The Cabinet Office has published the first cyber security strategy specifically for the public sector.
It involves a number of measures based on two core pillars: focusing on building a strong foundation of organisational cyber security resilience, underpinned by adoption of the National Cyber Security Centre’s Cyber Assessment Framework (CAF); and allowing government to ‘defend as one’ by sharing data, expertise and capabilities.
The release follows the recent publication of the National Cyber Strategy, which takes in the whole economy and sets out an ambition for a ‘whole of society’ effort between public, private and third sectors.
The Cabinet Office highlighted a number of measures within the public sector strategy, including the setting up of a new Government Cyber Coordination Centre this year to co-ordinate cyber security efforts across the public sector. The plan draws on private sector models such as the Financial Sector Cyber Collaboration Centre, and the centre will be based inside the Cabinet Office.
Defend as one
Its prime aim – related to the ‘defend as one’ pillar in the strategy – will be to quickly identify and investigate attacks on public sector systems and co-ordinate the response, ensuring the relevant data is shared.
It will be accompanied by the creation of a cross-government reporting service, enabling security researchers and the public to report issues they identify with public sector services. This is intended to help organisations quickly fix any issues identified.
There will also be a new, more detailed assurance regime for government, including assessment of departmental plans and vulnerabilities, aimed at providing a more detailed picture of cyber health.
Adoption of the CAF is to take place this year, with tiered profiles to respond to varying threats to government functions.
Efforts to support local government will involve the provision of £37.8 million for cyber security in council services.
In addition, there will be a focus on reducing risk through a project in partnership with small businesses and academia to support a culture change, and through work on understanding the risk to government systems from supply chains. The latter is related to the development of security schedules that can be applied to government procurement, aimed at ensuring that proportionate measures are included in contracts.
The strategy also identifies five objectives to provide a consistent framework and common language: manage cyber security and risk; protect against cyber attack; detect cyber security events; minimise the impact of incidents; and develop the right cyber security skills, knowledge and culture.
It will all be underpinned by a series of key performance indicators, still to be developed but which should place a minimum burden on organisations and demonstrate genuine impacts and benefits.
Speaking at the launch, Barclay (pictured) said: “Our core government functions, from the delivery of public services, to the operation of national security apparatus, must be more resilient than ever before to cyber attacks. And we are setting out the clear aim for government’s critical functions to be significantly hardened to cyber attack by 2025.
“This aim accounts for all public service organisations – including across local government, and the health and education sectors – which in many cases are starting from a very low level of maturity.
“Achieving our aim is essential. Not only to protect government functions and public services but also to realise the ambitions set out in the Integrated Review and the National Cyber Strategy. It will also help cement the UK as a democratic and responsible ‘cyber power’.
“Only by ensuring that cyber attacks neither disrupt our core functions, nor erode vital trust and public confidence can we use the full potential of cyber as a lever to protect and promote our interests in a world that is being fundamentally and rapidly reshaped by technology.”
Image by Chris McAndrew, CC BY 3.0