Professional Documents
Culture Documents
National Cybersecurity Strategy 2022 For UK
National Cybersecurity Strategy 2022 For UK
National Cybersecurity Strategy 2022 For UK
Cyber
Strategy 2022
Pioneering a cyber future with
the whole of the UK
National
Cyber
Strategy 2022
Pioneering a cyber future with
the whole of the UK
Contents
Foreword8
Introduction10
The opportunities and challenges of the digital age 10
Our vision: cyber power in support of national goals 11
The five pillars of our strategy 13
Part 1: Strategy 16
Strategic Context 17
Global Britain in a Competitive Age 17
The cyber landscape 17
Cyber power 20
The UK as a cyber power today 20
Drivers of change 29
Part 2: Implementation 46
Pillar 1: UK Cyber Ecosystem 48
Strengthening the UK’s cyber ecosystem 49
Objective 1: Support a whole-of-society approach50
Objective 2: Enhance skills and diversity54
Objective 3: Foster growth and innovation58
5
Pillar 2: Cyber Resilience 64
Building a resilient and prosperous digital UK 65
Objective 1: Understand cyber risk 68
Objective 2: Prevent and resist cyber attacks 70
Objective 3: Prepare, respond and recover 74
26
40
42
44
52
56
60
80
84
103
108
110
7
Foreword
The United Kingdom is an open and The new National Cyber Strategy is
democratic society, whose record our plan to ensure that the UK remains
in collaboration and innovation confident, capable and resilient in this
underpins our success as an outward- fast-moving digital world; and that we
looking global nation. We see this in continue to adapt, innovate and invest
our response to international health in order to protect and promote our
emergencies and in our promotion interests in cyberspace.
of Net Zero targets. But nowhere are
the advantages of this approach more Taking over where the pioneering
evident than in cyber. National Cyber Security Strategy of
2016 leaves off, this next chapter leads
Whether it’s realising the wide-ranging us into a future where the UK is even
benefits that cyber offers our citizens more resilient to cyber attack. As lead
and our economy as we level up and minister, I am clear about two of its core
unite the entire country; working with aims: first that we should strengthen
partners towards a cyberspace that our hand in technologies that are critical
reflects our national values or using to cyber; second, that we should limit
the full extent of our cyber capability to our reliance on individual suppliers or
influence global events, the UK sees technologies which are developed under
cyber as a way to protect and promote regimes that do not share our values.
our interests in a landscape being
reshaped by technology.
9
Introduction
The opportunities and 2. The scale and speed of this change –
often outpacing our social norms, laws,
challenges of the digital age and democratic institutions – is also
unleashing unprecedented complexity,
1. Exponential advances in technology
instability and risk. The past year has
combined with decreasing costs have
seen cyber attacks on hospitals and
made the world more connected
oil pipelines, schools and businesses,
than ever before, driving extraordinary
some brought to a standstill by
opportunity, innovation and progress.
ransomware, and commercial spyware
The coronavirus (COVID-19) pandemic
used to target activists, journalists
has accelerated this trend, but we
and politicians. The transnational
are likely still in the early stages of a
nature of cyberspace means these
long-term structural shift. The global
challenges cannot be addressed without
expansion of cyberspace is changing
international collaboration, but it is
the way we live, work and communicate,
also an increasingly important arena of
and transforming the critical systems
systemic competition and the clash of
we rely on in areas such as finance,
competing interests, values and visions
energy, food distribution, healthcare
of our global future.
and transport. In short, cyberspace is
now integral to our future security and
prosperity. This offers extraordinary
opportunities for technologically
advanced countries like the UK to
pursue their national goals in new ways.
11
12 National Cyber Strategy
The five pillars of • Pillar 4: Advancing UK global
leadership and influence for a
our strategy more secure, prosperous and
7. The Integrated Review set out five open international order, working
‘priority actions’ for this strategy and with government and industry
we will use these as the pillars of our partners and sharing the expertise
strategic framework, guiding and that underpins UK cyber power
organising the specific actions we will • Pillar 5: Detecting, disrupting
take and the outcomes we intend to and deterring our adversaries
achieve by 2025: to enhance UK security in and
through cyberspace, making more
• Pillar 1: Strengthening the UK
integrated, creative and routine use
cyber ecosystem, investing in our
of the UK’s full spectrum of levers
people and skills and deepening the
partnership between government, 8. Part 1 of this document sets out
academia and industry the strategic context we are operating
• Pillar 2: Building a resilient and in, the goals of our strategy, and the
prosperous digital UK, reducing strategic approach we will adopt over
cyber risks so businesses can the coming decade. Part 2 sets out the
maximise the economic benefits of specific actions we will take to deliver
digital technology and citizens are our goals to 2025, organised under
more secure online and confident these five pillars.
that their data is protected
13
Vision
The UK in 2030 will continue to be a
leading responsible and democratic
cyber power, able to protect and
promote our interests in and through
cyberspace in support of national goals.
15
Part 1:
Strategy
17
Layers of Cyberspace
What is cyberspace?
To many of us, cyberspace is the
virtual world we experience when
we go online to communicate, work
and conduct everyday tasks. In
technical terms, cyberspace is the
interdependent network of information • Email accounts
technology that includes the internet, • Gaming profiles
telecommunications networks, • Social Media account
computer systems and internet- • Bank account login
connected devices. For the military, Online • Contactless travel
and when considering our efforts to card ID
experience
counter threats in cyberspace, it is an • Fitness tracker profile
operational domain, along with land,
sea, air and space.
• Enterprise IT systems
How is cyberspace experienced?
• Databases, e.g.
Cyberspace is, by definition, a ‘shared’
HMRCs tax records
space and its scale and complexity
• Industrial control systems
means that every person’s experience of
it is unique. Citizens access cyberspace • Windows/OS
when they check their bank accounts • Apps, eg WhatsApp,
online or stream a film at home. Software, Facebook, TikTok
Businesses use cyberspace to connect systems • Programming
their staff with the resources they need, and data languages, Python,
whether this is access to information or C++
control over a manufacturing process.
Governments provide public services to
their citizens using online portals. Cyber • Routers, Hubs
professionals look ‘under the hood’ at • Servers
the technology, standards and protocols • WiFi, Ethernet
that make it all ‘just work’ for users. All • Radio Antennas
these groups use cyberspace in different • Smart fridges
ways and for different purposes, and we Physical • Contactless travel
are all making an ever-greater use of it. devices and card reader
communication • Phones, PCs and
other personal devices
Virtual
The part of cyberspace most people experience. It consists of
representations of people and organisations through a virtual identity
Logical
The part of cyberspace made up of code or data, such as
operating systems, protocols, applications and other software.
The logical layer cannot function without the physical layer and
information flows through wired networks or the electromagnetic
spectrum. The logical layer, along with the physical layer allow
virtual identities to communicate and act.
Physical
The physical layer of cyberspace includes all the hardware on which
data is transmitted, from the routers, wires and hubs that you have in
your home, to large complex telecommunications systems operated
by big tech companies. As well as physical infrastructure it includes
the electromagnetic spectrum on which data is transmitted, such as
WiFi and radio.
19
Cyber power 13. Cyber power is distinct from more
traditional forms of power. It involves
12. At the heart of our strategy is the seamlessly blending hard capabilities
concept of cyber power, which we and softer levers of influence. It is
define as the ability of a state to protect more distributed and governments
and promote its interests in and through must work with partners in order to
cyberspace. We identify five broad attain and exercise it. And the pace of
dimensions of cyber power which align technological change means that it can
to the pillars of this strategy: be gained and lost more quickly, as
previously cutting edge capabilities are
• The people, knowledge, skills, rendered obsolete by new advances.
structures and partnerships that
are the foundation of our cyber 14. Our strategy reflects this, describing
power, underpinning all the other how we will work with partners
components and integrating them wherever we can as part of a whole-
into a national approach of-society effort. We will do more to
address problems upstream and fix
• The ability to protect our assets
root causes, anticipate future trends
through cyber security and resilience,
and put in place long-term responses,
in order to realise the full benefits
and be more active in shaping rather
that cyberspace offers to our
than responding to the contested
citizens and economy
geopolitical environment.
• The technical and industrial
capabilities to maintain a stake in the The UK as a cyber
evolution of key cyber technologies power today
and deploy new advances in the
interests of society 15. The UK is already a leading cyber
power.1 Over the past decade the
• The global influence, relationships
government has led a sustained national
and ethical standards to shape rules
effort to strengthen the UK’s cyber
and norms in cyberspace in line with
security, raise public awareness of cyber
our values and interests and promote
risks, grow the cyber security sector,
international security and stability
and develop a wide range of capabilities
• The ability to take action in and through cyberspace to respond to
through cyberspace to support threats from hostile actors. While we
national security, economic wellbeing have made great progress and put
and crime prevention. This includes ourselves in a strong position we still
cyber operations to deliver real world face significant challenges across the
effect, and to help achieve strategic five pillars of this strategy.
advantage, and law enforcement
operations and the application of
cyber sanctions to bring malicious
cyber actors criminals to justice and
disrupt their activities
1
Ranked second in the International Telecommunication Union’s Global Cyber Security Index, third in
the Harvard Belfer Center’s Cyber Power Index and in the second tier of the International Institute of
Strategic Studies’ Cyber Power capability assessment.
