Security IT Summit | Forum Events Ltd

Posts Tagged: National Cyber Security Strategy

National Audit Office raises cyber security concerns

Stuart O'Brien

The National Audit Office (NAO) has revealed failings in the way the Cabinet Office established its current cyber security programme, with the government unclear whether it will meet programme objectives along with issues surrounding its cyber-attack strategy after 2021.

The UK has one of the world’s leading digital economies, the report asserts, making it more vulnerable to cyber-attacks from hostile countries, criminal gangs and individuals, which continue to increase and evolve as it becomes easier and cheaper to launch attacks.

The National Cyber Security Strategy 2016 (the Strategy) outlines how the government aims to make the UK more secure online. The £1.9 billion Strategy includes £1.3 billion of funding for the National Cyber Security Programme 2016-21 (the Programme) and the NAO report assesses progress just beyond the mid-point of the five-year Programme.

The Programme provides a focal point for cyber activity across government and has already led to some notable innovation, such as the establishment of the National Cyber Security Centre (NCSC).

The Programme has also reduced the UK’s vulnerability to specific attacks. For example, the NCSC developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK’s share of global phishing attacks falling from 5.3% to 2.2% in two years.

However, despite agreeing an overall approach to cyber security as part of the 2015 Strategic Defence and Security Review and Spending Review, the NAO says the Cabinet Office did not produce a business case for the Programme before it was launched.

The NAO says it is unclear whether the Cabinet Office will achieve the Strategy’s wider strategic outcomes by 2021. This is partly due to the difficulty of dealing with a complex and evolving cyber threat but also because it has not assessed whether the £1.9 billion of funding was ever sufficient. It has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the Strategy but does not yet know when these might be achieved.

The NAO recommends that, going forward, the Cabinet Office establishes which areas of the Programme are having the greatest impact and are most important to address, and focuses its resources there until 2021. Building on existing work, it should consult widely and develop a strategy for UK cyber security after 2021 which clearly sets out which work should be centrally-funded, which are private sector responsibilities and which are core departmental activities. It should also consider more flexible approaches to cyber security that involve a mixture of shorter programmes, so that it can be more responsive to changing risks.

“Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services,” said Amyas Morse, Head of the NAO. 

“The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”

Under lock and key: how can the public sector keep data safe?

Stuart O'Brien

Dan Panesar, VP EMEA, Certes Networks

The public sector faces intense public scrutiny, especially when it comes to cybersecurity.

However, the launch of the National Cyber Security Centre (NCSC) in 2016 suggests that the sector is beginning to take the issue of cybersecurity seriously, marking the Government’s commitment to making the UK a safe place to live and work online.

And it’s not just public scrutiny the sector has to contend with: the global digital revolution means that changes are happening rapidly, and technology adoption is not happening as quickly as it should.

On top of this, the public sector has numerous regulatory and Information Assurance (IA) based obligations they are required to fulfil, making some organisations within the sector too scared to make changes or enforce new policies for fear of breaking the rules. 

Restricted budgets, small teams and intense workloads can often make cybersecurity a low priority. Rather than enforcing and developing proactive, robust strategies to keep the organisation’s data safe, teams end up working reactively to mitigate threats as they arise. Not to mention the complex and wide-reaching nature of public sector organisations, making coordinating the array of essential services, stakeholders and functions a near impossible task. 

Keeping up with digital change 

The digital transformation means that traditional connectivity solutions are being replaced to reflect cloud deployments, network function virtualisation and the ability to deploy meaningful orchestration-based management. To reflect the uptake of digital and online services, public sector networks are expected to grow at 15-25% per year; in order to keep up with this demand, users are becoming increasingly reliant on both high-speed and high-availability transport networks, whether they are MPLS, SD-WAN, 5G or a combination of networks, to deliver information when and where needed.

In the not so distant future, dependency on traditional hardware will become more challenging as additional capacity means the user may have to continuously upgrade its network to reflect growth. However, current and conventional approaches to data protection create numerous challenges particularly around scalability, performance, complexity, key management and key rotation.

Don’t shy away from new technology

The public sector needs to start embracing new technology; the prospect of digital transformation should be exciting, rather than daunting. As a sector with a reputation for being slow to adopt mobile technology, potentially due to concerns over its lack of security, there is a tendency to instead lock down data and restrict the use of technology altogether. However, this just isn’t sustainable, and a lack of mobile technology won’t keep the hackers out. 

If changes don’t happen soon, the public sector will get left behind. To keep up, it needs to recognise that a digital network with a mix of connected users, devices and applications does not need to make an organisation vulnerable, no matter how complex it may be. Flexibility and digital agility are undoubtedly at the top of every government’s agenda, making it essential for organisations to embrace the technology available. However, instead of adopting technology that attempts to secure each entity itself, or worse, layering technology on top of technology with a security solution tied into the network, organisations need to focus on what’s really important – and that’s Information Assurance (IA). In order for organisations in the public sector to really be secure, rather than securing the network, the focus needs to be on protecting the data.

