The modern world has a tricky relationship with technology. On the one hand, the rise of the internet creates new opportunities to drive efficiency and improve communication for businesses, private individuals and the public sector alike. On the other hand, reliance on electronic channels of communication creates new weaknesses in a country’s infrastructure, leaving it vulnerable to the risk of cyber-attack – which is currently ranked up there with international terrorism or a major disaster on the UK’s register of national security risks.
To make sure the advantages of 21st-century communications are realised while the risks are mitigated, the UK government launched the five-year National Cyber Security Programme (NCSP) in 2011. And, while its brief may not be straightforward or easy to realise, an £860m budget means ministers will be keen to see this project bear fruit.
Given the complexity of the threat – Calum Jeffray of the Royal United Services Institute (RUSI) calls it the “most diverse and rapidly evolving risk to national security” – the NCSP’s objectives inevitably cover a lot of ground. They include tackling cyber crime, increasing the country’s resilience to attack, and helping to shape the web in favour of “open societies”. The programme also acknowledges that delivering all of this will require better “cyber skills, knowledge and capability” on the part of British firms and individuals.
So how is the NCSP faring? The Major Projects Authority – the body set up to provide independent assurance on major projects – has given the programme an encouraging green rating, while a 2014 review by the National Audit Office found that it had made “good progress in improving its understanding of the most sophisticated threats to national security”.
“The programme’s financial management and governance mechanisms are strong, and the government is on track to spend the programme’s budget of £860m by March 2016,” the watchdog added.
However, the NAO’s praise was not without qualification. It warned that the changing nature of the cyber threat meant that government “must increase the pace of change in some areas to meet its objectives”. Specific points for improvement flagged up by the NAO included improving the government’s understanding of how a cyber attack might threaten key public services, as well doing more to encourage citizens and businesses to mitigate the risk of an attack.
This area of the NCSP’s work – communicating the nature of the threat in ways that do not frighten the public – is arguably one of the most challenging. The government wants to encourage more people to use digital services, but must also try to educate citizens and the business community about the risk of a data breach. That’s a difficult message to hold in tension, and explains why the programme has set so much store by education.
Notable examples include the “Ten Steps” guides issued to businesses by the government – first in 2012 and then refreshed earlier this year – offering information and advice on areas such as malware prevention, managing user privileges and network security. There is also a burgeoning range of educational opportunities in cyber security. Partly because of the NCSP, the discipline is now embedded into every level of academic study, from the GCSE computer science curriculum to doctoral research.
According to the NAO, the NCSP has “encouraged many education and training initiatives to stimulate the development of relevant skills”, although the watchdog says demand for such training “remains considerable”. At a more informal level, more than 24,000 people have now signed up to an introductory cyber security course provided by the Open University, and the government estimates that more than two million citizens have now adopted safer online behaviours as a result of its awareness-raising activities.
“Having enough people with the right skills to meet the increased demand for better cyber security is paramount,” explains Natalie Black, director of the Office of Cyber Security and Information Assurance at the Cabinet Office. “To this end we have put in place interventions across education and beyond, including apprenticeships and student placements. We sponsor cyber competitions in schools, technical apprenticeships and PhDs; we’re building cyber security into computer science and computing degrees; and have so far accredited six master’s degrees in cyber security, created two new Centres of Doctoral Training, three Research Institutes and 13 Academic Centres of Excellence in cyber security research.”
Educating and informing end users is clearly central to the NCSP’s approach, and the programme wants to see individuals and businesses take responsibility for their own online security, while also recognising that this will mean arming them with new skills. It is, programme officials argue, a more satisfactory approach than imposing regulatory requirements – something that they say would be very difficult to achieve given the complexity of the technology and the variety of user groups.
In a telling Public Accounts Committee session in 2013, Oliver Robbins – who was then the Cabinet Office’s deputy national security adviser and is now director general of civil service reform – said he did not believe regulation would work as a way to improve cyber security. He used the analogy of security in a person’s home, observing that it was down to individuals to judge the best way to protect their own property.
“The locks you put on your windows and doors are not mandated by regulation,” he told MPs. “The fact is that the decisions you make about how to secure your property in that context are made by a combination of pressure from insurers, advice from police, what other people do and learning as best you can how to protect yourself in that situation. What we fear is that trying to regulate too actively in this area would mean that we would embed 19th-century locks on the system as the technology is leaping forward geometrically every few years.”
Essentially, officials argue, the cyber security threat evolves so quickly that any regulation could be out of date by the time it hits the statute book. Better, therefore, to encourage citizens and businesses to keep up to date with the latest advice and technology, and to respond accordingly.
“This is nudge politics at its best,” explains Andrew Rogoyski, head of cyber security at technology company CGI, who was seconded until 2014 to work as a senior adviser on the NCSP for the Cabinet Office. “The programme is charged with influencing the decision making and behaviour of a wide constituency, the vast majority of which are commercial organisations or private individuals rather than public-sector bodies. So it’s a government programme that impacts far beyond government, and needs to engage with a variety of stakeholders.”
