National Cyber Security Strategy 2016

NATIONAL CYBER SECURITY
STRATEGY 2016-2021
Contents
FOREWORD ...................................................................................................6
PREFACE........................................................................................................7
1 EXECUTIVE SUMMARY ................................................................................8
2 INTRODUCTION ..........................................................................................12
The scope of the strategy .............................................................................14
3 STRATEGIC CONTEXT................................................................................16
Threats ..........................................................................................................17
Cyber criminals ........................................................................................17
States and state-sponsored threats.........................................................18
Terrorists ..................................................................................................19
Hacktivists................................................................................................19
Script Kiddies .........................................................................................20
Vulnerabilities ................................................................................................22
An expanding range of devices ...............................................................22
Poor cyber hygiene and compliance........................................................22
Insufficient training and skills ...................................................................22
Legacy and unpatched systems ..............................................................23
Availability of hacking resources..............................................................23
Conclusions...................................................................................................23
4 OUR NATIONAL RESPONSE ......................................................................24
Our vision ......................................................................................................25
Principles.......................................................................................................25
Roles and responsibilities .............................................................................26
Individuals ................................................................................................26
Businesses and organisations .................................................................26
Government..............................................................................................26
Driving change: the role of the market .....................................................27
Driving change: expanded role for the Government ................................27
IMPLEMENTATION PLAN ...........................................................................30
5 DEFEND........................................................................................................32
5.1. Active Cyber Defence.............................................................................33
5.2. Building a more secure Internet .............................................................35
5.3. Protecting government...........................................................................37
5.4. Protecting our critical national infrastructure and other priority sectors....39
5.5. Changing public and business behaviours ............................................42
5.6. Managing incidents and understanding the threat.................................44
6 DETER ..........................................................................................................46
6.1. Cybers role in deterrence ......................................................................47
6.2. Reducing cyber crime ............................................................................47
6.3. Countering hostile foreign actors ...........................................................49
6.4. Preventing terrorism ...............................................................................50
6.5. Enhancing sovereign capabilities offensive cyber...............................51
6.6. Enhancing sovereign capabilities cryptography..................................51
7 DEVELOP......................................................................................................54
7.1. Strengthening cyber security skills.........................................................55
7.2. Stimulating growth in the cyber security sector.....................................57
7.3. Promoting cyber security science and technology ................................59
7.4. Effective horizon scanning .....................................................................60
8 INTERNATIONAL ACTION ..........................................................................62
9 METRICS ......................................................................................................66
10 CONCLUSION: Cyber Security beyond 2021 ............................................70
Annex 1: Acronyms .....................................................................................73
Annex 2: Glossary........................................................................................74
Annex 3: Headline implementation programme .......................................78
FOREWORD
FOREWORD
The UK is one of the worlds leading The new National Cyber Security Centre will
digital nations. Much of our prosperity provide a hub of world-class, user-friendly
now depends on our ability to secure our expertise for businesses and individuals, as
technology, data and networks from the well as rapid response to major incidents.
many threats we face.
Government has a clear leadership role,
Yet cyber attacks are growing more but we will also foster a wider commercial
frequent, sophisticated and damaging when ecosystem, recognising where industry
they succeed. So we are taking decisive can innovate faster than us. This includes
action to protect both our economy and the a drive to get the best young minds into
privacy of UK citizens. cyber security.
Our National Cyber Security Strategy sets out The cyber threat impacts the whole of our
our plan to make Britain confident, capable society, so we want to make very clear
and resilient in a fast-moving digital world. that everyone has a part to play in our
national response. Its why this strategy is
Over the lifetime of this five-year strategy, an unprecedented exercise in transparency.
we will invest 1.9 billion in defending We can no longer afford to have this
our systems and infrastructure, deterring discussion behind closed doors.
our adversaries, and developing a whole-
society capability from the biggest Ultimately, this is a threat that cannot be
companies to the individual citizen. completely eliminated. Digital technology
works because it is open, and that
From the most basic cyber hygiene, to the openness brings with it risk. What we
most sophisticated deterrence, we need a can do is reduce the threat to a level that
comprehensive response. ensures we remain at the vanguard of the
digital revolution. This strategy sets out how.
We will focus on raising the cost of
mounting an attack against anyone in the
UK, both through stronger defences and
better cyber skills. This is no longer just
an issue for the IT department but for the
whole workforce. Cyber skills need to reach The Rt Hon Philip Hammond MP,
into every profession. Chancellor of the Exchequer
National Cyber Security Strategy 2016

7
PREFACE
PREFACE
Our primary responsibility is to keep As Minister for the Cabinet Office with
the nation safe and deliver competent responsibility for cyber security and
government. This strategy reflects these government security, I am determined
duties. It is a bold and ambitious approach to to see this strategy implemented in full.
tackling the many threats our country faces in I will work closely with colleagues across
cyberspace. Managing and mitigating those Government and with partners in the
threats is a task for us all but the Government Devolved Administrations, the wider public
recognises its special responsibility to lead sector, industry and academia to ensure we
the national effort required. achieve that ambition.
The Government is committed to ensuring

the commitments set out in this strategy
are carried out and that we accurately
monitor and regularly report on progress
in meeting them. We will also keep our The Rt Hon Ben Gummer MP,
approach under review and respond to Minister for the Cabinet Office
changes in the level of threat we face as and Paymaster General
well as evolutions in security technologies.
Government also has a special

responsibility to the citizen, to companies
and organisations operating in the UK,
and to our international allies and partners.
We should be able to assure them that
every effort made has been to render our
systems safe and to protect our data and
our networks from attack or interference.
We must therefore set ourselves the highest
standards of cyber security and ensure we
adhere to them, both as the cornerstone
of the countrys national security and
economic wellbeing and also as an example
for others to follow. We shall report back on
progress made on an annual basis.

8
Section 1
EXECUTIVE SUMMARY
1. EXECUTIVE
SUMMARY

9
Section 1
EXECUTIVE SUMMARY
1.1. The future of the UKs security and DETER The UK will be a
prosperity rests on digital foundations. hard target for all forms of
The challenge of our generation is to build aggression in cyberspace.
a flourishing digital society that is both We detect, understand,
resilient to cyber threats, and equipped with investigate and disrupt
the knowledge and capabilities required to hostile action taken against us,
maximise opportunities and manage risks. pursuing and prosecuting offenders.
We have the means to take offensive
1.2. We are critically dependent on the action in cyberspace, should we
Internet. However, it is inherently insecure choose to do so.
and there will always be attempts to exploit
weaknesses to launch cyber attacks. This DEVELOP We have
threat cannot be eliminated completely, but an innovative, growing
the risk can be greatly reduced to a level cyber security industry,
that allows society to continue to prosper, underpinned by world-
and benefit from the huge opportunities leading scientific
that digital technology brings. research and development. We have
a self-sustaining pipeline of talent
1.3. The 2011 National Cyber Security providing the skills to meet our national
Strategy, underpinned by the British needs across the public and private
Governments 860m National Cyber sectors. Our cutting-edge analysis
Security Programme, has delivered and expertise will enable the UK to
substantial improvements to UK cyber meet and overcome future threats
security. It achieved important outcomes and challenges.
by looking to the market to drive secure
cyber behaviours. But this approach has 1.6. Underpinning these objectives, we
not achieved the scale and pace of change will pursue INTERNATIONAL ACTION
required to stay ahead of the fast moving and exert our influence by investing in
threat. We now need to go further. partnerships that shape the global evolution
of cyberspace in a manner that advances
1.4. Our vision for 2021 is that our wider economic and security interests.
the UK is secure and resilient to We will deepen existing links with our
cyber threats, prosperous and closest international partners, recognising
confident in the digital world. that this enhances our collective security.
We will also develop relationships with new
1.5. To realise this vision we will partners to build their levels of cyber security
work to achieve the following objectives: and protect UK interests overseas. We will
do this both bilaterally and multilaterally,
DEFEND We have the including through the EU, NATO and the
means to defend the UK UN. We will deliver clear messages about
against evolving cyber consequences to adversaries who threaten
threats, to respond to harm our interests, or those of our allies,
effectively to incidents, to in cyberspace.
ensure UK networks, data and systems
are protected and resilient. Citizens, 1.7. To achieve these outcomes over
businesses and the public sector the next five years, the UK Government
have the knowledge and ability to intends to intervene more actively and use
defend themselves. increased investment, while continuing

10
Section 1
EXECUTIVE SUMMARY
to support market forces to raise cyber 1.11. We will have the means to respond
security standards across the UK. The to cyber attacks in the same way as
UK Government, in partnership with the we respond to any other attack, using
Devolved Administrations of Scotland, whichever capability is most appropriate,
Wales and Northern Ireland, will work with including an offensive cyber capability.
the private and public sectors to ensure that
individuals, businesses and organisations 1.12. We will use the authority and
adopt the behaviours required to stay safe influence of the UK Government to invest
on the Internet. We will have measures in in programmes to address the shortage of
place to intervene (where necessary and cyber security skills in the UK, from schools
within the scope of our powers) to drive to universities and across the workforce.
improvements that are in the national
interest, particularly in relation to the cyber 1.13. We will launch two new cyber
security of our critical national infrastructure. innovation centres to drive the development
of cutting-edge cyber products and
1.8. The UK Government will draw on dynamic new cyber security companies.
its capabilities and those of industry to We will also allocate a proportion of the
develop and apply active cyber defence 165m Defence and Cyber Innovation
measures to significantly enhance the levels Fund to support innovative procurement in
of cyber security across UK networks. defence and security.
These measures include minimising the
most common forms of phishing attacks, 1.14. We will invest a total of 1.9 billion
filtering known bad IP addresses, and over the next five years to transform
actively blocking malicious online activity. significantly the UKs cyber security.
Improvements in basic cyber security
will raise the UKs resilience to the most
commonly deployed cyber threats.
1.9. We have created a National Cyber

Security Centre (NCSC) to be the authority
on the UKs cyber security environment,
sharing knowledge, addressing systemic
vulnerabilties and providing leadership on
key national cyber security issues.
1.10. We will ensure that our Armed Forces

are resilient and have the strong cyber
defences they need to secure and defend
their networks and platforms, continuing
to operate and retaining global freedom of
manoeuvre despite cyber threats. Our military
Cyber Security Operations Centre will work
closely with the NCSC and we will ensure
that the Armed Forces can assist in the event
of a significant national cyber attack.
1
Understanding the threats to networks, and then devising and implementing measures to proactively combat or defend
against those threats. See Glossary for an explanation of all technical terms.

11
Section 1
EXECUTIVE SUMMARY
12
Section 2
INTRODUCTION
2. INTRODUCTION

13
Section 2
INTRODUCTION
2.1. Information and communication determination to address cyber threats

technologies have evolved over the and put in place tough and innovative
last two decades and are now integrated measures, as a world leader in cyber
into virtually every aspect of our lives. security. This National Cyber Security
The UK is a digitalised society. Our Strategy delivers on that commitment.
economy and our daily lives are the
richer for it. 2.6. In preparing this new strategy,
the Government is building on the
2.2. The transformation brought achievements, objectives and
about by this digitalisation creates judgements of the first five-year
new dependencies. Our economy, the National Cyber Security Strategy
administration of government and the issued in 2011. The Government
provision of essential services now rely invested 860m over that period, and
on the integrity of cyberspace and on the is proud of what has been achieved.
infrastructure, systems and data which The policies, institutions and initiatives
underpin it. A loss of trust in that integrity developed over the last five years have
would jeopardise the benefits of this helped to establish the UK as a leading
technological revolution. global player in cyber security.
2.3. Much of the hardware and 2.7. These are sound foundations.
software originally developed to facilitate But the persistence and ingenuity of those
this interconnected digital environment who would threaten us, the prevalence
has prioritised efficiency, cost and the of our vulnerabilities and gaps in our
convenience of the user, but has not always capabilities and defences mean we need
had security designed in from the start. to work even harder to keep pace with
Malicious actors hostile states, criminal the threat. A comprehensive approach is
or terrorist organisations and individuals required if we are to effectively secure our
can exploit the gap between convenience cyber interests. Our resolution to make
and security. Narrowing that gap is a further investment and interventions is
national priority. based on the following assessments:
2.4. The expansion of the Internet the scale and dynamic nature of cyber
beyond computers and mobile phones threats, and our vulnerability and
into other cyber-physical or smart dependency, mean that maintaining
systems is extending the threat of remote the current approach will not in itself
exploitation to a whole host of new be sufficient to keep us safe;
technologies. Systems and technologies a market based approach to
that underpin our daily lives such as the promotion of cyber hygiene has
power grids, air traffic control systems, not produced the required pace and
satellites, medical technologies, industrial scale of change; therefore, Government
plants and traffic lights are connected has to lead the way and intervene
to the Internet and, therefore, potentially more directly by bringing its influence
vulnerable to interference. and resources to bear to address
cyber threats;
2.5. The 2015 National Security the Government alone cannot provide
Strategy (NSS) reaffirmed the cyber for all aspects of the nations cyber
threat as a Tier One risk to UK interests. security. An embedded and
The NSS set out the Governments sustainable approach is needed

14
Section 2
INTRODUCTION
where citizens, industry and other all parts of the UK, recognising that, to
partners in society and government, the extent that it touches on devolved
play their full part in securing our matters, we will work closely with the
networks, services and data; devolved Governments on its application
the UK needs a vibrant cyber security to Scotland, Wales and Northern
sector and supporting skills base that Ireland (respecting the three separate
can keep pace with and get ahead of legal jurisdictions, and four education
the changing threat. systems, that exist in the UK). Where
proposals set out in the strategy relate to
THE SCOPE OF THE STRATEGY devolved matters, their implementation
will be agreed as appropriate with those
2.8. This strategy is intended to shape Governments in accordance with the
the Governments policy, while also offering devolution settlements.
a coherent and compelling vision to share
with the public and private sector, civil 2.10. The strategy sets out proposed
society, academia and the wider population. or recommended actions aimed at all
sectors of the economy and society,
2.9. The strategy covers the whole of from central government departments, to
the UK. The UK Government will seek to leaders across industry and the individual
ensure the strategy is implemented for citizen. The strategy aims to increase

15
Section 2
INTRODUCTION
cyber security at all levels for our collective our updated assessment of the
benefit and will be the basis on which the strategic context, including the current
UK engages internationally to promote and evolving threats: who poses the
good internet governance. most serious threat to our interests,
and the tools at their disposal;
2.11. In this strategy, cyber security a review of vulnerabilities and how these
refers to the protection of information have developed over the last five years;
systems (hardware, software and the Governments vision for cyber
associated infrastructure), the data on security in 2021 and the key objectives
them, and the services they provide, to achieve that goal, including guiding
from unauthorised access, harm or misuse. principles, roles and responsibilities,
This includes harm caused intentionally and how and where government
by the operator of the system, or intervention will make a difference;
accidentally, as a result of failing to how we intend to put our policy
follow security procedures. into practice: setting out where the
Government will lead and where we
2.12. Consistent with our assessment of expect to work in partnership with
the challenge we face and building on the others; and
achievements of the 2011 strategy, this how we intend to assess our progress
document sets out: towards our objectives.

