TechDigits

Tech news
Friday, Mar 29, 2024

Four Takeaways From the New UK Cybersecurity Strategy

Four Takeaways From the New UK Cybersecurity Strategy

Two weeks ago, with much fanfare, the United Kingdom released a new strategy that sets out UK government’s approach to improving the country’s cybersecurity over the next five years.
It follows the UK’s previous effort dating back to 2011, and allocates £1.9 billion ($2.36 billion) over five years, doubling the previous investment of £860 million ($1 billion). This newest five year plan has the usual fare. It identifies the threats and vulnerabilities facing the UK, creates three pillars using alliteration (defend, deter and develop), and is filled with government-speak that could have been ripped from The Thick of It or Veep ("we need to invest in proofing ourselves against future threats").

The threats the UK identifies are not surprising. It singles out Russian-language organized cybercrime, state-sponsored threats, terrorist groups (although it caveats that terrorist groups are likely to prefer physical attacks over digital ones for the time being), hacktivists, and oddly, script kiddies. The strategy also points out the UK’s vulnerabilities, such as the proliferation of insecure internet of things devices, poor cyber hygiene, legacy and unpatched systems, and the availability of off-the-shelf hacking resources. These threats and vulnerabilities are not unique to the UK--every country connected to the internet faces identical or similar challenges.

There are four takeaways from the new strategy.

First, there seems to be an inherent tension between market incentives to spur better cybersecurity and regulation throughout the document. There’s a heavy emphasis placed on the importance of using a mix of intelligence sharing, incentives to spur the creation of cybersecurity products like certification schemes or incentives to create software that is "secure by default," and using the government as a test case for cybersecurity approaches with the hopes that they cascade into the private sector. However, the strategy recognizes that much of these same efforts were undertaken in the previous iteration of the strategy, with somewhat limited effect. The strategy leaves the door open to regulation but doesn’t elaborate on what that could look like. There’s also no mention of the EU network and information security directive, which the UK is still technically required to implement until it formally leaves the European Union.

Second, the strategy places heavy emphasis on taking "active cyber defense" measures to protect the UK. Generally, the term active cyber defense has been synonymous with hacking back, whereby companies and other non-government actors are allowed to retaliate in cyberspace and is controversial. In its strategy, that’s not what the UK is advocating. Instead, active cyber defense is defined as a series of technical measures, taken by government in cooperation with industry (mostly communications service providers), to make it "significantly harder to attack UK internet services and users." The technical measures include DNS filtering, coordinating botnet take-downs, DMARC and other methods to curtail phishing, man-in-the-middle attacks, and Border Gateway Protocol hijacks. If you’re technically-minded, you can read more about the UK active defense approach here.

Third, the UK, like many other countries, seems to be more open about resorting to the use of offensive cyber operations to protect and defend its interests. Five years ago, countries were loathe to openly talk about offensive cyber capabilities, with many only referencing defensive capabilities in what could be gleaned from official doctrine. Now, the UK is open about the need to invest in its National Offensive Cyber Program to ensure that UK capabilities "can be deployed at a time and place" of its choosing.

The strategy also makes clear that the UK will attribute state-sponsored cyber incidents publicly when "we judge it in the national interest to do so." Unlike the United States, Germany, Canada, South Korea, and others, the UK has yet to publicly accuse a state of being behind a specific cyber incident. Perhaps the new strategy signals that UK officials will be more open to naming and shaming as part of their cyber deterrence efforts.

Fourth the strategy makes explicit the UK’s desire to develop sovereign cryptographic capabilities, "developed in the UK, by British nationals." This raises a bunch of questions. Does the UK not trust crypto advocated by its other Five Eyes partners or in standardization bodies? Is it a response to the NSA’s alleged undermining of a widely used crypto standard that came to light as a result of Edward Snowden? Is the UK trying to stimulate the development of crypto that can be decrypted by law enforcement to fix the "going dark" problem?

