The government today (25 November 2011) published its new cyber security strategy, setting out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.
It heralds a new era of unprecedented cooperation between the government and the private sector on cyber security, working hand in hand to make the UK one of the most secure places in the world to do business.
Around 6% of the UK’s GDP is generated by the internet and is set to grow - making it a larger sector than either utilities or agriculture - with the internet boom predicted to create 365,000 jobs over the next 5 years. We want to create new opportunities for businesses and help build a thriving cyber security industry.
But our increasing dependence on digital technologies has given rise to new risks. For example, there are more than 20,000 malicious emails on government networks each month, 1,000 of which are deliberately targeted.
The government has already ranked cyber security as a tier 1 national security priority and committed £650 million over the next 4 years to bolster its cyber defences. The UK is also leading the way on the world stage, earlier this month hosting the London Conference on Cyberspace to drive forward international dialogue on building a secure digital world.
Prime Minister David Cameron said:
While the internet is undoubtedly a force for social and political good, as well as crucial to the growth of our economy, we need to protect against the threats to our security. This strategy not only deals with the threat from terrorists to our national security, but also with the criminals who threaten our prosperity as well as blight the lives of many ordinary people through cyber crime.
Cyber security is a top priority for government and we will continue to work closely with the police, security services, international partners and the private sector to ensure that the UK remains one of the most secure places in the world to do business.
Minister for Cyber Security Francis Maude said:
The growth of the internet has revolutionised our everyday lives and promises untold economic and social opportunities in years to come. This strategy sets out how we will realise the full benefits of a networked world by building a more trusted and resilient digital environment, from protecting the public from online fraud to securing critical infrastructure against cyber attacks.
The government cannot do this alone. Closer partnership between the public and private sector is crucial. The strategy heralds a new era of unprecedented cooperation between the government and industry on cyber security, working hand in hand to make the UK one of the most secure places in the world to do business.
Minister for Cyber Crime James Brokenshire said:
We want to ensure that everyone can make the most of the internet and online services while protecting themselves from crime. The new National Crime Agency will share knowledge and expertise across law enforcement agencies, building on the pioneering work done by the Metropolitan Police and SOCA.
We are also reaching out to industry and the public to get involved. We all have a role to play in keeping ourselves and our families safe while enjoying the huge opportunities and benefits of surfing the web.
Minister for Business and Enterprise, Mark Prisk said:
With one of the largest online economies in the world, valued at £100 billion a year, cyberspace is vital for the UK’s economic prosperity.
However, as well as bringing opportunities for businesses and their customers, cyberspace also brings threats. That’s why it’s important that we help all companies, from big multi-nationals to our small businesses, take some simple, practical measures to protect themselves and their customers online.
Summary of actions in the strategy
The strategy outlines how the government will take the opportunity to promote growth and minimise the economic impact of cyber attacks by cementing a new partnership with the private sector. We will do this by:
Pioneering a joint public/private sector cyber security ‘hub’: This will allow the government and the private sector to exchange actionable information on cyber threats and manage the response to cyber attacks. A pilot will begin in December with 5 business sectors - defence, telecoms, finance, pharmaceuticals and energy.
Exploring ways in which GCHQ expertise can benefit economic growth: GCHQ is home to world-class expertise in cyber security. The government will explore ways in which that expertise can more directly benefit economic growth and support the development of the UK cyber security sector without compromising the agency’s core security and intelligence mission. For example, options examined might include:
- working with private sector partners to explore the potential commercial applications for GCHQ’s unique expertise.
- working with BIS, the Technology Strategy Board and the Engineering and Physical Sciences Research Council (EPSRC) to explore strategic vehicles for bringing together industry, academia and government to exploit the latest innovations in cyber security in order to increase prosperity and security for the UK in cyberspace.
- a government-sponsored venture capital model to unlock innovation on cyber security in SMEs.
Supporting SMEs: We will ensure smaller companies can play their part as drivers of new ideas and innovation by bringing forward proposals as part of the Growth Review to help SMEs fully access the value of public procurement. This will include setting an expectation that at least 25% of the value of government cyber security contracts go to SMEs.