16
Section 3
STRATEGIC CONTEXT
3. STRATEGIC CONTEXT

17
Section 3
STRATEGIC CONTEXT
3.1. When the last National Cyber THREATS

Security Strategy was published in 2011,
the scale of technological change and its Cyber criminals
impact was already apparent. The trends
and opportunities described then have 3.2. This strategy deals with cyber crime
since accelerated. New technologies in the context of two interrelated forms of
and applications have come to the fore, criminal activity:
and greater uptake of internet-based
technologies worldwide, in particular cyber-dependent crimes crimes
in developing countries, has offered that can be committed only
increasing opportunities for economic and through the use of Information and
social development. These developments Communications Technology (ICT)
have brought, or will bring, significant devices, where the devices are both
advantages to connected societies such the tool for committing the crime,
as ours. But as our reliance on networks and the target of the crime (e.g.
in the UK and overseas grows, so do the developing and propagating malware
opportunities for those who would seek for financial gain, hacking to steal,
to compromise our systems and data. damage, distort or destroy data
Equally, the geopolitical landscape has and/or network or activity); and
changed. Malicious cyber activity knows cyber-enabled crimes traditional
no international boundaries. State actors crimes which can be increased in scale
are experimenting with offensive cyber or reach by the use of computers,
capabilities. Cyber criminals are broadening computer networks or other forms of
their efforts and expanding their strategic ICT (such as cyber-enabled fraud and
modus operandi to achieve higher value data theft).
pay-outs from UK citizens, organisations
and institutions. Terrorists, and their 3.3. Much of the most serious cyber
sympathisers, are conducting low-level crime mainly fraud, theft and extortion
attacks and aspire to carry out more against the UK continues to be perpetrated
significant acts. This chapter sets out our predominantly by financially motivated
assessment of the nature of these threats, Russian-language organised criminal
our vulnerabilities and how these continue groups (OCGs) in Eastern Europe, with
to evolve. many of the criminal marketplace services
being hosted in these countries. However,
the threat also emanates from other
countries and regions, and from inside the
UK itself, with emerging threats from South
Asia and West Africa of increasing concern.

18
Section 3
STRATEGIC CONTEXT
3.4. Even when key individuals States and state-sponsored threats

responsible for the most damaging cyber
criminal activities against the UK are 3.7. We regularly see attempts by states
identified, it is often difficult for the UK and state-sponsored groups to penetrate
and international law enforcement UK networks for political, diplomatic,
agencies to prosecute them when they technological, commercial and strategic
are located in jurisdictions with limited, advantage, with a principal focus on the
or no, extradition arrangements. government, defence, finance, energy and
telecommunications sectors.
3.5. These OCGs are principally
responsible for developing and deploying 3.8. The capacity and impact of
the increasingly advanced malware that these state cyber programmes varies.
infects the computers and networks of The most advanced nations continue
UK citizens, our industry and government. to improve their capabilities at pace,
The impact is dispersed throughout integrating encryption and anonymisation
the UK, but the cumulative effect is services into their tools in order to remain
significant. These attacks are becoming covert. While they have the technical
increasingly aggressive and confrontational, capability to deploy sophisticated attacks,
as illustrated by the increasing use of they can often achieve their aims using
ransomware, and threats of distributed basic tools and techniques against
denial of service (DDoS) for extortion. vulnerable targets because the defences
of their victims are poor.
3.6. Whilst OCGs may pose a significant
threat to our collective prosperity and 3.9. Only a handful of states have the
security, equally of concern is the technical capabilities to pose a serious
continuing threat from acts of less threat to the UKs overall security and
sophisticated but widespread cyber crimes prosperity. But many other states
carried out against individuals or smaller are developing sophisticated cyber
organisations. programmes that could pose a threat
to UK interests in the near future. Many
states seeking to develop cyber espionage
Internet banking fraud, which covers capability can purchase computer network
fraudulent payments taken from a exploitation tools off the shelf and
repurpose these to conduct espionage.
customers bank account using the
internet banking channel, rose by 64% 3.10. Beyond the espionage threat, a small
to 133.5m in 2015. The number of number of hostile foreign threat actors have
developed and deployed offensive cyber
cases increased at a lower rate of 23%, capabilities, including destructive ones.
which Financial Fraud Action UK said These capabilities threaten the security of
is evidence of the growing trend for the UKs critical national infrastructure and
industrial control systems. Some states
criminals to target business and high may use these capabilities in contravention
net-worth customers. of international law in the belief that
they can do so with relative impunity,
encouraging others to follow suit. Whilst
destructive attacks around the world remain
rare, they are rising in number and impact.

19
Section 3
STRATEGIC CONTEXT
Terrorists Hacktivists
3.11. Terrorist groups continue to aspire 3.13. Hacktivist groups are decentralised
to conduct damaging cyber activity against and issue-orientated. They form and select
the UK and its interests. The current their targets in response to perceived
technical capability of terrorists is judged grievances, introducing a vigilante quality
to be low. Nonetheless the impact of even to many of their acts. While the majority
low-capability activity against the UK to of hacktivist cyber activity is disruptive in
date has been disproportionately high: nature (website defacement or DDoS), more
simple defacements and doxing activity able hacktivists have been able to inflict
(where hacked personal details are leaked greater and lasting damage on their victims.
online) enable terrorist groups and their
supporters to attract media attention and
INSIDERS
intimidate their victims.
Insider threats remain a cyber risk to
Terrorists using the Internet for organisations in the UK. Malicious
insiders, who are trusted employees
their purposes does not equal cyber of an organisation and have access
terrorism. However, by increasingly to critical systems and data, pose
engaging in cyber-space, and given the the greatest threat. They can cause
financial and reputational damage
availability of cyber-crime as a service, through the theft of sensitive data and
one can assume that they would be in intellectual property. They can also pose
the position to launch cyber attacks a destructive cyber threat if they use
their privileged knowledge, or access, to
ENISA Threat Landscape 2015 facilitate, or launch, an attack to disrupt
or degrade critical services on the
network of their organisations, or wipe
3.12. The current assessment is that
data from the network.
physical, rather than cyber, terrorist attacks
will remain the priority for terrorist groups
Of equal concern are those insiders
for the immediate future. As an increasingly
or employees who accidentally cause
computer-literate generation engages
cyber harm through inadvertent
in extremism, potentially exchanging
clicking on a phishing email, plugging
enhanced technical skills, we envisage
an infected USB into a computer,
a greater volume of low-sophistication
or ignoring security procedures and
(defacement or DDoS) disruptive activity
downloading unsafe content from the
against the UK. The potential for a number
Internet. Whilst they have no intention
of skilled extremist lone actors to emerge
of deliberately harming the organisation,
will also increase, as will the risk that a
their privileged access to systems and
terrorist organisation will seek to enlist an
data mean their actions can cause just
established insider. Terrorists will likely
as much damage as a malicious insider.
use any cyber capability to achieve the
These individuals are often the victims of
maximum effect possible. Thus, even a
social engineering they can unwittingly
moderate increase in terrorist capability
provide access to the networks of their
may constitute a significant threat to the
organisation or carry out instructions in
UK and its interests.
good faith that benefit the fraudster.

20
Section 3
STRATEGIC CONTEXT
The overall cyber risk to an organisation CASE STUDY 1: TALKTALK

from insider threats is not just about COMPROMISE
unauthorised access to information
systems and their content. The physical On 21 October 2015, UK
security controls protecting those telecommunications provider TalkTalk
systems from inappropriate access, or reported a successful cyber attack and
removal of sensitive data or proprietary a possible breach of customer data.
information on different forms of media, Subsequent investigation determined
are equally important. Similarly, a robust that a database containing customer
personnel security culture that is alive details had been accessed via public-
to the threat posed by disaffected facing internet servers, with the records
employees, fraud in the workforce of approximately 157,000 customers at
and industrial and other forms of risk, including names, addresses and
espionage is an important element in a bank account details.
comprehensive approach to security.
On the same day, several TalkTalk
employees received an email with a
Script Kiddies ransom demand for payment in Bitcoins.
The attackers detailed the structure of
3.14. So-called script kiddies generally the database as apparent proof that it
less skilled individuals who use scripts had been accessed.
or programmes developed by others to
conduct cyber attacks are not assessed TalkTalks report of the breach helped
as posing a substantive threat to the the police, supported by specialists at
wider economy or society. But they do the National Crime Agency, to arrest the
have access to hacking guides, resources main suspects, all based in the UK, in
and tools on the Internet. Due to the October and November 2015.
vulnerabilities found in internet-facing
systems used by many organisations, the The attack demonstrates that, even
actions of script kiddies can, in some within large cyber-aware organisations,
cases, have a disproportionately damaging vulnerabilities can persist. Their
impact on an affected organisation. exploitation can have a disproportionate
effect in terms of reputational damage
and operational disruption, and this
incident generated substantial media
attention. TalkTalks rapid reporting of
the breach enabled law enforcement
to respond in a timely manner, and
both the public and government to
mitigate the potential loss of sensitive
data. The incident cost TalkTalk an
estimated 60m and the loss of 95,000
customers, as well as a sharp drop in
their share price.

21
Section 3
STRATEGIC CONTEXT
CASE STUDY 2: ATTACK ON BANGLADESH SWIFT Alliance Access software running in

BANKS SWIFT SYSTEM the Bangladesh Bank infrastructure. BAE
concluded that criminals are conducting
The Society for Worldwide Interbank more and more sophisticated attacks
Financial Telecommunication (SWIFT) against victim organisations, particularly in
provides a network that enables financial the area of network intrusions.
institutions worldwide to send and receive
information about financial transactions CASE STUDY 3: UKRAINE POWER GRID
in a secure way. As SWIFT sends ATTACK
payment orders which must be settled
by correspondent accounts that the A cyber attack on western Ukrainian
institutions have with each other, there electricity distribution companies
has long been concern over any potential Prykarpattya Oblenergo and Kyiv
for this process to be compromised by Oblenergo on 23 December 2015
cyber criminals or other malicious actors, caused a major power outage, with
seeking to inject illegitimate payment disruption to over 50 substations on
orders into the system or, in a worst case the distribution networks. The region
scenario, seeking to disable or disrupt the reportedly experienced a blackout for
functionality of the SWIFT network itself. several hours and many other customers
and areas sustained lesser disruptions to
In early February 2016, an attacker their power supplies, affecting more than
accessed the SWIFT payment system 220,000 consumers.
of the Bangladesh Bank and instructed
the New York Federal Reserve bank to Use of the BlackEnergy3 malware has
transfer money from Bangladesh Banks been blamed by some for the attack, after
account to accounts in the Philippines. samples were identified on the network.
The attempted fraud was US$951 million. At least six months before the attack,
30 transactions, worth US$850 million, attackers had sent phishing emails to the
were prevented by the banking system; offices of power utility companies in the
however, five transactions worth US$101 Ukraine containing malicious Microsoft
million went through. US$20 million, traced Office documents. However, the malware
to Sri Lanka, has since been recovered. was not likely to have been responsible
The remaining US$81 million transferred for opening the circuit breakers which
to the Philippines was laundered through resulted in the outage. It is probable that
casinos and some of the funds were then the malware enabled the attackers to
forwarded to Hong Kong. gather credentials that allowed them to
gain direct remote control of aspects of
The forensic investigation launched the network, which would subsequently
by Bangladesh Bank discovered that enable them to trigger the outage.
malware had been installed on the banks
systems and had been used to gather This Ukraine incident is the first confirmed
intelligence on the procedures used instance of a disruptive cyber attack on an
by the bank for international payments electricity network. Instances such as this
and fund transfers. Further analysis by further demonstrate the need for good cyber
BAE Systems of the malware linked security practices across all of our Critical
to the attack uncovered sophisticated National Infrastructure (CNI) to prevent
functionality for interacting with the local similar incidents occurring in the UK.

22
Section 3
STRATEGIC CONTEXT
VULNERABILITIES 10 Steps to Cyber Security, but also due

to the increased public profile of major
An expanding range of devices cyber incidents affecting governments
and corporations. Cyber attacks are not
3.15. When the last National Cyber necessarily sophisticated or inevitable
Security Strategy was published in and are often the result of exploited but
2011, most people conceived of cyber easily rectifiable and, often, preventable
security through the prism of protecting vulnerabilities. In most cases, it continues
devices such as their desktop computer to be the vulnerability of the victim, rather
or laptop. Since then the Internet has than the ingenuity of the attacker, that is
become increasingly integrated into our the deciding factor in the success of a
daily lives in ways we are largely oblivious cyber attack. Businesses and organisations
to. The Internet of Things creates new decide on where and how to invest in
opportunities for exploitation and increases cyber security based on a cost-benefit
the potential impact of attacks which have assessment, but they are ultimately liable
the potential to cause physical damage, for the security of their data and systems.
injury to persons and, in a worst case Only by balancing the risk to their critical
scenario, death. systems and sensitive data from cyber
attacks, with sufficient investment in
3.16. The rapid implementation of people, technology and governance,
connectivity in industrial control processes will businesses reduce their exposure to
in critical systems, across a wide range potential cyber harm.
of industries such as energy, mining,
agriculture and aviation, has created
the Industrial Internet of Things. This is There is no conceivable information
simultaneously opening up the possibility of security system that can stop one
devices and processes, which were never
vulnerable to such interference in the past,
person out of a hundred opening a
being hacked and tampered with, with phishing email, and that can be all
potentially disastrous consequences. it takes.
3.17. Therefore, we are no longer just Ciaran Martin, Director General for
vulnerable to cyber harms caused by the Cyber Security, GCHQ June 2015
lack of cyber security on our own devices
but by threats to the interconnected
systems that are fundamental to our Insufficient training and skills
society, health and welfare.
3.19. We lack the skills and
Poor cyber hygiene and compliance knowledge to meet our cyber security
needs across both the public and private
3.18. Awareness of technical sector. In businesses, many staff
vulnerabilities in software and networks, members are not cyber security
and the need for cyber hygiene in the UK, aware and do not understand their
has undoubtedly increased over the past responsibilities in this regard, partially
five years. This is in part a consequence due to a lack of formal training. The public
of initiatives like the Governments is also insufficiently cyber aware.

23
Section 3
STRATEGIC CONTEXT
Availability of hacking resources

Just under a fifth of businesses had
their staff take part in cyber security 3.22. The ready availability of hacking
training in the past year. information and user-friendly hacking tools
on the Internet is enabling those who want
Cyber Security Breaches Survey 2016. to develop a hacking capability to do so.
The information hackers need in order to
compromise victims successfully is often
3.20. We also need to develop the openly accessible and can be harvested
specialist skills and capabilities that will quickly. Everyone, from the living room
allow us to keep pace with rapidly evolving to the boardroom, needs to be aware of
technology and manage the associated the extent of exposure of their personal
cyber risks. This skills gap represents a details and systems on the Internet, and
national vulnerability that must be resolved. the degree to which that could leave them
vulnerable to malicious cyber exploitation.
Legacy and unpatched systems
3.21. Many organisations in the UK will 99.9% of exploited vulnerabilities

continue to use vulnerable legacy systems were compromised more than a year
until their next IT upgrade. Software on
these systems will often rely on older,
after the vulnerability was published.
unpatched versions. These older versions Verizon 2015 Data Breach
often suffer from vulnerabilities that Investigations report
attackers look for and have the tools to
exploit. An additional issue is the use
by some organisations of unsupported CONCLUSIONS
software, for which patching regimes do
not exist. 3.23. The UK has pursued policies and
established institutions that have enhanced
our defences and mitigated some of the
threat we face in cyberspace.
We recently analysed 115,000 Cisco
devices on the Internet and across 3.24. However, we are not yet ahead of the
customer environments as a way to threat. The types of malicious cyber actors
we must contend with, and their motivations,
bring attention to the security risks
have largely endured, even as the volume of
that aging infrastructure and lack malware and the numbers of such malicious
of attention to patching vulnerabilities actors has grown rapidly. The capability of
our most technically proficient adversaries,
present We found that 106,000
namely a select number of states and elite
of the 115,000 devices had known cyber criminals, has grown. Our collective
vulnerabilities in the software they challenge is to ensure our defences are
evolved and agile enough to counter them,
were running.
to reduce the ability of malicious actors to
Cisco 2016 Annual Security Report attack us and to address the root causes of
the vulnerabilities outlined above.