As with any government strategy document, its implementation will determine its effectiveness. Much of the strategy rests on developing government capabilities with the hope that the UK private sector shamelessly pilfers the best ideas and approaches. Cybersecurity is probably one of the few areas where plagiarism is celebrated, not frowned upon.
Newsletter

Related Articles

TechDigits
0:00
0:00
Close
FTX's Bankman-Fried headed for jail after judge revokes bail
America's First New Nuclear Reactor in Nearly Seven Years Begins Operations
Southeast Asia moves closer to economic unity with new regional payments system
Today Hunter Biden’s best friend and business associate, Devon Archer, testified that Joe Biden met in Georgetown with Russian Moscow Mayor's Wife Yelena Baturina who later paid Hunter Biden $3.5 million in so called “consulting fees”
Google testing journalism AI. We are doing it already 2 years, and without Google biased propoganda and manipulated censorship
Musk announces Twitter name and logo change to X.com
The future of sports
TikTok Takes On Spotify And Apple, Launches Own Music Service
Hacktivist Collective Anonymous Launches 'Project Disclosure' to Unearth Information on UFOs and ETIs
Typo sends millions of US military emails to Russian ally Mali
Server Arrested For Theft After Refusing To Pay A Table's $100 Restaurant Bill When They Dined & Dashed
Democracy not: EU's Digital Commissioner Considers Shutting Down Social Media Platforms Amid Social Unrest
Sarah Silverman and Renowned Authors Lodge Copyright Infringement Case Against OpenAI and Meta
Why Do Tech Executives Support Kennedy Jr.?
The New York Times Announces Closure of its Sports Section in Favor of The Athletic
Florida Attorney General requests Meta CEO's testimony on company's platforms' alleged facilitation of illicit activities
The Poor Man With Money, Mark Zuckerberg, Unveils Twitter Replica with Heavy-Handed Censorship: A New Low in Innovation?
The Double-Edged Sword of AI: AI is linked to layoffs in industry that created it
US Sanctions on China's Chip Industry Backfire, Prompting Self-Inflicted Blowback
Meta Copy Twitter with New App, Threads
BlackRock Bitcoin ETF Application Refiled, Naming Coinbase as ‘Surveillance-Sharing’ Partner
UK Crypto and Stablecoin Regulations Become Law as Royal Assent is Granted
A Delaware city wants to let businesses vote in its elections
Alef Aeronautics Achieves Historic Milestone with Flight Certification for World's First Flying Car
Google Blocked Access to Canadian News in Response to New Legislation
French Politicians Advocate for Pan-European Regulation on Social Media Influencers
Melinda French Gates Advocates for Increased Female Representation in AI to Prevent Bias
Snapchat+ gains 4 million paying subscribers in its first year
Apple Makes History as the First Public Company Valued at $3 Trillion
Elon Musk Implements Twitter Limits to Tackle Data Scraping, but Faces Criticism for Technical Misunderstanding
EU and UK's Slow Electric Vehicle Adoption Raises Questions About the Transition to Green Mobility
Top Companies Express Concerns Over Europe's Proposed AI Law, Citing Competitiveness and Investment Risks
Meta Unveils Insights on AI Usage in Facebook and Instagram, Amid Growing Calls for Transparency
Crypto Scams Against Seniors Soar by 78% in 2022, Experts Urge Vigilance
The End of an Era: National Geographic Dismisses Last of Its Staff Writers
Shield Your Wallet: The Perils of Wireless Credit Card Theft
Harvard Scientist Who Studies Honesty Accused Of Data Fraud, Put On Leave
Putting an End to the Subscription Snare: The Battle Against Unwitting Commitments
The Legal Perils of AI: Lawyer Faces Sanctions for Relying on Fictional Cases Generated by Chatbot
ChatGPT’s "Grandma Exploit": Ingenious Hack Exposes Loophole in AI, Generates Free Software Codes
The Disney Downturn: A Near Billion-Dollar Box Office Blow for the House of Mouse
A Digital Showdown: Canada Challenges Tech Giants with The Online News Act, Meta Strikes Back
Distress in the Depths: Submersible and Passengers Missing in Titanic Wreckage Expedition
Mark Zuckerberg stealing another idea: Twitter
European Union's AI Regulations Risk Self-Sabotage, Cautions smart and brave Venture Capitalist Joe Lonsdale
Nvidia GPUs are so hard to get that rich venture capitalists are buying them for the startups they invest in
Chinese car exports surge
Reddit Blackout: Thousands of Communities Protest "Ludicrous" Pricing Changes
Nvidia Joins Tech Giants as First Chipmaker to Reach $1 Trillion Valuation
AI ‘extinction’ should be same priority as nuclear war – experts
×