The UK government has released a National Cybersecurity Strategy for the next five years. Predicting changes to the threat landscape for the digital economy will always be difficult, even over as short a time span as five years. But there is clearly a pressing need here, with cyberattacks regularly in the news. A recent example was an attack on a group of hospitals that put patients at risk for several days.
A great illustration of the rapid changes in technology came earlier this year: on the atomic scale, 5 is an impossibly small number – but the first "5-atom quantum computer" developed out of MIT has the potential to break most traditional encryption systems. Such developments will revise how we look at cybersecurity in the future, and being adaptive to changes will be extremely important.
Whilst quantum computing doesn’t get an explicit mention in the UK cybersecurity strategy, the strategy covers a great deal of emerging threats as well as more traditional security issues.
So what’s the basis of the UK’s strategy?
The report opens with a frank statement that “we are critically dependent on the Internet” and recognises that in general such a system is “inherently insecure”. The resulting strategy is principally about reducing security risks whilst highlighting the benefits of digital technologies. The tagline is laudable: to make the UK “secure and resilient to cyber threats, prosperous and confident in the digital world”.
What role are businesses to play in this strategy?
Some key points:
- The report places businesses at the forefront of the UK’s national response for the protection of personal data of individuals, and organisations’ general responsibility to “the citizen and consumer, and society at large”.
- The link between cybersecurity and privacy concerns is enhanced by the government’s proposal to “make use of all available levers, including the forthcoming General Data Protection Regulation, to drive up standards of cybersecurity across the economy.”
- "Security by default" is emphasised, going hand-in-hand with the GDPR’s focus on "privacy by design".
- It is clear that the UK government expects big improvements in the resilience of organisations’ systems and is prepared to hold to account those who do not comply. The message is explicit: “Businesses and organisations must understand that, if they are the victim of a cyber-attack, they are liable for the consequences”.
- The government also plans to support the creation of a UK cybersecurity sector through addressing funding gaps for SMEs to grow and expand, collaborating with the private sector to drive innovation, and working alongside academia to commercialise its science and technology innovations.
This is going to be an area of large-scale development, investment and opportunity. The UK government is taking an active approach to cybersecurity with the potential for new regulation and a commitment of £1.9bn to deliver on this strategy. The establishment of a new National Cyber Security Centre in October this year underscores the importance of this area.
Organisations wisely looking to enhance their cybersecurity measures will find the report a useful outline of the UK’s cybersecurity "playbook".