24
Section 4
OUR NATIONAL RESPONSE
4. OUR NATIONAL
RESPONSE

25
Section 4
4.1. To mitigate the multiple threats needs across the public and private
we face and safeguard our interests in sectors. Our cutting-edge analysis
cyberspace, we need a strategic approach and expertise will enable the UK to
that underpins all our collective and meet and overcome future threats
individual actions in the digital domain over and challenges.
the next five years. This section sets out
our vision and strategic approach. 4.4. Underpinning these objectives, we
will pursue INTERNATIONAL ACTION
OUR VISION and exert our influence by investing in
partnerships. We will shape the global
4.2. Our vision for 2021 is that evolution of cyberspace in a manner
the UK is secure and resilient to cyber that advances our wider economic and
threats, prosperous and confident in security interests.
the digital world.
PRINCIPLES
4.3. To realise this vision, we will work to
achieve the following objectives: 4.5 In working towards these objectives,
the Government will apply the following
DEFEND We have the principles:
means to defend the UK
against evolving cyber our actions and policies will be driven
threats, to respond by the need to both protect our people
effectively to incidents, and enhance our prosperity;
and to ensure UK networks, data and we will treat a cyber attack on the UK
systems are protected and resilient. as seriously as we would an equivalent
Citizens, businesses and the public conventional attack and we will defend
sector have the knowledge and ability ourselves as necessary;
to defend themselves. we will act in accordance with national
and international law and expect others
DETER The UK will be a to do the same;
hard target for all forms of we will rigorously protect and promote
aggression in cyberspace. our core values. These include
We detect, understand, democracy; the rule of law; liberty;
investigate and disrupt open and accountable governments
hostile action taken against us, and institutions; human rights; and
pursuing and prosecuting offenders. freedom of expression;
We have the means to take offensive we will preserve and protect UK
action in cyberspace, should we citizens privacy;
choose to do so. we will work in partnership. Only

by working with the Devolved
DEVELOP We have Administrations, all parts of the public
an innovative, growing sector, businesses, institutions, and the
cyber security industry, individual citizen, can we successfully
underpinned by world- secure the UK in cyberspace;
leading scientific the Government will meet its
research and development. We have responsibilities and lead the
a self-sustaining pipeline of talent national response, but businesses,
providing the skills to meet our national organisations and individual citizens

26
Section 4
have a responsibility to take reasonable to safeguard not only our hardware our
steps to protect themselves online and smart phones and other devices but also
ensure they are resilient and able to the data, software and systems that afford
continue operating in the event of an us freedom, flexibility and convenience in
incident; our private and professional lives.
responsibility for the security of
organisations across the public Businesses and organisations
sector, including cyber security
and the protection of online data 4.8. Businesses, public and private
and services, lies with respective sector organisations and other institutions
Ministers, Permanent Secretaries and hold personal data, provide services,
Management Boards; and operate systems in the digital
we will not accept significant risk being domain. The connectivity of this
posed to the public and the country as information has revolutionised their
a whole as a result of businesses and operations. But with this technological
organisations failing to take the steps transformation comes the responsibility
needed to manage cyber threats; to safeguard the assets which they hold,
we will work closely with those maintain the services they provide, and
countries that share our views and incorporate the appropriate level of
with whom our security overlaps, security into the products they sell. The
recognising that cyber threats know citizen and consumer, and society at large,
no borders. We will also work broadly look to businesses and organisations to
across the range of international take all reasonable steps to protect their
partners to influence the wider personal data, and build resilience the
community, acknowledging the value ability to withstand and recover into the
of broad coalitions; and systems and structures on which they
to ensure Government interventions are depend. Businesses and organisations
having a substantive impact on overall must also understand that, if they are the
national cyber security and resilience, victim of a cyber attack, they are liable for
we will seek to define, analyse and the consequences.
present data which measures the state
of our collective cyber security and our Government
success in meeting our strategic goals.
4.9. The primary duty of the Government
ROLES AND RESPONSIBILITIES is to defend the country from attacks
by other states, to protect citizens and
4.6. Securing the national cyberspace will the economy from harm, and to set the
require a collective effort. Each and every domestic and international framework
one of us has an important part to play. to protect our interests, safeguard
fundamental rights, and bring criminals to
Individuals justice.
4.7. As citizens, employees and 4.10. As the holder of significant data and
consumers, we take practical steps to a provider of services, the Government
secure the assets we value in the physical takes stringent measures to provide
world. In the virtual world, we must do the safeguards for its information assets.
same. That means fulfilling our personal The Government also has an important
responsibility to take all reasonable steps responsibility to advise and inform citizens

27
Section 4
and organisations what they need to do 4.14. The market still has a role to
to protect themselves online, and where play and in the longer term will deliver
necessary, set the standards we expect key greater impact than the Government
companies and organisations to meet. ever can. However, the immediacy of the
threat facing the UK and the expanding
4.11. Although key sectors of our vulnerabilities of our digitalised environment
economy are in private hands, the call for greater action in the short term from
Government is ultimately responsible for the Government.
assuring their national resilience and, with
its partners across the administration, the Driving change: expanded role for the
maintenance of essential services and Government
functions across the whole of government.
4.15. The Government must therefore set
Driving change: the role of the market the pace in meeting the countrys national
cyber security needs. Only Government
4.12. The 2011 Strategy and National can draw on the intelligence and other
Cyber Security Programme sought to drive assets required to defend the country
outcomes and increase capacity in both from the most sophisticated threats.
the public and private sector by looking to Only Government can drive cooperation
the market to drive the right behaviours. across the public and private sectors and
We expected commercial pressures ensure information is shared between the
and government-instigated incentives to two. Government has a leading role, in
ensure adequate business investment in consultation with industry, in defining what
appropriate cyber security, to stimulate a good cyber security looks like and ensuring
flow of investment into our industry, and to it is implemented.
encourage an adequate pipeline of skills
into the sector. 4.16. The Government will bring about
a significant improvement in our national
4.13. Much has been achieved. Across cyber security over the next five years. This
the economy and wider society, awareness ambitious and transformational programme
of the risk and of the actions required to will focus on the following four broad areas:
mitigate cyber risk have increased over
the last five years. But the combination Levers and incentives. The
of market forces and government Government will invest to maximise
encouragement has not been sufficient in the potential of a truly innovative
itself to secure our long-term interests in UK cyber sector. We will do this by
cyberspace at the pace required. Too many supporting start-ups and investing
networks, including in critical sectors, are in innovation. We will also seek to
still insecure. The market is not valuing, identify and bring on talent earlier in the
and therefore not managing, cyber risk education system and develop clearer
correctly. Too many organisations are still routes into a profession that needs
suffering breaches at even the most basic better definition. The Government will
level. Too few investors are willing to risk also make use of all available levers,
supporting entrepreneurs in the sector. Too including the forthcoming General Data
few graduates and others with the right Protection Regulation (GDPR), to drive
skills are emerging from the education and up standards of cyber security across
training system. the economy, including, if required,
through regulation.

28
Section 4
Expanded intelligence and law

enforcement focus on the threat. Given the industrial-scale theft
The intelligence agencies, the Ministry of intellectual property from our
of Defence, the police and the National companies and universities, as well as
Crime Agency, in coordination with
international partner agencies, will expand the numerous phishing and malware
their efforts to identify, anticipate and scams that waste time and money, the
disrupt hostile cyber activities by foreign National Cyber Security Centre shows
actors, cyber criminals and terrorists. This
will improve their intelligence collection that the UK is focusing its efforts to
and exploitation, with the aim of obtaining combat the threats that exist online.
pre-emptive intelligence on the intent and
capabilities of our adversaries.
Robert Hannigan, Director GCHQ,
Development and deployment of March 2016
technology in partnership with industry,
including Active Cyber Defence
measures, to deepen our understanding 4.17. Delivering these changes to our
of the threat, to strengthen the security cyber security and resilience will require
of the UK public and private sector additional resources. In the Strategic
systems and networks in the face of that Defence and Security Review 2015, the
threat, and to disrupt malicious activity. Government set aside 1.9 billion over the
National Cyber Security Centre five years of the strategy to deliver these
(NCSC). The Government has commitments and objectives.
established a single, central body
for cyber security at a national level.
This body will manage national cyber
incidents, provide an authoritative
voice and centre of expertise on cyber
security, and deliver tailored support
and advice to departments, the
Devolved Administrations, regulators
and businesses. The NCSC will analyse,
detect and understand cyber threats,
and will also provide its cyber security
expertise to support the Governments
efforts to foster innovation, support a
thriving cyber security industry, and
stimulate the development of cyber
security skills. Uniquely for such a public-
facing body, its parent body is GCHQ
and it can therefore draw on the world-
class expertise and sensitive capabilities
of that organisation, improving the
support it will be able to provide to the
economy and society more widely. It will
remain the responsibility of government
departments to ensure they effectively
implement this cyber security advice.

29
Section 4
THE NATIONAL CYBER SECURITY CENTRE the capabilities already developed by

CESG the information security arm of
The National Cyber Security Centre GCHQ the Centre for the Protection of
(NCSC) launched on 1 October 2016. The National Infrastructure (CPNI), CERT-UK
NCSC provides a unique opportunity to (Computer Emergency Response Team)
build effective cyber security partnerships and the Centre for Cyber Assessment
between government, industry and the (CCA), enabling us to build on the best
public to ensure that the UK is safer of what we already have, whilst greatly
online. It will provide cyber incident simplifying the former arrangements. Its
response and be the UKs authoritative initial focus will be:
voice on cyber security. For the first time,
key sectors will be able to engage directly a world class incident management
with NCSC staff to get the best possible capability to respond to and reduce
advice and support on securing networks the harm from cyber incidents
and systems from cyber threats. from those affecting single
organisations through to national,
The NCSC provides: large scale attacks;
providing communications on how
a unified source of advice for organisations in the public and private
the Governments cyber security sector can deal with cyber security
threat intelligence and information issues, facilitating the sharing of
assurance; cyber threat information; and
the strong public face of the continuing to provide expert
Governments action against cyber sectoral advice to Government
threats working hand in hand with and critical sectors like
industry, academia and international telecommunications, energy and
partners to keep the UK protected finance, and providing cyber
against cyber attack; and security advice across the UK.
a public-facing organisation with

reach back into GCHQ to draw on The NCSC offers an effective means for
necessarily secret intelligence and the Government to deliver many elements
world-class technical expertise. of this strategy. We recognise that, as the
NCSC grows, its focus and capabilities
There will be a phased approach to will need to adapt to new challenges and
building the NCSCs capabilities over the lessons learned.
lifetime of this strategy. It brings together

30
Section 4
IMPLEMENTATION
PLAN

31
Section 4
Our goals for the countrys cyber security over the next five
years are rightly ambitious. To achieve them will require
us to act with consequence and determination across the
digital landscape. Activity to deliver the Governments vision
will advance the three primary objectives of the strategy:
to DEFEND our cyberspace, to DETER our adversaries and
to DEVELOP our capabilities, all underpinned by effective
INTERNATIONAL ACTION.

32
Section 5
DEFEND
5. DEFEND

33
Section 5
DEFEND
5.0.1. The DEFEND elements of this 5.1. ACTIVE CYBER DEFENCE

strategy aim to ensure that UK networks,
data and systems in the public, commercial 5.1.1. Active Cyber Defence (ACD) is the
and private spheres are resilient to and principle of implementing security measures
protected from cyber attack. It will never to strengthen a network or system to
be possible to stop every cyber attack, just make it more robust against attack. In a
as it is not possible to stop every crime. commercial context, Active Cyber Defence
However, together with citizens, education normally refers to cyber security analysts
providers, academia, businesses and other developing an understanding of the threats
governments, the UK can build layers of to their networks, and then devising and
defence that will significantly reduce our implementing measures to proactively
exposure to cyber incidents, protect our combat, or defend, against those threats. In
most precious assets, and allow us all to the context of this strategy, the Government
operate successfully and prosperously in has chosen to apply the same principle on
cyberspace. Acting to promote cooperation a larger scale: the Government will use its
between states and good cyber security unique expertise, capabilities and influence
practice is also in the interest of our to bring about a step-change in national
collective security. cyber security to respond to cyber threats.
The network we are attempting to defend
5.0.2. The Government will implement is the entire UK cyberspace. The activities
measures to ensure that citizens, proposed represent a defensive action plan,
businesses, public and private sector drawing on the expertise of NCSC as the
organisations and institutions have National Technical Authority to respond to
access to the right information to defend cyber threats to the UK at a macro level.
themselves. The National Cyber Security
Centre provides a unified source of advice Objectives
in government for threat intelligence
and information assurance, ensuring 5.1.2. In undertaking ACD, the Government
that we can offer tailored guidance for aims to:
cyber defence and respond quickly and
effectively to major incidents in cyberspace. make the UK a much harder target
The Government will work with industry for state sponsored actors and cyber
and international partners to define what criminals by increasing the resilience of
good cyber security looks like for public UK networks;
and private sectors, for our most important defeat the vast majority of high-
systems and services, and for the economy volume/low-sophistication malware
as a whole. We will build security by activity on UK networks by blocking
default into all new government and critical malware communications between
systems. Law enforcement agencies will hackers and their victims;
collaborate closely with industry and the evolve and increase the scope and
National Cyber Security Centre to provide scale of Governments capabilities to
dynamic criminal threat intelligence with disrupt serious state sponsored and
which industry can better defend itself, cyber criminal threats;
and to promote protective security advice secure our internet and
and standards. telecommunications traffic from
hijacking by malicious actors;

34
Section 5
DEFEND
harden the UKs critical infrastructure 5.1.4. Where possible, these initiatives will
and citizen-facing services against be delivered with or through partnerships
cyber threats; and with industry. For many, industry will be
disrupt the business model of attackers designing and leading implementation,
of every type, to demotivate them and with the Governments critical contribution
to reduce the harm that their attacks being expert support, advice and
can cause. thought-leadership.
Approach 5.1.5. The Government will also undertake

specific actions to implement these
5.1.3. In pursuit of these aims, the measures, which will include:
Government will:
working with CSPs to block malware
work with industry, especially attacks. We will do this by restricting
Communications Service Providers access to specific domains or web
(CSPs), to make it significantly harder sites that are known sources of
to attack UK internet services and malware. This is known as Domain
users, and greatly reduce the prospect Name System (DNS) blocking / filtering;
of attacks having a sustained impact preventing phishing activity that
on the UK. This will include tackling relies on domain spoofing (where an
phishing, blocking malicious domains email appears to be from a specific
and IP addresses, and other steps to sender, such as a bank or government
disrupt malware attacks. It will also department, but is actually fraudulent)
include measures to secure the UKs by deploying an email verification
telecommunications and internet system on government networks as
routing infrastructure; standard and encouraging industry to
increase the scale and development do likewise;
of GCHQ, Ministry of Defence and promoting security best practice
NCA capabilities to disrupt the most through multi-stakeholder internet
serious cyber threats to the governance organisations such as
UK, including campaigns by the Internet Corporation for Assigned
sophisticated cyber criminals and Names and Numbers (ICANN)
hostile foreign actors; and which coordinates the domain name
better protect government systems system), the Internet Engineering
and networks, help industry build Task Force (IETF) and the European
greater security into the CNI supply Regional Internet Registry (RIPE) and
chain, make the software ecosystem engagement with stakeholders in the
in the UK more secure, and provide UN Internet Governance Forum (IGF);
automated protections for government working with law enforcement channels
online services to the citizen. in order to protect UK citizens from
being targeted in cyber attacks from
unprotected infrastructure overseas;

35
Section 5
DEFEND
working towards the implementation 5.2. BUILDING A MORE SECURE

of controls to secure the routing INTERNET
of internet traffic for government
departments to ensure that it cannot 5.2.1. Changing technology provides us
be illegitimately re-routed by malicious with the opportunity to significantly reduce
actors; and the ability of our adversaries to conduct
investing in programmes in the Ministry cyber crime in the UK by ensuring that
of Defence, the NCA and GCHQ that future online products and services coming
will enhance the capabilities of these into use are secure by default. That means
organisations to respond to, and ensuring that the security controls built
disrupt, serious state-sponsored and into the software and hardware we use
criminal cyber activity targeting UK are activated as a default setting by the
networks. manufacturer so that the user experiences
the maximum security offered to them,
We will develop these technical unless they actively choose to turn it off.
interventions as threats evolve to ensure The challenge is to effect transformative
that UK citizens and businesses are change in a way that supports the end
protected by default from the majority of user and offers a commercially viable, but
large-scale commodity cyber attacks. secure, product or service all within the
context of maintaining the free and open
Measuring success nature of the Internet.
5.1.6. The Government will measure its

success in establishing effective ACD Internet-connected things are
by assessing progress towards the multiplying rapidly. We saw many
following outcomes:
proof-of-concept and real world
the UK is harder to phish, because we attacks in 2015, identifying serious
have large-scale defences against the vulnerabilities in cars, medical devices
use of malicious domains, more active
anti-phishing protection at scale and
and more. Manufacturers need to
it is much harder to use other forms prioritise security to reduce the risk
of communication, such as vishing of serious personal, economic and
and SMS spoofing, to conduct social
engineering attacks;
social consequences.
a far larger proportion of malware Symantec 2016 Internet Security
communications and technical Threat Report
artefacts associated with cyber attacks
and exploitation are being blocked;
the UKs internet and
telecommunications traffic is
significantly less vulnerable to rerouting
by malicious actors;
GCHQ, the Armed Forces and NCA
capabilities to respond to serious state-
sponsored and criminal threats have
significantly increased.

