Government publishes National Cyber Strategy Annual Progress Report

Progress being made in all 5 action areas of the strategy, but there's still much to be done.

A new report published by the Cabinet Office this week outlines the key achievements and milestones over the last 18 months since the National Cyber Strategy was published.

The National Cyber Strategy 2022 Annual Progress Report 2022-2023 reflects upon the pace of geopolitical and technological change over that time, highlighting in particular Russia's illegal invasion of Ukraine and rapid advancements in artificial intelligence which come with significant implications for the UK's national security, prosperity and cyber power.

The report summarises progress made against the five pillars in the National Cyber Strategy, as well as what comes next:

Pillar 1: Strengthening the UK cyber ecosystem

Progress includes:

• Engaging over 2,000 schools, 2,500 teachers and 41,000 young people through Cyber Explorers.
• Establishing the National Cyber Advisory Board (NCAB).
• Supporting over 160 companies and entrepreneurs via Cyber Runway.
• The cyber sector has generated 5,300 new jobs in the past year, with an increase in total annual revenue of 3%, up to £10.5 billion.
• As part of a broader push on technology skills, the establishment of the Digital and Computing Skills Education Taskforce, chaired by the Department for Education and the Department for Science, Innovation and Technology.

Looking ahead:

The report states that self-sustaining interventions must be developed. To meet this challenge working relationships across the cyber sector, academia, business, the Government and the Devolved Administrations must be optimised, and this will include:

• Embedding the NCAB as a driving force behind the implementation of the strategy and a mechanism for helping to adapt and update the approach.
• Working with the Digital and Computing Skills Education Taskforce to develop lasting improvements to the pipeline of deep technical skills in computer science, with announcements in the next 12 months.
• Engaging with regional ecosystems across the UK to support the delivery of the government's national cyber and levelling-up strategies. And exploring opportunities for further UK government-funded innovation and skills initiatives, for example, to support the establishment of the National Cyber Force (NCF) in the North West.
• Supporting the UK Cyber Security Council to produce professional standards to underpin the needs of the cyber workforce. This work will need to accelerate in its second year in order to achieve the strategic ambitions set out in the national strategy.
• Building on international momentum around professional standards, collaborating with European and Five Eyes partners to shape the cyber profession beyond the UK.
• Enhancing the links between the NCAB and Academic Centres of Excellence in Cyber Security Research and Education; and improving the partnership structures surrounding the Academic Centres of Excellence in Cyber Security Research.

Pillar 2 Building a resilient and prosperous digital UK

Progress includes:

• Setting new, more specific ambitions to improve the cyber resilience of our critical national infrastructure (CNI).
• Announcing plans to strengthen the UK's cyber resilience legislation (the Security of Network & Information Systems Regulations).
• Responding to Russia's invasion of Ukraine with support to industry and CNI operators on the heightened cyber threat.
• 12,000 small businesses used National Cyber Security Centre's Cyber Action Plan and over 15,000 used the new ‘check your cyber security' tool.
• Over 27,000 organisations certified to either Cyber Essentials or Cyber Essentials Plus.

Looking ahead:

There is a need to shift the burden of cyber security away from the end users and increase protections to online services that benefit us all. Close working with industry and other organisations will underpin government's continued commitment to a whole of society approach to developing cyber resilience policy. This will include:

• Increasing the reach and take up of government's advice, guidance and support to businesses, organisations and individuals across the country to support them in improving their cyber defences, even in the face of increasing pressures.
• Maintaining focus on driving up standards across the public sector and CNI, and tackling key challenges, including those posed by legacy IT.
• Further supporting and encouraging organisations to protect themselves from ransomware, the most acute cyber threat to the UK, and to report incidents when they occur to ensure they can access the support available.
• Maintaining momentum in take-up of Cyber Essentials and continuing to take actions to promote board level engagement with cyber resilience.
• As announced last year, government will take forward reform of audit and corporate reporting, which will introduce a new statutory ‘Resilience Statement' to large company annual reports including specific consideration of digital security.
• Introducing strengthened cyber security legislation through the Security of Network and Information Systems Regulations, as soon as Parliamentary times allows.

Pillar 3: Taking the lead in the technologies vital to cyber power

Progress includes:

• Publishing the world's first App Store Privacy and Security Code of Practice, being implemented by all 13 major app store operators.
• Launching the Artificial Intelligence (AI) standards hub.
• Publishing the Secure Connected Places Playbook in collaboration with 6 local authorities.
• Being elected to the governing Council of the International Telecommunication Union (ITU).
• The Product Security and Telecommunications Infrastructure Act received royal assent, requiring manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products such as smart TVs.

Looking ahead:

Government recognises the wide-ranging impact that technologies continue to have on our lives and are embedding cyber security into technologies of today, and of tomorrow, such as artificial intelligence and quantum. These technologies can both enhance cyber security and amplify cyber risks - for example, adversarial cyber-attacks can manipulate artificial intelligence algorithms, leading to false positives or evading detection - therefore, government will be taking further actions in the following areas:

• Building on the UK's leadership in AI, the new expert taskforce backed by £100 million and hosting of the first major global summit on AI safety in the autumn, government will work to secure AI and machine learning technologies while encouraging innovation to thrive in the UK.
• Communicating a clear strategy on setting up a national laboratory for operational technology (OT); and aligning policy work and next steps on OT against the backdrop of wider initiatives.
• Promoting the rapid and widest possible uptake of new memory secure microprocessor technology that has been realised through the Digital Security by Design programme for the benefit of cyber security.
• Gathering further evidence to understand the impact of the Product Security and Telecommunications Infrastructure (PSTI) Bill.

Pillar 4: Advancing UK global leadership and influence

Progress includes:

• Providing £7.3m in cyber support to Ukraine since the start of the invasion.
• Setting up formal cyber dialogues with more than 10 countries across the world as well as the EU.
• Stepping up collaboration with international partners through the Counter Ransomware Initiative.
• Announcing a partnership with France and signing a joint statement with the US and 11 other countries on countering cyber proliferation, including co-chairing the policy pillar with Singapore.

Looking ahead:

In 2022 the UK announced four new cyber programmes to complement the wider cyber portfolio, and will focus on these throughout the next phase of the strategy:

• Ukraine - to help Ukrainian cyber defenders respond to materialising cyber-attacks, limited attacker access to vital networks and harden critical infrastructure to future assault.
• India - to deliver the UK's and India's commitments to a programme of co-operation focused on cyber governance deterrence, resilience and capacity building.
• Indo-Pacific - to provide deeper capacity building of a limited number of priority countries with emerging capabilities. And supporting partnerships with cyber mature countries and regional organisations.
• Africa - to help deliver the objective of deepening and developing a mutual partnership with African countries, working together to build more resilient and productive economies and open societies. The Africa Cyber Programme will support partner country development with Kenya, Nigeria and South Africa by helping to strengthen their cyber resilience and security and demonstrate the benefits of a free, open, peaceful, and secure cyberspace. The programme will also fund projects delivered by INTERPOL on cybercrime and the African Union, to support the development of cyber governance processes in Africa.

Pillar 5: Detecting, disrupting and deterring our adversaries

Progress includes:

• Taking down the GENESIS marketplace, a go-to service for cyber-criminals.
• Sanctioning seven Russian cyber criminals through coordinated action with the US.
• Publishing advice and guidance, including on the threat from commercial cyber proliferation and state-aligned groups sympathetic to Russia's invasion of Ukraine.
• Publishing ‘Responsible Cyber Power in Practice', setting out how the National Cyber Force's use of its cyber capabilities aligns with our values as a responsible cyber power.

Looking ahead: