
Looking back to secure the future: a review of the National Cyber Security Strategy 2016-21

Ahead of the UK Cabinet Office’s expected publication of the National Cyber Security Strategy (NCSS) 2016-21 progress report, NCC Group sets out what we believe the government will and should focus on when reporting on the achievements of the last two and a half years, and how we expect future priorities to take shape.

In his keynote speech to the UK National Cyber Security Centre’s CyberUK conference in April 2019, the Minister for the UK’s Cabinet Office, David Lidington, announced the planned publication of “an update on the effectiveness and impact of [the UK’s 2016-21 National Cyber Security Strategy]” at the end of May.

He did so “in an effort to boost transparency” after the UK Parliament’s Joint Committee on the National Security Strategy [1] lamented “the government’s unwillingness to publish even basic information” and warned that this made it “difficult for the private sector to understand the government’s priorities”.

The UK government’s commitment to greater transparency and information sharing is hugely welcome. And with the report expected to be published in due course, now is the time to reflect on the progress made to make the UK the safest place to live and do business online before setting our sights on the challenges that still lie ahead.

The NCSS so far…

We expect the government to emphasise the proactive role it has played in implementing transformative building blocks to improve the UK’s national cyber resilience. It will also acknowledge that reliance on market forces will not deliver the desired outcomes, and focus in particular on the world-leading role of the National Cyber Security Centre (NCSC) – which is surely the most visible and significant achievement to date.

Along with references to the Active Cyber Defence (ACD) programme, we also expect the NCSS progress report to focus on how else the government has delivered measurable results in the fight against cyber crime. This includes investment in cyber innovation and skills initiatives to demystify cyber security, as well as equipping businesses and citizens with the knowledge and tools to tackle cyber risks.

This has been reinforced through the government’s promotion of Secure by Design principles targeted at device manufacturers, which helps to remove the onus from device owners.

We also expect the government to focus on the progress made to secure the country’s critical national infrastructure, and global supply chains, while acknowledging the importance of international engagement to lead the debate about rules in cyberspace.

At a time when we’re still struggling to address the security debt and legacy of the mistakes of the last 20 years, the fact that the current and future technological revolution could be delivered more securely is certainly something to celebrate. This has led to the concept of Secure by Design being embedded into more and more processes across several key markets.

From our perspective, significant progress has been made in the last few months alone, including the publication of two government strategies in two completely different sectors – one looking at urban mobility, and one on education technology or EdTech. Both of these very explicitly discuss the need to consider cyber security requirements in the design and development stages.

The private sector as a whole is also getting ever better at working in partnership with the public sector, and vice versa. As we jointly strive towards improving the cyber resilience of UK PLCs, it’s promising to see the trust between both sectors continuing to grow as we work towards a common goal of creating a safer society.

But of course, we cannot be complacent.

Looking to the future

When the National Audit Office published its progress report on the National Cyber Security Programme in March 2019 [2], it pointed to areas of improvement, such as ensuring the NCSC achieves a more outward culture and engages with businesses and citizens.

It was also highlighted that progress must be made towards assessing and quantifying cyber risk to allow organisations to effectively manage their cyber risk, and to offer certainty beyond 2021. To push this forward there needs to be a clear division of responsibility set out between the public and private sectors regarding the part they play in securing the future cyber security landscape.

So, what would we like to see in the remaining two and a half years of the 2016-21 National Cyber Security Strategy?

In short, we would like to see a commitment to finding the solutions and mechanisms required to help cyber security evolve and mature further, and for this to facilitate trusted cross-sector and cross-border partnerships. This means:

1. Embracing cyber security as a science

Much has been said and written about the challenges in measuring cyber security and the return on investment – not least because, as the NAO concludes, “it is difficult to show what would have happened had investment not taken place”.

But giving up is not an option. Instead, we need to embrace the challenge and invest in establishing baselines and benchmarks, so that ‘improving cyber resilience’ becomes a measurable concept rather than a woolly, high-level one.

2. A lasting commitment to collaboration

We stand prepared to play our role by sharing knowledge, information and resources across the private and public sectors. But we need innovation and outside-the-box thinking to enable true and trusted partnerships fit for the 21st century.

This means removing institutional barriers, reforming legislation and developing new rules that aim to challenge “the old normal” and push the boundaries.

3. A global outlook

Yes, the UK is widely considered a world leader in cyber security. And yes, we have established that cyber security is a cross-border phenomenon that requires a global response. But that hasn’t solved challenges associated with a failure to communicate why our international allies should care about what happens within our borders, or pushed back the global trend towards technology nationalism.

As we approach the next decade, we need to accept our responsibility to remake the case for multilateral efforts, and for transferring best practice internationally. In a world where operations and activities are rarely limited to a single country anymore, we need to educate each other to ensure we stay alert to the frameworks we operate in and understand how they shape behaviours.

In light of the above, we look forward to celebrating the progress made to date. But we are even more excited about where we go next!

1. https://publications.parliament.uk/pa/jt201719/jtselect/jtnatsec/1708/1708.pdf 

2. https://www.nao.org.uk/wp-content/uploads/2019/03/Progress-of-the-2016-2021-National-Cyber-Security-Programme.pdf
