Last week the government revealed the National Cyber Security Strategy. In this document the government set out their agenda, along with the priorities and objectives that will direct policy, partnership and procurement for the next five years. This is the second such strategy that the government has come out with (the previous coming in 2011) and while elements between the two strategies remain constant there are a number of divergences from the previous strategy and over twice as much money to achieve its objectives given the continued status as a tier 1 security threat and the expanding role of government as outlined in the strategy (£860m between 2011-2016 rising to £1.9bn between 2016-2021). The strategy itself is broken down under a number of different headings each with important implications for the future direction of the UK’s approach to securing cyberspace. Below I outline the main sections within the report and offer some reflections on the government’s new direction.
The Strategic Context
The implications of rapid technological change are acknowledged at an early stage within the strategy and in fact the pace of this change is deemed to have accelerated markedly since the publication of the previous 2011 strategy. For the government this means a reminder to all that while such developments have ‘offered increasing opportunities for economic and social development’ (p. 17) they come hand-in-hand with issues of reliance and dependency upon the very same technologies and networks. Where there is reliance and dependency questions of vulnerability soon follow and the government outlines 6 predominant threatening actors: cyber-criminals, states and state sponsored groups, terrorist, hacktivists, insiders and script kiddies (less skilled individuals who use readily available programmes made by others).
The government’s assessment places cyber-criminals and states/state-sponsored groups at the top of the threat agenda while correctly recognising that actors such as terrorists, hacktivists and script kiddies have to date operated in a way that is best described as disruptive as opposed to genuinely destructive. Interestingly, where the 2011 strategy had no mention of the ‘insider threat’ the 2016 version identifies and highlights the security implications of those who have privileged access to systems and can cause damage (be it physical, financial or reputational) through either malicious or inadvertent action. While the threat of the insider is not exclusive to cyberspace it has been the topic of academic discussion in this context for at least the last 15 years (Cilluffo and Pattak, 2000; Hamin, 2000; Esen, 2002) and is presumably an acknowledgement by the government that malicious actors in cyberspace are not all externally positioned states, terrorists or criminals.
The National Response
In light of the strategic context that the strategy identifies the government introduces a threefold “defend, deter and develop” approach that seeks to respond to the breadth of the challenge facing the nation. Two elements that underpin this response are of particular note here: the need to conduct the strategy in accordance with a range of different principles and a commitment to push forward with the strategy in collaboration with other actors and institutions.
The first of these two elements refers to the government’s commitment to ensure that their strategy operates in accordance with principles such as national and international law, a rigorous promotion and protection of ‘core values’ (democracy, rule of law, liberty, etc.) and the perseverance and protection of privacy among many others (pp. 25 - 26). The commitment to these principles will likely be the focus of intense scrutiny over the next five years, especially given recent rulings such as those by the Investigatory Powers Tribunal over the security services’ operation of an ‘illegal regime’ in its collection of vast amounts of communication data (Travis, 2016).
The second element of national response reflects the government’s belief that this is not a strategy that it has to or indeed should be championing and implementing on its own. The strategy remarks how in 2011 the focus was on promoting cybersecurity primarily through the market but accepts that this approach had not brought change fast enough. Nevertheless, this has not prompted an about-turn that sees cybersecurity becoming consumed by the government but instead the strategy states that, ‘securing the national cyberspace will require a collective effort’; one that includes individuals, businesses, government, market forces and the intelligence community (pp. 24-28). Through newly created institutions such as the National Cyber Security Centre the government hopes to build genuine and effective partnership between the different parities it has identified as necessary partners in ensuring the nation’s cyber defence.
Achieving genuine collaboration internationally both across the public and private sector as well as educating the national population and the workforce on issues of cyber‑hygiene continues to prove difficult given different ideas around governance internationally and different priorities between the public and private sector. Focus will be on the ‘expanded role for the government’ to assess the extent to which it can achieve collaboration and education.
Implementing the Strategy: Defend, Deter and Develop
In implementing this strategy the government has set itself the goal of achieving a UK that is ‘secure and resilient to cyber threats’ by 2021 (p. 25). The first aspect of this is defence, and accepting that while ‘it will never be possible to stop every cyber-attack’ (p. 33) it is nevertheless possible to develop layers of defence that significantly reduce the UK’s exposure to cyberattacks. The UK should be far more difficult to attack and its networks, data and systems resilient. Deterrence is about increasing the cost and reducing the benefits of any attack on the UK. The UK should be a ‘hard target’ and the nation will have the means to respond effectively to attacks be it via international law, the criminal justice system or offensive cyber means of its own. Finally development refers to the drive to expand the cybersecurity industry and cultivate the necessary skills within our society to ensure the UK keeps pace with cyber-threats. This is a longer term aim with the government accepting that assessing success will require a longer timeframe than the next 5 years, for example, to ensure that cybersecurity is taught effectively and that more young people enter the profession.
This National Cyber Security Strategy 2016-2021 is a wide ranging and ambitious document that looks to respond to a diverse range of perceived threats and the various different stakeholders and interests that require attention. The government has set out clear objectives and looked to ensure that these objectives are measurable against a set of metrics that will provide a good benchmark for progress on cybersecurity over the course of the next five years. In a time of austerity cybersecurity has managed to secure £1.9bn of public money and it is of paramount importance therefore that these resources are distributed in a manner that offers good value for money and that serves the public interest.
The government has identified that doing this will require investment in defensive means, offensive means, and developing the necessary skills to keep pace with a domain that is rapidly transforming. Pursuing some of these will necessarily require secrecy on the part of the state but it remains integral that throughout the process of rolling out the strategy that the aforementioned principles of privacy, liberty and the rule of law etc. are front and centre and that the balance does not become skewed towards more offensive means ahead of securing public data and improving cyber-literacy. A long term approach to improve the security of networks and data needs to accept that collaboration, communication, diplomacy and the development and cultivation of expertise will be vital.
Dr Andrew Whiting is a lecturer in Security Studies at Birmingham City University and a member of the Cyberterrorism Project. You can follow him on Twitter @CTProject_AW.
Cilluffo, F. J. & Pattak, P. B. (2000) ‘Cyber threats: Ten issues for consideration’, Georgetown Journal of International Affairs, 1(1), pp. 41-50.
Esen, R. (2002) ‘Cybercrime a growing problem’, The Journal of Criminal Law, 66(3), pp. 269‑283.
Travis, A. (2016) ‘UK security agencies unlawfully collected data for 17 years, court rules’, The Guardian (17 October 2016), available at: https://www.theguardian.com/world/2016/oct/17/uk-security-agencies-unlawfully-collected-data-for-decade, accessed 10 November 2016.
Zaiton, H. (2000) ‘Insider Cyber-Threats: Problems and Perspectives’, International Review of Law, Computers & Technology, 14(1), pp. 105-113.