The growth of the internet has transformed our everyday lives and is an important part of our economy. The World Economic Forum’s (WEF) Global Technology Report 2014 cites the UK as having the best developed e-commerce in the world.
But with greater openness, interconnection and dependency comes greater vulnerability. The National Security Strategy categorised cyber attacks as a Tier One threat to our national security, alongside international terrorism. The threat to our national security from cyber attacks is real and growing. Terrorists, hostile states and cyber criminals are among those targeting computer systems in the UK.
81% of large corporations and 60% of small businesses reported a cyber breach in 2014. With the cost of the worst cyber-security breach estimated at between £600,000 and £1.15 million for large businesses and between £65,000 and £115,000 for smaller ones, the government must look at new ways to protect businesses and make the UK more resilient to cyber attacks and crime.
The government has allocated £860 million until 2016 to establish a National Cyber Security Programme. The vision of the government is to ensure that a vibrant, strong and secure cyberspace can enhance the UK’s prosperity, national security and society.
This vision is set out in the UK Cyber Security Strategy, published in November 2011. The strategy has 4 objectives:
- making the UK one of the most secure places in the world to do business online and tackling cyber crime
- making the UK more resilient to cyber attack and better able to protect our interests in cyberspace
- helping to shape an open, vibrant and stable cyberspace that supports open societies
- building the cyber skills, knowledge and capability the UK needs
Making the UK a safer place to do business and preventing cyber crime
To improve businesses’ cyber security, we:
- are providing cyber security advice to businesses such as the 10 Steps to Cyber Security Booklet and tailored guidance for small businesses, as well as further guidance and training for those sectors or roles particularly at risk
- have built a Cyber Security Information Sharing Partnership with businesses to allow the government and industry to exchange information on cyber threats in a trusted environment
- have reached agreement with industry on a series of guiding principles for internet service providers, setting out a best practice approach to help inform, educate and protect customers from online threats
- have developed a Cyber Essentials scheme to give organisations a clear baseline to aim for to protect themselves against the most common cyber security threats and to advertise that they meet this standard: this is one of the ways we are working with industry on cyber security standards and principles
- set up a National Cyber Crime Unit within the National Crime Agency in 2013 and dedicated cyber units in each of the 9 regional organised crime units (ROCUs)
- have introduced a single reporting system for people to report financially motivated cyber crime through Action Fraud, the UK’s national 24/7 fraud and internet crime reporting centre - recording incidents of fraud centrally enables the intelligence gathered about crimes to be shared and analysed, resulting in more targeted enforcement action
- investing £3 billion over 9 years into developing the next stage of national cyber capabilities, working with small businesses in the South West region and recruiting cyber specialists
- working with industry through a joint ‘Cyber Growth Partnership’ with technology industry representatives techUK (formerly Intellect)
- publishing a Cyber Exports Strategy to set out the scope of opportunities and actions and set a target for future export growth
- providing a Cyber Security Suppliers’ scheme for businesses that supply cyber security products and services to the UK government
Making the UK more resilient to cyber attack
The government is strengthening its ability to detect cyber attacks on UK interests. This means it can quickly and effectively protect nationally significant networks. To make the UK more resilient to cyber attacks, we:
- established CERT-UK on 31 March 2014, a new organisation to lead on national impact cyber incidents and share technical information between countries; CERT-UK has helped protect the Commonwealth Games and the 2014 NATO Summit from cyber threats
- have set up a new Cyber Incident Response scheme to help organisations recover from a cyber security attack
- have extended the role of the Centre for the Protection of National Infrastructure (CPNI) to work with all organisations that may have a role in protecting the UK’s critical systems and intellectual property
- have agreed a set of actions with regulators in essential services to make sure that important data and systems in our critical national infrastructure continue to be safe and resilient
Shaping a safe and stable cyberspace
- work with other countries to identify and manage cyber risks and develop principles to guide the behaviour of governments and others in cyberspace
- have hosted and supported the ‘London Process’ series of cyber conferences
Building cyber skills, knowledge and capability
Our ability to defend ourselves in cyberspace depends upon a strong skills and knowledge base. We need to ensure that there is a sustained supply of competent cyber security professionals who have achieved the necessary standards and certification. To develop the knowledge, skills and capabilities needed to defend the UK against cyber crime, we are:
- providing cyber security advice for business and the public, including through our ‘Be Cyber Streetwise’ campaign
- working to improve cyber skills, education and professional opportunities
- challenging the UK public to find ways of defending the government from cyber attacks as part of the Cyber Security Challenge UK competition, sponsored by the National Cyber Security Programme
Our National Security Strategy classed cyber security as one of our top priorities alongside international terrorism, international military crises and natural disasters.
We published the UK Cyber Security Strategy on 25 November 2011. It sets out how the UK will support economic prosperity and protect our national security by building a more trusted and resilient digital environment.
The Office of Cyber Security and Information Assurance (OCSIA) in the Cabinet Office coordinates work carried out under the National Cyber Security Programme across government departments and agencies.
OCSIA distributes the £860 million funding to government departments, agencies and some other non-governmental organisations. These include the intelligence agencies, Ministry of Defence (MoD), Foreign and Commonwealth Office (FCO), Department for Business, Innovation and Skills (BIS) and the Centre for the Protection of National Infrastructure (CPNI). The CPNI supports the organisations that provide our essential services, or critical national infrastructure, covering defence, finance, pharmaceuticals, energy and telecommunications. The UK Cyber Security Strategy sets out which departments are responsible for specific actions: eg Home Office leads on cyber crime and FCO on international cyber security.
Francis Maude, Minister for the Cabinet Office, made a written ministerial statement to Parliament about progress against the objectives of the strategy on 11 December 2014, and on previous years since the strategy was published. Read the government’s achievements so far and forward plans.
Who we’re working with
The UK Cyber Security Strategy sets out how the government will promote growth and minimise the economic impact of cyber attacks by working closely with the private sector. Our approach depends on building effective partnerships between and within government, the private sector and academia.
The private sector runs the infrastructure that cyberspace depends on, as well as the systems that support our critical national infrastructure. It is also the largest economic victim of crime and economic espionage done through cyberspace. We work closely with industry to raise awareness of the threat to reputation, revenues and intellectual property from cyber attack and the measures that businesses can take to address these.
This includes working with large and small firms from the growing cyber security sector, internet service providers and their representative groups (such as the Telecommunications Industry Security Advisory Committee (TISAC)) and techUK, which represents 850 mostly small- and medium-sized businesses in the cyber-security sector. We work with regulators, owners and operators of the UK’s essential services such as the Bank of England, the Financial Conduct Authority, Ofcom, Ofgem and Ofwat.
As the internet supports sectors across the board, government also works with a diverse range of businesses and their representative or professional bodies, including FTSE 350 companies, the Federation of Small Businesses, the insurance industry, the Institute of Chartered Accountants of England and Wales and the Law Society.
Cyber security is a global issue. The government’s interests in this area are represented in international forums, eg the United Nations, the Organisation for Security and Cooperation in Europe, the EU and the World Economic Forum. The UK also works with global partners and with other countries to build up their capacity and strengthen trans-border law enforcement co-operation on cyber crime.