2
DCMS, Cyber security skills in the UK labour market 2021 (2021)
21
20. Our most innovative and made across the health sector,
groundbreaking efforts have been to including the implementation of the
take action at scale, including through NIS regulations.
the development and increasing roll-
out of the Active Cyber Defence (ACD) 22. We have provided comprehensive
programme. Last year it took down cyber security advice and guidance to
2.3 million malicious campaigns – organisations in the wider economy,
including 442 phishing campaigns using and tailored support to critical sectors
NHS branding and 80 illegitimate NHS during the coronavirus (COVID-19). For
apps hosted and available to download the public, our Cyber Aware campaign
outside of official app stores.3 We also has provided advice on the steps they
took the lead globally in pushing for can take to protect themselves online.
connectable consumer products to be When cyber attacks have got through
‘secure by design’, developing a UK we have used our world-leading incident
code of practice in 2018 that inspired response capabilities to provide direct
others to follow and informed the first support in the most serious cases and
globally-applicable industry standard on our investment in local law enforcement
internet-connected consumer devices.4 5 specialists means that every reported
incident now receives a response.
21. New regulation has had a positive
impact on cyber security, with 82% of 23. We have established specialist law
organisations saying the improvements enforcement cyber units the UK, and
they had made were influenced by the alongside this the cyber PROTECT
introduction of the UK General Data network, Economic Crime Victims Care
Protection Regulation in 2018.6 And Unit and regional Cyber Resilience
77% of businesses now see cyber Centres. These initiatives mean that
security as a high priority, an increase for citizens and small-to-medium-sized
of 12% since 2016.7 The introduction organisations there is someone nearby
of the Network & Information Systems or easily contactable who has the right
Regulations (‘NIS regulations’) in 2018 skills and local knowledge to provide
also led to designated organisations support and guidance to improve your
taking measures to better ensure cyber resilience.
the security of their networks and
24. However, we have growing
information systems, leading to a
evidence of gaps in our national
reduction in the cyber risks posed
resilience, with levels of cyber crime
to essential services and important
and breaches affecting government,
digital services.8 A good example of
businesses and individuals continuing
collaboration across the four nations
to rise as well as cyber-enabled crime,
of the UK has been the improvements
3
NCSC, NCSC Annual Review 2021 (2021)
4
DCMS, Code of Practice for Consumer IoT Security (2018)
5
DCMS, ETSI industry standard based on the Code of Practice (2019)
6
DCMS/RSM, The impact of GDPR on cyber security outcomes (2020); The General Data Protection
Regulation (GDPR) that was introduced into UK law in 2018 has now been replaced by the UK GDPR)
7
DCMS, Cyber Security Breaches Survey 2021 (2021)
8
DCMS, Post-Implementation Review of the Network and Information Systems Regulations 2018
(2020)
9
Defined as Computer Misuse Act offences
10
ONS, Crime in England and Wales: year ending June 2021 (2021)
11
DCMS, Cyber Security Breaches Survey 2021 (2021)
23
Countering cyber threats 30. Government has taken steps
to the UK and deterring our to counter these growing threats.
Significant investment in our intelligence
adversaries
capabilities has increased our
29. The threats we face in and through understanding of the threat and enabled
cyberspace have grown in intensity, us to conduct more effective covert
complexity and severity in recent years. counter campaigns. We have developed
Cyber attacks against the UK are an integrated law enforcement response
conducted by an expanding range of to cyber crime, led by the National
state actors, criminal groups (sometimes Crime Agency (NCA) and dedicated
acting at the direction of states or with cyber teams within regional organised
their implicit approval) and activists for crime units and local police forces
the purpose of espionage, commercial across England, Wales, Northern Ireland
gain, sabotage and disinformation. Such and Scotland. This has enhanced our
attacks cause significant financial loss, operational and investigative edge over
intellectual property theft, psychological cyber criminals and other adversaries.
distress, disruption to services and The government is also strengthening
assets and risks to our critical national the security of the increasing number of
infrastructure, democratic institutions digital identity solutions, by developing
and media. They can also damage the UK digital identity and attributes trust
investor and consumer confidence and framework.13 This will also help to tackle
amplify existing inequalities and harms. crimes that involve misuse of identity
During the COVID-19 pandemic the data. And the NCA’s Cyber Choices
shadow pandemic of gender-based programme is helping people to make
violence was compounded by online more informed choices, diverting them
attacks. Ransomware attacks continue from criminality to use their cyber skills in
to become more sophisticated and a positive and legal way.
damaging. While the overall level of
31. We have invested significantly in
cyber threat from hostile actors during
our offensive cyber capabilities, first
the COVID-19 pandemic has remained
through the National Offensive Cyber
constant, they have exploited it as an
Programme, and more recently through
opportunity and shifted their cyber
the establishment of the National Cyber
operations to steal vaccine and medical
Force (NCF). The NCF draws together
research, and to undermine other
personnel from the Government
nations already hampered by the crisis.
Communications Headquarters (GCHQ),
The growing dependence on digital
the Ministry of Defence (MOD), the
technologies for remote working and
Secret Intelligence Service (SIS, also
online transactions has also increased
known as MI6) and the Defence Science
exposure to risks. Alongside this, digital
and Technology Laboratory, under one
divides have also created uneven
unified command for the first time. It is
access to online services and exposed
operating in and through cyberspace
people to online abuse and harms due
to keep the country safe and to protect
to limited digital literacy and awareness
and promote the UK’s interests at
of the cyber security measures we can
home and abroad.
all take to stay secure online.12
12
NCSC, CyberAware
13
DCMS, UK digital identity and attributes trust framework (2021)
25
Recent case studies of
cyber attacks
During 2021, the UK continued its Cyber criminals using
work with global partners to detect
and disrupt shared threats, the most ransomware to attack
consistent of these emanating from public services
Russia and China. In addition to the
direct cyber security threats posed by Ransomware became the most
the Russian state, it became clear that significant cyber threat facing the
many of the organised crime gangs UK in 2021. Due to the likely impact
launching ransomware attacks against of a successful attack on essential
Western targets were based in Russia. services or critical national infrastructure
China remained a highly sophisticated the NCSC assessed ransomware
actor in cyberspace with increasing as potentially as harmful as state-
ambition to project its influence beyond sponsored espionage.14
its borders and a proven interest in
In October 2020, Hackney Council
the UK’s commercial secrets. How
suffered a ransomware cyber attack
China evolves in the next decade will
which caused many months of
probably be the single biggest driver
disruption and cost millions of pounds
of the UK’s future cyber security. While
to rectify. At a critical time when it was
less sophisticated than Russia and
dealing with the impact of the COVID-19
China, Iran and North Korea continued
pandemic, the council was locked out
to use digital intrusions to achieve
of important data and many services
their objectives, including through
were disrupted, including council tax
theft and sabotage.
and benefit payments. Other local
authorities have suffered similar attacks,
as have a variety of organisations in the
education sector.
14
NCSC, Mitigating malware and ransomware attacks (2021)
15
FCDO, Russia: UK and US expose global campaign of malign activity by Russian intelligence
services (2021)
27
including US Government departments over a quarter of a million servers
were affected. This incident was part worldwide.16 The attack was highly
of a wider pattern of cyber intrusions likely to enable large-scale espionage,
by the SVR who have previously including acquiring personally identifiable
attempted to gain access to the IT information and intellectual property.
networks of NATO members and Compromising Microsoft Exchange
governments across Europe. gave the perpetrator a foothold to
pivot further into the IT networks of
On 2 March 2021, Microsoft made victims. At the time of the attack, the
public that sophisticated actors had government quickly provided advice and
attacked a number of Microsoft recommended actions to those affected
Exchange servers, which are used by and Microsoft said that by end of March
organisations worldwide to manage their that 92% of customers had patched
email, scheduling and collaboration. against the vulnerability.
Microsoft assessed that the initial
intrusions commenced as early as
January 2021 and were Chinese state-
sponsored. In response to this they
released multiple security updates for
affected servers. In July 2021, the UK
joined like-minded partners to confirm
that Chinese state-backed actors were
responsible for the attacks that affected
16
FCDO, UK and allies hold Chinese state responsible for a pervasive pattern of hacking (2021)
17
ONS, Crime in England and Wales: year ending June 2021 (2021)
29
This challenge will not be unique to the 39. This will be exacerbated by
UK, creating mutual vulnerability for all competition for control of a rapidly
those who rely on cyberspace. evolving technological landscape.
As digital technology is integrated
37. Cyberspace will become more into our everyday lives, businesses
contested as state and non-state and infrastructure, some technologies
actors seek strategic advantage in and are becoming genuinely critical to
through cyberspace. Cyber operations the functioning of society. Power will
will become increasingly important to increasingly be held by countries that
power projection below the threshold have a strategic advantage in science
of armed conflict and in pre-conflict and technology and access to the
situations. Future conflicts will also data that drives innovation, enabling
see an increase in the use of cyber them to exert influence over others
capabilities. For the UK to act effectively and to shape global standards in ways
we will require higher levels of cyber that best fit their own economic and
resilience in our defence capabilities. political interests.
