An updated strategy for the technical security of the public sector includes initiatives such as the creation of new governance and support offerings, as well as revamping government’s cyber profession.
Ministers have unveiled a new Government Cyber Action Plan, including the establishment of a specialist unit supported by hundreds of millions of pounds of funding to deliver “secure public services [that] are trustworthy and resilient”.
The plan, which is intended to complement the upcoming roadmap for digital and technology use across government, sets out measures including revamping the civil service profession for cyber experts, asking departments to develop detailed and costed plans to improve security, and new centralised support and government measures.
The strategic framework was released this week by the Department for Science, Innovation and Technology – which is also the home of the new-look Government Cyber Unit. The unit will be “backed by over £210m of central investment [to] drive the plan forward, [by] setting much stronger central direction, backing departments with expert support whilst demanding measurable progress”, the document says.
The action plan takes the baton from the previous Government Cyber Security Strategy, which was published in 2022 and set a clear headline goal “for all government organisations to be resilient to known vulnerabilities and attack methods” by the end of this decade. The new strategy starts from the position that “we now recognise that [this] target… is not achievable by the original target date of 2030”.
“To protect our critical national infrastructure, defend public institutions and maintain public confidence in essential public services, we must achieve a radical shift in approach and a step change in pace,” the plan says.
DSIT’s revamped Government Cyber Unit – working hand-in-hand with Whitehall departments, devolved administrations, and the National Cyber Security Centre – will lead delivery of the plan across five defined strands, including: support; services; response and recovery; and skills. The final strand – accountability – will wrap around the other four, the plan indicates.
There will be three stages of delivery, the first of which is the ‘building’ phase, which will run until April 2027.
Work taking place between now and then will include “building critical functions to establish the Government Cyber Unit, establishing refreshed accountability and governance for government cyber risk, standing up prioritised central services and support functions… [and] launching a new cyber profession for government”.
Following on from this, the ‘scaling’ phase will run for two years. This stage will incorporate measures aimed at “using government-wide cyber risk visibility to make data-driven decisions and a compelling investment case for managing severe and complex cyber risks, delivering a pipeline of cyber support and services to help departments meet their responsibilities, [and] scaling and maturing response and recovery capability to address concurrent major cyber events”.
The scaling period will also see the establishment of new “learning pathways for top high-risk cyber specialisms”, as well as ensuring that Whitehall “departments [are] fully operating within governance and reporting structures for themselves, their ALBs, and sectors”. These departments will also be expected to create “costed cyber-improvement plans in line with defined central and local cyber risk appetites”.
The final phase of ‘improving’, which will run from April 2029 onwards, is intended to support “enabling decision-making and prioritisation at all levels of government through sharing central cyber data insights, including evidence-based investment in cross-government platforms, services and infrastructure to address critical risks”. During this closing stage, DSIT will also be “offering central cyber support and services at scale based on identified needs and strategic fit in a sustainable pipeline and lifecycle [and] leveraging Government Cyber Profession as engine for transformation through career framework and sector recognised accreditation standards”.
Across the rest of government, there will be an expectation of “departments proactively assuring cyber risk across their supply chains, enabled by central management of strategic suppliers”.
Objectives and benefits
All these measures are intended to support the achievement of four main objectives: better visibility of cybersecurity and resilience risk; addressing severe and complex risks; improving responsiveness to fast-moving events; and rapidly increasing government-wide cyber-resilience.
“Achieving these objectives will deliver tangible benefits,” the plan says. “The public will see faster service recovery and better communication when things go wrong. Departments will get more hands-on support and practical guidance. This will include a central governance model, a wider services offer, routine cross-government exercises, and a clearer system for recruiting, attracting, and retaining cyber staff through career pathways, apprenticeships, secondments, and industry partnerships.”
In his foreword to the plan, digital government minister Ian Murray said that “we are not starting from scratch; we are scaling what works, learning from successes across the public sector and our international partners”.
“This plan will go further than we have before, prioritising cyber resilience and ensuring we have strong central leadership driving cross-government response,” he added. “It will enable departments, through central services and targeted support, and will see the launch of a new Government Cyber Profession which will not only ensure we continue to attract and retain the best talent but also support development skills throughout the UK. This is more than just a change; it is a steadfast commitment to defending the state and protecting the daily lives of working people. By fixing these foundations, we will build a government that is resilient, secure, and ready for national renewal.”

