Last week, the UK government launched its first cybersecurity strategy, which focuses on enhancing the security of the nation’s public services. The purpose is to reduce the risk of these systems being shut down by hostile threat actors.
Among a raft of initiatives announced was a new Government Cyber Coordination Centre (GCCC) to better coordinate responses to attacks on public sector systems, a cross-government vulnerability reporting service to allow security researchers and the public to easily report issues they identify with public sector digital services and a more detailed assurance regime to be implemented across central government departments. In addition, £37.8m will be invested into local authorities’ cybersecurity to help protect essential services and data, such as housing benefits, voter registration, electoral management, school grants and the provision of social care.
The government’s chief security officer, Vincent Devine, explained: “We need this bold and ambitious strategy to ensure that government’s critical functions are significantly hardened to cyber-attacks.
“The strategy is centered around two core pillars, the first focusing on building a strong foundation of organizational cybersecurity resilience; and the second aimed at allowing government to ‘defend as one,’ harnessing the value of sharing data, expertise and capabilities.”
Announcing the scheme, Chancellor of the Duchy of Lancaster Steve Barclay highlighted the significant threats the public sector faces, particularly from nation-state actors. For example, he stated that Britain is now the third most targeted country in cyberspace from hostile states. He also noted that of the 777 incidents managed by the National Cyber Security Centre (NCSC) between September 2020 and August 2021, around 40% targeted the public sector.
So, what are the threats the UK’s public sector is facing from nation-state actors, and will the government’s new strategy effectively combat them?
Sam Curry, chief security officer of Cybereason, has observed a significant rise in nation-state attacks targeting public sector organizations in recent years: “Cybereason's researchers have been tracking several state-sponsored threat groups from Iran, China and Russia that are deliberately attacking government agencies and departments. The recent attack on Canada's Foreign Affairs Department is a relevant example and destructive malware likely deployed by state-funded groups in Russia against more than 70 government agencies in Ukraine further proves the increase in targeted attacks on public sector organizations. Threat groups attack public sector organizations seeking to sabotage governments, military organizations and civilian groups of their opponents and enemies.”
"Threat groups attack public sector organizations seeking to sabotage governments, military organizations and civilian groups of their opponents and enemies”
As Curry alluded to, the current geopolitical tensions in Ukraine have put this issue firmly into the spotlight, with Russia linked to a number of cyber incidents impacting public services in Ukraine in recent weeks. Amid ongoing UK support for Ukraine, the NCSC recently warned UK organizations to prepare for attacks from Russian attackers in the coming months. Peter Yapp, partner at Schillings and former deputy director at the NCSC, explained: “There are three main reasons why nation states target the UK’s public sector systems: to gather intelligence; to disrupt services; and to gain access for later use.”
A Positive Step
Amid this landscape, the new strategy appears to have been broadly welcomed across the cybersecurity industry. Calvin Gan, senior manager, tactical defence, F-Secure, commented: “With the call for better security practices, controls and management in these institutions, the new strategy is a welcomed move, especially when dedicated budgets are being allocated to improve the cybersecurity posture. It is with the hope that lack of resources would no longer be the main blocker for better security improvements.”
The new strategy has followed a number of recent initiatives by the UK government to bolster the nation’s cybersecurity, particularly in relation to critical infrastructure and other essential services. This includes the creation of a National Cyber Force to increase the UK’s offensive cyber capabilities and a new “whole of nation” national cyber strategy.
Cybereason’s Curry is pleased about the attention the UK government is placing on this issue. “The UK is showing the right attention for cyber and putting the challenges of military-grade cyber risks front and center. Over the last 20 years, we’ve seen national strategies for the war on drugs and countering terrorism and violent extremism. 2022 and beyond demand national attention and coordination as a national security issue, in the United States and elsewhere, and the UK is setting the right example for all.”
Despite this, Yapp believes there has been a lack of emphasis on strengthening cybersecurity within the UK's public sector, forcing this new top-down approach. “The government’s new cyber strategy builds upon many years of the government trying to persuade central departments and local government to adopt a pre-emptive, rather than reactive approach to cybersecurity,” he explained. “Due to a lack of mandating and funding, this has not been as universally successful as it needed to be, although some good initiatives were developed, such as the NCSC’s ‘Web Check’ service (a web vulnerability scanning service offered to all public sector organizations, enabling them to understand vulnerabilities or misconfigurations in their service and manage them).”
Yapp was particularly pleased to see the inclusion of a GCCC, which will identify, investigate and coordinate the government’s response to attacks on public sector systems. He noted this “is modeled on the very successful version in the finance sector.”
"I expect to see improvements in how information and support are shared across public services"
Andrew Kays, Socura CEO, similarly views this as a positive development but cautioned its effectiveness will be determined by its practical application. "The formation of the GCCC and the ‘defend as one’ mantra is a sensible approach. It is always better to adopt a strategic approach to how public services are protected, so I expect to see improvements in how information and support are shared across public services. Of course, how this is implemented is pivotal. Cybersecurity relies on fast action and response to protect services when they are under threat. Sadly, most governments are slow, weighed down by bureaucracy and do not excel when it comes to quick information sharing and decision making,” he outlined.
Does it Go Far Enough?
Despite the positive steps outlined by this new strategy, many analysts are concerned it does not go far enough. This is particularly true for local authorities, which have suffered numerous highly damaging attacks in recent years. These include the ransomware attacks on Redcar & Cleveland and Hackney Councils in 2020, causing significant disruption and recovery costs. Kays commented: “I would question whether £37.8m is enough to help local authorities improve cyber reliance, given their current level of resources and the threats they face.”
Ian McShane, Field CTO, Arctic Wolf, added: “The UK government’s new national cyber strategy is well overdue and although it comes with a large budget, there’s likely to be a generational gap before we see meaningful changes. In particular, there are some promising policies laid out to bolster the cyber resilience of local authorities, but given the increased frequency of cyber-attacks on the public sector recently, I question whether this is actually going to be enough to properly bolster and sustain defenses against adversaries.”
Curry also believes the strategy could have been strengthened further by providing new funding for public sector monitoring and detection capabilities. “Don't underestimate the importance of proactive detection of cyber incidents and government-wide threat hunting. Anything that helps reduce the attack surface and options for attackers and makes monitoring simpler is a tremendous boon. Deploy endpoint detection and response (EDR) or extended detection and response (XDR) software on all endpoints,” he noted.
The UK’s new cybersecurity strategy for the public sector provides further evidence of the growing fears about the impact of cyber-attacks at government level. The initiative is undoubtedly a positive step, particularly the plans to coordinate responses across government agencies in the event of incidents impacting public sector bodies. Yet, doubts remain regarding its practical application in a sector not renowned for its flexibility, or whether the funding available for local authorities will prove to be enough given the sheer volume of attacks.