Cyber operations will need to be
integrated with other force elements 40. Emerging technologies such as
to defeat threats and enable wider digital twins, quantum computing, and
defence activity. Space will increasingly large-scale autonomous systems – and
become a domain of activity, as set the information they generate – will
out in the National Space Strategy, create new opportunities and risks
opening up new areas of risk but also and open up new cyber capabilities
creating opportunities for the UK to for attackers and defenders, just as
exploit its cyber capabilities to achieve cryptocurrencies are being exploited
advantage in new ways.18 by ransomware gangs. Leadership
in technology is becoming more
38. Debates over the rules governing distributed, and the UK will not be able
cyberspace will increasingly become to develop sovereign capability in all
a site of systemic competition the technologies that matter. States
between great powers, with a clash and companies make use of technical
of values between countries that want standards to promote their own
to preserve a system based on open interests and we risk key technologies
societies and systemic competitors like being shaped by those who do not
China and Russia who are promoting share our values.
greater state control as the only way
to secure cyberspace. This will put 41. For over a decade the UK has
pressure on the free and open internet, pursued an ambitious national cyber
as nation states, big technology firms security strategy and sustained
and other actors promote competing a significant level of investment,
approaches to technical standards and establishing the country as a global
internet governance. leader in cyber. As evident from the
analysis above, significant challenges
and opportunities remain. The following
sections outline our national response.
18
HMG, National Space Strategy (2021)
33
• We will work to uphold an open and 49. A commitment to keeping the
interoperable internet as the best UK at the cutting edge on cyber.
model to support global prosperity The government will be investing
and wellbeing, resisting the pressure £2.6 billion in cyber and legacy IT
of authoritarian states towards over the next three years. This is in
fragmentation and their idea of addition to significant investment in
internet sovereignty the National Cyber Force announced
in Spending Review 2020 (SR20). It
• We will make lawful, proportionate includes a £114 million increase in the
and responsible use of our cyber National Cyber Security Programme;
capabilities, supported by clear and is alongside increases in investment
oversight and engagement with also announced in research and
the public and our allies, and development (R&D), intelligence,
we will hold others to account defence, innovation, infrastructure and
for reckless or indiscriminate skills, all of which will contribute in part
behaviour in cyberspace to UK cyber power. Investment in cyber
• We will take action against the announced in SR20 and Spending
criminal use of cyberspace by Review 2021 (SR21) far exceeds the
all means available, calling out £1.9 billion over five years committed to
those who use criminal proxies or the previous strategy.19
harbour criminal groups in their 50. A more comprehensive National
territories and working to prevent Cyber Strategy. Cyber security
the proliferation of high-end cyber remains at the heart of this strategy,
capabilities to criminals but it now draws together the full range
• We will champion an inclusive, multi- of the UK’s capabilities inside and
stakeholder approach to debates outside government. It gives greater
about the future of cyberspace weight to the critical technologies and
and digital technology, upholding infrastructure that underpin cyberspace,
human rights in cyberspace and supports UK cyber companies both
countering moves towards digital to grow domestically and compete
authoritarianism and state control internationally, steps up international
action to shape and influence the future
Key shifts in our approach of cyberspace, and integrates offensive
cyber as a lever of power. It calls for
48. In many areas our strategy will a truly joined up, national strategic
build on our current approach, seeking approach. The strategy distributes
to enhance, expand or adapt our responsibilities for leadership and
efforts where necessary. The main coordination across Secretaries of State,
distinctions from the National Cyber and much more closely involves the
Security Strategy 2016-2021 are set out devolved administrations. This builds on
below and reflect our broader ambition our success at coordinating effort across
to cement the UK’s position as a government, which is a key UK strength.
leading cyber power.
19
HM Treasury, Autumn Budget and Spending Review 2021 (2021)
35
and providing more support. We will partner countries, helping build their
also focus more on supply chain risks, resilience and enhancing their abilities to
testing a range of interventions to help counter cyber threats. And we will better
organisations manage the cyber security leverage the full range of our domestic
risks posed by their suppliers, and strengths, including operational and
ensure that best practice filters down strategic communications expertise,
through the supply chain. thought leadership, trading relationships
and industrial partnerships to support
54. More integrated and sustained our international goals.
campaigns to disrupt and deter our
adversaries and protect and promote Roles and responsibilities
the UK’s interests in cyberspace.
These campaigns will draw on a across the UK
fuller range of diplomatic, policy and
56. Central to our strategy will be a
operational levers across government.
whole-of-society approach to cyber. We
They will be significantly underpinned by
need to build an enduring and balanced
the establishment and expansion of the
partnership across the public, private
National Cyber Force (NCF), which will
and third sectors, with each playing an
be based in Samlesbury in Lancashire.
important role in our national effort.
We will make more routine use of the
NCF’s capabilities to disrupt threats Citizens
from both state and non-state actors
and to support the UK’s wider national 57. This strategy aims to remove as
security interests. Our campaigns will much of the burden of cyber security
also benefit from major new investment from citizens as possible but we will all
in high-end capabilities for law continue to have an important role to
enforcement at national, regional and play. Whilst the government will do as
local levels. This will help us to tackle the much as possible to stop cyber attacks
substantial threat from ransomware and before they cause harm to people,
increasingly innovative cyber criminals. some threat actors will find a way to
We will also continue to make use of circumvent these protections. We can
the UK’s autonomous cyber sanctions all take action to improve the security of
regime and attributions process to the assets we value in both the physical
impose costs on our adversaries and and virtual worlds.20 That means fulfilling
call out malign and reckless and attacks. our personal responsibility to take all
reasonable steps to safeguard not
55. Putting cyber power at the heart only our hardware – our smartphones
of the UK’s foreign policy agenda and other devices – but also the data,
and recognising that every part of software and systems that afford us
the strategy requires international freedom, flexibility and convenience
engagement. We will reinforce our core in our private and professional lives.
alliances and engage a broader range To support this, the government
of countries to counter the spread of provides technically accurate, timely
digital authoritarianism. Over the next and actionable advice. Civil society
few years, we will increase investment organisations and community groups
in international programmes to support also play a major role supporting people
20
Cyber Aware is the government’s advice on how to stay secure online
37
Government 62. Most areas of cyber policy and
the majority of measures outlined in
61. The UK government is uniquely this strategy relate to reserved matters
positioned to bring together the such as national security, foreign affairs
intelligence necessary to understand the and defence, telecommunications,
most sophisticated threats, make and product standards and safety,
enforce the law, set national standards, and consumer protection. But the
and counter threats from hostile actors development and implementation of
including conducting offensive cyber this strategy still depends on input,
operations. Through this strategy action and investment by the devolved
we will invest in strengthening our governments of Northern Ireland,
national cyber capabilities. Government Scotland and Wales. This is especially
departments and public sector bodies true where this relates to devolved
are also responsible for protecting policy areas which sit primarily within
their own networks and systems. As the ‘ecosystem’ and ‘resilience’ pillars of
the holder of significant data and a this strategy, such as education, policing
provider of services, the government and the cyber resilience of certain
takes stringent measures to provide critical sectors including their own public
safeguards for its information assets. sectors. Coordination and cooperation
Lastly, the government also has an across the four nations of the UK is
important responsibility to advise essential to ensure the greatest impact
and inform citizens, businesses and across the whole country. This requires
organisations what they need to do regular and early engagement by the
to protect themselves online. Where Cabinet Office and other UK government
necessary this includes setting the departments with their Welsh, Scottish
standards we expect key companies and Northern Irish counterparts to share
and organisations to meet in order to information on priorities and plans. This
protect all of us. also helps to avoid duplication and get
the best value from public funding. The
devolved governments will continue
to develop their own cyber strategies
and plans, aligning them with this UK
government strategy.
21
HMG, National Cyber Security Strategy 2016 to 2021 (2016): paragraph 1.9
41
The National Cyber Force
Established in 2020, the National NCF operations can be used to
Cyber Force (NCF) is responsible for influence individuals and groups, disrupt
operating in and through cyberspace to online and communications systems
counter, disrupt, degrade and contest and degrade the operations of physical
those who would do harm to the UK systems. This type of activity is often
or its allies, to keep the country safe referred to as offensive cyber (OC).
and to protect and promote the UK’s
interests at home and abroad. The NCF NCF operations are conducted in line
is made up of a roughly equal share of with a well-established legal framework,
personnel from defence and intelligence which includes the Intelligence Services
and brings together their expertise, Act 1994 and the Investigatory Powers
resources and authorities under a single Act 2016. The UK has previously
command structure. It will be based in made it clear that it develops and
Samlesbury, Lancashire. deploys capabilities in accordance
with international law, including the law
The NCF delivers a broad range of of armed conflict where applicable.
outcomes in the interests of national Its activities are subject to ministerial
security, such as support to defence, approval, judicial oversight and
the UK’s economic wellbeing and the Parliamentary review, making the UK’s
prevention of serious NCF activities governance regime for cyber operations
range, from the tactical through to the one of the strongest in the world.
strategic, against both state actors and
non-state actors. Its work falls into three
main categories:
43
Law Enforcement’s
National Cyber
Crime Network
Established over the course of the These are further complemented by
National Cyber Security Strategy 2016- dedicated Local Cyber Crime Units
2021, law enforcement’s national cyber (LCCUs), embedded in each of the 43
crime network has developed a fully police forces and synchronised through
integrated response to cyber crime, a regional coordinator. These Regional
ready to deliver an intelligence-led and Local CCUs can investigate and
response to all forms of cyber attacks pursue offenders, help business and
against individuals, organisations or victims protect themselves from attack
whole sectors. This is a nationwide and work with partners to prevent
system operating at national, regional vulnerable individuals from being drawn
and local levels. It provides victim care, into committing cyber crime.
helps businesses and people to be
protected and to recover swiftly, and Centralised crime reporting, triage
pursues criminal justice outcomes and analysis is provided through
against perpetrators. Action Fraud, hosted by the City of
London Police. The most serious and/
The National Crime Agency’s (NCA) or complex cases are subsequently
National Cyber Crime Unit (NCCU) referred to the NCA and regional
provides national leadership and network to pursue, while other cases
coordination of the response, supported are disseminated to local forces. The
by a network of dedicated Regional City of London Police also coordinate
Cyber Crime Units (RCCUs) in each victim support, including through the
of England and Wales’s nine police Economic Crime Victim Care Unit.
regions, in partnership with their
counterparts in Police Scotland and Systems are being joined up with
Police Service of Northern Ireland, as transformed forensic, intelligence
well as the Metropolitan Police Service’s and data-sharing capabilities to build
Cyber Crime Unit. a single platform so that national
and regional units can access all the
specialist high-end capabilities and
tools being developed. This includes
the ability to collaborate effectively with
partners in the security and intelligence
community, in particular to respond
to blended criminal and state threats.
