The Chancellor, Philip Hammond, has outlined plans to spend an additional £1.9 billion to assist Britain’s online defence against cyber-attacks.
The funding is designed to underpin the government's three key objectives:
- Defend: Ensuring that the means exist to defend the UK against rapidly evolving cyber threats, to respond to incidents, and to ensure that UK networks, data and systems are protected and resilient.
- Deter: Making the UK a tough target for cyber criminals through robust end-to-end management of cyber threats and ensuring that the UK is able to take offensive action if required.
- Develop: Investing in research and development and ensuring that the UK has a strong pipeline of talent to meet the increasing cyber security needs of the public and private sector.
In his statement, the Chancellor made clear that "trust in the internet and infrastructure on which it relies is fundamental to our economic future".
The budget, which was allocated in 2015 and will fund the strategy until the end of 2020, is double the amount of money that was assigned to a similar policy established in 2011. Ahead of the launch, the Chancellor noted that the increase in capital illustrates the government’s desire "to keep up with the scale and pace of the threats we face". Elaborating on this point at the launch of the strategy, Mr Hammond explained that if the UK were unable to respond to a cyber-attack in cyberspace then the nation "would be left with the impossible choice of turning the other cheek, ignoring the devastating consequences, or resorting to a military response."
The government outlined that part of the budget had already been spent on setting up automated systems that limit the amount of malware and spam that reaches the general public and impede emails that contain fraudulent tax campaigns.
The funding has also been earmarked for:
- the recruitment of more than 50 specialist cybercrime investigators
- the establishment of a Cyber Security Research Institute designed to improve cyber defences for smartphones, laptops and tablets
- an innovation fund to develop innovative technologies and provide support for security-based start-ups and academics
- a scheme to re-educate "high-aptitude professionals" as cybersecurity experts
- the expansion of specialist police units established to confront online gangs.
The strategy highlights the government’s assessment of the threats and vulnerabilities in the cyber context and particularly the developments since the last National Cyber Security Strategy was published in 2011. The strategy sets out the changing ways in which people now use technology and the rapid development of the internet of things as contributing factors to new opportunities for cyber attackers.
In addition, the strategy also sets out some of the key vulnerabilities faced by the UK including:
- Poor cyber hygiene and compliance: While acknowledging that this has improved over the past five years, the strategy highlights the need for businesses to continually review the security of data and systems and balance this against investment in people, technology and governance to reduce exposure to cyber attacks.
- Insufficient training and skills: The government acknowledges the lack of skills and knowledge in both the public and private sectors to meet cyber security needs, citing a lack of training. The strategy highlights the need to ensure the skills gap is closed, ensuring that the UK has the specialist skills and capabilities required to manage cyber risks.
- Legacy systems: Continued use of out-of-date software, which is often unpatched and, in some cases, unsupported, is in itself a key vulnerability which is often exploited by cyber attackers.
What does this mean for you and your business?
Government statistics released earlier this year demonstrate the prevalence of cyber-attacks on big businesses in the UK, with two thirds of large UK businesses being hit by a cyber-breach or attack in the last year.
For businesses, the launch of the new strategy is about information security in a digital world. With the strategy highlighting that the majority of businesses are still not appropriately dealing with cyber risks, it is a timely reminder for businesses to pay close attention to the cyber threats they face. Businesses should review (and if needed, put in place) cyber security strategies, ensuring, for example, that:
- policies relating to security are regularly reviewed and spot-checked to ensure compliance (for example, computers are locked if unattended, devices are encrypted)
- systems and networks are regularly reviewed to ensure an appropriate level of security proportionate to the information held
- regular training is provided to employees, recognising that an effective cyber security strategy will require all employees to be aware of cyber security and the risks posed by would-be attackers
- third party providers of systems and services to an organisation have appropriate obligations in relation to the security of their systems and networks.
The government has also noted its intention to make use of all available measures, including the General Data Protection Regulation, to improve the standards of cyber security. Ultimately, if the market fails to address risks, the government has signalled its intent to put in place regulatory frameworks.