Three Goals of the UK's New Cyber Security Strategy
Recently, Dr. Ian Levy, director of the UK’s new National Cyber Security Centre (NCSC) provided a preview of key initiatives included in the government’s new cyber security strategy. This strategy comes one year after George Osborne’s announcement that the UK will invest £1.9 billion by 2020 on cybersecurity and suggests cyber defense is quickly emerging as a top priority for government agencies and businesses alike.
Below are the top three initiatives highlighted in the five year roadmap—and what they mean for UK organizations.
Replace Alarmist Rhetoric with Actionable Guidance
While the cybersecurity industry continues to innovate, the market is still saturated by unhelpful, alarmist and confusing rhetoric. “The biggest future threat we have is to keep talking about cyber security the way we do today,” Levy said last week.
Too often, we are distracted by the latest scam or fraudulent tactics when we should be focused on ensuring effective end-to-end security for enterprises and governments and communicating those solutions in a clear and helpful manner.
The primary goal of the center and of the strategy will be to provide “one place to go for everything,” Levy said, from “information...about how to design a system, through building it, operating it, to when you get pwned, how do we help.”
Increase Transparency Between Governments and the Private Sector
Another key goal of the strategy will be to break down walls between governments and private enterprises. The more information we share about current attack tactics and defense strategies, the better off we’ll all be.
“Let’s do this in public, let’s do this transparently, let’s publish data, let’s publish what we have done, what effect it’s had, and the cost,” Levy said. “I want people to really, really understand what the cyber security threat picture looks like. What their risks really are, and how better to protect themselves.”
This rings especially true for the public sector which traditionally has relied upon archaic systems that have been slow to respond. Breaking down these barriers will also help elevate the security story from an IT-focused problem to a universal initiative.
Shut Down Persistent and Addressable Threats
Email is still a primary threat vector for some of the worst data breaches in recent memory. The recent Democratic National Committee (DNC) and Office of Personnel Management (OPM) attacks in the U.S. were the direct result of a simple phishing email.
NCSC’s vision for robust protection does not include implementing shiny new and complex defense tactics. Instead, it involves tackling the low-hanging fruit by investing in best practices that have already proven value. Chief among them includes the pledge to implement email authentication standard DMARC (Domain-based Message Authentication Reporting & Conformance) on every government domain, all 5,700 of them.
By reclaiming control of its trusted domains, the government aims to "crack down on spoof email accounts used in fraud" and effectively make the UK harder to phish. DMARC can be difficult to implement across complex environments however it is a critical foundational step in the fight against domain spoofing for any organization.
HMRC, an early adopter of DMARC, has seen great results with an authentication-first approach. Ed Tucker, HMRC’s cybersecurity lead, said “Simply put, the DMARC standard works. In a blended approach to fighting email fraud, DMARC represents the cornerstone of technical controls that senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.”
With compromises are at an all-time high, with digital trust at an all-time low, the private and public sectors share a common enemy when it comes to cyber crime. What the UK government has outlined with their National Cyber Security Strategy is the disruption of the current cyber economics business model by making the UK an unyielding target and increasing the costs and risks to the criminals.
With every organization a potential victim, the private sector should focus on the Cyber Essentials outlined by the NCSC. Through a combination of people, process and technology controls, enterprises can reduce exposure to the most sophisticated cyber attacks by putting protection before detection and response.