Continuing the ethos of ‘build it once,
build it nationally for the benefit of the
whole cyber crime network’, these
45
Part 2:
Implementation
22
DCMS, Cyber Security Sectoral Analysis 2021 (2021)
49
Objective 1: 68. More integrated and effective
regional cyber networks across the
Strengthen the structures, UK, enabling stronger partnerships
partnerships and networks between government, businesses and
necessary to support academia to support sectoral growth
and business resilience. We will work
a whole‑of‑society with regional cyber clusters and the
approach to cyber recently established UK Cyber Cluster
Collaboration (UKC3), the growing
66. Cyber power requires a number of regional cyber innovation
whole‑of‑society approach. Our centres and Cyber Resilience Centres,
competitive advantage will come from strengthening links between local
our ability to nurture and harness businesses, academic centres of
talent across the UK and get the right excellence and law enforcement.
people working together in the right
ways across the whole public sector, 69. These steps will build on the
industry and academia, pulling together range of existing relationships between
the whole cyber community. We will the National Cyber Security Centre
need to form a genuine integrated (NCSC) and its stakeholders, between
delivery partnership with industry and government departments, arm’s-length
ensure a broad geographic approach bodies and the sectors of the economy
across the nations and regions of the they represent, including CNI and
UK, working closely with the devolved regulators, and the government’s wider
governments of Northern Ireland, dialogue with industry and the digital
Scotland and Wales and seizing the and technology sectors.
levelling up opportunity that cyber power
presents. We will achieve the following
outcomes by 2025:
51
Cyber Organisations (Locations representative)
UK Cyber Clusters
2 Cyber North
3 Cyber Wales
6 Midlands Cyber
7 ScotlandIS Cyber
*Red dot and black line denotes both CSE and CSR status
CyberScotland Partnership
Edinburgh Napier University
10
1 Northumbria University
2 Newcastle University
NI Cyber
Security Centre
Lancaster University 2 GCHQ Scarborough
National Cyber Force
9 GCHQ Manchester
11
3
University of Birmingham De Montfort
4 University
7 University
NCSC Cheltenham of Warwick
6 8
University of South Wales University of
4 Cambridge
Cardiff University 3 5
12 9 University of Oxford
University of the West of England
1 5
University of Bristol
King’s College
6 London
8
GCHQ Bude Imperial College
University London
Royal of Kent University College,
Holloway London
Kingston
University
University
of Surrey
University of
Southampton
53
Objective 2: 71. A significant increase in the
number of people who have the
Enhance and expand the skills they need to enter the cyber
nation’s cyber skills at every workforce, building on the work
level, including through a happening across all four nations
of the UK to ensure education and
world class and diverse skills policy meets the demands of
cyber security profession people and employers. We will do
that inspires and equips this through a number of measures
including the expansion post‑16 training
future talent programmes in line with the needs of
70. Central to the UK’s ambitions will the cyber workforce, funding a range
be developing a sustained and diverse of skills bootcamps in cyber security,
supply of highly‑skilled people into the the national rollout of the Institutes of
cyber workforce, capable of securing the Technology programme, and continuing
core elements of the digital economy, as the CyberFirst bursaries scheme for
well as innovating and developing new undergraduates. This builds on the
approaches. This will support our aim government’s work to align the majority
to lead by example through recognising of post‑16 education and training with
and retaining expertise across the public strengthened employer‑led standards
sector and increasing our capability by 2030. These will be developed in
in law enforcement, defence and conjunction with the UK Cyber Security
security, including the National Cyber Council for the wider cyber community
Force (NCF). As with other parts of this and underpin apprenticeships, T Levels
strategy we will work with the devolved and new higher technical qualifications.
governments of Scotland, Wales and This will ensure that employers have a
Northern Ireland to ensure that a central role in designing and developing
consistent approach is taken across the qualifications and training.
country on, UK government initiatives
72. A higher quality and more
on devolved matters, such as education
established, recognised and
and skills. We will achieve the following
structured cyber security profession.
outcomes by 2025:
Underpinned by Royal Charter the UK
Cyber Security Council will establish
professional standards and pathways
into and through a cyber career, built on
the world‑leading Cyber Security Body
of Knowledge (CyBOK). And we will
explore all government levers, including
legislation, to embed these standards
across the profession, ensuring that
excellence and expertise can be
recognised clearly and consistently
across the cyber workforce.
55
The UK Cyber
Security Council
The UK Cyber Security Council The Council has four aims:
launched in March 2021 and is a world
first for the cyber security profession. • Thought leadership and professional
Its mission is to be the voice of the standards: leading the work to
profession, bringing clarity and structure develop and agree the standards
to the growing cyber workforce and the that define cyber security
range of qualifications, certifications and
• Careers and learning: supporting
degrees that exist across the field. This
employers and individuals as they
is a vital step, recognising that the cyber
make career decisions, with advice
profession incorporates a wide range of
on cyber security skills, professional
technical and non‑technical expertise
development and recognition
and specialisms across the economy,
similar in breadth to more established • Professional ethics: providing guiding
professions such as medicine and law. principles within which practicing
professionals and organisations
themselves can demonstrate ethical
practice in cyber security;
57
Objective 3: 78. A cyber sector that has achieved
greater than average global growth
Foster the growth of a year on year, including through trade
sustainable, innovative and and cyber exports. We will help cyber
internationally competitive businesses to access new markets
at home and overseas by supporting
cyber and information world‑leading flagship cyber events in
security sector, delivering the UK and inviting our most innovative
quality products and cyber businesses to participate in
trade missions and international cyber
services, which meet the fairs. And we will use public sector
needs of government and procurement more effectively and
the wider economy establish a comprehensive directory
of NCSC accredited providers to
76. To enhance our national cyber encourage the demand for high quality
power and drive digital growth and cyber security products and services.
exports, the UK needs a vibrant
cyber sector made up of high quality, 79. An even more innovative cyber
trustworthy companies. UK firms sector that has seen a significant
provide world‑leading technologies, increase in early stage investment
training and advice to both industry and and more cyber businesses that have
governments in the UK and globally. But been able to launch, grow and scale.
to develop cutting‑edge technologies Our new Cyber Runway programme
some companies need support and gives businesses a single focal point
connections to investment to reach for support, learning lessons from our
the stage where they can offer a previous programmes such as the Tech
viable product. Nation Cyber Programme, Cyber101
and Hut Zero. We will transform the
77. Companies also need to feel Cheltenham Innovation Centre, which
confident they are innovating in line includes the cyber accelerator ‘NCSC
with government approved parameters for Startups’, into a true international
that other organisations are also centre of innovation: the National Cyber
following. And there is more we can do Innovation Centre. We will draw on the
to help buyers navigate the complex expertise of organisations that exist to
landscape, with a huge range of promote and enable co‑creation, such
products and services of varying quality. as the National Security Technology
This will in turn stimulate demand in and Innovation Exchange. And we will
the ecosystem and support further encourage higher‑risk investment in
growth. We will achieve the following early stage cyber start‑ups, including
outcomes by 2025: through the National Security Strategic
Investment Fund, in partnership with the
British Business Bank
59
Interested in joining the
cyber workforce or starting
your own business?
82. Our previous strategy placed 83. We have supported innovators
a major emphasis on growing the to grow and scale their businesses,
cyber skills base and cyber security ensuring the UK cyber ecosystem has
services sector in the UK. As outlined flourished over the last five years:
in the strategic context we have made
significant progress in growing the NCSC for Startups is pointing innovators
sector and exports: towards the most important strategic
challenges while its startups have
Helping cyber businesses find already taken part in over 160 new
international markets. The UK exported corporate trials.
£4.2billion of cyber services in 2020.
