Is The UK Government’s Cybersecurity Strategy Fit For Purpose?
The UK, like every democracy in the world, faces increasing cybersecurity threats. The UK government is right to take action as these threats from state-sponsored adversaries and criminal groups continue to grow, annually. The government promises that Britain’s public services will be strengthened to further protect them from the risk of being shut down by hostile cyber threats.
The new strategy will be backed by £37.8 million to help local authorities boost their cyber resilience and will be implemented over the period of eight years from 2022 to 2030. Although the UK Cyber Security Strategy is a step in the right direction, especially with its emphasis on collecting events and identifying them before they become more serious incidents or breaches, eight years is far too long of a timeline. Why wait until 2030, when we can make far-reaching, impactful changes today?
we have the knowledge
In recent months, we have seen two different documents from the UK Government on Cyber Strategy, one for its UK-wide initiatives, the other focused on protecting the government itself. Both have an inherent key theme: education. Education not only provides the UK with the ability to protect against the ever-growing sophisticated threat landscape from the criminal or nation backed adversary, but it also makes sure we can continue our maturity and abilities for the future. The recent Government Cyber Security Strategy focuses on harnessing not only the knowledge and education, but also the cyber security culture within the Government sector.
When we speak about education, we forget that we already have a network of expertise and security domain knowledge within the UK. We are not starting from the beginning. Similar to other countries like the US, the UK has an opportunity to seek the real support of the private sector as not the ones stealing talent but the ones who can share talent, technology, and experience. That way, we don’t need to wait until 2030 but implement the security controls our country requires in a matter of months.
Choosing the right technology
A further key theme in the recent Government Cyber Security Strategy was the importance of Security Data, not only as a way to understand risk and identify vulnerabilities but, more importantly, to identify events before they become incidents. The private sector has successfully battled this issue for the last century, with the emergence of technologies like Endpoint Detection & Response (EDR) and Next-Generation Anti-Virus (NGAV) solutions becoming the core data solution. When the right solution is chosen, these tools allow organisations to focus on visibility and the ability to identify threats before they become a real issue to the enterprise. The combination of EDR and NGAV has allowed the private sector to automatically combine threat intelligence and modern technologies like AI and machine learning and other modern threat detection techniques such as behaviour to focus on the real threats to an organisation.
The private sector is now making its move into the new century of working, and the technology we need to secure our networks is evolving once again. The expedited use of the cloud, be it private, public or hybrid, with our extended digital workforce and complex networks, has meant purely host-based solutions do not cover all our needs.
The industry is now evolving its use to eXtended Detection & Response, allowing Security teams to protect all edges of our ever-evolving architectures from highly persistent and capable adversaries. XDR’s core focus is now to make sure we stop incidents before they become breaches by harnessing the data generated across our networks and not only being able to detect but also providing network-wide orchestration and remediation.
The UK government has an opportunity to take these learnings and make sure they are not implementing old ideas but the best-of-breed technologies for our future digital government.
Intelligence is the only way forward
For most, the idea of intelligence-sharing within the cyber security community is still focused around Indicators of Compromise (IOCs). IOCs, although useful in a very small window of time, do not provide the adequate information required for a modern network to defend against the modern adversary. To be truly prepared and able to understand the environment’s risk you need to have more in-depth data and knowledge. To do this, you need to have the right access to information and be able to interpret this intelligence not only back to your organisational needs but also technical needs.
This is something in which private-sector cybersecurity vendors have become extremely capable of taking raw intelligence reports or data and converting them into threat-hunting leads or identifying risks to security posture.
Being prepared for the worst
Hand-in-hand with increasing knowledge, intelligence and choosing the right technology is enhancing the UK’s detection abilities, which the government strategy also identifies. This is critical, as the faster there is visibility into the initial stages of an attack, the better chance there is to stop breaches. Best-practice is for the government to hold itself to the principle of 1:10:60 – 1 minute to detect, 10 minutes to triage, and 60 minutes to contain.
So, what next?
The reality is that, as much as the public sector can learn from the private, the private sector also has much to learn from the public. A better synergy ecosystem and sharing between the two will lead to a more secure country for us all to work, live, and grow in. The private sector is dealing with countless threat actors, regulations, and business complexities. The knowledge from these incidents and the agility of the private sector can be exponentially beneficial to the government when shaping tomorrow’s policies and defences.
Zeki Turedi is a cybersecurity technologist. He currently holds the role of Chief Technology Officer, EMEA at CrowdStrike. Zeki’s insights and subject matter expertise are frequently shared via media outlets such as the BBC, The Times, LBC, WIRED plus many others. He has also been published on several occasions including the journal on ‘Issues in Cybercrime, Security and Digital Forensics’.
