New ‘Gov Assure’ process aims to provide a government-wide overview of risk, minister tells PublicTechnology Cyber Security Summit
Whitehall departments will be required to go through an external audit of their cyber resilience to help ministers “understand cyber risk across government”.
Called ‘Gov Assure’, the regime will ask all government entities to undergo independent assessment of their cyber set-up and risk profile. This process will be based on the guidelines set out in the Cyber Assessment Framework of the National Cyber Security Centre (NCSC).
The measures were first unveiled as part of the Government Cyber Security Strategy, published earlier this year.
Cabinet Office minister and paymaster general Michael Ellis said: “This will create a single lens through which we can understand cyber risk across government and enable government departments to accurately assess their level of cyber assurance and highlight priority areas for improvement. Gov Assure will also help us to take a strategic view of government vulnerability – to help inform a strategic roadmap to truly defend as one.”
Ellis’s comments were made during PublicTechnology’s annual Cyber Security Summit event, held in London last week. Delivering the opening keynote presentation, the minister gave attendees an insight into the intent behind public sector cyber plan, and the plans for its implementation over the coming months and years.
The 84-page policy document sets out an ambition for the public sector’s “critical functions to be significantly hardened to cyberattack by 2025”.
By the end of this decade, the plan is for all public bodies to be “resilient to known vulnerabilities and attack methods”.
Date by which public sector bodies should be resilient to all current known vulnerabilities
Amount of money committed in the recent spending review to improve cyber resilience and address legacy IT across government
Number of incidents requiring a response from the NCSC in the year to the end of August 2021
Proportion of these incidents that were targeted at a public-sector entity
“To keep everyone safe online… the public sector must lead by example,” Ellis said. “If we are to continue to prevent public services coming under pressure, and protect them from the harmful consequences when they do, we need to act. Our core public sector functions – from the delivery of public services to the operation of national security apparatus – must be more resilient than ever before to cyberattack.”
One of the key strands of the strategy will be to develop and put in place a public sector-wide framework to ensure services, products and platforms are designed with security in mind. This will “ensure that appropriate and proportionate cybersecurity measures are embedded within the technology that we all use”, the minister said.
“This world-leading framework will allow all of us to take advantage of industry innovation by enhancing our ability to test, to pilot and to deploy commercial tools, services and capabilities,” he added. “This will be supported by robust measures to mitigate risk, including domestic regulation and international collaboration on standards.”
Cybersecurity becomes even more important in given government’s intention to “embrace the development of connected place technology” – such as sensors and digitally enabled public infrastructure.
“When properly secured, smart-city approaches have the opportunity to transform the interaction between government and citizen,” Ellis said. “Connected places provide tangible benefits to society, managing traffic, reducing pollution – and saving money and resources. We should take this opportunity to better serve our communities. But we must do this in a way that is mindful of risk – the interconnectivity that allows places to function more efficiently also creates cyber vulnerabilities, and the potential for cyberattacks.”
Government intends to boost the NCSC’s existing Connected Places Cyber Security Principles guidelines. It will also “strengthen the capability of local authorities and organisations such as ports, universities and hospitals to buy and use connected places technology securely”, Ellis told conference attendees.
Underpinning the rollout of the strategy will be a new Government Cyber Coordination Centre. The entity is a joint venture between the Government Security Group, the Central Digital and Data Office and the NCSC.
The minister claimed that the centre will “transform how we use cybersecurity data – by facilitating threat and vulnerability management at scale, and fostering partnerships across the public sector” and the country at large.
“If we are to continue to prevent public services coming under pressure, and protect them from the harmful consequences when they do, we need to act.”
Cabinet Office minister Michael Ellis
t will also lead government’s response to successful attacks.
“I am proud to say that when UK public services have suffered attacks, the government has acted fast to support getting key services back up and running, and also to manage any risks to stolen data,” Ellis said. “However, we should – inevitably – expect challenges.”
He added: “Where we cannot prevent them, we will rapidly identify, investigate and coordinate our response to cyberthreats, where criminals find weaknesses in our defences, we will learn and build them back stronger.”
To help combat the current threat from Russia, the NCSC is being supported by a newly created Government Information Cell, which has brought together about 35 staff from the Home Office, Cabinet Office, Department for Digital, Culture, Media and Sport, and the Foreign, Commonwealth and Development Office. The remit of the cell is to counteract the Kremlin’s narratives about the invasion of Ukraine.
“The NCSC has been liaising regularly with major social-media platforms to monitor and share information,” Ellis said. “Their work also aids our Government Information Cell, bringing together counter-disinformation expertise to identify and tackle Russian information aggression targeted at the UK.”