Government departments should measure themselves against rigorous, evidence-based cybersecurity standards, the UK’s national academy of science has said.
In a report on cybersecurity, the Royal Society set out a number of recommendations for government to improve the UK’s resilience to cyber threats and increase public trust.
It said that the UK needed to “reinforce and build on [its] strong digital foundations”, but that in order to do so it needed to create a “trustworthy, resilient and self-improving digital environment”.
The society said that this resilient digital environment would need to be governed by “institutions that are transparent, expert and have a clear and widely-understood remit”.
One step towards this, it said, was to create a kitemark or certification mark for digital products and services, so that consumers can judge their trustworthiness.
This should be accompanied by stronger, evidence-based standards for cybersecurity, which all publicly listed companies and public bodies – including government departments – should be measured against.
There should also be better review processes for evaluating privacy presentation methods, and government should encourage organisations to report attacks and vulnerabilities to a coordinating body.
In addition, the report said that the government should work to create more incentives for improving security. However, it added that these should be light touch and fit in with commercial incentives so as to “preserve the agility and responsiveness” of the digital sector.
The society also called on the government to commission an independent review into the UK’s future cybersecurity needs, which must look at the institutional structures needed to support resilient and trustworthy digital systems.
This review will need to take into account the work and future of the National Cyber Security Centre, which was announced in November 2015 and will work with industry and academia.
The society said that the centre was a “helpful and important step” in improving the UK’s institutional arrangements for cybersecurity because the centre would make it more open and collaborative.
However, the report said that having the centre reporting to GCHQ is “unlikely to be ideal” in the long run, arguing that digital systems will become increasingly embedded across society and an increasingly large proportion of uses will be commercial and personal in the future.
As such, the society said that the review should look five to 10 years into the future and aim to develop future governance arrangements that better reflect the distribution of cyber threat across society.