24
DCMS, Understanding the cyber security recruitment pool (2021)
61
86. We have been working to ensure The UK Cyber Cluster Collaboration
that everyone can join the cyber is building partnerships between
workforce, tackling inequality in the industry, schools and colleges to ensure
sector where only 16% are female, opportunities and expertise are available
and only 3% of senior roles are held by across the regions.
women and ethnic minorities.25
25
HMG, Cyber security skillls in the UK labour market (2021)
65
92. Our approach will be tailored to 95. We require government
each audience, supported by national departments, the wider public sector
capabilities that enable us to address and regulated operators of critical
systemic risks. The audiences we national infrastructure (CNI), to raise their
seek to protect and influence are UK standards and manage their risk more
citizens, businesses and organisations, proactively. We expect large businesses
the government and public sector, and and organisations, including providers of
those who operate our critical national digital services and platforms to be more
infrastructure (providing the key services accountable for protecting their systems,
such as drinking water, electricity, services and customers as a core part
finance, transport and telecoms which of running their business. In return,
we all rely on). government will do more to secure the
digital environment and tackle systemic
93. We will focus first on steps to risks and provide support through
secure the digital environment for all advice, tools, accreditation in the
UK internet users, prevent attacks, marketplace, and developing the skills
build basic security in products and that enable improvement.
services, and help individuals and small
businesses and organisations with basic 96. Our efforts to promote cyber
actions to improve cyber security. As resilience in the UK must also form
we move through to those with greater part of our international engagement.
responsibility and capability to put in The deepening globalisation of supply
place additional layers of security and chains, IT platforms, multinational
resilience proportionate to the risk, this businesses, and the internet itself, mean
will culminate in the highest level of we cannot improve the UK’s cyber
protection expected for the key public security in isolation. To respond to this
and essential services our people and challenge we will need to continue
economy rely on. building a better understanding of the
linkages between UK and global cyber
94. This must be a shared endeavour resilience, addressing areas of high risk
between the government and all parts and working with international partners
of the economy and society. It is the to build resilience that facilitates digital
responsibility of boards of businesses transformation, security and trade, for
and organisations to manage their mutual benefit as set out in the Pillar 4:
own cyber risk. Our aim is to set clear Global Leadership chapter.
expectations underpinned by the right
framework of incentives, support and
regulation to enable improvement and
transfer the burden of cyber security risk
away from end users and towards those
best placed to manage it.
67
Objective 1: 99. Government is leading by
example in its understanding of cyber
Improve the understanding risk. We will adopt the NCSC’s Cyber
of cyber risk to drive more Assessment Framework (CAF) as the
effective action on cyber assurance framework for all government
departments, and critical systems and
security and resilience common suppliers will be mapped.
97. We will deliver a much closer We will establish a new Government
partnership between government, Cyber Coordination Centre (GCCC)
businesses and organisations to drive and cross‑Government Vulnerability
up collective understanding of the Reporting Service (VRS) to enable the
risk, guide prioritisation and establish government to ‘defend as one’ when
the case for action. We will support managing incidents, vulnerabilities
citizens by working with businesses and threats. The VRS will aim for
and organisations that provide services valuable and trusted relationships with
to consumers; and further strengthen the security researcher community,
the government’s ability to identify delivering a reduction in vulnerabilities
cross‑cutting risks. We will achieve the across the government estate. We will
following outcomes by 2025: also continue to support and coordinate
with similar initiatives in the devolved
98. Government has an up to date governments, such as the proposed
strategic understanding of the establishment of a central coordination
nation’s cyber risk and uses this function for cyber resilience in Scotland.
understanding to identify systemic
risk,communicate priorities and drive 100. Across the UK’s CNI, we
strategy and delivery. We will sustain will have a more sophisticated
and drive further value from significant understanding of cyber risk. We
investments made in ‘understanding will increase the adoption of the
the threat’ from the previous National Cyber Assessment Framework (CAF)
Cyber Security Strategy; and build on or equivalents across CNI sectors,
existing efforts to understand risk in and improve comparability with
an increasingly interconnected world. other cyber security assessment and
This will include identifying where digital reporting frameworks in use. We will
supply chains are too concentrated, complete criticality reviews and map
and working with international dependencies within CNI and its
partners to manage collective risks. supply chains. We will build stronger
We will also improve our recording of partnerships with CNI owners and
Computer Misuse Act (CMA) offences, operators to improve access to threat
understanding the links between data and risk information, and agree risk
breaches and downstream criminality, posture. And we will work to understand
and increasing our knowledge of how new risks or where new CNI is emerging
CMA offences are facilitating other types as a consequence of digitalisation
of criminal activity. and new technologies, including as
part of broader priorities such as the
transition to Net Zero.
69
Objective 2: 105. It will mean working more closely
with relevant sectors including online
Prevent and resist cyber service providers, telecommunications,
attacks more effectively technology, banking and retail, to better
by improving management protect UK internet users, including
to: make it more difficult to register
of cyber risk within websites for illegal purposes, increase
UK organisations, and the take down and blocking of malicious
providing greater protection content online, improve the recovery and
return of stolen credentials, and enhance
to citizens the security of UK telecommunications
102. Our approach to preventing and infrastructure. We will also develop
resisting cyber attacks assumes: (i) options to give statutory backing to
that organisations have a responsibility citizen protections should voluntary
to take action to manage their own arrangements prove insufficient.
cyber risk but stronger frameworks of
106. Our efforts to reduce harm
accountability and good governance
at scale will also include tackling
are needed at board level to make
systemic risks from the digital supply
this a priority; (ii) that there is a role
chain. Where necessary we will
for government to play working with
intervene to promote supply chain
industry in taking steps to directly
diversification, as we are doing in
reduce risk at scale where it is uniquely
telecommunications; we will strengthen
placed to do so; and (iii) we must ensure
our collective economic security with
support and guidance is available to
improved information‑sharing and
help individuals, sole‑traders and small
robust, predictable and proportionate
businesses and organisations manage
approaches to foreign direct investment
their cyber risk. We will achieve the
(FDI) screening in critical sectors, and
following outcomes by 2025:
establish clear requirements for critical
103. Government has reduced harm and common suppliers to government.
to the UK at scale and reduced
107. Government’s critical functions
the burden on UK citizens. We will
are significantly hardened to
increasingly act upstream on behalf of
cyber attack and all government
all internet users in the UK, expanding
organisations – across the whole
our Active Cyber Defence measures
public sector – will be resilient to
to support a wider range of sectors,
known vulnerabilities and attack
including charities, academia and
methods by 2030. Our aim is to
small-to-medium sized businesses
establish the UK’s public sector as an
and citizens. And we will strengthen
exemplar of best practice. In support
protections to online services through
of this outcome we will publish the first
increased engagement and information
dedicated Government Cyber Security
sharing with industry.
Strategy. This will focus on more
104. This work is complementary to effective risk management processes,
other government priorities aimed at governance and accountability; centrally
protecting UK citizens online, such as developed and employed capabilities
the draft Online Safety Bill and policy to (including Active Cyber Defence); more
counter economic crimes such as fraud. comprehensive monitoring of systems,
71
113. A greater number of UK 115. Targeted legislation will primarily
businesses and organisations are focus around sectors where the
proactively managing their cyber potential impact of a cyber attack
risks and taking action to improve is greatest, including providers of
their cyber resilience. We will provide certain essential and digital services,
support and drive behaviour change data protection in the wider economy,
through the development of market and for larger businesses. This will
incentives that encourage effective be complementary to the Plan for
cyber security. Where necessary this Digital Regulation, initially focussing
will be complemented by targeted on regulations governing the security
legislation to ensure that cyber risk is of Network and Information Systems
managed effectively by those who have (NIS) – as outlined above and in the
the greatest responsibility to do so, and Technology chapter and the next steps
that the UK’s cyber security legislation for reforming the UK’s regime for the
remains effective in the light of evolving protection of personal data.
risk and technologies.
116. Further detail outlining the action
114. In support of these aims, we will we will take to improve business
increasingly work with market influencers resilience and cyber security across UK
(procurers, financial institutions, businesses and organisations will be set
investors, auditors and insurers) to out in the Cyber Security Regulation and
incentivise good cyber security practices Incentives Review.
across the economy. We will propose
improvements to corporate reporting of
resilience to risks, including cyber risks.
This will give investors and shareholders
better insight into how companies are
managing and mitigating material risks
to their business. And we will continue
to promote take‑up of accreditations
and standards such as the Cyber
Essentials certification scheme and
promote board level engagement in
cyber risk management.
73
Objective 3: 120. It is easier to report cyber
incidents and victims of cyber crime
Strengthen resilience at receive better support. Reporting
national and organisational information will also be used to help
level to prepare for, respond prevent future incidents and support
law enforcement to investigate, disrupt,
to and recover from and prosecute cyber criminals. In
cyber attacks support of this we will deliver a new
national fraud and cyber crime reporting
118. Despite efforts to understand and analysis service to replace Action
the risk and take preventative actions Fraud by 2025. We will encourage
some incidents will still occur. We need more reporting of cyber incidents in
to strengthen capabilities for incident other ways, including through a new
management and response across all business reporting capability in the
organisations, to minimise the harm City of London Police. In regulated
caused and provide better support to sectors we will enable regulators to
victims. We will achieve the following require reporting of a broader range
outcomes by 2025: of incidents including ‘near misses’.
The roll out of the National Economic
119. The UK’s strategic management
Crime Victim Care Unit will improve
and coordination of the response to
the support and guidance available to
nationally significant cyber incidents
victims after what can be a stressful and
is even more effective. We will build
harmful experience.
upon the government’s experience of
responding to significant cyber incidents, 121. Government and CNI are more
ensuring that lessons identified are used prepared to respond to and recover
to improve our policies and processes. from incidents, including through
We will share crisis management better incident planning and regular
experience with international partners exercising. We will help UK government
and industry and, in turn, identify best and CNI operators find the cyber
practice from elsewhere to enhance our exercising and incident management
preparedness and processes. We will services they need from the marketplace
ensure that NCSC and law enforcement by expanding the NCSC’s accredited
incident management teams have the scheme for Cyber Incident Response
requisite expertise and tools to respond and introducing a new scheme
to the full range of evolving incident for exercising.
types and co‑ordinate a national
response to priority threats.
