Coordinating public-private cooperation in UK cyber security strategy
Hugo Rosemont reviews current cyber security strategy, regulation and initiatives, calling for greater support for public-private engagement.
The UK Government’s Cyber Security Strategy of 2016 was an extremely welcome document because it recognised clearly, in line with other Government speeches and policy statements, that effective public-private cooperation is an essential component of tackling cyber attacks and crime conducted via digital means. Indeed, the emergence of such robust cooperation is arguably more essential in the area of cyber security than it is in any other field of security policy today, such is the level of dependency between the state and companies in protecting the digital commons.
The National Cyber Security Centre (NCSC)
Similarly, it was also a very welcome development that, flowing from the strategy, the National Cyber Security Centre (NCSC) established in October 2016 has been provided with a very clear mandate to ensure that all sectors of the economy – including but extending well beyond the Critical National Infrastructure (CNI) – are provided with additional support, advice and guidance to help realise the Government’s ambition that the UK should be the safest place to work and do business online.
More to do for optimum support structure
Despite these positive developments, there is more work to do to ensure that all sectors of the economy, including the CNI, receive greater support, and that public-private engagement on cyber security issues is improved: cooperation between Government departments and agencies (such as the NCSC) and different parts of the private sector is not yet optimally structured. In the same way that ‘Government’ is not a single entity, the structure of ‘industry’ in the UK is extremely disaggregated, not a homogeneous bloc. The UK’s cyber security strategy will therefore only be successful if it takes account of the diverse character of both Government and industry, and facilitates more effective coordination across different sectors and organisations.
Related directives and regulations
New regulations coming into force in the UK in May 2018 – specifically the security of Network and Information Systems (NIS) Directive and the General Data Protection Regulation (GDPR) – offer significant potential to strengthen cyber security across the CNI and the wider economy respectively. Whilst concerns exist around the late timing of the publication of practical guidance that can help companies implement their provisions, and clarity emerging only recently in the case of NIS around which organisations will regulate the cyber security arrangements of the relevant companies, they are important because they promise to place on a much more formalised footing the need to develop cyber security as a core part of any business’s operations.
Skilled individuals needed
It will be important to ensure against this backdrop, and in the context of rapid technological evolution, that regulators develop, or are able to draw upon, a sufficiently skilled cadre of individuals who can help them fulfil their responsibilities. More generally, it is imperative that the UK does not accidentally introduce a suboptimal system of compliance that diverges largely from arrangements elsewhere, or that resembles a superficial ‘box-ticking’ culture. Provided that in its implementation the Government and nominated regulators engage with the realities of business models operating across industry, the NIS Directive in particular offers an excellent opportunity to strengthen resilience across the UK’s essential services. Much will come down to how companies themselves choose to invest in, and implement their own security measures.
Limited resources are available in Government to help cover any cyber security costs bearing upon the private sector, with the £1.9bn UK cyber security budget largely allocated elsewhere, so it remains Government policy to see the costs ‘lie where they fall’. It is important for policymakers to understand, however, that industrial investment is also constrained. It is for this reason that there would be benefits in designing, developing and then delivering alongside this new regulatory framework a more agile, nimble and collegiate system of collaboration that can bring together in a more coordinated way the multiple stakeholders across both the public and private sectors that all play important roles in effective cyber security.
Enabling dialogue between key actors – including the private sector
In particular, there is now an opportunity to design a more structured system that can systemise dialogue between Government departments and agencies (such the NCSC), operational security actors (such as the CNI), the Regulators of Industries (such as Ofcom and Ofgem), and the UK cyber security industry – some of the world’s most innovative security suppliers. Historically, security industry engagement with technology innovators has mainly been conducted by Government for Government purposes; in its engagements with the CNI it has tended to decline to involve companies supplying technical solutions directly. The time is right to join this dialogue because the digital capabilities developed by suppliers are as relevant (if not more so) to protecting CNI operators and the wider economy as they are to Government and law enforcement agencies, yet there is a shortage of strategic dialogue between the respective communities.
Strengthening the framework under development for public-private cyber security cooperation in the UK is now an urgent priority in the context of the potential vulnerability of national infrastructure to attacks in this domain by state and non-state actors. Placing an emphasis on developing a more coordinated, whole-of-government and industry approach to the implementation of the UK’s cyber security strategy is the next logical step.
Dr Hugo Rosemont
Director of Security and Resilience, ADS Group