An organisation’s biggest asset

Data is arguably an organisation’s biggest asset; it’s the crown jewels that must be protected, and what the hackers will inevitably set their sights on when planning an attack. In reality, a fine won’t be enforced under regulations such as the General Data Protection Regulation (GDPR) for a breach to an organisation’s network; the fine comes into play when a breach results in data being lost or stolen. That’s the difference in value between an organisation’s network and its data. 

And the fact is, the public sector is quickly becoming a prime target for hackers. But how can organisations ensure their data is really protected? Firstly, organisations need to move to a data-centric, IA security model underpinned by a robust and strategic security overlay, on top of an organisation’s existing network and independent of the underlying transport infrastructure, making the network itself irrelevant. A software-defined security overlay enables a centralised orchestration of IA policy and by centrally enforcing capabilities such as software-defined application segmentation using cryptography, key management and rotation, data is protected in its entirety on its journey across whatever network or transport it goes across. 

For the public sector, this means organisations no longer need to fear technology; each application on the network and the data it holds will be kept secure, irrespective of any changes made. Furthermore, if a data breach does occur, as long as it’s encrypted it will be rendered useless to hackers, mitigating the potentially damaging consequences of a breach.

Quite simply, cybersecurity must be at the forefront of business strategy. Public sector organisations need to embrace technology, coupled with the right security architecture, or risk being left behind. 

UK begins cybersecurity diversity drive

Stuart O'Brien

Four new projects across England to encourage more women, BAME, and neurodiverse candidates into a career in cyber security have been announced by Digital Minister Margot James.

They will each jointly benefit from a total investment of at least £500,000 as part of the next round of the Cyber Skills Immediate Impact Fund (CSIIF).

The aim of the Fund is to boost not only the total number, but the diversity of those working in the UK’s cyber security industry. The government says the initiative will help organisations develop and sustain projects that identify, train and place untapped talent from a range of backgrounds into cyber security roles quickly.

The projects receiving funding are:

Crucial Academy: Diversity in Cyber Security – This initiative based in Brighton looks to retrain veterans in cyber security, in particular focusing on women, neurodiverse candidates and BAME individuals.

QA: Cyber Software Academy for Women – This project running in London, Bristol, and Manchester will train and place a cohort of women into cyber development job roles within industry. An additional cohort will also be trained in Birmingham as part of the West Midlands Combined Authority Skills Deal.

Blue Screen IT: HACKED – This Plymouth based initiative will scale up an already existing programme which identifies, trains, and places individuals, including neurodiverse candidates, those with special needs and those from disadvantaged backgrounds into a cyber security career.

Hacker House Ltd: Hands on Hacking, Training and Employer Portal – This project based online will develop a portal allowing for an increased number of people to be trained and then engage with employers.

The CSIIF pilot was launched in February 2018 and was open to initiatives delivered in England. The Fund is one of a range of initiatives designed in support of the National Cyber Security Strategy’s aim of developing a sustainable supply of home-grown cyber security talent in the UK.

Digital Minister Margot James said: “Our cyber security industry is thriving but to support this growing success we need a skilled and diverse workforce to match. These latest projects show that whatever your background, ethnicity or sex, there are opportunities to join the cyber security profession. We want to demonstrate that you can have a dynamic and exciting career in a sector that sits at the heart of our economy, and is a key part of our modern Industrial Strategy.”

UK universities recognised for excellence in cyber security research

Stuart O'Brien

Three UK universities have been recognised as Academic Centres of Excellence in Cyber Security Research (ACE-CSR).

The National Cyber Security Centre (NCSC) and the Engineering and Physical Sciences Research Council (EPSRC) have identified the University of Kent, King’s College London, and Cardiff University as having first-rate research with scale and impact.

The universities will now join 14 other institutions in a scheme forming part of the Government’s National Cyber Security Strategy, which is making the UK the safest place to be online and helping to support the country’s thriving digital economy.

The universities will now have the opportunity to bid for funding to develop cutting-edge research in cyber security, including at Doctoral level, as well as attend annual conferences and workshops.

The scheme aims to create a better understanding of the strength of the UK’s academic capability in cyber security and identify areas where there are research opportunities or technical gaps. It makes collaboration between academia, business and government easier, and helps make sure cutting-edge research is turned into practical products and services. This includes developing tools to tackle mass marketing fraud online and better understand cyber criminals.

Minister for Digital Margot James said: “These universities are doing fantastic research in cyber security and they are rightly being recognised for their pioneering work. We have some of the best minds in the world working in the field and thanks to this scheme they can now help shape our National Cyber Security Strategy and develop the talent and services of tomorrow.”

Chris Ensor, Deputy Director for Cyber Security Skills and Growth at the NCSC, said: “The UK has world-class universities carrying out cutting edge research into all areas of cyber security. It’s fantastic to see three more universities recognised as Academic Centres of Excellence and I’m especially pleased that we now have centres in all home nations. The NCSC looks forward to collaborating with these institutions to make the UK the safest place to live and work online.”