75
Jen Ellis, Vice President of
Community and Public Affairs,
Rapid7
79
Technologies vital to
Cyber Power
A variety of existing and emerging • Quantum technologies,
technologies will be critical to the UK’s including quantum computing,
cyber power and we need to be able quantum sensing and
to anticipate, assess, and act on these post‑quantum cryptography
developments. We expect to prioritise a
range of technologies and applications This work will support, and be aligned
as we deliver the strategy, such as to, the delivery of a number of strategies
those set out below. This is not intended and outcomes across government, for
as an exhaustive or static list and our example, the National Data Strategy, the
priorities will continue to evolve in National AI Strategy and the Integrated
consultation with industry, academia and Review, as well as the technology
technical experts: focussed outcomes within this Pillar.
• Blockchain technology
and its applications such
as cryptocurrencies and
decentralised finance
• Semiconductors, microprocessor
chips, microprocessor architecture,
and their supply chain, design, and
manufacturing process
• Cryptographic authentication
including for identity and access
management and high assurance
cryptographic products
81
Objective 2:
Foster and sustain
sovereign and allied
advantage in the security
of technologies critical to
cyberspace
132. Where the UK has the potential to
Máire O’Neill, Principal establish a leading position or secure
Investigator at the Centre a competitive advantage in key areas
of cyber technology, or where reliance
for Secure Information on non‑allied sources of supply poses
Technologies (CSIT) unacceptable security risks, we will seek
to develop our domestic industrial base.
There will be some areas where we need
to maintain a truly sovereign capability,
and others where we will collaborate
with international partners or seek a
leading position in one aspect of the
market. This will require a coordinated
approach to stimulating innovation and
R&D in collaboration with industry and
academia. We will achieve the following
outcomes by 2025:
26
Microprocessors are the brains of many of the devices we use today. They are ubiquitous, including
in critical areas such as telecoms, defence, healthcare and across our major industries. Technological
advances in systems design are currently held back by security and safety concerns, which are
magnified by increasing system complexity.
27
DCMS, 5G Supply Chain Diversification Strategy (2020)
28
With a particular focus on those sectors identified in the National Security and Investment Act
2021: advanced robotics, artificial intelligence, communications, computing hardware, cryptographic
authentication, and quantum technologies
83
Digital Security by Design
Seventy per cent of current cyber
security vulnerabilities exploit a flaw in
how microprocessors are designed that
has been known about since the 1970s.
These microprocessors are found in Phil Wilson, Director,
every digital device from televisions to Research & Development at
telecoms. The government has been
The Hut Group
working with the tech sector to fix this
and by 2025 a new microprocessor
design will be available for smartphones,
and a growing list of other devices.
137. Crypt-Key is the term used to 140. The UK has stronger Crypt‑Key
describe the UK’s use of cryptography capabilities and services in
to protect the critical information and government, able to meet the evolving
services on which the UK government, needs of the UK and our allies and
military and national security community ensuring we remain at the forefront
rely, including from attack by our most of Crypt‑Key development. We will
capable adversaries. It underpins provide strong technical leadership
our ability to choose how we deploy to understand user requirements and
our national security and defence improve our core services, including
capabilities. To be a world-leading provision of key material and assurance
Crypt-Key nation we need the right skills of products and systems. We will
and technologies both in government also transform Crypt‑Key services,
and in the private sector. harnessing new technologies so that
they become more flexible and invisible.
138. We will continue to invest in our
capabilities in government and work 141. The UK has advanced its
with our domestic Crypt‑Key industry to global leadership in Crypt‑Key and
ensure the UK remains one of a handful increased exports to our partners and
of nations able to develop sovereign allies. We will maintain our leadership
Crypt‑Key into the future. We will also role in the Five Eyes, NATO and other
continue to provide global leadership international partnerships and shape
in Crypt‑Key, including supporting the development of internationally
NATO as a supplier of key material. recognised standards to enable UK
This leadership will bring second order Crypt‑Key solutions to be interoperable.
benefits in sustaining a highly skilled And we will work with the industry to
industry in the UK and preserving our maximise export opportunities.
strength in highly resilient engineering,
with the potential to enable new robust
capabilities for other high assurance
contexts such as critical national
infrastructure. We will achieve the
following outcomes by 2025:
85
Objective 3: 144. Consumer connectable
products sold across the UK
Secure the next generation meet essential cyber security
of connected technologies, standards. We will introduce and
mitigating the cyber security implement the Product Security and
Telecommunications Infrastructure Bill
risks of dependence to enable enforcement of minimum
on global markets and security standards in all new consumer
ensuring UK users have connectable products sold in the
UK. We will support a cyber secure
access to trustworthy and transition to a smart and flexible energy
diverse supply system, including smart electric vehicle
charge‑points and energy smart
142. Over the next decade we will appliances. We will work with standards
continue to see computing power, bodies, industry and international
internet connectivity and automation partners to influence the global
embedded into more and more parts consensus on technical standards.
of our environment, including physical And we will help UK organisations to
objects and infrastructure and, in the procure, deploy and manage connected
longer‑term, humans themselves. This devices in a more secure way, including
will extend the scope of cyberspace by means of new security guidance for
and vastly increase the volume of data enterprise connected devices.
generated. The ability to manage data
safely and securely will become ever 145. Major providers of digital
more critical to the secure running services, including cloud, software,
of our economy. managed services and app stores,
are required to follow better
143. We need to ensure that wherever standards of cyber security, helping
possible the next generation of to protect organisations and consumers
connected technologies are designed, from cyber threats. We will strengthen
developed and deployed with security and expand the existing regulation
and resilience in mind and as part of a of digital service providers and boost
concerted effort to embrace a ‘secure the capability of the ICO to ensure
by design’ approach. The global nature digital providers are managing the
of technology supply chains means we risks associated with their services
will need to use all our available levers more proactively. We will continue
to more actively manage the risks of to engage with industry, including
technological dependence. Where the major technology companies, to
possible we will seek to ensure that harness market expertise and ensure
security is built in; where we cannot do that everyone plays a role in securing
this, we will implement robust measures the UK’s digital supply chains. And
to mitigate risk, including domestic we will lead the development of
regulation and international collaboration international policy solutions that focus
on standards. We will achieve the on digital suppliers.
following outcomes by 2025:
29
NCSC, Connected Places Cyber Security
Principles (2021)
30
Announced in the Innovation Strategy (2021)
31
The Connected and Automated Vehicles
Process for Assuring Safety and Security
(CAVPASS)
87
Objective 4: 149. More engaged multistakeholder
participation in the global digital
Work with the technical standards ecosystem.
multistakeholder community We will reinforce multistakeholder
to shape the development participation in key standards
development organisations and lead
of global digital technical by example with our delegations to the
standards in the priority International Telecommunication Union.
areas that matter most for We will promote open discussions on
the key trends and considerations for
upholding our democratic policy makers through the UN Internet
values, ensuring our cyber Governance Forum and other forums.
security, and advancing UK And we will strengthen coordination and
information sharing with international
strategic interests through partners, including through the Digital
science and technology Standards Points of Contact Group, set
up during the UK’s G7 presidency.
148. Global digital technical standards
are a core part of the functioning of the 150. Global digital technical
internet, telecommunication networks, standards in priority areas for the UK
and emerging technologies. How that are shaped more effectively by
they are developed and deployed can democratic values, cyber security
impact our cyber security objectives, considerations and UK research and
economic prosperity, and our norms innovation in emerging technologies.
and values. Historically these standards We will work with industry, academia,
have been shaped by those with the technical experts and civil society in
most market power and there are areas such as internet protocols, future
material barriers to entry that prevent networks and Artificial Intelligence
some important stakeholders, including (AI), to raise awareness of important
SMEs, academics, and other experts, public policy considerations in technical
from participating. We will achieve the standards development. We will pilot an
following outcomes by 2025: AI standards hub to support the UK’s
global engagement in AI standardisation,
as set out in the National AI strategy.
91
Objective 1: 155. The UK’s international partners
have stronger capabilities, political
Strengthen the cyber resolve, governance, and systems
security and resilience for investigating and disrupting
of international partners cyber threats, as well as for building
resilience. This will have resulted in
and increase collective a reduced threat from abroad to UK
action to disrupt and deter citizens. We will prioritise our cyber
adversaries capacity building assistance in Eastern
Europe, Africa and the Indo‑Pacific,
154. Collective action and mutual and continue to work with key allies
resilience are critical to countering in the Middle East and the Americas.
threats upstream, whilst also reducing We will develop a more integrated,
the incentives for cyber threat actors whole‑of‑government technical
to carry out attacks against the UK offer, with greater investment in law
and its partners. We will achieve the enforcement and defence expertise,
following by 2025: drawing more on UK industry and
academia. Our focus will be on
protecting critical international supply
chains and infrastructure, advancing
the secure use of digital technologies
and working with industry partners to
do so at scale.
