UK: Government publishes its first Government Cyber Security Strategy

The government has launched its first ‘Government Cyber Security Strategy – Building a Cyber Resilient Public Sector’ (“Strategy”), outlining how central government and the public sector will ensure that public services can function in the face of growing cyber threats. The Strategy aims to ‘step up the country’s cyber resilience by better sharing data, expertise and capabilities’. This Strategy follows the recent publication of the National Cyber Security Strategy, which sets out the government’s aim to establish the UK as “a democratic and responsible cyber power”.

Summary of key takeaways:

  • The Strategy outlines two strategic pillars. The first pillar is to “build a strong foundation of organisational cyber security resilience”. The second is to ‘defend as one’, which aims to implement a more comprehensive and joined-up response by government, sharing cyber security data, expertise and capabilities across its organisations.
  • The government recognises that there is a “significant gap” in relation to its cyber resilience, apparent from the volume of cyber-attacks that the government sector experiences. The Strategy sets out the government’s vision to ensure that core government functions are resilient to cyber-attack by 2025, with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030.
  • The Strategy sets out the adoption of the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). The purpose of the CAF is to set out an industry standard to ensure that government is assessing its cyber resilience in a consistent and comparable way to other organisations that operate the UK’s essential services. Government organisations’ assessment of cyber resilience against the relevant CAF profile will be verified by independent auditors. As well as providing an objective assessment of government cyber resilience, independent auditing will highlight critical areas for improvement.
  • The government will establish a cyber coordination centre (GCCC) to coordinate operational cyber security efforts across government organisations. The GCCC will aim to foster partnerships and share cyber security data and threat intelligence rapidly, to identify, investigate, and coordinate the response to incidents on public sector systems, alongside threat and vulnerability reporting.
  • The government will develop a cross-government vulnerability reporting service, which will allow security researchers and members of the public to report issues they identify with public sector digital services. The aim of this is to enable organisations to fix any issues identified more quickly.
  • The Strategy recognises that without comprehensive visibility of government’s IT, digital and data assets, as well as users, cyber security risks go unrecognised and unmanaged. The Strategy requires all government organisations to have an active and automated asset discovery and management method in place. In addition to IT assets, government organisations must also understand what data assets they handle, how they are stored or hosted, and where they are shared, so they can adequately assess the risks they present and ensure that sufficient protections are put in place to manage them. The government is also developing security schedules to support government organisations in requesting proportionate cyber security measures in government contracts.
  • The Strategy recognises the importance of cultivating a cyber security culture and the government will therefore aim to improve cyber security awareness and knowledge across all public sector workers.

Please get in touch with any member of the UK data protection team if you have any questions.