Whitehall departments will be required to undergo an external audit of their cyber resilience to help ministers “understand cyber risk across government”.
Called “Gov Assure,” the scheme will ask all government entities to undergo an independent assessment of their cyber setup and risk profile. This process will be based on the guidelines established in the Cyber Assessment Framework of the National Center for Cyber Security.
The measures were first unveiled as part of the Government’s Cyber Security Strategy, published earlier this year.
Cabinet Office Minister and Paymaster General Michael Ellis said: “This will create a single lens through which we can understand cyber risk across government and enable government departments to accurately assess their level of cyber assurance and highlight priority areas for improvement. Gov Assure will also help us take a strategic view of the government’s vulnerability, to help inform a strategic roadmap to defend ourselves as one.”
Ellis’s comments were made during CSW sister title PublicTechnology’s annual Cyber Security Summit event, held in London last week. In the opening keynote presentation, the minister gave attendees an insight into the intent behind the public sector cyber plan and plans for its implementation in the coming months and years.
The 84-page policy document sets out the ambition that “critical public sector functions be significantly hardened against cyberattacks by 2025.”
By the end of this decade, the plan is for all public agencies to be “resilient to known vulnerabilities and attack methods.”
“To keep everyone safe online… the public sector must lead by example,” Ellis said. “If we want to continue to prevent public services from being squeezed and protect them from damaging consequences when they do, we must act. Our core public sector functions, from delivering public services to running the national security apparatus, must be more resilient than ever to cyberattacks.”
One of the key aspects of the strategy will be to develop and implement a public sector-wide framework to ensure that services, products and platforms are designed with security in mind. This “will ensure that appropriate and proportionate cybersecurity measures are embedded within the technology we all use,” the minister said.
“This world-leading framework will enable all of us to harness industry innovation by enhancing our ability to test, pilot and deploy business tools, services and capabilities,” he added. “This will be supported by robust measures to mitigate risk, including national regulation and international collaboration on standards.”
Cyber security becomes even more important given the government’s intention to “embrace the development of connected place technology” such as sensors and digitally enabled public infrastructure.
“When properly secured, smart city approaches have the opportunity to transform the interaction between government and citizens,” Ellis said. “Connected places provide tangible benefits to society, managing traffic, reducing pollution and saving money and resources. We must seize this opportunity to better serve our communities. But we must do this in a risk-aware way: the interconnectivity that allows places to function more efficiently also creates cyber vulnerabilities and the potential for cyber attacks.”
The government intends to boost existing NCSC Connected Places Cyber Security Principles guidelines. It will also “strengthen the ability of local authorities and organizations such as ports, universities and hospitals to purchase and use connected place technology securely,” Ellis told conference attendees.
Supporting the launch of the strategy will be a new Government Cyber Coordination Center. The entity is a joint venture between the Government Security Group, the Central Digital and Data Office and the NCSC.
The minister stated that the center “will transform the way we use cybersecurity data, by facilitating the management of threats and vulnerabilities at scale and fostering partnerships across the public sector” and the country at large.
It will also lead the government’s response to successful attacks.
“I am proud to say that when UK public services came under attack, the government acted quickly to support the recovery and operation of key services, and also to manage any risk of data theft,” said Ellis. “However, we must, inevitably, expect challenges.”
He added: “Where we can’t prevent them, we will quickly identify, investigate and coordinate our response to cyber threats; where criminals find weaknesses in our defenses, we will learn and rebuild them stronger.”
To help combat the current threat from Russia, the NCSC is supported by a newly created Government Information Cell, which has brought together some 35 staff members from the Ministry of the Interior, the Cabinet Office, the Department of Digital, Culture, Media and Sports, and the Ministry of Foreign Affairs, Commonwealth and Development Office. The cell’s mandate is to counter Kremlin narratives about invading Ukraine.
“The NCSC has been regularly reaching out to major social media platforms to monitor and share information,” Ellis said. “Their work also helps our Government Information Cell, gathering counter-disinformation expertise to identify and tackle Russian information aggression targeting the UK.”
Sam Trendall is editor of CSW’s sister title PublicTechnology, where this story first appeared.