93
Objective 2: the Budapest Convention, ensuring that
it strengthens international cooperation
Shape global governance and maintains human rights protections.
to promote a free, open,
peaceful and secure 162. We will also continue to promote
the Budapest Convention on cyber
cyberspace crime, working with international
partners to make a compelling case
160. States who do not share the UK’s
for it to remain the premier international
values exploit the challenges presented by
agreement for cooperation. And we
a free and open internet to push forward
will continue to promote and enhance
their authoritarian visions for cyberspace,
multistakeholder processes for the
under the guise of security. The UK will
governance of the internet, including
take a more proactive approach, working
ICANN and at the Internet Governance
with our allies and partners to ensure
Forum (IGF). These efforts will be
international rules and frameworks
complemented by our work to shape
develop in line with our democratic
global digital technical standards
values. We aim to support national
(described in the Technology chapter)
and global economic growth, enhance
and our work to expand UK cyber
collective security, encourage responsible
security exports (set out below) which will
use of offensive cyber tools and enable
also help to embed UK standards into
real consequences for malicious and
the cyber ecosystems of other nations.
irresponsible activities. We will achieve the
following outcomes by 2025: 163. Most ‘middle ground’
countries support and promote
161. Global governance of
the UK’s vision for cyberspace
cyberspace and the internet is
and the future of the internet,
protecting UK interests and values,
more successfully countering the
with the UK and our partners having
influence of authoritarian states
greater influence over the development
over the multi‑stakeholder system.
and implementation of international
We will demonstrate that it is possible
governance and standards frameworks.
to address challenges in cyberspace
We will take a more progressive and
without adopting authoritarian
proactive approach to shaping the
approaches while also enabling
frameworks that govern cyberspace
innovation, development and growth.
to promote global economic growth
We will support countries grappling
and security. We will design and
with digitalisation to build the full range
deliver practical steps that unblock the
of legal and strategic communications
international debate on the application
expertise they need to engage with the
of rules, norms and principles in
international debate and to implement
cyberspace and move it towards a
agreed frameworks. We will continue
consensus on effective constraints on
to expose irresponsible use of cyber
destructive and destabilising activity.
capabilities, building trust internationally.
We will do this through key regional
And we will continue to demonstrate
and specialist organisations including
an open and transparent approach to
the OSCE, ASEAN and the GFCE and
our use of offensive cyber capabilities
engage constructively with the UN
wherever we can, reinforcing the UK’s
process to develop a new international
reputation as a force for good.
cyber crime treaty which sits alongside
32
Described in the UK Innovation Strategy (2021)
33
The UK Defence & Security Exports (UKDSE) Export Faculty is an online learning and development
hub aimed at SMEs in the defence and security sector with specific modules for cyber security
companies. Registering for the Faculty provides access to a programme of curriculum based learning
modules and in addition, valuable information around UK Defence and Security Exports planned
events and activities.
95
Charles Juma, UK Digital
Access Programme in Nairobi
97
Pillar 5:
Countering
Threats
99
169. But the threats have also grown • new investment to enable law
in sophistication, complexity and enforcement to pursue investigations
severity; and our efforts have not yet at scale and pace and to maintain a
fundamentally altered the risk calculus of technical edge over our adversaries
attackers who continue to successfully in order to prevent and detect
target the UK and its interests. Cyber serious criminals and the enabling
attacks against the UK are motivated services they rely upon
by espionage, criminal, commercial,
financial and political gain, sabotage • a major step up in data sharing
and disinformation. Attackers develop across government and industry as
capabilities that evade mitigations; outlined in the Resilience chapter
increasingly sophisticated cyber 171. Cyberspace presents opportunities
tools and related enablers have been for the UK, creating new ways to
commoditised in a growing industry, actively pursue our national interests.
lowering the barriers to entry for all For example, offensive cyber operations
types of malicious actors. And rewards offer us a range of flexible, scalable, and
are increasing as the ability of actors de‑escalatory measures that will help the
to steal and encrypt valuable data and UK to maintain our strategic advantage
extort ransomware payments continues and to deliver national priorities, often
to grow, disrupting businesses and key in ways that avoid the need to put
public services. The result has seen individuals at risk of physical harm.
attackers increasingly benefit financially,
exploit privacy and freedom of speech, 172. We will continue to develop and
and attempt to manipulate events invest in our offensive cyber capabilities,
through disinformation. through the NCF. The NCF will transform
the UK’s ability to contest adversaries
170. The UK’s approach will therefore in cyber space and the real world, to
now shift to a more integrated and protect the country, its people and
sustained campaign footing that will our way of life. These capabilities will
involve making routine, integrated and be used responsibly as a force for
creative use of the full range of levers good alongside diplomatic, economic,
and capabilities available to impose criminal justice and military levers of
costs on our adversaries, pursue and power. They will be used to support and
disrupt perpetrators and deter future advance a wide range of government
attacks. The key supporting elements of priorities relating to national security,
this approach will be: economic wellbeing, and in support
• the continued development of the of the prevention and detection of
NCF as the next step in the UK’s serious crime.
ability to conduct offensive cyber
operations against its adversaries
• tailored cross‑government
campaigns to tackle threats
to the UK – making use of our
diplomatic, military, intelligence, law
enforcement, economic, legal and
strategic communications tools
34
Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services
101
178. Information and data on the 179. The NCSC are also investigating
threat is routinely shared at scale ways to track emerging threats and
and pace and those who receive it continue to work with the Alan Turing
are more able to take action. The Institute to explore whether machine
NCSC has trialled a range of initiatives learning can be used to detect certain
to build up more effective communities types of cyber attack. This research will
of network defenders, across a wide continue to improve our understanding
variety of sectors, who not only receive of how we can use artificial intelligence
and are able to share threat information, to detect malicious activity.
but are increasingly capable at using
it for collective benefit. We will expand
this work, with an initial focus on
helping government defend itself better,
supported by the Government Cyber
Coordination Centre (described in the
Resilience chapter). The Financial Sector
Cyber Collaboration Centre is already
leading the way in the private sector.35
35
NCSC, Financial sector cyber collaboration centre (FSCCC) (2021)
103
Objective 2: 183. State, criminal and other
malicious cyber actors are less
Deter and disrupt state, able to target the UK as a result of
criminal and other malicious our disruption and denigration of
cyber actors and activities their activities and capabilities. We
will review the government’s policy
against the UK, its interests, and operational approach to tackling
and its citizens. ransomware, adopting this as one of
our priority campaigns, collaborating
180. We will achieve the following with industry and our international
outcomes by 2025: partners. We will maximise the
partnerships between the NCF, NCSC,
181. It is more costly and higher risk
NCA and wider law enforcement
for state, criminal and other malicious
and the diplomatic and intelligence
cyber actors to target the UK. We
communities to counter threats that
will implement sustained and tailored
disrupt the confidentiality, integrity and
deterrence campaigns that leverage the
availability of cyberspace or data and
full range of UK capabilities (including
services in cyberspace. In particular
diplomatic, economic, covert and overt
we will invest in capabilities to target
levers) to influence the behaviour of
cybercriminal infrastructure and deploy
malicious and criminal cyber actors. In
our law enforcement and offensive cyber
particular we will improve our signalling
capabilities to disrupt malicious cyber
to adversaries of our capability and
activity. Our adversaries are building
willingness to impose meaningful
cyber capabilities and increasingly using
costs, including through sanctions,
them for malign purposes. We will make
law enforcement and NCF operations.
full use of the NCF, where we deem it
And through NCA’s Cyber Choices
appropriate, to disrupt these efforts and
programme we will divert individuals
defend and protect the UK.
from becoming involved in cyber crime,
working with industry and academia 184. We will also counter the
to offer potential offenders better proliferation of high‑end cyber
alternatives such as apprenticeships and capabilities to states and organised
work placements. crime groups via commercial and
criminal marketplaces, tackling forums
182. We will also provide the tools
that enable, facilitate, or glamorise
and powers law enforcement and the
cyber criminality.
intelligence agencies need through the
Counter State Threats Bill, by updating
existing legislation and introducing
new offences to account for how state
threats have evolved. And we will amend
the Proceeds of Crime Act 2002 to
optimise law enforcement’s ability to
identify, seize and recover the proceeds
of cyber crime. In particular, we will do
this by creating a civil forfeiture power to
mitigate the risks posed by those who
cannot be prosecuted.
105
Objective 3: 188. We will also scale up and
develop law enforcement technical
Take action in and through capabilities against infrastructure and
cyberspace to support our cryptocurrency, which can be deployed
national security and the against other threats.
prevention and detection of 189. UK cyber capabilities are
serious crime integrated across the full breadth
of defence operations in line with the
186. We will achieve the following Integrated Operating Concept 2025.36
outcomes by 2025: This will maintain our competitive
warfighting edge over adversaries and
187. The UK’s cyber capabilities enable greater collaboration with our
have a greater impact in deterring allies and partners. We will continue
and disrupting non‑cyber threats. to progress the Defence Multi‑Domain
We will scale-up and develop the NCF, Integration Change Programme, which
delivering on our long-term vision for will bring together capabilities across
this key capability, ensuring that it is the domains, and deliver greater
fully integrated with GCHQ, MOD, SIS integration with other instruments of
and Dstl and working closely with law our national power, bolstering our
enforcement and wider government. military advantage over our adversaries.
We will deliver legal and proportionate Cyber will be a mainstream part of
offensive cyber operations through the defence business enabled by highly
NCF, acting responsibly in cyberspace skilled cyber specialists, an overall
and leading by example. Offensive cyber cyber awareness across the defence
operations will continue to support the workforce and cutting‑edge and resilient
UK’s national security, including our cyber capabilities.
defence and foreign policy, and in the
prevention of serious crime.
