The Cabinet Office last week published its Interim Cyber Security Science and Technology Strategy: Future-Proofing Cyber Security. Through the National Cyber Security Strategy (NCSS), the Government committed itself to publishing a detailed Cyber Science and Technology Strategy that would “(identify) areas of science and technology that the Government, industry and academia consider to be important and identify gaps in the UK’s current capacity to address them.” This strategy therefore focuses on how the UK Government will integrate the identification of emerging technologies and future technologies into its cyber security policy making.
The strategy maps out a response based on the need for the UK to maintain the scientific and technological capability needed to stay ahead of the curve in terms of risk factors, drive growth in the UK cyber security market and inform policymakers sufficiently to drive a sensible policy agenda in the cyber space.
The strategy has three key objectives, to:
- Identify the technology areas that will have the most impact on cyber security
- Develop the Government’s policy response to these technology areas and develop an expertise base in Government, academia and industry.
- Assess whether the UK is sufficiently responding to cyber security science and technology developments.
These objectives are designed to ensure that the UK maintains a sufficient level of expertise and capability needed to meet its security needs, producing a single authoritative voice on the current state of play and ensuring the right relationships between key stakeholders, such as the cyber security sector, support and drive improvements in UK capability within both the policy and technological frameworks.
The document does not form a research strategy, but focuses on how emerging and future technologies will affect and integrate within the UK Government’s approach to policymaking in the cyber security sector.
Obviously, these emerging technologies present great opportunities for the UK sector in terms of growth and innovation and the strategy seeks to balance and encourage these whilst mitigating the threats posed, building trust amongst the general public and ensuring the UK skills gap is bridged significantly.
Part One of the strategy aims to identify a number of significant, developing technologies and trends most likely to affect the cyber security of the country. These include issues such as the decreasing costs of processing power, the growing use of cloud, the proliferation of devices with sensors and the convergence of enterprise systems with Operational Technology such as industrial control systems. The strategy then goes on to identify four key areas that are considered as game changers for cyber security:
- Internet of Things (IoT) and Smart Cities: the continued use of connected devices, and their growth in areas such as smart-clothing, medical devices and smart infrastructure present a number of cyber security challenges such as the building of these networks and devices with security by default in mind and the identity management, authentication and authorisation of end point devices
- Data and Information: The ubiquity of connected devices will generate reams of data, with associated risks and opportunities. How will this data be controlled, who has access to it and how will it be stored, protected and disposed of? All of these questions need to be addressed in order for the public to trust that their data is being handled correctly.
- Automation, Machine-learning and Artificial Intelligence (AI): AI has the potential to greatly improve productivity, and there will be opportunities to use AI as a key tool in identifying and responding to cyber security threats.
- Human Computer Interaction: Even with automation and augmentation, there will be a need for human decision making through interaction with machines, or Human Computer Interaction. Visual user interfaces are ubiquitous, in desktop computers, laptops, tablets and mobile phones as well as other electronic devices. For cyber security, this will have implications as human vulnerabilities will be increasingly introduced to networks and strong authentication will be critical.
The strategy also recognises other technological developments that have cyber security implications, for example the development of quantum technologies and fintech are dependent on cyber security. The strategy focuses on other areas to the exclusion of these since effective UK Government interventions are already ongoing (for example, the Quantum Technology Programme) or because they anticipate the market to deliver solutions (in the example of fintech).
The technologies outlined above offer real tangible opportunities for UK society in general and the UK economy. However, to achieve large scale adoption and world leading status in these areas, trust and confidence in these technologies must be fostered.
Part Two of the strategy pitches the Government’s initial thoughts on how to weave the emerging technologies highlighted in Part One into the UK policy framework, focusing on five key areas:
- Growth and Innovation: the Strategy recognises that a growing, innovative and thriving cyber security sector will help keep the UK a secure place to do business. It therefore commits the Government to be cognisant of these emerging technologies when delivering on the cyber security growth, research and innovation interventions outlined in the National Cyber Security Strategy. For example, they will look to include issues related to emerging technologies in the ‘challenge list’ that the Cyber Security Innovation Centres will address as well as ensuring that the cyber ‘Proving Ground’ initiative and Research Institutes address these emerging technology challenges by testing new solutions and helping prepare them for use across the economy
- Creating Secure, Trusted Technologies: this strand of the Strategy is focused on embedding security in technology and networks at the design stage rather than requiring people and organisations to take action once they are in use. This therefore includes the Department for Culture, Media and Sport’s (DCMS) ‘Secure by Default’ review, which examines how Government can work with industry to incentivise the adoption of ‘secure by default’ design in devices that could be hijacked or breached leading to data leaks or destabilised networks. Through this, DCMS will work with other departments (e.g. BEIS for the energy sector) and international partners as well as seeking guidance from the National Cyber Security Centre (NCSC). Focus areas include medical devices and Connected and Autonomous Vehicles.
