The Government Cybersecurity Strategy, launched earlier this year, was seen as a welcome step towards making the public sector more resilient. Attacks against local governments globally increased by 70 percent during 2021 and in the UK The National Cyber Security Centre (NCSC) noted that between Sept 2020-Aug 2021, 40 percent of attacks were aimed at the public sector.
The strategy aims to strengthen government resilience by ensuring critical functions are “hardened to cyberattack by 2025” and all public sector entities are “resilient to known vulnerabilities and attack methods” by 2030. Central to the strategy are two pillars: national resilience through the adoption of the NCSC Cyber Assessment Framework (CAF) and a ‘Defend as One’ mantra with partnerships and intel sharing coordinated via a Government Cyber Coordination Centre (GCCC).
While laudable, the strategy is highly ambitious and set within tight timeframes, leading some to question its achievability. A two phased approach is envisaged from 2022-25 and 2025-30, with the caveat that “development will begin as soon as practicable” if milestones haven’t been met by 2025.
Will local councils lose out?
The strategy will apply to over 300 local authorities and 450 central government departments but both it and the funding focuses very much on the higher echelons. Of the £2.6bn set aside, only £37.8m is earmarked for local councils even though these are the most susceptible to attack: over the course of the past year, 841 incidents were reported to the Information Commissioner’s Office (ICO) compared to the 225 reported by Central Government.
It’s not hard to see why. Local councils operate largely independently and policy is fragmented, with a recent ITV News Investigation observing that councils are using “outdated systems” and there is a “lack of consistency when it comes to defending against threats”. The government response to the investigation was that “councils are responsible for their own networks and systems, and it is up to each council to ensure appropriate security measures, governance and training are in place”: a statement that would seem to fly directly in the face of the ‘Defend as One’ premise.
The Strategy does admit that security across government remains inconsistent and that the size of the digital estate and legacy IT make things more complicated while complex governance, insufficient accountability and underdeveloped mechanisms hamper visibility of risk and are liable to make it difficult to drive change at scale/pace. To deal with the legacy IT issue it proposes to adopt a ‘secure by design’ methodology for future projects and to “manage, update and replace” while strategically it proposes to turn things around through the adoption of the CAF.
The NSCS CAF is well established, and mirrors industry best practice embodied in other security frameworks such as the National Institute of Standards and Technology (NIST) in the US and international standard ISO 27001. It’s already widely used by industries associated with governing our Critical National Infrastructure (CNI), for instance, and has since been adapted for other sectors, such as in aviation with the CAA CAF.
You might also like
Under the strategy there will various tiered versions, from the Basic CAF which must be complied with by 2030 to the Enhanced CAF applicable to high-risk central government departments by 2025, and each will have its own threat profiles. It also states “it will be for lead government departments to adapt and apply” the CAF for the organisations they oversee. While this will enable the CAF to be modified it equally runs the risk of diluting the requirements and diminishing controls.
To its credit, the strategy borrows heavily from advances made in the private sector. It’s five key objectives – to manage risk, protect against attack, improve detection, minimise impact, and to develop the right skills, knowledge and culture – could be lifted from any good security strategy. But there are also some surprises, too, such as the establishment of a cross-departmental vulnerability disclosure service that will encourage employees and the public alike to report potential issues.
The strategy aims to use the Cyber Essentials scheme to help bolster supply chain security and when it comes to detection, a threat hunting programme will be rolled out that will include deception tactics and honeypots. Simulated exercises will test the ability of departments to withstand a real-world attack, be that through red teaming, penetration testing or tabletop incident response exercises. However, such assessments will only be mandatory for central government, potentially seeing local government miss out.
Understandably, the strategy takes a top-down approach as it aims to centralise efforts and create greater visibility. It will prioritise the needs of departments handling the most sensitive data who will be able to use behavioural-based threat monitoring, for instance. But the danger again here is that this could prove divisive and create a two-tier system.
The strategy refers to a three-step assessment process whereby departments will need to show they have identified their critical systems, whether these have then been assessed against the CAF and if they have achieved the necessary outcomes. It then recommends periodic reviews but there is no indication of how regularly this should occur. It’s these grey areas that will give many cause for concern. What we don’t want is to see this opportunity to level-up cybersecurity in the public sector potentially frittered away.
Phil Robinson is principal consultant at Prism Infosec.