26.06.17
The impact of the cyber security strategy on the public sector
Source: PSE Jun/Jul 17
Six months on from the announcement of the government’s National Cyber Security Strategy, Talal Rajab, head of programme – cyber and national security at techUK, analyses its approach so far and the extent of its impact on the public sector.
With the modernisation of public services being the cornerstone of the UK’s digital strategy, and the wider public sector holding larger quantities of data, the cyber threat to services is a topic that is at the forefront of the government’s National Cyber Security Strategy.
Published in November 2016, the strategy aims to ensure that all levels of government have the appropriate cyber security measures in place to retain the trust of citizens in online public services. Underpinned by a £1.9bn investment, it sets out how the UK will defend its citizens and businesses against growing cyber threats whilst acknowledging that previous government policies on cyber security have not achieved the scale and pace of change required to keep the nation’s public services safe.
It is clear why such a strategy is needed. Citizens must be confident in their use of online public services and if they feel that services such as health and social care are under threat, their use of them will decline. That is why, through the strategy, public sector organisations are required to adhere to appropriate cyber security standards. It is also the reason why, since the strategy was published, Government Digital Service, the Crown Commercial Service and the National Cyber Security Centre (NCSC) have been working to ensure that all new digital services built and procured by government have security built in by design.
Such an approach faces a number of different challenges, however. For example, government, like large organisations in the private sector, has highly complex and in many cases old networks and systems, which makes them harder to secure. These legacy systems, built decades ago, are difficult to defend against cyber-attacks as they run on unsupported software and carry unmanaged risks. We saw the danger that running such software can bring to public networks after the global ransomware attack that affected the NHS, with the continued use of Windows XP within the health sector highlighted as one of the key factors that enabled the ransomware to spread.
That is why government, through the NCSC, is working to ensure that there are no unmanaged risks from legacy systems and unsupported software. The NCSC, since its inception, has been influential in leading the post-incident response to cyber breaches in the public sector, co-ordinating cyber defences across Whitehall and within local government. As the details of the global ransomware attack became clearer earlier last month, it was the NCSC that led within government on providing immediate guidance and advice to public sector organisations. This not only helped companies affected by the ransomware attack, but also guided others that were susceptible towards measures that would help keep them secure.
The key to the NCSC’s success will rest, however, on how effective it will be in providing pre-emptive, rather than reactive, guidance and services. A great example is the ‘Web Check’ service that is being trialled on both central and local government departments by the NCSC. This web vulnerability scanning service has been provided to all public sector organisations, enabling them to better understand any vulnerabilities or misconfigurations in their services and helping them decide what to do about them. Such innovative initiatives, trialled on public sector bodies first before being rolled out to the private sector, will help organisations focus on delivering digital public services that have been tested for security by the NCSC.
Six months on from the publication of the National Cyber Security Strategy, and a few months after the launch of the NCSC, it is clear that government remains committed to improving both public sector cyber resilience and the UK’s ability to effectively respond to cyber-attacks. It remains to be seen whether, five years on from the publication of the strategy, government digital services will be secure by default with legacy systems effectively managed. What we can say, however, is that the creation of the NCSC and the initial work that it has done has set us in the right direction and helped make the UK a safe place to deliver and consume public services online.
FOR MORE INFORMATION
W: www.techuk.org