CYBER SECURITY AND RESILIENCE – UK GOVERNMENT STRATEGY
By Yvonne Headington
02 May 11. Cyber security has emerged as a key concern for the UK’s National Security. The 2010 National Security Risk Assessment (NSRA) identified the threat as a Tier One Priority Risk, with military, security, economic and social implications.
The Government has developed a number of initiatives for articulating the threat and for meeting the challenge, including the launch of a National Cyber Security Programme. However, issues remain in areas such as co-ordination of effort, legal and doctrinal questions as well as compliance and reporting regimes; these may (or may not) be addressed by a new Cyber Security Strategy due to be published during May 2011.
Background
The UK’s first National Security Strategy (NSS), published in 2008, recognised the threats to cyberspace through terrorist, criminal and state-sponsored activities. A separate Cyber Security Strategy was produced in 2009, establishing an Office of Cyber Security (now the Office of Cyber Security and Information Assurance (OCSIA)) within the Cabinet Office and a Cyber Security Operations Centre (CSOC) based at the Government Communications Headquarters (GCHQ).
Further initiatives on countering the risks from cyberspace were detailed in the Strategic Defence and Security Review (SDSR), published alongside a new NSS in October 2010. These include:
* The launch of a ‘transformative’ National Cyber Security Programme (NCSP), funded by £650m new investment over four years.
* Establishment of a UK Defence Cyber Operations Group (DCOG) within the Ministry of Defence (MoD).
* A Cyber Security Challenge aimed at improving national cyber security skills (and to broaden awareness of the threat).
These measures are to be developed and brought together in the forthcoming Cyber Security Strategy document.
Government Responsibilities
Captain Ian McGhie (Deputy Director, Office of Cyber Security in the Cabinet Office) spoke during the recent Counter Terror Expo at London’s Olympia (19-20 Apr 11). Captain McGhie spoke of a “new cyber dawn” with cyberspace issues “very much at the top of [the Government’s] agenda”.
Policy co-ordination is led by the OCSIA within the Cabinet Office. The OCSIA also works with the Office of the Government Chief Information Officer (OGCIO) to ensure the resilience and security of Government information and communications structures (such as the Public Sector Network (PSN) and G-cloud).
As part of GCHQ, the CSOC provides analysis of developments in cyberspace in order to enhance strategic decision-making and to ensure that information is distributed to Government, industry, international partners and the public. McGhie commented that GCHQ would be looking to “improve their real time understanding of the threat and be more agile in their response to incidents”. The Communications-Electronics Security Group (CESG), part of GCHQ, provides the national technical authority on information assurance (IA).
Advice and support on security threats (including cyber) is provided by the Centre for the Protection of National Infrastructure (CPNI). The CPNI is set to extend its advisory service beyond traditional critical sectors (such as energy supply and transport) to include other industries like those involved in the life sciences and advanced manufacturing.
The Home Office is due to produce a Cyber Crime Strategy shortly. However, that strategy is likely to remain “flexible” until the planned National Crime Agency (due to be in place in 2013) takes shape. Other Ministries, such as HM Treasury and the Department for Business, Innovation and Skills (BIS), will have roles to play in ensuring the application of cyber measures within their sectors. Within BIS, for instance, a Cyber Infrastructure Team is to be established with responsibility for delivering regulatory oversight for industry.
Security Issues
According to the Director GCHQ, Iain Lobban,