UK launches cyberstrategy with long-term relevance
2019-05-23T16:00:13
ID MSSECURE:864F9FFF41F9530C2C2C6898F9D13737 Type mssecure Reporter Todd VanderArk Modified 2019-05-23T16:00:13
Description
Like most major global economies, the United Kingdom continues to place cybersecurity issues front and center. The National Cyber Security Strategy: 2016-2021 document, published by the UK Government and released nearly two years ago, describes the plan to make the UK secure and resilient in cyberspace. It’s the most frequently referenced document and project in any cybersecurity discussion. After two years, and with recent updates, it’s worthwhile to revisit the document to assess its importance in securing digital transformation across the UK’s economy. Moreover, the National Security Capability Review (NSCR) March 2018 update to the National Cyber Security Strategy makes a review all the more timely, as the 80-page document is well written, thorough, and still useful and relevant. The cyberstrategy’s core pillars (defend, deter, and develop) are described in detail and address a wide array of important topics, including education, international cooperation, and public-private collaboration.
Specifically, the cybersecurity document does an excellent job in the following areas:
Insider threats—This type of threat is highlighted throughout the document, something that is not always emphasized sufficiently. For example, “Insider threats remain a cyber risk to organizations in the UK. Malicious insiders, who are trusted employees of an organization and have access to critical systems and data, pose the greatest threat.” We continue to hear about this problem from customers in nearly all industries and in all countries. This bold statement makes it clear that this problem is front and center for the UK strategy, as it should be.
Public incidents—It’s refreshing to see major incidents that impact companies and organizations in the UK highlighted rather than hidden from public view. The document includes several incidents, such as the 2015 TalkTalk breach, and the 2016 attack on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment system in Bangladesh, the Philippines, and the Ukrainian power grid incident. While these incidents did not all occur on UK soil or directly to UK organizations, their impact was still felt in the UK.
Diversity and inclusion—The UK is committed to increasing diversity while also addressing its cybersecurity skills shortage. The document states emphatically that “we will address the gender imbalance in cyber-focused professions, and reach people from more diverse backgrounds to make sure we are drawing from the widest available talent pool.” The need is so critical that cybersecurity has become known as a wonderful field for younger professionals to embark on a new career, even if it is not something that is well-known.
Public-private collaboration—Cybersecurity is a “team sport” and working together across private and public sectors is essential. Openly admitting this and accepting government responsibility is a key tenet of this strategy, described as, “Government has a clear leadership role, but we will also foster a wider commercial ecosystem, recognizing where industry can innovate faster than us.” The document also states, “We will set out more clearly the respective roles of government and industry, including how these might evolve over time.”
As we look at other areas that the strategy may wish to consider expanding into or elaborating upon in the coming years, three specific areas come to mind:
Links to money laundering and terrorist financing—While the initial 2016 version did not mention how the flow of money impacts and funds cybercrime, the NSCR March 2018 update did, with three specific references to money laundering and terrorist financing, explaining, “We will take a whole-of-government approach including with the Devolved Administrations to tackle serious and organized crime and publish an updated Serious and Organized Crime Strategy in 2018.” It also stated, “We remain a leading player in developing and applying economic sanctions [… and will] … continue using sanctions smartly to deliver national security outcomes after we have left the EU.”
Returning military veterans—Whether it be from armed conflicts or peace-keeping missions or other such activities, one way the UK could shrink the gap in cybersecurity skills would be to help military veterans transition into this field. The strategy states, “This skills gap represents a national vulnerability that must be resolved.” To that end, there are multiple paths that other countries have pursued that could be applied here.
Cloud computing—The terms “cloud” and “cloud computing” are not mentioned in the original 2016 strategy document or in the NSCR March 2018 update. Cloud-based security offerings are a mainstay of any cybersecurity strategy and bring with them enormous benefits, speed, operational efficiencies, and more.
Looking ahead, it is inspiring to see that in the NSCR March 2018 update to the National Cyber Security Strategy there is a real commitment to maintaining the course with the original 2016 strategy. The 2018 update states quite openly that “the NSCR cyber project confirms that our overarching strategic objectives still stand” and “We will continue to implement the National Cyber Security Strategy and ensure it keeps pace with the threat.”
Clearly the UK will stay the course with its original cybersecurity strategy with additional changes and enhancements. Moreover, with all eyes on the UK transition out of the EU, it’s important to demonstrate to the world community that cybersecurity strategy can not only exist but in fact can thrive even amid a massive overhaul in international geopolitics.
The post UK launches cyberstrategy with long-term relevance (https://www.microsoft.com/security/blog/2019/05/23/uk-cyberstrategy-long-term-relevance/) appeared first on Microsoft Security.