Professor Pete Burnap, Professor of Data Science & Cybersecurity, and Director of the Airbus Centre of Excellence in Cybersecurity Analytics at Cardiff University said: “We are delighted to receive this recognition as it evidences our long track-record of research excellence in cyber security. Our core identity is the interdisciplinary fusion of artificial intelligence and cybersecurity, a concept we call Cyber Security Analytics. AI is at the heart of the UK government’s industrial strategy and our aim is to innovate with AI to improve automated cyber threat intelligence and support decision making and policy responses to make the UK more secure for individuals, business and the government. We are proud to be the first Welsh university to be recognised by NCSC for our cyber research capability, and we hope to build on the impressive expertise that already exists across the region between academia, government and business.”

Dr Jose M. Such, Director of the Centre, and Senior Lecturer in the Department of Informatics at King’s College London said: “We are thrilled to be recognised for the high-quality socio-technical cyber security research we conduct at King’s College London. This recognition acknowledges the critical and diverse mass of researchers working on this area at King’s from different but complementary angles and points of view. Our research focuses on three main research themes and their interrelationship: the use of AI for cyber security together with the cyber security of AI itself, the theoretical aspects of cyber security like verification and testing, and the socio-political and strategic aspects of cyber security.”

Shujun Li, Professor of Cyber Security and Director of the Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) at the University of Kent, said: “We are excited to be given the ACE-CSR status as an acknowledgement of the excellent research in cyber security at the University of Kent. Our research is truly interdisciplinary drawing on the expertise of colleagues from computer science and engineering as well as wider disciplines such as psychology, law, business and sociology. Our ambition is to have one of the largest and most productive cyber security research centres in the UK by 2022 as well as helping to grow the next-generation cyber security researchers.”

The ACE-CSR programme is supported by Government’s £1.9 billion National Cyber Security Strategy (NCSS) 2016-2021.

The institutions recognised as Academic Centres of Excellence in Cyber Security Research are:

  • University of Birmingham
  • University of Bristol
  • University of Cambridge
  • Cardiff University
  • University of Edinburgh
  • University of Kent
  • Imperial College London
  • King’s College London
  • Lancaster University
  • Newcastle University
  • University of Oxford
  • Queen’s University Belfast
  • Royal Holloway, University of London
  • University of Southampton
  • University of Surrey
  • University of Warwick
  • University College London

Nine graduates pass through NCSC Cyber Accelerator

Stuart O'Brien

A group of tech start-ups have become the latest to graduate from a Government initiative to advance the next generation of cyber security systems.

The nine-month GCHQ Cyber Accelerator (now renamed the NCSC Cyber Accelerator), delivered in partnership with Wayra UK, part of Telefónica Open Future, saw nine companies develop cutting-edge products and services to help enhance the UK’s cyber defences.

Part of the UK Government’s £1.9bn National Cyber Security Strategy and the Cheltenham Innovation Centre, the Accelerator is a collaboration between the Department for Digital, Culture, Media and Sport (DCMS), GCHQ, National Cyber Security Centre (NCSC), and Wayra UK and aims to drive innovation in the cyber security sector.

Firms selected to take part in the second round had access to personnel and technical expertise at the NCSC and GCHQ, as well as the Telefónica global business network. They also received £25,000 in funding, high-quality mentoring and office space.

Innovations developed include a cloud service solution to connect Internet of Things devices with end-to-end authenticated, encrypted security and a service to solve the problem of age verification and parental consent for young adults and children in online transactions.

Companies who took part were Cybershield, Secure Code Warrior, RazorSecure, Elliptic, Intruder, Trust Elevate, Warden, Ioetec and ExactTrak.

NCSC, DCMS and Wayra UK will soon be calling for cyber start-ups to join the third round of the programme – now renamed to the NCSC Cyber Accelerator – to help address some of cyber space’s key challenges.

Innovative entrepreneurs and start-ups can now register interest in participating in the nine-month programme, which will include ten innovative, agile companies in 2018/19.

Secretary of State for Digital, Culture, Media and Sport, Matt Hancock, said: “With so much of our daily lives connected to the internet, it is vital the UK leads the way on cyber security to fulfil our ambition of making Britain the safest place in the world to be online.

“The NCSC Cyber Accelerator programme is a great example of government, industry and tech start-ups coming together to benefit from the advice of world-class experts and tackle cyber crime.”

Chris Ensor, NCSC Deputy Director for Cyber Skills and Growth, said: “On behalf of the NCSC, I would like to congratulate the second cohort on their completion of the Accelerator.

“It has been exciting to collaborate with such innovative start-ups, tackling such a broad range of problems.

“I’m really pleased that Wayra UK will continue to be our partner. I look forward to working with them and meeting more pioneering entrepreneurs as we launch the next cohort.”

Gary Stewart, Director of Wayra UK, said: “We are really pleased to be continuing our partnership with GCHQ. It’s one of our most strategic and successful partnerships.

“Indeed, our first two cohorts have raised more than £20 million in funding, have created 19 British jobs and have won 15 trials and contracts worth over £3 million. And this has been just in the last 18 months.”