- Skills: the Strategy clearly recognises that growing the UK’s cyber skills base is crucial to ensuring that the UK is able to address emerging technology challenges and build the underlying research capability that it needs to identify and respond to the next wave of technological developments. A number of areas are therefore highlighted as examples of progress, such as the inclusion of modules that look at emerging technologies in the Government’s Cyber Schools Programme. Furthermore, the training content for the Government’s Apprenticeship Programme (and other cyber apprenticeships) will highlight sector specific needs related to key emerging technologies in relation to operating technology and human-machine interface. Lastly, DCMS is developing a Cyber Skills Strategy that will address the need to develop skills for emerging technologies at all levels of education
- Helping Individuals and Organisations Secure Themselves: this strand of the Strategy aims to ensure that the public and all organisations, large and small, can protect themselves against the cyber threats from emerging technologies. This will be achieved through initiatives like Cyber Aware, and further research on the human behavioural vulnerabilities that cyber criminals can exploit in emerging technologies.
- Government Security: Finally, the Strategy recognises the challenge of how to use innovation and experimental technologies whilst ensuring that security is built into the development of citizen facing products and services. As security is transformed and strengthened across all UK departments, the Strategy will aim to ensure that policies and processes are designed and delivered to take the security needs of emerging technologies into account. This ranges from IoT technologies, which could pave the way for more connected devices to securely share data from within government buildings, to updating policies in response to the increasing use of the cloud to store governmental data. A first step in achieving this is making sure that all UK Government issued IT and digital devices are secure by default and that any new technologies and digital services deployed by the UK Government will be secure by default. Government will also build cyber security into all services to a baseline minimum standard, whilst continuing to review cyber critical infrastructure to ensure that data of high levels of importance is secure.
These areas all chime significantly with the goal of the National Cyber Security Strategy to make the UK the safest place to do business online and to grow the cyber security industry in the UK.
This section focuses on the National Cyber Security Centre (NCSC) becoming the single authoritative voice for cyber security science and technology in the UK. The NCSC will begin to publish regular advice on emerging technologies and will work with experts across the UK Government, industry and academia. In taking on this role, the UK Government aims to overcome the complex challenges which often pose real difficulties for government departments in integrating horizon scanning activities into policymaking due to a lack of technical expertise within their departments. In this, the NCSC will take advice from a range of experts, including industry and academia, to ensure that it has access to the very best minds.
The final section focuses again on the need for the UK to ensure it has a strong skills base in the cyber sector. Going forward, the NCSC will work with experts in industry and academia to regularly assess the sufficiency of the UK’s cyber security knowledge and expertise, identifying gaps that pose a risk to national security and working with DCMS to bring about the necessary new capabilities in the required timeframe. As part of this work, DCMS will develop a Cyber Security Research Plan, working with NCSC, academia, industry, and other Government departments, the Devolved Administrations, local government, UKRI and funding bodies. This will set out priority areas for Government supported research in the national interest. It will also ensure coordination of activity across the various bodies and determine the sufficiency of existing UK Government levers to achieve this, including how much Government funding should be allocated to cyber security research. This plan will be subject to regular review.
Part Four of the Strategy is focused on how the Government’s performance in this area will be assessed. It states that independent assurance will be designed in, making sure that the Government’s horizon scanning capabilities are truly comprehensive. NCSC will develop its views through public consultation and the conclusions will be reviewed by an independent panel of experts, to assure that both the process and substance are right. To make sure that the NCSC’s views are taken into account in policy making, Government departments will be required to account to a panel chaired by the Government Chief Scientific Adviser on the extent to which they have incorporated NCSC’s guidance and scientific best practice into their policy making.
The success of the Strategy will be measured against the following objectives:
- The NCSC regularly publishes high quality, authoritative advice on the emerging technology trends that will be impactful on cyber security
- Cyber security policy making within departments is timely and informed by science and technology horizon scanning, particularly the advice from NCSC regarding key emerging technologies
- The UK has access to the level of cyber security expertise necessary to be able to understand the emerging technology challenges and inform the UK Government’s policy response
The Strategy also promises to use independent technologists from industry and academia to assure the quality and comprehensiveness of NCSC advice regarding key emerging technologies. It will use the established Science and Technology community in Whitehall, the NSC Sub Committee on Science and Technology and Chief Scientific Advisors to assure that policy making by UK Departments and Agencies is sufficiently influenced and informed by the NCSC’s technical advice. It will also regularly report on progress made as part of wider reporting on the UK Government’s performance in delivering the National Cyber Security Strategy.