News

Government launches Cyber Action Plan and £210 million investment

The UK Government has updated its Cyber Action Plan to tackle “critically high” cyber risk as part of the Roadmap for Modern Digital Government, looking to move toward proactive action, clear accountability, mandatory requirements, and comprehensive central support. £210 million has been invested in forming a new Government Cyber Unit, to provide direction and expert support.

The government shares findings from the first year of GovAssure, its cyber security scheme for assessing government critical systems, noting “significant gaps” in departments’ cyber security and resilience, and low levels of maturity in asset management, protective monitoring, and response planning. “Nearly a third (28 percent) of the government technology estate is estimated to be legacy technology, and therefore highly vulnerable to attack,” it states.

A target of making all government organisations resilient to known vulnerabilities and attack methods by 2030, set out in the Government Cyber Security Strategy in 2022, is now considered “not achievable”, according to the government. The plan presents a “new way forward” to set clear expectations, measurable objectives, and outcomes, following consultation with different departments, public sector organisations, industry partners, and the Government Cyber Advisory Board.

Delivery, led by the Government Cyber Unit, will focus on three phases, with phase one to April 2027 concentrating on building critical functions, establishing accountability and governance, setting up central services and support, outlining clear targets, and launching a new cyber profession for government. It will then move to scaling, with actions to be completed by April 2029 to include using cyber risk visibility to make data-driven decisions and investments, maturing response and recovery capabilities, and developing role-based learning pathways for high-risk cyber specialisms.

Beyond 2029, the plan is to support continuous improvement, with decision-making and prioritisation at all levels of government informed by sharing of central cyber data insights, investment in cross-government platforms, services, and infrastructure, and the delivery of central cyber support and services at scale. Current accountability structures have “failed to achieve the right level of resilience”, the government notes, with clear risk appetites to be set at all levels, and performance to be monitored.

When it comes to organisational cyber risk governance, accounting officers should be supported by board members and senior management to effectively manage risks, with responsibilities such as setting cyber risk strategy and risk appetite, appointing a board member with cyber expertise, appointing a CISO with authority to manage organisation-wide cyber security, and appointing a CDIO with authority for organisation-wide digital and IT. All organisations should assure the cyber security and resilience of their supply chain.

The government also sets out steps toward improving response and recovery, recognising that current effort is “duplicated and uncoordinated”, with intelligence and insights often not being shared. Investment will be made in the Vulnerability Reporting Service, and coordination capabilities will be expanded to ensure effective cross-government response. Departments and the wider public sector will manage organisational cyber incidents across the full lifecycle, relying on central support where appropriate, whilst suppliers will proactively report and cooperate on incident response and recovery impacting government organisations.

For detection at scale, the Cyber Coordination Centre will support where incidents exceed the capabilities of individual departments to manage, or where organisations do not have access to the right expertise, putting in place a panel of centrally-managed NCSC-accredited incident response providers “of last resort”. Organisations will be responsible for identifying and embedding lessons learned from incidents to ensure the wider government can benefit from their experience.

A Government Cyber Incident Response Plan will be published to provide the overarching framework, structure, roles and responsibilities for cyber incident response within government. Existing support will be improved through enhanced threat and vulnerability notification services, and the government commits to pilot, and define longer-term plans for, services to help detect, triage, and investigate threats, including a library of intelligence-driven detection content.

To address the cyber skills gap, the Government Cyber Profession will provide a government-wide approach to attracting and retaining talent, and to upskilling and supporting leadership and the workforce. Departments will recruit cyber professionals through entry schemes and recruitment programmes, and look to upskill and retain staff with development opportunities and competitive pay.

To effectively measure delivery, the government defines a series of implementation milestones to ensure accountability for delivering improvements, with priority activities covering the development of new risk management roles, processes, and governance; providing practical support on managing cyber risk and appetite; engaging with strategic suppliers to ensure resilience outcomes are met; supporting the managing and reporting of cyber risk “in alignment with government-wide risk processes”; and considering mechanisms to ensure suppliers manage government cyber risk.

Milestones for phase two will see a control library piloted by “at least five” organisations to demonstrate appropriate use, a data insights capability developed to support informed decision making, governmental departments completing a “Secure by Design” capability assessment, and departments establishing costed cyber security and resilience implementation plans to be reviewed and updated annually. Organisations will have restoration readiness plans, including mapped dependencies, minimum restoration standards, and rehearsed procedures.

By 2029 and beyond, organisations will be actively using cyber security control libraries to inform decision making, with data insights driving prioritisation of central government resources, all departments actively sharing threat and risk information in near-real-time, and 100 percent of organisations regularly exercising digital recovery and incident response plans.

Wider trend: NHS cyber resilience

For a December panel discussion, we explored cyber resilience within the NHS, focusing on some of the strategic challenges in this area around preparedness and recovery. Our panellists also discussed how to embed resilience into clinical, technical, and governance frameworks and make cyber security a priority across the healthcare sector. We were joined by Hubert Ametefe, CISO at Bedfordshire Hospitals NHS FT; Mike Fell, director of national cyber operations at NHS England; Julian Wiggins, healthcare solution director at Rackspace Technology; and Nasser Arif, cyber security manager for London NW University Healthcare and The Hillingdon Hospitals.

Guidance from NHS England has outlined ways non-executive directors can contribute to keeping their organisation safe from cyber attack, with Jamie Saunders, non-executive chair of the NHS England Cyber Security Risk Committee, noting, “boards throughout the NHS have a key role to play in safeguarding patients from this risk.” The aim is to provide a resource that helps directors understand and deal with cyber security risks, explains how external assessments provide insights, and sets out the questions to ask yourself, the questions to ask the board, and the questions the board should ask.

NHS England has shared plans for the reprocurement of the cyber operations external attack surface management system, launching a market engagement process. The engagement intends to brief the market ahead of procurement of a solution to protect IT systems that are internet-facing against cyber threats, with the scope to be delivered as a national service to NHS organisations. So far, NHS England has outlined how the solution should build on previous lessons learned, helping to reduce cyber risks and improve the overall understanding of security weaknesses within the NHS. It should also use “severity-based prioritisation of remediation” to address vulnerabilities and concerns, especially around exposed assets.

The Cyber Security and Resilience (Network and Information Systems) Bill has been published, introducing regulation for companies providing IT and cyber services to the NHS “for the first time”, including reporting duties around cyber incidents and requirements for cyber mitigation plans. Given the trusted access these companies hold to critical national infrastructure, government, and business networks, the Bill outlines clear security duties that will need to be met moving forward. “This includes reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences,” the Department for Science, Innovation and Technology states.