Media coverage of the Government’s National Cyber Security Strategy focused on the Russian cyber security threat trailed by MI5 over the weekend, stoking fears of a new “Code War” if not actually a Cold War. However, the new document says a lot about issues close to home, too:
The Chancellor has staked his personal reputation on the cyber strategy. The 2011 iteration was led by the Cabinet Office but Hammond has launched this one himself. As the strategy requires cross-Government action, it will be a good measure of the Chancellor’s power in Whitehall – and, in turn, over Brexit.
The new cyber plans point to the Government’s Industrial Strategy. Key themes like using public funding to realise the commercial potential of academic research and targeted regulation to promote key sectors will run through the Autumn Statement and be a key part of the Industrial Strategy. If the Cyber Strategy is successful, it will also be a refreshing and admirable example of ‘joined-up Government’, as it will require deep cooperation between Departments that don’t normally see eye-to-eye.
The Government is willing to intervene in the private sector. The Cyber Strategy hints at vast swathes of new regulations on business, including forcing big companies to be ‘secure by default’, introducing a new cyber security rating system, and Government testing of suppliers’ cyber security measures. The Government thinks there is a competitive advantage in the UK being more cyber secure than any other market, so it explicitly says regulation here will be “as high as, or higher than, comparative advanced economies”. Public bodies, companies and even charities are all in the Government’s sights.
Private companies will be blamed when things go wrong. The new strategy paper makes clear that “businesses must understand that if they are the victim of a cyber attack, they are liable for the consequences”. The Government says it will take over a supplier’s functions if they are not cyber secure and pose a threat to national security (including risks to the delivery of public services). We think early engagement with the National Cyber Security Centre will be essential for companies looking to mitigate this risk – businesses will have to show they have at least tried to be cyber secure if they want to avoid the wrath of Whitehall.
The full National Cyber Security Strategy document is here: http://bit.ly/2fqrgca