The recently published Government Cyber Security Strategy set out a range of ambitions to make the public sector safer. PublicTechnology gathered a panel of experts to find out more about how it will do so.
“We had just published an Integrated review that set out Britain’s stall to be a cyber power, so we were keen to emphasise that you cannot be viewed in that way on the world stage unless your public sector is resilient, and you are leading from the front.”
This was the background against which the Government Cyber Security Strategy was published earlier this year, according to David Lovell, cyber strategy and policy lead at the Cabinet Office’s Government Security Group.
The strategy set out the ambition that the public sector’s defences should be “significantly hardened” to cyberthreats by 2025, on the way to becoming fully “resilient to known vulnerabilities and attack methods” by the end of the decade.
There are two main strand to the plan to achieve this target, Lovell says.
The first is a change in government’s approach to managing risk, including the introduction of Gov Assure – a new regime through which government entities will undergo independent audits of their cyber resilience.
“There is a tendency to say ‘legacy is bad, and we must eliminate it’. That is not a tenable position. We need to be clear that you can manage and mitigate legacy – as you would with all risk, including cyber risk. In the past we may have been guilty of having a bit of a maximalist approach.”
David Lovell, Cabinet Office
Supported by the National Cyber Security Centre, the “scale and common language” created by Gov Assure can deliver a complete a “complete revolution in how we provide assurance”, the strategy lead adds, during a recent webinar discussion hosted by PublicTechnology and Egress.
This universality will support the ambitious central tenet of the cyber plan: that the public sector should ‘defend as one’. This will be achieved by close coordination between agencies, including the sharing of information on vulnerabilities and threats.
Jack Chapman, vice president of threat intelligence at Egress, says that the current landscape facing public bodies remains dominated by familiar foes, including phishing, ransomware, and malware.
“The key thing that is changing in the threat landscape is the sophistication and automation of these attacks,” he says. “Especially through the rise of crime as a service, where attackers are collaborating like never before. You can go out and purchase pre-defined technical kits that reduce the barrier of entry for attackers. This worrying evolution what is really driving concerns from a defensive side.”
The Government Cyber Security Strategy will help public-sector entities take a “much more targeted” approach to understanding – and managing – the cyber risk created by this landscape, according to Lovell.
Chapman agrees that organisations should take a focused approach, beginning with the identification of the people, platforms, or products that are most valuable.
“You need a culture of understanding key assets, and understanding the routes in [to those for attackers],” he says. “And, from there, you can start drawing it out: where do I need to invest in order to protect first and foremost? And then having a layered approach – including people, process, and technology – for every avenue into an organisation.”
The ongoing prevalence of legacy IT systems is something that is often picked out as a major endemic cyber risk for government. Lovell recognises the issue as a significant challenge that agrees needs to be tackled.
“But legacy technology shows that you cannot treat cybersecurity as discrete from broader DDaT challenges – and, indeed, broader business challenges. Security, and tech in general, is just another enabler for business,” he says. So, when modernise technology, you not only get the security benefits – you get the greater benefit… in efficiencies, and inthe better outputs you get in, ultimately, delivering your business objectives.”
He adds: “There is a tendency to say ‘legacy is bad, and we must eliminate it’. That is not a tenable position. We need to be clear that you can manage and mitigate legacy – as you would with all risk, including cyber risk. In the past we may have been guilty of having a bit of a maximalist approach to legacy: which can be useful in making the argument. But, that said, we need to treat legacy as a component part of risk and manage it accordingly.”
Alongside legacy, the other big challenge facing those in charge of delivering the cyber strategy is the need for cyber skills across government. This can partly be met by looking to recruit from a broader talent pool, Lovell says, including more neurodiverse candidates, as well as people from other professional backgrounds or those arriving in the cyber world at a later stage of their career.
“The key thing that is changing in the threat landscape is the sophistication and automation of these attacks. Especially through the rise of crime as a service, where attackers are collaborating like never before.”
Jack Chapman, Egress
Steven Furnell, professor of cybersecurity at the University of Nottinham’s School of Computer Science, says that cyber skills are a big challenge for many UK organisations across both the public and private sectors.
It is also crucial that those outside cyber-specialised functions are aware of security issues and the role their implications, he adds/
“It starts at the top: you need to make sure that cybersecurity and risk is recognised from the very top of the organisation, and promoted from that level,” Furnell says. “You have then got to ensure that things are underpinned in a way that means staff can appreciate and understand how it relates to them. Having a policy is a good starting point – but that, in itself, is not going to be sufficient. You have got to accompany that, initially, with an appropriate level of awareness-raising, [addressing for staff]: ‘what is it? What is my role in it? What do I need to do about it and in what context?’
“But even that raising of awareness does not tell someone how they are supposed to do it. You then have to take that further, and go from awareness through to training and education, and engaging with the staff… this step seems to be slightly under-represented in terms of what organisations are doing in practice.”