36
Ministry of Defence, Integrated Operating Concept (2020)
109
Taking action through
cyberspace to
counter terrorism
Counter Daesh campaign: MOD and During the Battle of Mosul, the self-
GCHQ’s work against Daesh is an declared capital of Daesh, we used
example of how we have taken active cyber tools and techniques in operations
steps to counter threats from those who alongside the military in support of
misuse the power of the internet and the coalition and as part of a wider,
modern communications. full‑spectrum campaign. The outcomes
of these operations were wide-
Daesh devoted much time and energy ranging. Disruption of communications,
to technology, to create media content degradation of propaganda, causing
used to radicalise and attract new distrust within groups, and denial of
recruits and to inspire terrorist attacks equipment and networks used as
around the world. In recent years we’ve part of their operations were all ways
seen the impact of this approach all over in which Daesh’s effectiveness could
Europe, including attacks in London and be reduced. We could also use cyber
Manchester. Daesh also used modern techniques to promote UK government
communications systems to command messaging to targets, or to highlight
and control their battlefield operations. their activities to those who may
This allowed them to operate flexibly, at unsuspectingly be providing them with
scale and pace, and to pose an even assistance. These operations made
greater danger to the populations they a significant contribution to coalition
sought to control, and to maximise their efforts to suppress Daesh propaganda,
reach across their so‑called caliphate. hindered their ability to coordinate
attacks, and protected coalition forces
on the battlefield.
111
Delivering Our Ambition
190. This strategy will mean nothing 192. All ministers play a role in ensuring
without a rigorous approach to that the UK cements its position as
implementing its objectives, monitoring a responsible and democratic cyber
and evaluating progress against them, power, able to protect and promote its
and having the mechanisms to adjust interests in and through cyberspace.
course where necessary. This chapter This list includes specific sets of
sets out our approach to delivery. responsibilities for ministers in leading
roles, either for implementing or
Roles and responsibilities coordinating one or more of the five
pillars of our National Cyber Strategy or
across Government overseeing our most important cyber
191. The National Cyber Strategy will capabilities and decisions.
be one of the sub‑strategies that will
• The Chancellor of the Duchy
collectively deliver the ambitions of
of Lancaster, supported by the
the Integrated Review. The National
Paymaster General, provides overall
Security Council will exercise ministerial
leadership across departments to
oversight of these strategies, monitoring
ensure an effective government
implementation and considering the
response to cyber threats, and
overall balance and direction of UK
fulfilment of our ambitions as a
strategy. Progress against the objectives
cyber power. This includes the
of the strategy will also be assessed
development and implementation
via the Government Planning and
of the National Cyber Strategy, the
Performance Framework and Outcome
supporting programme of investment
Delivery Plans.
and coordination of the government’s
efforts on cyber resilience. They also
have overall cross‑sector policy and
coordination responsibility for the
113
National Cyber Strategy
Ministerial Responsibilities
Prime Minister
Chancellor All
Digital Foreign Defence Home Secretaries
of the Duchy
Secretary Secretary Secretary Secretary of State
of Lancaster*
Ecosystem
Resilience
Risk oversight
Technology and supporting
policy reforms
Global
Leadership
Countering
Threat
Operations and delivery support across the strategy
National Cyber
Security Centre
National Crime
Agency
National Cyber Force
37
HM Treasury, Autumn Budget and Spending Review 2021 (2021)
115
Next steps
197. This strategy is intended as a
guide for action, not only for those in
government who have responsibility
for cyber and the wide range of other
related policies (see Annex A) but also
for every person and organisation across
the whole of our society with an interest
in and responsibility for our national
cyber effort. It is also the beginning of a
conversation that we want to continue,
to ensure our objectives and priorities
remain relevant over the next five to
ten years. We will use the publication
of this strategy as a platform for further
engagement with the public, private and
third sectors across the UK and invite
direct feedback to ukcyberstrategy@
cabinetoffice.gov.uk. We will report back
annually on the progress we are making
to implement this strategy.
38
Home Office, Beating Crime Plan (2021)
119
Directly supporting the National Cyber
Strategy are two further publications
that set out how individual parts of the
strategy will be met.
121
Key roles and Computer Security Incident
responsibilities Response Team (CSIRT)
13. The National Cyber Security Centre
National Framework
is the UK’s CSIRT. It is responsible for
10. The Cabinet Office is responsible monitoring cyber security incidents
for the National Cyber Strategy, which at a national level; providing real‑time
comprises the NIS National Strategy. threat analysis, defence against national
The Cabinet Office also has overall cyber‑attacks, technical advice, and
responsibility for improving the security response to major cyber incidents to
and resilience of critical national help minimise harm.
infrastructure.
14. NCSC maintains the
11. The Department for Digital, outcome‑based Cyber Assessment
Culture, Media and Sport (DCMS) Framework (CAF) and provides
is responsible for the overall extensive guidance on cyber security
implementation of the NIS Regulations, matters as National Technical Authority.
including co‑ordinating the relevant
authorities and NCSC. DCMS Competent Authorities
issues guidance for competent
15. These are responsible for
authorities to support wider NIS
oversight and enforcement of the NIS
implementation across the UK.
Regulations in their sectors, designating
and assessing the compliance of OESs
Single Point of Contact (SPOC)
and RDSPs to the requirements of the
12. The national contact point NIS Regulations. They are set out in
for engagement with international Schedule 1 of the NIS Regulations and a
[EU] partners on NIS, coordinating list is provided in section 3.
requests for action or information and
submitting annual incident statistics.
The National Cyber Security Centre
is the UK’s SPOC.
123
List of key authorities for NIS implementation
National Authorities
Competent Authorities
Sector Subsector England Wales Scotland Northern
Ireland
Energy Electricity Joint: Department for Business, Energy, and Department of
Industrial Strategy and the Gas and Electricity Finance
Markets Authority (Ofgem)
Oil Department for Business, Energy, and Department of
Industrial Strategy Finance
Gas Joint: Department for Business, Energy, and Department of
Industrial Strategy and the Gas and Electricity Finance
Markets Authority (Ofgem)39
Transport Air Joint: Department for Transport and The Civil Aviation
Authority (CAA)
Rail Department for Transport Department of
Finance
Water Department for Transport
Road Department for Transport Scottish Department of
Ministers Finance
Healthcare Healthcare Department of Welsh Scottish Department of
settings Health and Ministers Ministers Finance
Social Care
Drinking Drinking Department Welsh Drinking Department of
Water Water for Ministers Water Quality Finance
Environment, Regulator for
Food and Scotland
Rural Affairs
Digital Digital Office of Communication (Ofcom)
Infrastructure Infrastructure
39
For certain exceptions the Department for Business, Energy, and Industrial Strategy is the sole
Competent Authority. For further detail see Schedule 1 and 2 of the Network and Information Systems
Regulations 2018.
125
b. significant impact on national Cyber Incident – an occurrence that
security, national defence, or the actually or potentially poses a threat to
functioning of the state. a computer, internet-connected device,
or network – or data processed, stored,
Crypt-Key (CK) – the term used to or transmitted on those systems –
describe the UK’s use of cryptography which may require a response action to
to protect the critical information and mitigate the consequences.
services on which the UK government,
military and national security community Cyber Resilience – The overall ability of
rely, including from attack by our most systems, organisations and citizens to
capable adversaries. withstand cyber events and, where harm
is caused, recover from them.
Cryptocurrency – a digital currency and
payment system, e.g. Bitcoin. Cyber Risk – The potential that a
given cyber threat will exploit the
Cryptography – the science or study vulnerabilities of an information system
of analysing and deciphering codes and and cause harm.
ciphers; cryptanalysis.
Cyber Security – The protection of
Cyber Assessment Framework internet-connected systems (to include
(CAF) – provides a systematic and hardware, software and associated
comprehensive approach to assessing infrastructure), the data on them,
the extent to which cyber risks to and the services they provide, from
essential functions are being managed unauthorised access, harm or misuse.
by the organisation responsible. This includes harm caused intentionally
by the operator of the system, or
Cyber Attack – deliberate
accidentally, as a result of failing to
exploitation of computer systems,
follow security procedures or being
digitally-dependent enterprises and
manipulated into doing so.
networks to cause harm.
Cyber Security Body of Knowledge
Cyber crime – cyber-dependent
(CyBOK) – A unique resource, providing
crime (crimes that can only be added]
for the first time an underpinning body of
committed through the use of ICT
knowledge encompassing the breadth
devices, where the devices are both the
and depth of cyber security, showing
tool for committing the crime and the
that cyber security encompasses a wide
target of the crime); or cyber–enabled
range of disciplines.
crime (crimes that may be committed
without ICT devices, like financial fraud, Cyber Threat – anything capable of
but are changed significantly by use of compromising the security of, or causing
ICT in terms of scale and reach). harm to, information systems and
internet connected devices (to include
Cyber ecosystem – the totality of
hardware, software and associated
interconnected infrastructure, persons,
infrastructure), the data on them and
processes, data, information and
the services they provide, primarily
communications technologies, along
by cyber means.
with the environment and conditions that
influence those interactions.
127
Integrated Review – ‘Global Britain in a National Cyber Security Centre
Competitive Age, the Integrated Review (NCSC) – the UK’s technical authority
of Security, Defence, Development for cyber threats, providing a unified
and Foreign Policy’, describes the national response to cyber incidents to
government’s vision for the UK’s role in minimise harm, helping with recovery
the world over the next decade and the and learning lessons for the future.
action government will take to 2025.
Network and Information Systems
Integrity – in information (NIS) Regulations 2018 – UK
security, integrity means that regulations that provide legal measures
information has not been changed to boost the level of security (both cyber
accidentally, or deliberately, and is & physical resilience) of network and
accurate and complete. information systems for the provision of
essential services and digital services.
Internet – a global computer network,
providing a variety of information and OECD – The Organisation for
communication facilities, consisting Economic Co-operation and
of interconnected networks using Development, an intergovernmental
standardised communication protocols. economic organisation.
129
130 National Cyber Strategy