UK government to assess the cyber security capability landscape

The UK government's aim is to be the world’s leading digital economy through the right level of cyber security capability

The UK government has defined a series of questions as it seeks to validate its assessment of the cyber security capability landscape and identify where there may be additional challenges in specific parts of the economy.

Margot James, Minister for Digital and the Creative Industries, announced a call for views to increase the UK’s cyber security capability through a policy paper: Initial National Cyber Security Skills Strategy.

Following the ten-week period of engagement, the government will use the evidence received to develop and publish a comprehensive and final strategy document in 2019.

Apart from the questions which are to be formally responded to, the government intends to run a series of engagement events in early 2019 to explore these questions further. It has also set a series of questions about the proposals on interventions in the education and training ecosystem, and about how government and industry can work together to develop creative and innovative ideas to increase cyber security capability in the UK.

Unmet demand for cyber security capability

Since the publication of the National Cyber Security Strategy (NCSS) in 2016, there has been a significant increase in malicious cyber activity globally, from hostile nation states and from cyber criminals. Additionally, global and domestic market insight reports regularly refer to an unmet demand for cyber security capability.

The five-year NCSS set out the government’s plans to make the UK secure and resilient in cyberspace, prosperous and confident in a digital world. It is backed with £1.9 billion of investment to help in defending systems and infrastructure, deterring adversaries, and developing a whole society capability.

The challenge is much more complex than simply a shortage of cyber security professionals for the government. There is a broader cyber security capability gap in the UK. The assessment aims to understand the level and blend of expertise and skills needed across the general workforce to help the UK become the world’s best secure digital economy.

The government also seeks to understand whether the level of ambition articulated through the mission and objectives in the NCSS is sufficient to meet the challenge.

Margot James said: “As our digitally connected world has expanded at an extraordinary rate, so too has the scale of vulnerabilities and the frequency of attacks that we face. The threat has developed significantly even since the publication of the National Cyber Security Strategy in 2016. Public and private sector organisations worldwide are falling victim to ransomware attacks, supply chains are being compromised and our critical national infrastructure continues to be a target for attack. We are also seeing threats to our democracies from attempted outside interference.”

Evolving nature of the threat

In the two years since the NCSC was created, it has dealt with well over 1,000 cyber security incidents. In 2017, over 70% of large businesses, 64% of medium businesses and 42% of micro/small businesses in the UK suffered a cyber breach.

The majority of the incidents the NCSC dealt with in 2017 were perpetrated from within nation states in some way hostile to the UK. The threats were undertaken by groups of computer hackers directed, sponsored or tolerated by the governments of those countries. The commoditisation of small-scale and less sophisticated attacks also means that even actors with low capability can have an impact.

The make-up of attackers is also varied – from state-sponsored actors to cyber criminals, ‘hacktivists’, or the actions of employees, whether deliberate or accidental. The most common threat of all is from cyber criminals seeking to exploit UK organisations for financial gain – whether that be the sophisticated theft of intellectual property or a simple theft of cash from an account. The rise of ransomware is particularly notable and is having a significant impact on both private businesses and public bodies.

According to the Cyber Security Breaches Survey 2018 published by the Department for Digital, Culture, Media and Sport (DCMS), only 27% of UK businesses and 21% of charities have a formal policy or policies covering cyber security risks. Many organisations lack the knowledge, understanding and confidence around cyber security to implement appropriate measures. Risks are regularly downplayed and businesses too often only take protective action after their systems have been breached or they have suffered an attack.

The proliferation of the Internet of Things (IoT) means consumers are bringing more and more internet-connected devices into their homes, such as smart TVs, smart music speakers, smart washing machines, and even internet-connected toys. If internet-connected devices sold to consumers lack even basic cyber security provisions, people’s privacy and safety are at risk of being undermined.

The DCMS is consulting on regulatory proposals for consumer IoT security, with options including a mandatory new IoT security label.

A capability gap

According to independent external research exploring the UK cyber skills labour market and the cyber security skills gap, more than half (54%) of all businesses and the same proportion (54%) of charities have a basic technical cyber security skills gap. For public sector organisations, 18% have a basic technical skills gap.

For more high-level technical cyber security skills, the skills gaps are higher in the private sector than in the public sector (31% of businesses have a high-level technical skills gap, 22% of charities and 27% of public sector organisations). It is estimated that 407,000 businesses, 43,700 charities and 3,300 public sector organisations have a high-level technical skills gap. Technical skills gaps tend to be higher outside the finance or insurance sectors and the information and communications sectors, as well as outside of London.

The vast majority of those with cyber security responsibilities across businesses, charities and the public sector have absorbed them into their existing non-cyber security jobs. Notably, outside of the external cyber security providers, they are often not labelled as working in cyber roles – just 11% of businesses and 14% of charities on average have cyber security written formally into the job descriptions of one or more staff.

Many organisations choose to outsource their requirement for cyber security capability. Three in ten businesses (30%) and a similar proportion of charities (27%) outsource one or more aspects of their cyber security, while public sector organisations are more likely to outsource, with two thirds (65%) doing so. Among organisations that do outsource cyber security, most still handle at least some aspects in-house, and while public sector organisations are more likely to outsource some cyber security activities, their level of outsourcing is more likely to be light touch, with more aspects typically handled in-house than in businesses and charities.

While outsourcing is not in itself problematic, there still needs to be some capability in-house to set the requirements, make informed choices and ensure the contracted resource is effective.

Embedding cyber security capability

Based on the government’s close engagement with industry and partners across the cyber security community, and the ambition to address the broader capability gap, the government has developed four new, clear cyber security skills objectives:

  1. To ensure the UK has a well structured and easy to navigate profession which represents, supports and drives excellence in the different cyber security specialisms, and is sustainable and responsive to change.
  2. To ensure the UK has education and training systems that provide the right building blocks to help identify, train and place new and untapped cyber security talent.
  3. To ensure the UK’s general workforce has the right blend and level of skills needed to achieve a secure digital economy, with UK-based organisations across all sectors equipped to make informed decisions about their cyber security risk management.
  4. To ensure the UK remains a global leader in cyber security with access to the best talent, with a public sector that leads by example in developing cyber security capability.

The government’s mission is to increase cyber security capability across all sectors to ensure that the UK has the right level and blend of skills required to maintain resilience to cyber threat and be the world’s leading digital economy.

To achieve these, the policy paper has outlined 21 proposals for embedding cyber security across the whole of the economy, including basic cyber security hygiene of employees and citizens, informed cyber security risk management of those who operate businesses or services, and the embedding of cyber security within professional disciplines across every sector.