36
Section 5
DEFEND
5.2.2. The Government is well-placed It will also put security at the heart of
to take a lead role in exploring those new product development, eliminate
new technologies that will better protect opportunities for criminal exploitation
our own systems, help industry build and thereby protect the end user.
greater security into the supply chain,
secure the software ecosystem and 5.2.5. To do this we will:
provide automated protections to citizens
accessing government services online. continue to encourage hardware and
The Government must test and implement software providers to sell products with
new technologies that provide automated security settings activated as default,
protection for government online products requiring the user to actively disable
and services. Where possible, similar these settings to make them insecure.
technologies should be offered to the Some vendors are already doing this,
private sector and the citizen. but some are not yet taking these
necessary steps;
Objective continue to develop an Internet
Protocol (IP) reputation service to
5.2.3. The majority of online products protect government digital services
and services coming into use become (this would allow online services to
secure by default by 2021. Consumers get information about an IP address
will be empowered to choose products connecting to them, helping the service
and services that have built-in security as make more informed risk management
a default setting. Individuals can switch off decisions in real time);
these settings if they choose to do so but seek to install products on government
those consumers who wish to engage in networks that will provide assurance
cyberspace in the most secure way will be that software is running correctly, and
automatically protected. not being maliciously interfered with;
look to expand beyond the GOV.UK
Our approach domain into other digital services
measures that notify users who are
5.2.4. We will pursue the following actions: running out-of-date browsers; and
invest in technologies like Trusted
the Government will lead by example Platform Modules (TPM) and emerging
by running secure services on the industry standards such as Fast
Internet that do not rely on the Internet Identity Online (FIDO), which do not rely
itself being secure; on passwords for user authentication,
the Government will explore options for but use the machine and other
collaboration with industry to develop devices in the users possession to
cutting-edge ways to make hardware and authenticate. The Government will test
software more secure by default; and innovative authentication mechanisms
we will adopt challenging new cyber to demonstrate what they can offer,
security technologies in government, both in terms of security and overall
encouraging Devolved Administrations user experience.
to do likewise, in order to reduce
perceived risks of adoption. This 5.2.6. The Government will also explore
will provide proof of concept and how to encourage the market by providing
demonstrate the security benefits of security ratings for new products, so that
new technologies and approaches. consumers have clear information on

37
Section 5
DEFEND
which products and services offer them face of continuous attempts by hostile
the greatest security. The Government actors to gain access to government and
will also explore how to link these product public sector networks and data.
ratings to new and existing regulators, and
ways to warn consumers when they are Objectives
about to take an action online that might
compromise their security. 5.3.2. We want to achieve the following
outcomes:
Measuring success
citizens use government online services
5.2.7. The Government will measure with confidence: they trust that their
its success in building a secure Internet sensitive information is safe and, in
by assessing progress towards the turn, understand their responsibility to
following outcomes: submit their sensitive information online
in a secure manner;
the majority of commodity products and the Government will set and adhere to
services available in the UK in 2021 are the most appropriate cyber security
making the UK more secure because standards, to ensure that all branches
they have their default security settings of government understand and meet
enabled by default or have security their obligations to secure their
integrated into their design; and networks, data and services; and
all government services provided the Governments critical assets,
at national, local and Devolved including those at the highest
Administration level are trusted by the classification, are protected from
UK public because they have been cyber attacks.
implemented as securely as possible,

and fraud levels are within acceptable Our approach
risk parameters.
5.3.3. The UK Government will continue to
5.3. PROTECTING GOVERNMENT move more of its services online so that the
UK can become truly digital by default.
5.3.1. The UK Government, Devolved The Government Digital Service (GDS),
Administrations and the wider public sector the Crown Commercial Service (CCS) and
hold large quantities of sensitive data. They the NCSC will ensure that all new digital
deliver essential services to the public and services built or procured by government
operate networks that are critical to national are also secure by default.
security and resilience. The Governments
systems underpin the functioning of our 5.3.4. The Governments networks are
society. The modernisation of public highly complex and in many cases still
sector services will continue to be the incorporate legacy systems, as well as
cornerstone of the UKs Digital Strategy some commercially available software
the Governments digital ambition is for the which is no longer supported by the
UK to be the worlds leading digital nation. vendor. We will ensure that there are no
To retain the trust of citizens in online public unmanaged risks from legacy systems and
sector services and systems, data held unsupported software.
by government must be protected and all
branches of government must implement 5.3.5. We will improve government and
appropriate levels of cyber security in the wider public sector resilience to cyber

38
Section 5
DEFEND
attack. This means ensuring an accurate with vastly differing information security
and up to date knowledge of all systems, resources and capability. The National Data
data, and those who have access to them. Guardian for Health and Care has set new
The likelihood and impact of a cyber data security standards for the health and
incident will be minimised by implementing social care systems in England, alongside
best practice as set out by the NCSC. a new data consent/opt-out model for
The Government will also ensure that it patients. The Government will work with
is able to respond effectively to cyber health and social care organisations to
incidents through a programme of incident implement these standards.
exercises and regular testing of government
networks. We will invite Devolved
Administrations and local authorities Britain is a world leader in cyber
to participate in these exercises, as
appropriate. Through automated scanning, security, but with growing threats,
we will ensure that we have a better this new Cyber Security Operations
knowledge of governments online security Centre will ensure our Armed forces
status.
continue to operate securely. Our
5.3.6. Cyber security is not just about increasing defence budget means that
technology. Almost all successful cyber we can stay ahead of our adversaries
attacks have a contributing human factor.
We will therefore continue to invest in our in cyberspace while also investing in
people, to ensure that everyone who works conventional capabilities
in government has a sound awareness of
cyber risk. We will develop specific cyber
The Rt Hon Michael Fallon MP,
expertise in areas where the risks are Defence Secretary, April 2016
heightened and ensure that we have the
right processes in place to manage these
risks effectively. 5.3.10. Cyber security is vital to our defence.
Our Armed Forces depend on information
5.3.7. The NCSC will develop world- and communications systems, both in the
leading cyber security guidance which will UK and on operations around the world. The
keep pace with the threat and development infrastructure and personnel of the Ministry
of new technologies. We will take steps to of Defence (MoD) are prominent targets.
make sure government organisations have Defence systems are regularly targeted by
easy access to threat information to inform criminals, foreign intelligence services and
their understanding of their own cyber risks other malicious actors seeking to exploit
and take appropriate action. personnel, disrupt business and operations,
and corrupt and steal information. We
5.3.8. We will continue to improve will enhance cyber threat awareness,
our highest classification networks to detection, and reaction functions, through
safeguard the Governments most sensitive the development of a Cyber Security
communications. Operations Centre (CSOC) that uses state-
of-the-art defensive cyber capabilities to
5.3.9. Health and care systems pose unique protect the MoDs cyberspace and deal with
challenges in the context of cyber security. threats. The CSOC will work closely with the
The sector employs around 1.6 million NCSC to confront the MoDs cyber security
people in over 40,000 organisations, each challenges and contribute to wider national
cyber security.
39
Section 5
DEFEND
Measuring success we are aware of, and actively

mitigating, all known internet-facing
5.3.11. The Government will measure vulnerabilities in government systems
its success in protecting government and services; and
networks, systems and data by assessing all suppliers to the Government meet
progress towards the following outcomes: appropriate cyber security standards.
the Government has an in-depth

5.4. PROTECTING OUR CRITICAL
understanding of the level of cyber
NATIONAL INFRASTRUCTURE AND
security risk across the whole of
OTHER PRIORITY SECTORS
government and the wider public
sector;
Context
individual government departments
and other bodies protect themselves 5.4.1 The cyber security of certain UK
in proportion to their level of risk and organisations is of particular importance
to an agreed government minimum because a successful cyber attack on
standard; them would have the severest impact on
government departments and the wider the countrys national security. This impact
public sector are resilient and can could have a bearing on the lives of UK
respond effectively to cyber incidents, citizens, the stability and strength of the
maintaining functions and recovering UK economy, or the UKs international
quickly; standing and reputation. This premium
new technologies and digital services group of companies and organisations
deployed by government will be cyber within the public and private sector
secure by default; includes the critical national infrastructure

40
Section 5
DEFEND
(CNI), which provides essential services Objective

to the nation. Ensuring the CNI is secure
and resilient against cyber attack will be a 5.4.3. the UK Government, working
priority for the Government. This premium with the Devolved Administrations and
group also includes other companies and other responsible authorities where
organisations, beyond the CNI, that require appropriate, will ensure that the UKs
a greater level of support. They include: most important organisations and
companies, including the CNI, are
the jewels in our economic crown sufficiently secure and resilient in the
the UKs most successful companies face of cyber attack. Neither the
and also those that hold our future Government nor other public bodies will
economic strength in the value of their take on the responsibility to manage this
research and intellectual property; risk for the private sector, which rightly
data holders not just organisations sits with boards, owners and operators.
that hold large amounts of personal But the Government will provide support
data, but also those that hold data on and assurance proportionate both to the
vulnerable citizens here and abroad, threat these companies and organisations
such as charities; face, and to the consequences of their
high-threat targets such as media being attacked.
organisations, where an attack could
harm the UKs reputation, damage
public confidence in the Government,
Cyber security is key to unlocking
or endanger freedom of expression;
the touchstones of our digital economy innovation and expansion, and by
digital service providers that enable adopting a tailored organisation
e-commerce and our digital economy,
and risk-centric approach to cyber
and who depend on consumer trust in
their services; and security, organisations can refocus on
those organisations that, through opportunities and exploration. Building
market forces and authority, can exert
trust in a business that operates
influence on the whole economy to
improve their cyber security, such as successfully within the Internet of
insurers, investors, regulators and Things (IoT), and that fully supports and
professional advisors.
protects individuals and their personal
5.4.2. More needs to be done to protect mobile devices (from a simple phone
these vital parts of our economy and to a health care device, from smart
support the organisations that heavily
appliances to smart cars), is a key
influence others. Our CNI in both the
private and public sector continues to competitive differentiator and must be
be a target for attack. Across these and a priority.
many other priority sectors cyber risk is
still not properly understood or managed, EYs Global Information Security
even as the threat continues to diversify Survey 2015
and increase.

41
Section 5
DEFEND
Our approach 5.4.7. The NCSC will provide these services

for the UKs most important companies
5.4.4. Organisations and company and organisations, including the CNI. It will
boards are responsible for ensuring their do so in partnership with departments and
networks are secure. They must identify regulators, who will assure whether cyber
critical systems and regularly assess risk is being managed in their sectors to the
their vulnerability against an evolving level demanded by the national interest.
technological landscape and threat.
They must invest in technology and their 5.4.8. The Government will also make
staff to reduce vulnerabilities in current sure that the right regulatory framework for
and future systems, and in their supply cyber security is in place, one that:
chain, to maintain a level of cyber security
proportionate to the risk. They must also ensures industry acts to protect itself
have tested capabilities in place to respond from the threat;
if an attack happens. For the CNI, they is outcome focused and sufficiently
must do this with government bodies and flexible so that it will not fall behind the
regulators so we can be confident that threat, or lead to compliance rather
cyber risk is being properly managed and than sound risk management;
if it is not intervene in the interests of is agile enough to foster growth and
national security. innovation, rather than lead it;
is harmonised with regimes in other
5.4.5. The Government will, therefore, jurisdictions so that UK companies
understand the level of cyber security do not suffer from a fragmented and
across our CNI and have measures in burdensome approach; and
place to intervene where necessary delivers, when combined with
to drive improvements that are in the effective support from the Government,
national interest. a competitive advantage for the UK.
5.4.6. The Government will: 5.4.9. Many of our industry sectors

are already regulated for cyber security.
share threat information with industry Nonetheless, we must ensure the right
that only the Government can obtain steps are taken across the whole
so they know what they must protect economy, including the CNI, to manage
themselves against; cyber security risks.
produce advice and guidance on how
to manage cyber risk and, working Measuring success
collaboratively with industry and
academia, define what good cyber 5.4.10. The Government will measure its
security looks like; success in protecting our CNI and other
stimulate the introduction of the high- priority sectors by assessing progress
end security needed to protect the CNI, towards the following outcomes:
such as training facilities, testing labs,
security standards and consultancy we understand the level of cyber
services; and security across the CNI, and have
conduct exercises with CNI companies measures in place to intervene, where
to assist them in managing their cyber necessary, to drive improvements in
risks and vulnerabilities. the national interest; and

