Cyber at a crossroad: Opportunities to shape the path ahead

By July 17, 2020 UK

By Alex Mather and Eleanor Kearney

As issues other than the health and economic impacts of COVID-19 return to the Government’s agenda, this final post as part of Political Intelligence’s Cyber Week outlines the numerous live and upcoming cyber security policy initiatives of this administration – away from the Huawei saga – and what we can expect to see as the policy landscape begins to return to something approaching normality. Only this week we saw cyber security receive top billing politically with reports of Russian hacking and election interference – as threats continue to grow and with a Government committed to the power of technology and data, this is only likely to become a more regular occurrence.

Despite the tumultuous nature of British politics since the EU referendum, the Government’s cyber security policy has been underpinned since 2016 by the National Cyber Security Strategy – a five-year plan to make the UK ‘confident, capable and resilient’ which was backed by £1.9bn of cash. The Strategy has had a mixed reception politically. Whilst the establishment of the National Cyber Security Centre has been near universally praised and there has been a more proactive policy approach, last year the Public Accounts Committee criticised the Strategy and the Cabinet Office’s implementation and highlighted that 11 of the 12 outcomes set out in the plan were “open ended”. The National Audit Office also criticised the failure of the Cabinet Office to produce a business plan for the Strategy before it was established. We can expect to see the current Strategy receive more scrutiny as it concludes in 2021. Work underway last year to inform the next strategy has been affected by the General Election and COVID-19, it remains unclear exactly this administration will approach the new strategy. Will there be more funding or less? Will there be continuation of a centralised approach?

Despite the lack of clarity regarding a future national cyber security strategy, the policy agenda remains active in this space. As Internet of Things (IoT) devices become more widespread, the Government has increasingly turned its attention to the security of such devices. Currently, ‘secure by design’ guidance is a code of practice for manufacturers to ensure that a device is secure from creation – with the importance of the cyber security equalling the importance of the physical security. However, the code of practice is not enforceable and is currently based on a system of trust that each manufacturer will follow it. The Department for Digital, Culture, Media and Sport (DCMS) is in the process of developing legislation and mandating the first three articles of these guidelines, which include requirements for no default passwords and to keep software updated.

Furthermore, despite the disruption caused by the pandemic, in May the Government published its ‘Post-Implementation Review of the Network & Information Systems Regulations’ – a set of regulations which provided legal measures to improve the security of network and information systems which are deemed critical for the provision of digital services and essential services. The Review found that organisations are making good progress in improving the resilience and security of their systems. Additionally, the Government has highlighted the importance of the findings at a time when the evolution of the UK’s cyber security policy is at a pivotal stage.

Away from pure cyber policy initiatives, following a pause in its work due to the pandemic it is understood that the Government has resumed its work on the Strategic Defence and Security Review 2020 and may be able to deliver an output this year around the time of the Comprehensive Spending Review in the autumn. Although the Review looks at the entirety of the armed forces and defence spending, given the interest of the Prime Minister’s adviser Dominic Cummings in cyber it will be interesting to see to what extent it features given the changing nature of the threats which the UK now faces.

These developments come at a time when cyber security has arguably never been a greater priority for businesses due to the new reliance on remote working around the world due to the COVID-19 pandemic and the expectation that tech will play a fundamental role in the recovery. Additionally, with the news this week that the Telecoms Security Bill will be introduced ‘at the earliest possible opportunity’ to introduce a ‘tough new telecoms security framework’ it is clear that the UK’s cyber security policy is in transition. As the previous national strategy reaches its conclusion, it is essential that the industry steps up its engagement with Government to ensure that the full extent of the challenges and opportunities in this area are understood by policymakers.