Encouraging industry-led cyber security standards for private sector companies: UK businesses could use this as a competitive edge by promoting themselves as certifiably cyber secure. BIS will work with domestic, European, global and commercial standards organisations to accelerate this work.
Promoting the UK’s cyber security industry abroad: UK Trade and Investment (UKTI) will work with the security sector’s trade associations to ensure that this increasing domestic strength is leveraged to help UK firms sell abroad.
On tackling cyber crime, the strategy sets out commitments to:
Expand the use of ‘cyber-Specials’ to help the police tackle cyber crime: The Metropolitan Police’s Police Central e-crime Unit (PCeU) has made groundbreaking use of Police Specials with relevant specialist skills to help tackle cyber crime. We will encourage all police forces to make use of ‘cyber-Specials’. We will involve people from outside law enforcement to help tackle cyber crime as part of the NCA cyber crime unit.
Create a cyber crime unit within the National Crime Agency by 2013: The unit will help deal with the most serious national-level cyber crime and be part of the response to major national incidents. It will draw together the work of the e-crime unit in SOCA and PCeU and provide support to all elements of the NCA, and all police forces.
Encourage the police and the courts to make more use of existing cyber sanctions for cyber offences: Additional powers are already available when there is strong reason to believe someone is likely to commit further serious cyber crime offences. For example, a range of terms - including restriction on access to the internet and prohibition from using instant messaging services - have been used to restrict the ability of organised criminals to commit online fraud. We will publish new guidance aimed at increasing the use of cyber sanctions for cyber offences.
Make it easier to report financially motivated cyber crime by establishing a single reporting system for businesses and the public: Action Fraud - the national fraud reporting and advice centre run by the National Fraud Authority - will become the central portal for reporting any financially motivated cyber crime.
In order to confront high-end threats, the strategy sets out commitments to:
Create a new Defence Cyber Operations Group in the MOD. This will include a Joint Cyber Unit hosted by GCHQ, which will develop new tactics, techniques and plans to deliver military cyber capabilities. We will also consider the future contribution of reservists in providing access to specialist cyber knowledge and skills. The new Joint Forces Command, led by a Four Star military officer, will take the lead in developing and integrating defence cyber capabilities from April 2012.
Protecting the Critical National Infrastructure (CNI): On behalf of government, the Centre for Protection of the National Infrastructure is already working with a network of CNI companies to ensure that they take the necessary steps to protect key systems and data. The government will now work to increase its reach to companies that would not ordinarily be considered part of the critical infrastructure, but that collectively represent an important part of our economy. For example, businesses that innovate and develop new intellectual property.
On prevention and raising public awareness, the strategy sets out commitments to:
Bolster the role of Get Safe Online: Everyone has a crucial role to play in keeping cyberspace safe, including the public. Get Safe Online already provides independent, trustworthy advice on staying safe on the internet. We are increasing our investment to make Get Safe Online the single, authoritative place to go for the public to get the latest information on internet threats and the simple steps they can take to protect themselves.
Work is already underway to improve Get Safe Online’s web presence in early 2012 with a new, more interactive website, drawing on user feedback on products to help inform consumer choices. The website will also use an NHS Direct ‘triage’ kind of system to guide people through a diagnosis and to give them direct guidance on how to solve their cyber security problems.
Develop ‘kitemarks’ for cyber security software: This will help consumers and businesses navigate the range of cyber security solutions available, allowing them to make more informed choices and avoid unnecessary ‘scareware’.
Seek to agree a set of voluntary ‘guiding principles’ with ISPs: This could include seeking agreement with Internet Service Providers (ISPs) on the support they might offer to internet users to help them identify, address, and protect themselves from malicious activity on their systems.
On research, education and training, the strategy sets out commitments to:
Identify centres of excellence in cyber security research and provide investment to plug any gaps: This will improve our research capabilities and expand the number of people with the highest levels of skills and knowledge in cyber security.
Improve cyber security at all levels of education: so that people are better equipped to go online safely.
Establish a scheme to certify cyber security specialists by March 2012: this will drive up the skill levels of information assurance and cyber security professionals.
Notes to editors
Copies of the strategy (PDF, 514KB) can be found on GOV.UK.