42
Section 5
DEFEND
our most important companies and Objective

organisations understand the level of
threat and implement proportionate 5.5.2. Our objective is to ensure that
cyber security practices. individuals and organisations, regardless of
size or sector, are taking appropriate steps
5.5. CHANGING PUBLIC AND BUSINESS to protect themselves, and their customers,
BEHAVIOURS from the harm caused by cyber attacks.
5.5.1 A successful UK digital economy Our approach

relies upon the confidence of businesses
and the public in online services. The UK 5.5.3. The Government will provide the
The Government has worked with industry advice that the economy needs to protect
and other parts of the public sector to itself. We will improve how this advice is
increase awareness and understanding delivered to maximise its effect. For the
of the threat. The Government has also public, the Government will harness trusted
provided the public and business with voices to increase the reach, credibility and
access to some of the tools that they relevance of our message. We will provide
need to protect themselves. While there advice that is easy to act upon and relevant
are many organisations that are doing an to individuals, at the point they are accessing
excellent job in places, world-leading of services and exposing themselves to risk.
protecting themselves, and in providing We will involve the Devolved Administrations
services to others online, the majority of and other authorities as appropriate.
businesses and individuals are still not
properly managing cyber risk. 5.5.4. For businesses, we will work through
organisations such as insurers, regulators
and investors which can exert influence over
companies to ensure they manage cyber
Last year, the average cost of breaches
risk. In doing so, we will highlight the clear
to large businesses that had them was business benefits and the pricing of cyber
36,500. For small firms the average risk by market influencers. We will seek to
understand better why many organisations
cost of breaches was 3,100. 65% of
still fail to protect themselves adequately and
large organisations reported they had then work in partnership with organisations
suffered an information security breach such as professional standards bodies, to
move beyond raising awareness to persuade
in the past year, and 25% of these
companies to take action. We will also make
experienced a breach at least once a sure we have the right regulatory framework
month. Nearly seven out of ten attacks in place to manage those cyber risks the
market fails to address. As part of this, we
involved viruses, spyware or malware
will seek to use levers, such as the GDPR,
that might have been prevented using the to drive up standards of cyber security and
Governments Cyber Essentials scheme. protect citizens.
2016 Government Cyber Health Check 5.5.5. Individuals and organisations and
and Cyber Security Breaches Survey organisations in the UK will have access to
the information, education, and tools they
need to protect themselves. To ensure we
deliver a step-change in public behaviour,

43
Section 5
DEFEND
we will maintain a coherent and consistent priority sectors by assessing progress

set of messages on cyber security guidance towards the following outcomes:
from both the Government and our partners.
The NCSC will provide technical advice to the UK economys level of cyber
underpin this guidance. It will reflect business security is as high as, or higher than,
and public priorities and practices, and comparative advanced economies;
be clear, easily accessible and consistent, the number, severity and impact of
while keeping pace with the threat. Law successful cyber attacks against
enforcement will work closely with industry businesses in the UK has reduced,
and the NCSC to share the latest criminal because cyber hygiene standards
threat intelligence, to support industry to have improved; and
defend itself against threats, and to mitigate there is an improving cyber
the impact of attacks on UK victims. security culture across the UK
because organisations and the
Measuring success public understand their cyber risk
levels and understand the cyber
5.5.6. The Government will measure its hygiene steps they need to take to
success in protecting our CNI and other manage those risks.
CYBER AWARE or take up key cyber security behaviours

as a result of the Cyber Aware campaign.
The Cyber Aware campaign, formerly
Cyber Streetwise, gives the public the To find out more visit cyberaware.gov.uk
advice they need to protect themselves
from cyber criminals. Targeted messaging CYBER ESSENTIALS
delivered through social media and
advertising and in partnership with The Cyber Essentials scheme was
businesses promotes: developed to show organisations how
to protect themselves against low-level
using three random words to create a commodity threat. It lists five technical
strong password; and controls (access control; boundary
always downloading the latest
firewalls and Internet gateways; malware
software updates.
protection; patch management and
secure configuration) that organisations
Experts agree adopting these should have in place. The vast
behaviours will provide small businesses majority of cyber attacks use relatively
and individuals with protection simple methods which exploit basic
against cyber crime. Cyber Aware vulnerabilities in software and computer
is currently supported by 128 cross- systems. There are tools and techniques
sector partners, including the police openly available on the Internet
and businesses in the retail, leisure, which enable even low-skill actors to
travel and professional services sectors. exploit these vulnerabilities. Properly
In 2015/16 an estimated 10 million implementing the Cyber Essentials
adults and 1 million small businesses scheme will protect against the vast
stated they were more likely to maintain majority of common internet threats.

44
Section 5
DEFEND
5.6. MANAGING INCIDENTS AND specialist support from regular or reserve

UNDERSTANDING THE THREAT cyber personnel. While we will provide
all the support our resources will allow,
5.6.1. The number and severity of cyber the Government continues to stress the
incidents affecting organisations across importance of industry, society and the
the public and private sector are likely public acting to safeguard their basic
to increase. We therefore need to define cyber security.
how both the private sector and the public
engage with the Government during a Objectives
cyber incident. We will ensure that the
UK Governments level of support for 5.6.4. Our objectives are as follows:
each sector taking into account its
cyber maturity is clearly defined and the Government will provide a single,
understood. The Governments collection joined-up approach to incident
and dissemination of information about management, based on an improved
the threat must be delivered in a manner understanding and awareness of the
and at a speed suitable for all types threat and actions being taken against
of organisation. The private sector, us. The NCSC will be a key enabler, as
government and the public can currently will partnership with the private sector,
access multiple sources of information, law enforcement and other government
guidance and assistance on cyber security. departments, authorities and agencies;
This must be simplified. the NCSC defines clear processes
for reporting incidents, tailored to the
5.6.2. We must ensure that the profile of the victim; and
Government offering, both in response we will prevent the most common
to incidents, and in the provision of cyber incidents, and we will have
guidance, does not exist in isolation, but effective information-sharing
in partnership with the private sector. Our structures in place to inform
incident management processes should pre-incident planning.
reflect a holistic approach to incidents,

whereby we learn from partners and Our approach
share mitigation techniques. We will also
continue to use our relationships with other 5.6.5. It is the responsibility of organisation
Computer Emergency Response Teams and company management, in both the
(CERTs) and our allies as an integrated part public and private sector, to ensure their
of our incident management function. networks are secure and to exercise
incident response plans. In the event of
5.6.3. Current incident management a significant incident, the Government
remains somewhat fragmented across incident management process will reflect
government departments and this strategy the three distinct elements of a cyber
will create a unified approach. The NCSC incident: the precursor causes, the incident
will deliver a streamlined and effective itself and the post-incident response.
government-led incident response function.
In the event of a serious cyber incident, 5.6.6. To deliver incident management
we will ensure that the Armed Forces are that is effective for both government
able to provide assistance, whether in a and the private sector, we will work
conventional form addressing the physical closely to review and define the scope
impact of an incident, or in the form of of the Government response to ensure it

45
Section 5
DEFEND
reinforces cooperation. We will build on Measuring success

our national cyber exercise plan, using our
improved understanding and awareness of 5.6.9. The Government will measure
the threat, to improve our offer of support its success in managing incidents by
to public and private sector partners. assessing progress towards the following
outcomes:
5.6.7. We will create a trusted and credible
government identity for incident advice, a higher proportion of incidents are
assistance and assurance. This will increase reported to the authorities, leading to
the cyber security awareness across the a better understanding of the size and
UK digital community and will enable us scale of the threat;
the better to identify trends, take pro-active cyber incidents are managed
measures and, ultimately, prevent incidents. more effectively, efficiently and
comprehensively, as a result of the
5.6.8. In moving towards automated creation of the NCSC as a centralised
information sharing (i.e. cyber security incident reporting and response
systems automatically alerting each other mechanism; and
to incidents or attacks), we will deliver we will address the root causes of
a more effective service. This will allow attacks at a national level, reducing the
organisations to act swiftly on relevant occurrence of repeated exploitation
threat information. across multiple victims and sectors.

46
Section 6
DETER
6. DETER

47
Section 6
DETER
6.0.1. The National Security Strategy states 6.1.3. We will pursue a comprehensive
that defence and protection start with national approach to cyber security and
deterrence. This is as true in cyberspace deterrence that will make the UK a harder
as any other sphere. To realise our vision target, reducing the benefits and raising the
of a nation that is secure and resilient costs to an adversary be they political,
to cyber threats, and prosperous and diplomatic, economic or strategic. We must
confident in the digital world, we have ensure our capability and intent to respond
to dissuade and deter those who would are understood by potential adversaries in
harm us and our interests. To achieve order to influence their decision-making.
this we all need to continue to raise levels We shall have the tools and capabilities
of cyber security so that attacking us in we need: to deny our adversaries easy
cyberspace whether to steal from us or opportunities to compromise our networks
harm us is neither cheap nor easy. Our and systems; to understand their intent and
adversaries must know that they cannot act capabilities; to defeat commodity malware
with impunity: that we can and will identify threats at scale; and to respond and
them, and that we can act against them, protect the nation in cyberspace.
using the most appropriate response from
amongst all the tools at our disposal. We 6.2. REDUCING CYBER CRIME
will continue to build global alliances and
promote the application of international law 6.2.1. We need to raise the cost, raise
in cyberspace. We will also more actively the risk, and reduce the reward of cyber
disrupt the activity of all those who threaten criminals activity. While we must harden
us in cyberspace and the infrastructure on the UK against cyber attacks and reduce
which they rely. Delivering this ambition vulnerabilities, we must also focus
requires world-class sovereign capabilities. relentlessly on pursuing criminals who
continue to target the UK.
6.1. CYBERS ROLE IN DETERRENCE
6.2.2. Law enforcement agencies will
6.1.1. Cyberspace is only one sphere in focus their efforts on pursuing the criminals
which we must defend our interests and who persist in attacking UK citizens and
sovereignty. Just as our actions in the businesses. We will work with domestic
physical sphere are relevant to our cyber and international partners to target
security and deterrence, so our actions and criminals wherever they are located, and to
posture in cyberspace must contribute to dismantle their infrastructure and facilitation
our wider national security. networks. Law enforcement agencies will
also continue to help raise awareness and
6.1.2. The principles of deterrence are as standards of cyber security, in collaboration
applicable in cyberspace as they are in the with the NCSC.
physical sphere. The UK makes clear that
the full spectrum of our capabilities will be
used to deter adversaries and to deny them
opportunities to attack us. However, we
recognise that cyber security and resilience
are in themselves a means of deterring
attacks that rely on the exploitation of
vulnerabilities.

48
Section 6
DETER
6.2.3. This strategy complements the exploit UK infrastructure; and

2013 Serious and Organised Crime - tackle cyber crime upstream, adding
Strategy, which set out the UK friction to the criminal business model
Governments strategic response to by dismantling their infrastructure
cyber crime, alongside other types of and financial networks, and wherever
serious and organised crime. The National possible, bringing offenders to justice.
Cyber Crime Unit (NCCU) that sits within
the National Crime Agency (NCA) was build international partnerships to
established to lead and coordinate the end the perceived impunity of cyber
national response to cyber crime. Action criminals acting against the UK,
Fraud provides a national reporting centre by bringing criminals in overseas
for fraud and cyber crime. A network jurisdictions to justice;
of cyber crime units within Regional deter individuals from being attracted
Organised Crime Units (ROCUs) provide to, or becoming involved in, cyber
access to specialist cyber capabilities at crime by building on our early
a regional level, supporting the NCCU intervention measures;
and local forces. enhance collaborations with industry to
provide them with proactive intelligence
Objective on the threat, and to provide us with
the upstream intelligence that they
6.2.4. We will reduce the impact of cyber possess, in order to assist with our
crime on the UK and its interests by upstream disruption efforts;
deterring cyber criminals from targeting the develop a new 24/7 reporting and
UK and relentlessly pursuing those who triage capability in Action Fraud, linked
persist in attacking us. to the NCSC, the NCAs National
Cyber Crime Unit and the wider law
Our approach enforcement community, to improve
support to victims of cyber crime, to
6.2.5. To reduce the impact of cyber crime, provide a faster response to reported
we will: crimes and enhanced protective
security advice. A new reporting system
enhance the UKs law enforcement will be established to share information
capabilities and skills at national, in real time across law enforcement on
regional and local level to identify, cyber crime and threats;
pursue, prosecute and deter cyber work with the NCSC and the private
criminals within the UK and overseas; sector to reduce vulnerabilities in UK
build a better understanding of the infrastructure that could be exploited at
cyber crime business model, so we scale by cyber criminals; and
know where to target interventions in work with the finance sector to make
order to have the most disruptive effect the UK a more hostile environment
on criminal activity. We will use this for those seeking to monetise stolen
knowledge to: credentials, including by disrupting
their networks.
- make the UK a high-cost, high-risk
environment in which to operate by
targeting the UK nexus of criminality,
and by working with industry to
reduce the ability of criminals to

49
Section 6
DETER
Measuring success 6.3. COUNTERING HOSTILE FOREIGN

ACTORS
success in reducing cyber crime by assessing 6.3.1. We need to bring to bear the full
progress towards the following outcomes: range of government capabilities to counter
the threat posed by hostile foreign actors
we have a greater disruptive effect that increasingly threaten our political,
on cyber criminals attacking the UK, economic and military security. Working
with higher numbers of arrests and with international partners will be key to
convictions, and larger numbers of our success, and greater emphasis will
criminal networks dismantled as a be placed on engaging them and working
result of law enforcement intervention; with them to counter the threat. Much of
there is improved law enforcement this action will not be in the public domain.
capability, including greater capacity Our investment in sovereign capabilities
and skills of dedicated specialists and and partnerships with industry and the
mainstream officers and enhanced private sector will continue to underpin our
law enforcement capability amongst ability to detect, observe and identify this
overseas partners; constantly evolving activity against us.
there is improved effectiveness and
increased scale of early intervention Objective
measures dissuades and reforms
offenders; and 6.3.2. We will have strategies, policies
there are fewer low-level cyber and priorities in place for each adversary,
offences as a result of cyber criminal to ensure a proactive, well-calibrated and
services being harder to access and effective approach is taken to counter the
less effective. threat and in order to drive down the number
and severity of cyber incidents in the future.
WHAT TO DO IF YOU ARE A VICTIM OF
Our approach
CYBER CRIME
If you are a member of the public and 6.3.3. To reduce the cyber threat from
you believe that you are the victim of hostile foreign actors, we will:
cyber crime, or cyber enabled fraud, you
should contact Action Fraud. reinforce the application of
international law in cyberspace in
You can report the incident using Action addition to promoting the agreement
Frauds online fraud reporting tool of voluntary, non-binding norms of
anytime of the day or night, or call 0300 responsible state behaviour and the
123 2040. For further information see development and implementation of
www.actionfraud.police.uk confidence building measures;
The Action Fraud service is run by the
work with international partners,
City of London Police.
particularly through collective defence,
cooperative security, and enhanced
deterrence that our membership of
NATO affords;
identify both the unique and
generic aspects of our adversaries
cyber activity;

50
Section 6
DETER
generate and explore all available terrorists using and intending to use cyber
options for deterring and countering for this purpose. In doing so, we will
this threat, drawing on the full range of minimise their impact and prevent an uplift
government capabilities. We will take in terrorist cyber capability that would further
full account of other related factors, threaten UK networks and national security.
including country-specific strategies,
international cyber priorities, and cyber Objective
crime and prosperity objectives;
use existing networks and relationships 6.4.2. To mitigate the threat of terrorist
with our key international partners use of cyber, through the identification
to share information about current and disruption of terrorist cyber actors
and nascent threats, adding value to who currently hold, and aspire to build,
existing thought and expertise; and capability that could threaten UK
attribute specific cyber identities
national security.
publicly when we judge it in the
national interest to do so.

Our approach
Measuring success 6.4.3. To ensure the threat posed by cyber

terrorism remains low, we will:
success in countering the actions of hostile detect cyber terrorism threats,
foreign actors by assessing progress identifying actors who are seeking to
towards the following outcomes: conduct damaging network operations
against the UK and our allies;
the stronger information-sharing investigate and disrupt these cyber
networks that we have established with terrorism actors to prevent them from
our international partners, and wider using cyber capability against the UK
multilateral agreements in support of and its allies; and
lawful and responsible behaviour by work closely with international partners
states, are substantially contributing to to enable us to better tackle the threat
our ability to understand and respond from cyber terrorism.
to the threat, resulting in a better
defended UK; and Measuring success
our defence and deterrence measures,
alongside our country-specific 6.4.4. The Government will measure
strategies, are making the UK a its success in preventing terrorism by
harder target for hostile foreign assessing progress towards the
actors to act against. following outcomes:
6.4. PREVENTING TERRORISM a full understanding of risk posed by

cyber terrorism, through identification
6.4.1. The technical capability of terrorists and investigation of cyber terrorism
currently remains limited but they continue threats to the UK; and
to aspire to conduct damaging computer close monitoring, and disruption of
network operations against the UK, with terrorist cyber capability at the earliest
publicity and disruption as the primary opportunity, with the aim of preventing
objective of their cyber activity. The an increase in such terrorist capability
Government will identify and disrupt in the long term.

