The UK National Cyber Strategy 2022: Does It Go Far Enough & What’s to Come?

By James Rees, Managing Director, Razorthorn Security

As any cybersecurity professional knows, situations change swiftly and often. This makes long-term forecasting a near impossible feat, but carving out a path forward for the years ahead is exactly what the UK government’s recently published Cyber Security Strategy 2022-2030 aims to do.

The strategy is intended to “set out the government’s ambition to firmly establish the UK as a democratic and responsible cyber power, able to protect and promote its interests as a sovereign nation in a world fundamentally shaped by technology.”  But how well does it accomplish this task? Have the right areas been addressed, or does the plan miss the mark?

What It Gets Right

There is a lot more to like about the government’s strategy than there is to criticise, which is a positive. The strategy is organised into the five pillars of ‘Managing Cybersecurity Risk,’ ‘Protecting Against Cyber Attack,’ ‘Detecting Cyber Events,’ ‘Developing Cybersecurity Skills, Knowledge and Culture,’ and ‘Minimising the Impact of Security Events.’  All of these are the standard priorities that constitute the ‘bread and butter’ of cybersecurity activities, but they do help to organise the plan and contextualise its key points. It is these focus points that make up the more interesting core of the plan and are worth examination.

Data-driven security is not just a valuable area of focus, it’s also a timely one. Over the past two years, we have seen a significant change in the types of attacks that are going on with many of these based around exfiltrating, ransoming and releasing data. As a result, a lot of cybersecurity efforts now are focused on keeping the data safe wherever it sits, and that’s why we’re seeing a big increase in encryption and multi-factor authentication. It’s good that the government has included recommendations within their strategy, because that’s really where things are going. With such a significant shift towards remote and hybrid working as organisations downsize their large offices, rather than securing a perimeter of sorts around a designated workplace, businesses will need to begin focusing inwards on the data that remote staff are accessing and creating from wherever they may be.

But how do you ensure that the systems you put in place truly work? The strategy answers that question with its focus on cyber assurance. Yes, you can build security into your platforms, solutions, or frameworks. You can undertake policies and procedures, and that’s all fantastic. However, you need to have an assurance that it’s working and the only way really to achieve that peace of mind is by having it checked out by somebody other than the people that created it. You don’t get the people who did the homework to mark their own work. We blind ourselves to potential vulnerabilities by allowing ourselves to believe that what we did was perfect the first time around. Therefore, following this strategy you can expect to see there is a lot more emphasis on making sure that the security providers have their work double-checked by third parties.

Having the right talent on hand to build and test these components is arguably one of the biggest cybersecurity challenges we face. A report published at the end of last year found that cybersecurity is the most sought-after tech skill in the UK, with nearly half (43%) of the 823 surveyed business leaders admitting they had a shortage in this area and 4 in 10 UK expressing difficulties with retaining talent in these roles. The fourth pillar, Developing Cybersecurity Skills, Knowledge and Culture, is both a necessary and critical inclusion within the strategy.

The fact of the matter is that we simply do not have enough talent in the security business at the moment. We’ve had a large number of senior people in the industry seize the opportunity to retire during the pandemic, while others have moved on to academia to try to train the next generation. There is a severe lack of new talent coming in to replace those experts who are moving out, and those still working in the industry who have the required skills and expertise are in high demand and slightly overworked. The inclusion of a pillar focused solely on talent and culture was an essential move.

The strategy is of course primarily focused on improving the cybersecurity profession as it relates to the government’s various organisations and departments, but the strategy does promise to benefit the private sector as well. Most notable are its pledges to diversity and its emphasis on supporting regional tech hubs. Boasting the highest number of tech unicorns in Europe, London has quickly cemented itself as a global tech hub. But to limit all of Britain’s prowess to its capital discredits all the amazing talent to be found nationwide. It is nice to see the government acknowledge this and focus their efforts further afield.

Having a talented, designated cybersecurity workforce is critical, but it’s only half the battle. As cyber pros, our work is primarily focused on building the defences and springing into action when a threat slips through. Yes, we maintain and improve in between, but the best support for a cyber infrastructure is a general workforce that understands the risks and does their part to mitigate them day to day. Endowing the UK workforce as a whole with some general security skills and knowledge can actually help to prevent some of the little slips that can happen in the workplace, like clicking a phishing link in an email. With such a lack of designated security talent, every little bit of support makes a difference.

What Needs Some Work

Despite being well thought out and thorough, even the best laid plans can have faults. This strategy is no different, and the main area needing improvement is its focus on the idea of solutions that are ‘secure by design.’ When going down the route of building any kind of security component, of course, everybody has the intention of making it secure by design. Why would anyone ever design something with hopes of it failing? At the point in time that that component is created, it will be secure by design. However, expecting it to stay that way is an unrealistic goal. When it comes to cyber, situations change rapidly and dramatically. Any sort of major shifts in the way that we consume technology can very quickly make the solution, product, or organisation’s framework change, and it won’t be secure by design anymore.

While ‘secure by design’ is a good focal point to put in the strategy, it needs more fleshing out. Once you reach a point of, ‘Yes, we’ve now got a secure design for the way that we’re going forward,’ that’s all well and good, but what then? What’s going to happen in a year, two years, or three years? Are you regularly reviewing it? Are you changing it? Security is an ongoing thing, not a set-it-and-forget-it solution. The way that ‘secure by design’ solutions are presented here paints a picture of cyber solutions being a one-off fix when they are not, nor should they be. Security is something you have to maintain consistently and regularly. It’s okay for the government to push for solutions that are secure by design, so long as they make it clear that they likely will not stay that way.

What Lies Ahead

The strategy outlines a promising approach for the future, but now the time has come to put it into practice. While the strategy is primarily aimed at benefitting and improving cybersecurity within government entities, the whole is only as strong as the sum of its parts. Having strong defences at the government level helps protect the interests of the industry as well.  Not only that, but the government’s plan of action helps enterprises form their own strategies for the years ahead.

It would be very easy for an SME or large organisation to adopt the same five pillars as the government’s strategies and adapt the objectives within them to suit their own needs. These pillars do a good job of covering all the general bases for security, and provide the right steer for getting more granular with the specific goals within them.

In terms of priorities for security professionals, the areas outlined in the strategy help to provide insight into where the focus will lie going forward. Expect to see more attention paid to things like data-driven security initiatives and assurance, as well as an uptake in advanced solutions that use quantum technologies, artificial intelligence (AI), or machine learning (ML).

Again, trying to predict what cyber threats will look like one, three, five, or eight years from now is a bit of a fool’s errand and maybe the strategy is a bit ambitious in that regard, but it remains general enough in its attention that it should have some long-term applicability. It’s similar to the ‘secure by design’ conundrum. The strategy goes far enough now in the context of the time period it was created, but cyber is volatile. Two years from now, we could have a whole new way of using technology that we never anticipated, or a major change could happen out of the blue which renders all of our plans obsolete overnight. The best we can hope for is that the plans in this strategy help to set us up to withstand those changes a bit better.


About the Author

James Rees is Managing Director of Razorthorn Security, expert security consulting and testing services provider based in Tunbridge Wells, Kent. James has worked in Information Security for over 20 years, and during that time he has advised some of the largest and most influential organisations in the world, including many in the Fortune 500.

He has fulfilled the CISO role in several organisations both in full time and interim capacities, as well as serving as both advisor and in some cases executive board member in multiple organisations across industries. He is knowledgeable in all areas of cybersecurity, and is especially passionate about PCI DSS, Cloud security, business and digital transformation, strategy, regulation, and cryptocurrency.

Cyber Security Review online – February 2022