Strengthening UK cyber resilience (Guest blog by HP Inc)
The past 12 months have reminded us of the risks to our security coming from every corner of the globe, from nation-states, criminals, and rogue actors. This year’s National Cyber Security Centre Annual Review confirmed that cybercrime continues to be the most significant of these threats for consumers and small businesses.
Looking at the big picture, it is clear the cybersecurity threat is not at the forefront of minds when it comes to risk, despite the recent joint warning from the Head of MI5 and the FBI that commercial organisations on both sides of the Atlantic are increasingly being targeted by state-sponsored hackers. This is a challenge that requires us to raise our game domestically, and collaborate more effectively, internationally.
End-point security is a major challenge, particularly for the public sector. The Government’s Cybersecurity Strategy is very welcome but fails to mention device security once. When it comes to cybersecurity, everyone typically thinks about software, but the resilience of our PCs, laptops and printers is often underappreciated.
A lack of protection for hardware in our schools and hospitals leaves the UK vulnerable to malign actors, and the data shows that the Government remains an attractive target for cyber attackers, with 40% of cyber incidents between 2020 and 2021 affecting the public sector[1]. Oliver Dowden recently acknowledged that the UK is now the third most targeted country for cyberattacks, behind only the USA and Ukraine.
Those working from home will already be aware of cybersecurity measures and what feels like a constant stream of requests to restart and update our laptops. Whilst these can be annoying and time-consuming, we must recognise the increased risks that greater levels of hybrid working bring.
We are far more vulnerable to cyberattacks without the security protections that the office affords us – such as firewalls and blacklisted IP addresses – and the increased reliance on technology to facilitate our work. As the blurred line between our personal and professional lives continues to increase, this will only heighten the risk of sensitive information falling into the wrong hands.
Combating fraud requires Government, businesses, and individuals across the UK to work together. Greater cooperation and knowledge sharing can make a real difference. Raising awareness of the different types of fraud we face and its impact on all corners of the UK is the first key step to arming us with the knowledge to stay safe online. The NCSC’s Cyber Aware campaign, which revealed that online shopping scams in the run-up to Christmas cost victims on average £1,000 per person in the same period last year, is a great move in the right direction.
We also need to ensure our policies and requirements have greater teeth to better protect UK plc. There are three simple steps the Government can take to do this.
Firstly, we could mandate device security requirements as one of the award criteria for the purchase of laptops, computers, and printers. Strengthening these requirements would help protect schools and hospitals which have seen a sharp rise in both the amount and sophistication of attacks in recent years. This can protect us from the types of attackers that perpetrated the SolarWinds hack, which brought swathes of the US public sector’s tech infrastructure to a virtual standstill.
Secondly, now the UK has left the European Union, we are in a much stronger position to defend our own national interest within our own public procurement rules. It would send a strong signal to malicious actors around the world if the Government used the Procurement Bill, which is currently being considered by Parliament, to exclude suppliers to the public sector on cybersecurity grounds.
Finally, the Procurement Bill should, through the National Procurement Policy Statement (NPPS), which sets out national priorities and guidance for contracting authorities, explicitly set out cyber security requirements as a required purchasing criterion in public sector procurement. It is extremely welcome that Labour’s Shadow Cabinet Office Minister Florence Eshalomi is proposing to add “cyber security” to Clause 13 of the Bill. This amendment would make cyber security one of the strategic national priorities for procurement, and it would strengthen the national security focus of the Bill. Hopefully, this amendment could get cross-party support, and will be taken over by Government.
Taken together, these measures would help safeguard the UK from any potential attack from rogue actors and nation-states and bring us into line with best practice from across the world. If we can all keep this kind of dialogue going, working together to raise standards and upgrade the nation's defences and resiliency.
[1] https://www.gov.uk/government/publications/government-cyber-security-strategy-2022-to-2030