51
Section 6
DETER
6.5. ENHANCING SOVEREIGN Measuring success

CAPABILITIES OFFENSIVE CYBER
6.5.4. The Government will measure our
6.5.1. Offensive cyber capabilities involve success in establishing offensive cyber
deliberate intrusions into opponents capabilities by assessing progress towards
systems or networks, with the intention the following outcomes:
of causing damage, disruption or
destruction. Offensive cyber forms part the UK is a world leader in offensive
of the full spectrum of capabilities we cyber capability; and
will develop to deter adversaries and to the UK has established a pipeline
deny them opportunities to attack us, in of skills and expertise to develop
both cyberspace and the physical sphere. and deploy our sovereign offensive
Through our National Offensive Cyber cyber capabilities.
Programme (NOCP), we have a dedicated

capability to act in cyberspace and we 6.6. ENHANCING SOVEREIGN
will commit the resources to develop and CAPABILITIES CRYPTOGRAPHY
improve this capability.
6.6.1. Cryptographic capability is
Objective fundamental to protecting our most
sensitive information and to choosing how
6.5.2. We will ensure that we have at we deploy our Armed Forces and national
our disposal appropriate offensive cyber security capabilities. To maintain this
capabilities that can be deployed at a capability, we will require private sector
time and place of our choosing, for both skills and technologies that are assured by
deterrence and operational purposes, in GCHQ. This is likely to require work to be
accordance with national and international done in the UK, by British Nationals with
law. the requisite security clearance, working
for companies who are prepared to be
Our approach completely open with GCHQ in discussing
design and implementation details. The
6.5.3. To do this, we will: MOD and GCHQ are working to establish
a sound understanding of the long-term
invest in our NOCP the partnership cost implications of maintaining such
between the Ministry of Defence and sovereign cryptographic capabilities, based
GCHQ that is harnessing the skills and on prevailing market conditions and in
talents of both organisations to deliver cooperation with those companies currently
the tools, techniques and tradecraft able to provide such solutions.
required;
develop our ability to use offensive
Objective
cyber tools; and
develop the ability of our Armed Forces 6.6.2. We have the confidence that the
to deploy offensive cyber capabilities UK will always have political control over
as an integrated part of operations, those cryptographic capabilities vital to our
thereby enhancing the overall impact national security and, therefore, the means
we can achieve through military action. to protect UK secrets.

52
Section 6
DETER
Our approach ENCRYPTION

6.6.3. We will select the means that allow Encryption is the process of encoding
us to share information effectively with our data or information to prevent
allies, and ensure that trusted information unauthorised access to it.
and information systems are available,
when and where required. Working closely The Government is in favour of
with other government departments and encryption. It is a foundation stone
agencies, GCHQ and MOD will together of a strong, internet-based economy:
define sovereign requirements, and how it keeps peoples personal data and
best to meet those requirements when intellectual property secure, and ensures
suppliers must be domestic. This will be safe online commerce.
delivered through a new joint framework for
determining requirements for operational But as technology continues to evolve,
advantage and freedom of action. we have to ensure that there are no
guaranteed safe spaces for terrorists
Measuring success and criminals to operate beyond the
reach of the law.
success in maintaining our cryptographic The Government wants to work with
capabilities by assessing progress towards industry as technology develops
the following outcome: to ensure that, with a robust legal
framework and clear oversight, the
our sovereign cryptographic police and intelligence agencies
capabilities are effective in keeping our can access the content of the
secrets and sensitive information safe communications of terrorists and
from unauthorised disclosure. criminals. Existing legislation allows
for the communications of criminals
and terrorists to be intercepted when
a warrant is in place. Companies
have a duty to give effect to such
a warrant, providing the requested
communications, to the relevant
authority. When served with a warrant,
companies are asked to remove any
encryption that they themselves have
applied, or that has been applied
on their behalf, so that the material
provided is in readable form. The law
stipulates that companies are required
to take reasonable steps to give effect
to a warrant, and any assessment
of reasonableness will include an
assessment of the steps a company is
required to take to remove encryption.

53
Section 6
DETER

54
Section 7
DEVELOP
7. DEVELOP

55
Section 7
DEVELOP
7.0.1. The DEVELOP strand of the strategy long-term strategy that can build on
sets out how we will acquire and strengthen these interventions to close the skills
the tools and capabilities that the UK needs gap. However, it must be recognised
to protect itself from the cyber threat. that to have any profound impact, this
effort must be collaborative, with input
7.0.2. The UK requires more talented from a range of participants and influencers
and qualified cyber security professionals. across the Devolved Administrations,
The Government will act now to plug public sector, education providers,
the growing gap between demand and academia bodies and industry.
supply for key cyber security roles, and
inject renewed vigour into this area of Objective
education and training. This is a long-term,
transformative objective, and this strategy 7.1.3. The Governments ambition is to
will kick-start this important work, which ensure the sustained supply of the best
will necessarily continue beyond 2021. possible home-grown cyber security talent,
A skilled workforce is the lifeblood of a whilst funding specific interventions in the
vital and world leading cyber security short term to help meet known skills gaps.
commercial ecosystem. This ecosystem We will also define and develop the cyber
will ensure cyber start-ups prosper and security skills needed across the population
receive the investment and support they and workforce to operate safely and
need. This innovation and vigour can only securely online.
be provided by the private sector; but
the Government will act to support its 7.1.4. This requires action over the next
development, and actively promote the twenty years, not just the next five. We will
wider cyber security sector to the world define the long-term, coordinated set of
market. A dynamic and thriving scientific actions needed by government, industry,
research sector is required to support both education providers and academia to
the development of highly skilled people, establish a sustained supply of competent
and to ensure that new ideas translate into cyber security professionals, who meet
cutting-edge products. the requisite standards and certification to
practise confidently and securely.
7.1. STRENGTHENING CYBER SECURITY
SKILLS 7.1.5. We will close the skills gap in
Defence. We will attract cyber specialists
7.1.1. The UK needs to tackle the systemic to government who are not only effectively
issues at the heart of the cyber skills trained but also ready to maintain our
shortage: the lack of young people entering national security. This includes an
the profession; the shortage of current understanding of the impact of cyberspace
cyber security specialists; insufficient on military operations.
exposure to cyber and information security
concepts in computing courses; a shortage Our approach
of suitably qualified teachers; and the
absence of established career and training 7.1.6. We will develop and implement a
pathways into the profession. self-standing skills strategy that builds on
existing work to integrate cyber security
7.1.2. This calls for swift intervention by into the education system. This will
the Government to help address the continue to improve the state of computer
current shortage and develop a coherent science teaching overall and embed cyber

56
Section 7
DEVELOP
security into the curriculum. Everyone 7.1.9. Alongside this work, the Government
studying computer science, technology will invest in a range of initiatives to bring
or digital skills will learn the fundamentals about immediate improvements and inform
of cyber security and will be able to bring the development of the long-term skills
those skills into the workforce. As part strategy. These include:
of this effort, we will address the gender
imbalance in cyber-focused professions, establishing a schools programme
and reach people from more diverse to create a step change in specialist
backgrounds, to make sure we are cyber security education and
drawing from the widest available talent training for talented 14-18 year olds
pool. We will work closely with the (involving classroom-based activities,
Devolved Administrations to encourage a after-school sessions with expert
consistent approach across the UK. mentors, challenging projects and
summer schools);
7.1.7. We will set out more clearly the creating higher and degree-level
respective roles of government and apprenticeships within the energy,
industry, including how these might finance and transport sectors to
evolve over time. The UK Government address skills gaps in essential areas;
and Devolved Administrations have a establishing a fund to retrain
key role in creating the right environment candidates already in the workforce
for cyber security skills to be developed who show a high potential for the cyber
and to update the education system to security profession;
reflect the changing needs of industry and identifying and supporting quality cyber
government. But employers also have a graduate and post graduate education,
significant responsibility to clearly articulate and identifying and filling any specialist
their needs, as well as train and develop skills gaps acknowledging the key
employees and young people entering role that universities play in skills
the profession. Industry has an important development;
role in building diverse and attractive supporting the accreditation of teacher
career and training pathways in partnership professional development in cyber
with academia, professional bodies and security. This work will help teachers,
trade associations. and others supporting learning, to
understand cyber security education
7.1.8. In recognition of the collective and provide a method of externally
challenge we face in closing the skills accrediting such individuals;
gap, we will establish a skills advisory developing the cyber security
group formed of government, employers, profession, including through achieving
professional bodies, skills bodies, Royal Chartered status by 2020,
education providers and academia, which reinforcing the recognised body of cyber
will strengthen the coherence between security excellence within the industry
these key sectors. This group will support and providing a focal point which can
the development of a long-term strategy advise, shape and inform national policy;
which will take account of developments in developing a Defence Cyber Academy
the broad field of digital skills, ensuring that as a centre of excellence for cyber
cyber security considerations are aligned training and exercise across the
and incorporated throughout. This group Ministry of Defence and wider
will work with similar bodies across the UK. Government, addressing specialist
skills and wider education;

57
Section 7
DEVELOP
developing opportunities for across the economy; and

collaboration in training and education the Government and the Armed Forces
between government, the Armed and the Armed Forces have access to
Forces, industry and academia, cyber specialists able to maintain the
together with facilities to maintain and security and resilience of the UK.
exercise skills; and
we will work with industry to expand the 7.2. STIMULATING GROWTH IN THE
CyberFirst programme to identify and CYBER SECURITY SECTOR
nurture the diverse young talent pool to
defend our national security; and 7.2.1. A burgeoning and innovative cyber
embedding cyber security and digital security sector is a necessity for our modern,
skills as an integral an integral part of digital economy. UK cyber security firms
relevant courses within the education provide world-leading technologies, training
system, from primary to postgraduate and advice to industry and governments.
levels, setting standards, improving But whilst the UK is a leading player, it faces
quality and providing a firm foundation fierce competition to stay ahead. There are
for onwards progression into the field. also barriers that the Government needs
to address. UK companies and academics
As education is a devolved matter, develop cutting-edge technology, but some
some of these initiatives will apply mainly require support to develop the commercial
in England. We will however work with the and entrepreneurial skills required to thrive.
Devolved Administrations to encourage There are funding gaps that prevent SMEs
a consistent approach across the UK from growing and expanding into new
education systems. markets and territories. The most ground
breaking products and services,
Measuring success that offer the potential to keep us ahead
of the threat, struggle to find customers
7.1.10. The Government will measure our who are willing to act as early adopters.
success in strengthening cyber security Overcoming these challenges requires
skills by assessing progress towards the government, industry and academia to
following outcomes: work effectively together.
there are effective and clear entry Objective

routes into the cyber-security
profession, which are attractive to a 7.2.2. The Government will support the
diverse range of people; creation of a growing, innovative and
by 2021 cyber security is taught
thriving cyber security sector in the UK in
effectively as an integral part of
order to create an ecosystem where:
relevant courses from primary to
post-graduate level;
security companies prosper, and get
cyber security is widely acknowledged the investment they need to grow;
as an established profession with clear the best minds from government,
career pathways, and has achieved academia and the private sector
Royal Chartered Status; collaborate closely to spur innovation; and
appropriate cyber security knowledge customers of the Government and
is an integral part of the continual industry are sufficiently confident
professional development for relevant and prepared to adopt cutting-edge
non-cyber security professionals, services.

58
Section 7
DEVELOP
Our approach 7.2.4. We will also use the weight

of government procurement to spur
7.2.3. To create this ecosystem, we will: innovation. The Government faces some of
the hardest challenges in cyber security,
commercialise innovation in academia, and some of the biggest threats. We
providing training and mentoring to can, and must, pursue the most effective
academics; solutions to these problems. That means
establish two innovation centres, to making it easier for smaller companies
drive the development of cutting-edge to do business with government. It also
cyber products and dynamic new cyber means the Government must be less risk
security companies, which will sit at averse in testing and using new products.
the heart of a programme of initiatives This is a win-win solution: the Government
to give start-ups the support they need will get the best services, and innovative
to get their first customers and attract technology will get an early adopter,
further investment; making it easier to attract investment
allocate a proportion of the 165m and a larger customer base. We will
Defence and Cyber Innovation Fund encourage all parts of government,
to support innovative procurement in including the Devolved Administrations,
defence and security; to take a similar approach.
provide testing facilities for companies
to develop their products, together with
a fast-track form of assessment for
the next generation of cyber security We want to create a cyber ecosystem
products and services as they emerge, in which cyber start-ups proliferate, get
enabling customers to be confident in
their use; the investment and support they need
draw on the collective expertise of
to win business around the world, to
the industry-government Cyber
provide a pipeline of innovation that
Growth Partnership to help shape
and focus further growth and

channels ideas between the private
innovation interventions;
sector, government and academia.
help companies of all sizes scale-up
and access international markets; and The Rt Hon Matt Hancock MP,
promote agreed international standards Minister of State for Digital and Culture
that support access to the UK market.

