16 May 2022

Ministry of Defence releases new Cyber Resilience Strategy for Defence

techUK has produced a summary of the Cyber Resilience Strategy for Defence, which was published in early May.

The risk of cyber-attack is amongst the highest that is managed by the Defence Board, and it requires a collective response to address it. Becoming cyber resilient is the first challenging milestone. Remaining resilient will require constant appraisal of the UK and its adversaries. The MOD is dedicated to developing and exploiting technologies and will work together with industry, wider government, allies, and partners to maximise collective capabilities.

Diagnosis: Where Defence is today

Defence’s purpose is to “protect the people of the United Kingdom, prevent conflict and be ready to fight our enemies”. Defence has a key role to play in underpinning the UK’s legitimacy and authority as a cyber power by contributing to the National Cyber Strategy and the Government Cyber Security Strategy.

In a world fundamentally shaped by technology, delivering Defence’s purpose depends upon the UK’s resilience to cyber-attack. While Defence has made notable progress in recent years, there remains a significant gap between cyber resilience today and where it needs to be. This gap is brought into sharp focus by the sheer volume of cyber-attacks that the government sector experiences from a range of malicious threat actors.

The strategy’s vision is therefore to build a cyber resilient defence to ensure that Defence can continue to deliver its purpose and support the national effort of strengthening the UK in the cyber domain and cement its authority as a democratic and responsible cyber power.

To achieve its vision, the strategy pursues a central aim – for Defence’s critical functions to be significantly hardened to cyber-attack by 2026, with all Defence organisations resilient to known vulnerabilities and attack methods no later than 2030.

The funding provided through the Integrated Review will deliver core capabilities, but it will not fund the totality of the demand necessary to achieve the aim. Defence organisations will need to collaborate with Defence Digital to define the resilience required to deliver the defence outcomes before reviewing the resource options and balancing the cyber risks posed by the adapting threats.

Factors driving the need to change:

  • Developing threats
  • Evolving environments
  • Advancing technology

Factors that must be overcome:

  • Misaligned culture
  • Endemic obsolescence
  • Inadequate cyber resilience

Strategic Priorities: Where Defence needs to be

Defence’s approach to achieving the aim is centred around seven strategic priorities, each broken down into a series of outcomes. The outcomes are divided between those that will be led by Defence Digital and those that contributors from across the Defence organisations will need to proactively address.

  1. Secure by Design: capabilities are inherently protected from the outset throughout their lifecycle, built to be resilient against cyber-attacks with pre-planned recovery measures in place.
  2. Governance, Risk and Compliance: risk management approaches provide good governance that drives change and achieves compliance.
  3. Rapidly Detect and Respond: integrated cyber defences cover critical functions providing the ability to detect and respond to cyber-attacks.
  4. People and Culture: the people in Defence are cyber aware, exhibiting the appropriate behaviours that form a positive culture and embed cyber resilience across Defence’s outputs.
  5. Industry: MOD’s relationship with industry is enhanced, allowing it to achieve improved supply chain security and resilience outcomes.
  6. Secure Foundations: the entire digital enterprise incorporates security controls, supported by people and processes, that make it resilient to cyber-attacks.
  7. Experimentation, Research and Innovation: approaches seize upon experimentation, research and innovation opportunities to ensure the MOD can stay ahead of the developing cyber threat.

Ways: How to achieve the strategic priorities

The delivery of the strategy will adopt the following guiding principles:

  1. Adaptive in the approach: adaptable to changing threats and risks, and able to manipulate technology using agile processes to assure Defence outcomes.
  2. Secure and resilient: every part of the digital environment will be built to incorporate inherent protection from, and resilience against, cyber-attack, routinely updated to maintain cyber security and designed to be interoperable with cyber defence capabilities through-life.
  3. Whole Force Effort: every person who interacts with the digital environment is responsible for protecting Defence against its adversaries. Every person is part of the UK’s cyber defences and has a role in protecting against malicious activity.
  4. Collaborative, integrated and cohesive: Defence must work ever closer with the National Cyber Security Centre, government, allies, partners and industry to counter emerging cyber threats together as a national effort.

Means: enablers and contributors to achieve the Ways

Enablers

  • Construction of the secure Digital Backbone
  • Successful delivery of the Defensive Cyber Programmes
  • Equipment capability programmes focusing on cyber security from the outset to make Defence capabilities secure by design
  • Embedding modern security ways of working and constructively challenging security preconceptions
  • Shift towards a new security relationship with industry
  • Acceleration of agile commercial constructs for the procurement of cyber capabilities
  • Development and employment of the cyber workforce with suitable cyber skills within Defence
  • Establishment of cyber defence organisations within the organisations of the contributors to the strategy
  • Creation and testing of operational resilience plans by the contributors to the strategy
  • Development of clear and agreed accountabilities for all aspects of cyber resilience

Contributors

  • Capability Sponsors, Senior Responsible Owners (SROs), Acquisition Organisations and Operating Authorities (OAs)
  • Leaders of functions and defence organisations
  • CIOs and security specialists of defence organisations
  • Operational commanders
  • Industry

The full strategy can be found here.