Strategy document outlines eight core pillars covering personnel, infrastructure, risk and culture, with the aim of ensuring that every critical justice service is resilient to cyberattack and that secure-by-design practices are adopted across the department
The Ministry of Justice has published a dedicated cybersecurity plan outlining its intent for secure design practices to underpin all the organisation’s operations while ensuring services across the justice system are well-defended against attack.
The strategy, which covers the 2023 to 2028 period, rests on a Strategic Vision and a Strategic Aim set for that five-year timeframe.
The vision is to ensure that “every critical Justice service is resilient to cyberattack” while the aim is to “embed ‘secure by design’ thinking into everything the department does, ensuring everyone working in justice can confidently perform their security responsibilities”.
The strategy sits alongside both an existing digital strategy for the MoJ and the wider Government Cyber Security Strategy.
“However, the unique nature of the MoJ’s role in government means there are more specific threats that need to be considered in some contexts,” the ministry’s cyber strategy says. “For example, the threats associated with deploying IT solutions into prison environments are ones that lack parallels in other departments. The In-Cell Technology programme, where prisoners have access to laptops, exemplifies this; it required careful consideration of layered defences, and operational security techniques to ensure a suitable security approach. This helps ensure that despite giving devices to those with the time, the motivation, and the capability to attack them, we have confidence in the overall solution.”
The plan adds that while, “as a government department, we are naturally a target for foreign state attackers seeking intelligence gains… our focus is preventing non-state actor-level attacks, as this will provide the best return on investment for the taxpayer”.
The cyber policy sets out eight “strategic pillars” covering various “strands of activity”:
- Establishing and developing the MoJ security profession
- Creating a positive security culture
- Ensuring secure by design services
- Continuing to harden our enterprise estates
- Effective security operations
- Having confidence in our security measures
- Effective management of cybersecurity risks
- Securing the justice community
The creation of a dedicated security profession will see the MoJ developing a framework “covering all related roles across the department [to] unlock a level of professional development support for all cyber security staff, to help one another with challenging tasks, establish a central pool of expertise for more serious incidents, and to help the department to create an effective and positive security culture”.
The implementation of secure-by-design approaches, meanwhile, will require the MoJ to “adopt existing common security patterns and establish automated guard rails to help teams develop and operate in a secure environment by design”.
Hardening the ministry’s enterprise estates will include improving the processes for those joining, leaving or moving roles within the department, with the aim to “significantly improve our identity and access management approach to ensure that the majority of staff access to critical systems will be through a single identity, enabled through strong passwordless technology”.
To help boost confidence in the department’s security measures, the MoJ aims to “improve supplier and partner assurance… [and] implement our assurance framework for the third-party organisations the department relies upon… [to] ensure our suppliers and partners, both existing and newly on-boarded, are clear on the security requirements they need to achieve to protect our information and systems”.
The pillar dedicated to the management of risks will see a senior responsible owner appointed to oversee the security of every IT system used across the department.
The MoJ will also “refresh our processes and guidance to ensure that all security risks are identified, analysed, prioritised and managed, including deployment of a central governance, risk and compliance solution [and] ensure that agency CEOs, functional leads, and SROs all have clear security accountabilities… accompanied with bespoke training for key roles to ensure those making decisions about security risks are equipped to make effective choices”.
The final pillar – securing the justice community – is perhaps the most complex, with the strategy acknowledging that “we will not solve the problem in the short term, but we will dedicate resource to begin working on how to address it”. This will begin with defining the problem and establishing a “roadmap that begins to address this issue over the lifetime of the strategy”.
Work in this area will be supported by a newly created “small cyber and justice policy team to collaborate with other government departments, the wider justice sector and academia”.
The strategy outlines that the MoJ has “over 1,000 IT services used to run large operational processes, [of which] under 100 are judged to be modern digital services”. Systems across the department are also home to more than 100 million files containing 350 terabytes of “unstructured digital data”.
“The legacy services have many different support models, commercial arrangements and rely on different underlying technology,” the strategy says. “Teams must make difficult priority decisions about operating existing systems, building required features, and undertaking security improvements; deferring investment in maintenance and support leads to vulnerabilities. A vast number of spreadsheets, databases and applications are used to manage the work of the department.”
In her foreword to the document, MoJ permanent secretary Antonia Romeo said that the strategy reflects the ministry’s duty to “protect sensitive data to deliver crucial work for citizens”.
“Our strategy is focused on threats we are most likely to face, and the most critical technology systems that the MoJ rely on,” she added. “The strategy is not just about technical security measures, it is also about having the right people and the right culture in place to embed security into everything the department does.”