59
Section 7
DEVELOP
Measuring success commercially successful products and

services. The UK will maintain its reputation
7.2.5. The Government will measure its for innovative excellence, including in those
success in stimulating growth in the cyber areas of exceptional national strength, such
security sector by assessing progress as the financial sector.
towards the following outcomes:
Our approach
greater than average global growth
in the size of the UK cyber sector year 7.3.3. To achieve this, the Government will
on year; encourage collaboration, innovative and
a significant increase in investment in flexible funding models for research, and the
early stage companies; commercialisation of research. Government
adoption of more innovative and will ensure that the human and behavioural
effective cyber security technologies in aspects of cyber are given sufficient
government. attention, and that systems beyond the
technical, such as business processes
7.3. PROMOTING CYBER SECURITY and organisational structures, are included
SCIENCE AND TECHNOLOGY within cyber science and technology.
7.3.1. The UKs thriving science and 7.3.4. This will underpin the creation
technology sector and its cutting-edge of products, systems and services that
research, underpins our world-leading are secure by default, with appropriate
cyber security capabilities. To maintain security considered from the outset and
and enhance the UKs reputation as a where security becomes a conscious
global leader in cutting-edge research, opt-out for users.
we need our academic research
establishments to continue to attract the 7.3.5. We will publish a detailed Cyber
best and the brightest minds in the field Science and Technology Strategy after a
of cyber security. This will require us to thorough consultation with partners and
foster centres of excellence that attract stakeholders. This will include identifying
the most able and dynamic scientists areas of science and technology that
and researchers, and deepen the active the Government, industry and academia
partnership between academia, the consider to be important and identifying
Government and industry. This will involve gaps in the UKs current capacity to
a match-making role for the Government, address them.
where we incentivise such collaborations.
Success would see us establish a self- 7.3.6. The Government will continue
sustaining ecosystem that allows ideas to provide funding and support for the
and people to circulate between the Academic Centres of Excellence, Research
three sectors in a mutually beneficial way. Institutes and Centres for Doctoral Training.
In addition, we will create a new Research
Objective Institute in a strategically important subject
area. We will also fund further research in
7.3.2. By 2021, the UK will have those areas where the upcoming Cyber
strengthened its position as a world Science and Technology Strategy identifies
leader in cyber science and technology. capability gaps. Important areas that will
Flexible partnerships between universities be given consideration include: big data
and industry will translate research into analytics; autonomous systems; trustworthy

60
Section 7
DEVELOP
industrial control systems; cyber-physical the UK is regarded as a global leader in

systems and the Internet of Things; smart cyber security research and innovation.
cities; automated system verification; and
the science of cyber security. 7.4. EFFECTIVE HORIZON SCANNING
7.3.7. We will continue to sponsor UK 7.4.1. The Government must ensure

national PhD students at the Academic that policy-making takes account of the
Centres of Excellence to increase the changing cyber, geopolitical and technology
number of UK nationals with cyber landscape. To do this, we need to make
expertise. effective use of broad horizon scanning
and assessment work. We need to invest in
7.3.8. The Government will work with proofing ourselves against future threats and
bodies, including Innovate UK and anticipate market changes that might affect
the Research Councils to encourage our cyber resilience in five to ten years time.
collaboration between industry, the We need horizon scanning programmes
Government and academia. To support this that generate recommendations to inform
collaboration we will review best practice current and future government policy and
concerning security classifications and programme planning.
identify security-cleared experts, including
academics. This will ensure that work from Objective
the unclassified space to beyond secret
can be as collaborative as possible. 7.4.2. The Government will ensure that our
horizon scanning programmes include a
7.3.9. The Government will fund a grand rigorous assessment of cyber risk, and that
challenge to identify and provide innovative this is integrated into cyber security and
solutions to some of the most pressing other technology policy development areas,
problems in cyber security. CyberInvest, a along with all-source assessment and other
new industry and Government partnership available evidence. We will join up horizon
to support cutting-edge cyber security scanning between national security and other
research and protect the UK in cyberspace, policy areas to ensure a holistic assessment
will be part of our approach to building of emerging challenges and opportunities.
the academic-government-industry
partnership. Our approach
Measuring success 7.4.3. We will:
7.3.10. The Government will measure identify gaps in current work, and
its success in promoting cyber security coordinate work across disciplinary
science and technology by assessing boundaries to develop a holistic approach
progress towards the following outcomes: to horizon scanning for cyber security;
promote better integration of technical
significantly increased numbers
aspects of cyber security with
of UK companies successfully
behavioural science;
commercialising academic cyber
support rigorous monitoring of the
research and fewer agreed and
cyber criminal market place to spot
identified gaps in the UKs cyber
new tools and services that might
security research capability with
enable technology transfer to hostile
effective action to close them; and
states, terrorists or criminals;

61
Section 7
DEVELOP
analyse emergent internet-connected international strategic and societal
process control technologies; trends and their impact on cyber.
anticipate vulnerabilities around digital

currencies; and 7.4.6. We will ensure that cyber security is
monitor market trends in
considered within the remit of the cross-
telecommunications technologies
Government Emerging Technology and
to develop early defences against
Innovation Analysis Cell (ETIAC), which
anticipated future attacks.
will be established to identify technology
threats and opportunities relevant to
7.4.4. We recognise that horizon scanning national security and that cyber is
goes beyond the technical, to include considered by existing horizon-scanning
political, economic, legislative, social structures, including the Government
and environmental dimensions. Cyber Futures Group (GFG), and the Cabinet
security is just one aspect of the issues Secretarys Advisory Group on horizon
that effective horizon scanning can help scanning (CSAG).
to address. Therefore, we will ensure that
where we conduct horizon scanning of Measuring success
these other policy areas, we will take into
account any cyber security implications. 7.4.7. The Government will measure our
success in establishing an effective horizon
7.4.5. We will also ensure that cyber scanning capability by assessing progress
policy-making follows an evidence-based towards the following outcomes:
approach, taking into account assessments
from all available sources. This will include, cross-government horizon scanning
for example: and all-source assessment are
integrated into cyber policy making; and
specific technical evidence, for example the impact of cyber security is
on the Internet of Things, or the future factored into all cross-government
role of advanced materials; and horizon scanning.

62
Section 8
INTERNATIONAL ACTION
8. INTERNATIONAL
ACTION

63
Section 8
8.1. Our economic prosperity and Objectives

social wellbeing increasingly depend on
the openness and security of networks 8.3. The UK aims to safeguard the
that extend beyond our own borders. long-term future of a free, open, peaceful
It is essential that we work closely with and secure cyberspace, driving economic
international partners to ensure the growth and underpinning the UKs national
continuation of a free, open, peaceful and security. On this basis, the UK will continue
secure cyberspace that delivers these to: champion the multi-stakeholder
benefits. This will only become more model of internet governance; oppose
important as the next billion users come data localisation; and work to build the
online across the globe. capacity of our partners to improve their
own cyber security. In order to reduce the
8.2. International cooperation on threat to the UK and our interests, much
cyber issues has become an essential of which originates overseas, we will seek
part of wider global economic and to influence the decision-making of those
security debates. It is a rapidly evolving engaging in cyber crime, cyber espionage,
area of policy, without a single agreed and disruptive or destructive cyber activity
international vision. The UK and its allies and continue to build frameworks to
have been successful in ensuring some support international cooperation.
elements of the rules-based international
system are in place: there has been Our Approach
agreement that international law applies
in cyberspace; that human rights apply 8.4. To do this we will:
online as they do offline; and a broad
consensus that the multi-stakeholder strengthen and embed a common
approach is the best way to manage the understanding of responsible state
complexities of governing the Internet. behaviour in cyberspace;
However, with a growing divide over how build on agreement that international
to address the common challenge of law applies in cyberspace;
reconciling national security with individual continue to promote the agreement
rights and freedoms, any global consensus of voluntary, non-binding, norms of
remains fragile. responsible state behaviour;
support the development and
implementation of confidence-building
We must work internationally to agree measures;
the rules of the road that will ensure increase our ability to disrupt and
prosecute cyber criminals based
the UKs future security and prosperity abroad, especially in hard-to-reach
in cyberspace. jurisdictions;
The Rt. Hon. Boris Johnson, MP, help foster an environment which
allows our law enforcement agencies
Foreign Secretary to work together to ensure fewer
places exist where cyber criminals
can act without fear of investigation
and prosecution;
promote the resilience of cyberspace
by shaping the technical standards
governing emerging technologies

64
Section 8
internationally (including encryption), building stronger relationships with

making cyberspace more secure by non-government actors industry,
design and promoting best practice; civil society, academia and the
work to build common approaches technical community. These actors
amongst like-minded countries for are crucial in informing and challenging
capabilities such as strong encryption, international policy formulation, and
which have cross-border implications; strengthening political messages on
build the capacity of others to tackle a wide range of cyber issues. Our
threats to the UK, and our interests world-class academic links provide
overseas; a neutral, collaborative platform with
continue to help our partners develop international partners.
their own cyber security since
we share a single cyberspace, we Measuring Success
collectively become stronger when
each country improves its own 8.6 The Government will measure its
defences; success in advancing our international
ensure that NATO is prepared for the interests in cyber by assessing progress
conflicts of the 21st century, which will towards the following outcomes:
play out in cyberspace as well as on
the battlefield; enhanced international collaboration
work with our allies to enable NATO to reduces cyber threat to the UK and
operate as effectively in cyberspace as our interest overseas;
it does on land, air and sea; and a common understanding of
ensure that the London Process of responsible state behaviour in
Global Conferences on Cyberspace cyberspace;
continues to promote global consensus international partners have increased

towards a free, open, peaceful and their cyber security capability; and
secure cyberspace. strengthened international consensus
on the benefits of a free, open,
8.5. There are a range of relationships peaceful and secure cyberspace.
and tools we will continue to invest in to
deliver and underpin all our international
cyber objectives; we cannot achieve our
objectives in isolation. These include:
working in concert with traditional

allies and new partners to establish
and maintain strong active political
and operational relationships; creating
the political conditions to build strong
global alliances;
using our influence with multilateral
organisations such as the United
Nations, G20, European Union,
NATO, OSCE, Council of Europe, the
Commonwealth and within the global
development community; and

65
Section 8

66
Section 9
METRICS
9. METRICS

67
Section 9
METRICS
9.1. Cyber security remains an area of 1. The UK has the capability effectively
relative immaturity when it comes to the to detect investigate and counter the
measurement of outcomes and impacts threat from the cyber activities of our
normally referred to as metrics. Already adversaries.
the science of cyber security has been
obscured by hyperbole and obstructed 2. The impact of cybercrime on the
by an absence of calibrated data. This is UK and its interests is significantly
a source of frustration for policy-makers reduced and cyber criminals are
and businesses alike, who have struggled deterred from targeting the UK.
to measure investment against outcomes.
The Government assesses that the effective 3. The UK has the capability to manage
use of metrics is essential for delivering this and respond effectively to cyber
strategy and focussing the resources that incidents to reduce the harm they
underpin it. cause to the UK and counter cyber
adversaries.
9.2. We will ensure that this strategy
is founded upon a rigorous and 4. Our partnerships with industry on
comprehensive set of metrics against active cyber defence mean that large
which we measure progress towards the scale phishing and malware attacks
outcomes we need to achieve. As well are no longer effective.
as being a major deliverable under the
Strategy in its own right, the NCSC will 5. The UK is more secure as a result of
play a crucial role in enabling other parts of technology products and services
Government, industry and society to deliver having cyber security designed into
all of these strategic outcomes within this them and activated by default.
strategy.
6. Government networks and services
9.3. Annex 3 sets out how the success will be as secure as possible from the
measures set out in the strategy will moment of their first implementation.
contribute to the strategic outcomes, The public will be able to use
which will be reviewed annually to ensure government digital services with
they accurately reflect our national goals confidence and trust that their
and requirements. The headline, strategic information is safe.
outcomes are as follows:
7. All organisations in the UK, large
and small, are effectively managing
their cyber risk and are supported by
high quality advice designed by the
NCSC, underpinned by the right mix
of regulation and incentives.
8. There is the right ecosystem in the

UK to develop and sustain a cyber
security sector that can meet our
national security demands.

68
Section 9
METRICS
9. The UK has a sustainable supply 11. The UK government is already

of home grown cyber skilled planning and preparing for policy
professionals to meet the growing implementation in advance of future
demands of an increasingly digital technologies and threats and is
economy, in both the public and future proofed.
private sectors, and defence.
12. The threat to the UK and our interests
10. The UK is universally acknowledged overseas is reduced due to increased
as a global leader in cyber security international consensus and capability
research and development, towards responsible state behaviour
underpinned by high levels of expertise in a free, open, peaceful and secure
in UK industry and academia. cyberspace.

69
Section 9
METRICS
13. UK Government policies, longer term outcomes are allocated beyond

organisations and structures are 2021 to industry, regulators, auditors,
simplified to maximise the coherence insurers and other parts of the public and
and effectiveness of the UKs private sector, as the effective management
response to the cyber threat. of cyber security risks is integrated into
standard management activity for all.
9.4. We recognise that some of our
ambitions for this strategy go beyond
its five year timescale. In order that any
future investment in cyber beyond 2021
can continue to deliver the maximum
transformative effect, we intend that these

70
CONCLUSION
CYBER SECURITY BEYOND 2021
CONCLUSION:
CYBER SECURITY
BEYOND 2021

71
CONCLUSION
CYBER SECURITY BEYOND 2021
10.1. The rapid evolution of the cyber 10.4. Even in the most optimistic scenario,
landscape will constantly throw up new some of the challenges the UK faces in
challenges as technology evolves and our the cyber domain, whether in scale or
adversaries act to exploit it. However, this complexity, may need more than five years
strategy aims to provide a range of policies, to address. This strategy nonetheless
tools and capabilities that will ensure we provides us with the means to transform
can respond quickly and flexibly to each our future security and safeguard our
new challenge as it arises. prosperity in the digital era.
10.2. Should we fail to act effectively,

the threat will continue to outpace our
ability to protect ourselves against it.
We can expect an explosion of threat
capability at all levels.
10.3. Conversely, if we realise these

ambitions, all parts of UK government,
business and society will play their part
in delivering the countrys overall cyber
security. If we can ensure security is
designed and built in, by default, into
commodity technologies, consumers
and businesses would have less cause
to worry about cyber security. Should
the UK consolidate its reputation as a
secure environment to do business online,
more global companies and investors
will choose to locate here. Security for
CNI networks and priority sectors would
be more effective. Potential attackers
looking to develop tools and attack
methods against systems holding key
functions and data would in turn have
to work harder to overcome the layered
security that surrounds them. This would
change the risk versus reward equation
for cyber criminals and malicious actors,
who would expect to face the same threat
of prosecution internationally as they do
for traditional crimes. If we can succeed
in mainstreaming cyber security across
all parts of our society, it could mean that
Government itself can step back from
such a prominent role, allowing the
market and the technology to drive the
evolution of cyber security across the
economy and society.

72
Annex 1
GLOSSARY
ANNEXES

73
Annex 1
ACRONYMS
ANNEX 1: ACRONYMS
CCA the Centre for Cyber Assessment. CPNI has built up strong partnerships
Based in the NCSC, it provides cyber with private sector organisations across
threat assessments for UK government the national infrastructure, creating a
departments to inform policy. trusted environment where information
can be shared for mutual benefit. Direct
CERT Computer Emergency Response relationships are augmented by an
Team. extended network, which includes other
government departments and professional
CERT-UK National Computer Emergency service organisations.
Response Team in the UK.
DDoS Distributed Denial of Service
CESG the National Technical Authority attack. The flooding of an information
for Information Assurance within the UK. system with more requests than it can
It provides a trusted, expert, independent, handle, resulting in authorised users being
research and intelligence-based service on unable to access it.
information security on behalf of UK the
government. GCHQ Government Communications
Headquarters; the centre for the
CNI Critical National Infrastructure. Those Governments signals intelligence
critical elements of infrastructure (namely activities and Cyber National Technical
assets, facilities, systems, networks or Authority (NTA).
processes and the essential workers that
operate and facilitate them), the loss or ICT Information and Communications
compromise of which could result in: Technology.
a. major detrimental impact on the

MOD Ministry of Defence
availability, integrity or delivery
of essential services including

NATO North Atlantic Treaty Organisation.
those services whose integrity,
if compromised, could result in

NCA National Crime Agency; a non-
significant loss of life or casualties
Ministerial government department.
taking into account significant
economic or social impacts; and/or NCSC the National Cyber Security
b. significant impact on national security, Centre.
national defence, or the functioning of
the state. OSCE Organisation for Security and
Cooperation in Europe.
CPNI the Centre for the Protection of
National Infrastructure. It delivers advice SME Small and medium-sized enterprises.
that aims to reduce the vulnerability of
organisations in the national infrastructure
to terrorism and espionage. It will also
work in partnership with NCSC to
provide holistic protective security
advice on threats from cyberspace.