One of the most ambitious strands of the NCSP has been the Cyber-Security Information Sharing Partnership (CiSP). This is a government-funded joint-industry initiative, bringing a variety of commercial organisations together to share information about the latest cyber threats. By joining CiSP, companies have access to a secure platform on which they can share cyber threat and vulnerability information. As a result, CiSP members are better informed about the current dangers, and can disseminate best practice ideas on how to respond.
The key aim of the partnership is to make UK industry more secure across the board. Partners include the likes of Virgin Media, BAE Systems, and BT. BT says that CiSP – which has over 500 member organisations – has “created a diverse community, encouraging members to share information outside of their traditional sectors and with people and organisations they would otherwise have no interaction with”.
As the Cabinet Office’s Black explains, encouraging innovation in cyber security can also appeal to firms’ desire for tangible bottom-line benefits. “Cyber security presents a huge opportunity for UK businesses,” she tells CSW. “Britain’s cyber security sector is already worth over £6bn and employs some 40,000 people. We are on track to double cyber security exports to £2bn by next year. Our aim is to increase to £4bn by 2020, and we will promote more regional clusters to support more British cyber businesses.”
For all the benefit that large companies have seen from the NCSP, however, the NAO says it has so far seen “limited impact” for small and medium-sized enterprises from the export-boosting side of the programme, which has given too much preference to “established companies” at the expense of SMEs.
It has also questioned the “slow” progress in encouraging cyberspace exports more broadly. This strand of the NCSP is led by UK Trade and Investments, with the Home Office, the Foreign and Commonwealth Office and the Department for Business, Innovation and Skills also chipping in from their own budgets.
As the NAO explains, there have been some setbacks. “The Cabinet Office originally intended that UKTI should have a cyber security marketing strategy in place by March 2012, but it wasn’t until May 2013 – 14 months after the deadline – that UKTI published this strategy,” the watchdog says. “UKTI has been slow to mobilise on the basis of this strategy and only began leading work to develop strategies for each target market from February 2014.”
Concerns about the export strand are also reflected in a snapshot survey carried out by the NAO, which asked respondents across academia, government and industry to rate progress against the key cyber challenges, with a score of five representing “excellent” progress. Scores on efforts to support trade and exports lagged behind the rest, with a 2.5 rating from industry, 3.0 from government, and 2.9 from academics.
In spite of this concern over exports, it’s clear that much of the feedback on the NCSP’s work so far has been encouraging. All other scores given in the NAO study were comfortably over the 2.5 mark, with a strong 4.0 ranking from industry on government’s understanding of the cyber threat. Government efforts to reduce the cyber skills gap were also viewed favourably by industry, achieving a score of 3.6.
Rogoyski puts these successes down to the “high-calibre individuals” from the public sector engaging “very effectively” with the private sector. He also suggests that it’s a reflection of the programme’s methodology, which involves “leveraging [insights from] the commercial world, where investment in technology is often much greater than in the public sector, and [from] the government in order to draw on expertise in both spheres”.
The role of the Cabinet Office in overseeing the programme has also been crucial. While the NCSP’s funding model is deceptively straightforward – with public, private and third sector bodies pitching for money that supports particular initiatives – the Cabinet Office holds these parties to account for delivery. And standards introduced under the NCSP are applied across the public sector – for instance, the Ministry of Defence now requires all its suppliers to meet the government’s “Cyber Essentials” security standards as a matter of course.
That’s not to say that the programme doesn’t still face big challenges. Newly published research by consultants at PWC – commissioned as part of the NCSP – found that security breaches were once again rising among both large and small organisations, reversing a fall seen in the previous year.
The study also found that 90% of large firms now reported suffering a breach – up from 81% – while 74% of small businesses reported the same, up from 60% in 2014. More broadly, the move towards cloud-computing will also throw up a fresh set of cyber-security concerns for industry, and it remains to be seen whether the programme will get a new lease of life in what is expected to be a tough Strategic Defence and Security Review.
But officials can certainly take heart from PWC’s findings showing a rising take-up of government initiatives directly launched as part of the NCSP. For example, 32% of respondents now say they’re using the “Ten Steps” guidance – a rise of 6% on last year – while nearly half of all organisations are now either accredited or on their way to being accredited under “Cyber Essentials” and “Cyber Essentials Plus”. Understanding, communication and awareness of security threats are also up on last year, according to the consultancy.
The NCSP is working in a fast-moving, high-stakes environment, making its successes to date especially noteworthy. It is already providing a strong example of how a central coordinating function – in this case the Cabinet Office – can encourage innovation from individual departments and build valuable relationships with the commercial sector, while also keeping a close eye on progress against a common set of objectives. And while it will need to keep pace with a changing threat and ensure that government support doesn’t leave SMEs lagging behind, the NCSP shows that complex projects involving a variety of stakeholders remain well within the grasp of government.
Dods, which publishes PublicTechnology.net, is organising a Cyber Security Summit on 15 July 2015, in London. The event will involve speakers from across the public and private sectors, including Commissioner Adrian Leppard from the City of London Police, Daniel Selman, cyber industry deputy head in the Ministry of Defence, and Stephanie Daman, CEO of Cyber Security Challenge UK.