list of countries most targeted by hostile states in cyberspace.
Barclay said that some 40% of the 777 incidents managed by the National Cyber Security Center between September 2020 and August 2021 were aimed at the public sector. For example, in 2020, both the Redcar and Cleveland and Hackney councils were hit by ransomware attacks affecting council tax, benefits and housing waiting lists, and the Gloucester City Council fell victim to a cyberattack in 2021.
Transforming Intelligence Sharing
Julian David, chief executive officer at techUK, says: “The announcement of the Government Cyber Security Coordination Center will enable better coordination across government cybersecurity efforts, transforming how intelligence is shared, consumed and actioned. The adoption of the Cyber Assessment Framework across government, learning lessons from the rollout of the NIS Directive and recognizing the need to tailor it for the government estate, will enable a proactive and proportionate approach to managing cyber risk."
Unsurprisingly for the head of an industry umbrella group, David went on to highlight how the strategy recognizes the important role industry already plays in protecting government and said that "techUK looks forward to engaging with Cabinet Office to further unite public and private sectors to 'defend as one' - both in terms of technological capability and in developing the skills we need to instill cyber resilience across the whole of the U.K."
Last month, the U.K. National Cyber Security Strategy was introduced. It calls on all parts of society to play their part in reinforcing the U.K.’s economic strengths in cyberspace, through more diversity in the workforce, leveling up the cyber sector across all U.K. regions, expanding offensive and defensive cyber capabilities and prioritizing cybersecurity in the workplace, boardrooms and digital supply chains.