74
Annex 2
GLOSSARY
ANNEX 2: GLOSSARY
Action Fraud the UKs national fraud Computer Network Exploitation (CNE)
and internet crime reporting centre, cyber espionage; the use of a computer
providing a central point of contact network to infiltrate a target computer
for the public and businesses. network and gather intelligence.
Active Cyber Defence (ACD) Cyber Crime marketplace the totality

the principle of implementing security of products and services that support the
measures to strengthen the security of a cyber crime ecosystem.
network or system to make it more robust
against attack. Cryptography the science or study of
analysing and deciphering codes and
Anonymisation the use of cryptographic ciphers; cryptanalysis.
anonymity tools to hide or mask ones
identity on the Internet. Cyber attack deliberate exploitation of
computer systems, digitally-dependent
Authentication the process of verifying enterprises and networks to cause harm.
the identity, or other attributes of a user,
process or device. Cyber crime cyber-dependent crime
(crimes that can only be committed through
Automated system verification the use of ICT devices, where the devices
measures to ensure that software and are both the tool for committing
hardware are working as expected, and the crime and the target of the crime);
without errors. or cyberenabled crime (crimes that
may be committed without ICT devices,
Autonomous System a collection of IP like financial fraud, but are changed
networks for which the routing is under the significantly by use of ICT in terms of scale
control of a specific entity or domain. and reach).
Big data data sets which are too big Cyber ecosystem the totality of
to process and manage with commodity interconnected infrastructure, persons,
software tools in a timely way, and require processes, data, information and
bespoke processing capabilities to manage communications technologies, along
their volumes, speed of delivery and with the environment and conditions that
multiplicity of sources. influence those interactions.
Bitcoin a digital currency and payment Cyber incident an occurrence that

system. actually or potentially poses a threat to a
computer, internet-connected device, or
Commodity malware malware that network or data processed, stored, or
is widely available for purchase, or free transmitted on those systems which
download, which is not customised and may require a response action to mitigate
is used by a wide range of different the consequences.
threat actors.

75
Annex 2
GLOSSARY
CyberInvest a 6.5m industry Data breach the unauthorised movement

and government scheme to support or disclosure of information on a network
cutting-edge cyber security research to a party who is not authorised to have
and protect the UK in cyberspace. access to, or see, the information.
Cyber-physical system systems with Domain a domain name locates

integrated computational and physical an organisation or other entity on the
components; smart systems. Internet and corresponds to an Internet
Protocol (IP) address.
Cyber resilience the overall ability of
systems and organisations to withstand Domain Name System (DNS) a naming
cyber events and, where harm is caused, system for computers and network services
recover from them. based on a hierarchy of domains.
Cyber security the protection of internet Doxing the practice of researching,

connected systems (to include hardware, or hacking, an individuals personally
software and associated infrastructure), identifiable information on the Internet,
the data on them, and the services they then publishing it.
provide, from unauthorised access, harm
or misuse. This includes harm caused e-commerce electronic commerce. Trade
intentionally by the operator of the system, conducted, or facilitated by, the Internet.
or accidentally, as a result of failing to
follow security procedures or being Encryption cryptographic transformation
manipulated into doing so. of data (called plaintext) into a form (called
cipher text) that conceals the datas
Cyber Security Challenge competitions original meaning, to prevent it from being
encouraging people to test their skills and known or used.
to consider a career in cyber.
Horizon scanning a systematic
Cyberspace the interdependent network examination of information to identify
of information technology infrastructures that potential threats, risks, emerging issues
includes the Internet, telecommunications and opportunities allowing for better
networks, computer systems, internet preparedness and the incorporation of
connected devices and embedded mitigation and exploitation into the
processors and controllers. It may also refer to policy-making process.
the virtual world or domain as an experienced
phenomenon, or abstract concept. Incident management the management
and coordination of activities to investigate,
Cyber threat anything capable of and remediate, an actual or potential
compromising the security of, or causing occurrence of an adverse cyber event
harm to, information systems and internet that may compromise or cause harm to
connected devices (to include hardware, a system or network.
software and associated infrastructure), the
data on them and the services they provide,
primarily by cyber means.

76
Annex 2
GLOSSARY
Incident response the activities that Network (computer) a collection of host

address the short-term, direct effects computers, together with the sub-network
of an incident, and may also support or inter-network, through which they can
short-term recovery. exchange data.
Industrial Control System (ICS) Offensive cyber the use of cyber

an information system used to capabilities to disrupt, deny, degrade or
control industrial processes, such destroy computers networks and internet
as manufacturing, product handling, connected devices.
production and distribution, or to control
infrastructure assets. Patching patching is the process
of updating software to fix bugs and
Industrial Internet of Things (IIoT) vulnerabilities
the use of Internet of Things technologies
in manufacturing and industry. Penetration testing activities designed
to test the resilience of a network or facility
Insider someone who has trusted access against hacking, which are authorised or
to the data and information systems of sponsored by the organisation being tested.
an organisation and poses an intentional,
accidental or unconscious cyber threat. Phishing the use of emails that appear to
originate from a trusted source, to deceive
Integrity the property that information recipients into clicking on malicious links
has not been changed accidentally, or or attachments that are weaponised with
deliberately, and is accurate and complete. malware, or share sensitive information,
with an unknown third party.
Internet a global computer network,
providing a variety of information and Ransomware malicious software that
communication facilities, consisting denies the user access to their files,
of interconnected networks using computer or device until a ransom is paid.
standardised communication protocols.
Reconnaissance the phase of an attack
Internet of Things the totality of devices, where an attacker gathers information on,
vehicles, buildings and other items and maps networks, as well as probing
embedded with electronics, software and them for exploitable vulnerabilities in order
sensors that communicate and exchange to hack them.
data over the Internet.
Risk the potential that a given cyber
London Process measures resulting threat will exploit the vulnerabilities of an
from the 2011 London Conference on information system and cause harm.
Cyberspace.
Router devices that interconnect logical
Malware malicious software, or code. networks by forwarding information to other
Malware includes viruses, worms, Trojans networks based upon IP addresses.
and spyware.

77
Annex 2
GLOSSARY
Script kiddie a less skilled individual who Vishing vishing or voice phishing is the
uses ready-made scripts, or programs, that use of voice technology (landline phones,
can be found on the Internet to conduct mobile phones, voice email, etc) to trick
cyber attacks, such as web defacements. individuals into revealing sensitive financial
or personal information to unauthorised
Secure by default the unlocking of the entities, usually to facilitate fraud.
secure use of commodity technologies
whereby security comes by default for users. Vulnerability bugs in software
programs that have the potential to be
Secure by design software, hardware exploited by attackers.
and systems that have been designed from
the ground up to be secure.
SMS spoofing a technique which masks

the origin of an SMS text message by
replacing the originating mobile number
(Sender ID) with alphanumeric text. It may
be used legitimately by a sender to replace
their mobile number with their own name,
or company name, for instance. Or it may
be used illegitimately, for example, to
fraudulently impersonate another person.
Social engineering the methods

attackers use to deceive and manipulate
victims into performing an action or
divulging confidential information.
Typically, such actions include opening
a malicious webpage, or running an
unwanted file attachment.
Trusted Platform Module (TPM) an

international standard for a secure
cryptoprocessor, which is a dedicated
microprocessor designed to secure
hardware by integrating cryptographic keys
into devices.
User a person, organisation entity,

or automated process, that accesses a
system, whether authorised to, or not.
Virus viruses are malicious computer

programs that can spread to other files.

78
Annex 3
HEADLINE IMPLEMENTATION PROGRAMME
ANNEX 3: HEADLINE IMPLEMENTATION PROGRAMME

NATIONAL CYBER SECURITY STRATEGY 2016-2021
Vision: the UK is secure and resilient to cyber threats; prosperous and confident
in the digital world
Strategic outcomes Indicative success measures (to 2021) Contributes to
1. The UK has the The stronger information sharing networks that we DETER
capability to have established with our international partners, and
effectively detect, wider multilateral agreements in support of lawful and
investigate and responsible behaviour by states, are substantially
counter the threat contributing to our ability to understand and respond to the
from the cyber threat, resulting in a better defended UK.
activities of our Our defence and deterrence measures, alongside our
adversaries. country-specific strategies, are making the UK a harder
target for hostile foreign actors and cyber terrorists to
succeed against.
Improved understanding of the cyber threat from hostile
foreign and terrorist actors, through identification and
investigation of cyber terrorism threats to the UK.
Ensuring that terrorist cyber capability remains low in the
long term, through close monitoring of capability, and
disruption of terrorist cyber potential and activity at the
earliest opportunity.
The UK is a world leader in offensive cyber capability.
The UK has established a pipeline of skills and expertise to
develop and deploy our sovereign offensive cyber capabilities.
Our sovereign cryptographic capabilities are effective in
keeping our secrets and sensitive information safe from
unauthorised disclosure.
2. The impact of We are having a greater disruptive effect on cyber criminals DETER
cybercrime on the attacking the UK, with increased numbers of arrests and
UK and its interests convictions, and larger numbers of criminal networks
is significantly dismantled as a result of law enforcement intervention.
reduced and Improved law enforcement capability, including: capacity
cyber criminals and skills for both dedicated specialists and mainstream
are deterred from officers; and enhanced overseas law enforcement capability.
targeting the UK. Improved effectiveness, and increased scale, of early
intervention (PREVENT) measures is dissuading and
reforming offenders.
A reduction in low-level cyber offences as a result of cyber
criminal services being harder to access and less effective.
3. The UK has A higher proportion of incidents are reported to the DEFEND

the capability authorities, leading to a better understanding of the size
to manage and and scale of the threat.
respond effectively Cyber incidents are managed more effectively, efficiently
to cyber incidents and comprehensively, as a result of the creation of the
to reduce the harm National Cyber Security Centre as a centralised incident
they cause to the reporting and response mechanism.
UK and counter We will address the root causes of attacks at a national
cyber adversaries. level, reducing the occurrence of repeated exploitation
across multiple victims and sectors.

79
Annex 3
4. Our partnerships The UK is harder to phish, because we have large-scale DEFEND

with industry defences against the use of malicious domains, more
on active cyber active anti-phishing protection at scale and it is much
defence mean harder to use other forms of communication, such as
that large scale vishing and SMS spoofing, to conduct social engineering
phishing and attacks.
malware attacks A far larger proportion of malware communications and
are no longer technical artefacts associated with cyber attacks and
effective. exploitation are being blocked.
The UKs internet and telecommunications traffic is
significantly less vulnerable to rerouting by malicious
actors.
GCHQ, Defence and NCA capabilities to respond to
serious state-sponsored and criminal threats have
significantly increased.
5. The UK is more The majority of commodity products and services available DEFEND
secure as a result in the UK in 2021 are making the UK more secure, because
of technology they have their default security settings enabled by default
products and or have security integrated into their design.
services having Government services are trusted by the UK public,
cyber security because they have been implemented as securely
designed into them as possible, and fraud levels against them are within
and activated by acceptable risk parameters.
default.
6. Government Government has an in-depth understanding of the level of DEFEND

networks and cyber security risk across the whole of government and the
services will be as wider public sector.
secure as possible Individual government departments and other bodies
from the moment protect themselves in proportion to their level of risk and to
of their first an agreed government minimum standard.
implementation. Government departments and the wider public sector are
The public will resilient and can respond effectively to cyber incidents,
be able to use maintaining functions and recovering quickly.
government digital New technologies and digital services deployed by
services with government will be cyber secure by default.
confidence, and We are aware of, and actively mitigating, all known
trust that their internet-facing vulnerabilities in government systems
information is safe. and services;
All government suppliers meet appropriate cyber security
standards.

80
Annex 3
7. All organisations We understand the level of cyber security across the CNI, DEFEND
in the UK, large and have measures in place to intervene, where necessary,
and small, are to drive improvements in the national interest.
effectively Our most important companies and organisations
managing their understand the level of threat and implement proportionate
cyber risk, are cyber security practices.
supported by The UK economys level of cyber security is as high as, or
high quality higher than, comparative advanced economies.
advice designed The number, severity and impact of successful cyber
by the NCSC, attacks against businesses in the UK has reduced,
underpinned by because cyber hygiene standards have been applied.
the right mix of The UK has an improving cyber security culture, because
regulation and organisations and the public understand their cyber risk
incentives. levels, and understand the cyber hygiene steps they need
to take to manage those risks.
8. There is the right Greater than average global growth in the size of the UK DEVELOP
ecosystem in the cyber sector year on year.
UK to develop and A significant increase in investment in early stage
sustain a cyber companies.
security sector
that can meet our
national security
demands.
9. The UK has a There are effective and clear entry routes into the cyber- DEVELOP
sustainable supply security profession, which are attractive to a diverse range
of home grown of people.
cyber skilled By 2021 cyber security is taught effectively as an integral
professionals to part of relevant courses within the education system, from
meet the growing primary to post-graduate level.
demands of an Cyber security is widely acknowledged as an established
increasingly digital profession with clear career pathways, and has achieved
economy, in both Royal Chartered Status.
the public and Appropriate cyber security knowledge is an integral part
private sectors, of the continual professional development for relevant
and defence. non-cyber security professionals, across the economy.
Government and the armed forces have access to cyber
specialists able to maintain the security and resilience of
the UK.

81
Annex 3
10. The UK is The number of UK companies successfully DEVELOP

universally commercialising academic cyber research has increased
acknowledged as significantly. There are fewer agreed and identified gaps in
a global leader the UKs cyber security research capability, and effective
in cyber security action has been taken to close them.
research and The UK is regarded as a global leader in cyber security
development, research and innovation.
underpinned
by high levels
of expertise in
UK industry and
academia.
11. The UK Cross-government horizon scanning work and all-source DEVELOP

government is assessment are integrated into cyber policy making.
already planning The impact of cyber security is factored into all cross-
and preparing government horizon scanning work.
for policy
implementation in
advance of future
technologies and
threats and is
'future proofed'.
12. The threat to Enhanced international collaboration reduces cyber threat INTERNATION-
the UK and our to the UK and our interest overseas; AL ACTION
interests overseas A common understanding of responsible state behaviour in AND
is reduced due cyberspace; INFLUENCE
to increased International partners increased their cyber security
international capability; and
consensus and Strengthened international consensus on the benefits of a
capability towards free, open, peaceful and secure cyberspace.
responsible state
behaviour in a free,
open peaceful and
secure cyberspace.
13. UK Government The Government cyber security responsibilities are CROSS

policies, understood and its services are accessible. CUTTING
organisations Our partners understand how best to interact with

and structures Government on cyber security issues
are simplified
to maximise the
coherence and
effectiveness of the
UK's response to
the cyber threat.

National Cyber Security Strategy 2016

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

National Cyber Security Strategy 2016

Uploaded by

Copyright:

Available Formats

NATIONAL CYBER SECURITY

1 EXECUTIVE SUMMARY ................................................................................8

The scope of the strategy .............................................................................14

Cyber criminals ........................................................................................17

States and state-sponsored threats.........................................................18

Script Kiddies .........................................................................................20

An expanding range of devices ...............................................................22

Poor cyber hygiene and compliance........................................................22

Insufficient training and skills ...................................................................22

Legacy and unpatched systems ..............................................................23

Availability of hacking resources..............................................................23

4 OUR NATIONAL RESPONSE ......................................................................24

Our vision ......................................................................................................25

Roles and responsibilities .............................................................................26

Businesses and organisations .................................................................26

Driving change: the role of the market .....................................................27

Driving change: expanded role for the Government ................................27

IMPLEMENTATION PLAN ...........................................................................30

5.1. Active Cyber Defence.............................................................................33

5.2. Building a more secure Internet .............................................................35

5.3. Protecting government...........................................................................37

5.5. Changing public and business behaviours ............................................42

5.6. Managing incidents and understanding the threat.................................44

6.1. Cybers role in deterrence ......................................................................47

6.2. Reducing cyber crime ............................................................................47

6.3. Countering hostile foreign actors ...........................................................49

6.4. Preventing terrorism ...............................................................................50

6.5. Enhancing sovereign capabilities offensive cyber...............................51

6.6. Enhancing sovereign capabilities cryptography..................................51

7.1. Strengthening cyber security skills.........................................................55

7.2. Stimulating growth in the cyber security sector.....................................57

7.3. Promoting cyber security science and technology ................................59

7.4. Effective horizon scanning .....................................................................60

8 INTERNATIONAL ACTION ..........................................................................62

10 CONCLUSION: Cyber Security beyond 2021 ............................................70

Annex 1: Acronyms .....................................................................................73

Annex 3: Headline implementation programme .......................................78