Cyber Power may well be a vital component in protecting national interests, but how effectively will it play out in reality?
"A lot of noise from some geopolitical pundits and think tanks - potentially backed by cyber security and defence lobbyists - continues to be generated against the backdrop of the war in the Ukraine," says Ian Thornton-Trump, CISO, Cyjax. With the conflict now running well over the 100 days' mark (as Computing Security went to press), many assumptions about the strength of the Russian military and cyber capabilities appear to have been greatly exaggerated. "The evidence of Russian military incompetence is littered across the battlefield and the idea that a Russian 'Battalion Tactical Group' could perform as a near peer adversary to the integrated NATO Battle Group was aspirational at best and farcical at worst."
So, too, it appears with Russian cyber forces, which also seem to have failed to achieve any sort of impactful, substantial or persistent cyber-attack on Ukraine during the conflict, he adds. "In fact, western technology firms were geared up and ready for a potential Russian onslaught of global cyber war, which has completely failed (so far) to materialise. These revelations about the iron and cyber curtain of the Russian 'Great Oz' should spark a NATO and G-20 rethink."
The idea of 'Cyber Power' as this vital lever of national power and a source of strategic advantage is questionable, states Thornton-Trump. "This does not seem to be the case and is being oversold as a solution to complex geopolitical relationships. China, for instance, is not going to cease being a protagonist against Taiwan's move towards independence because of a DDoS attack."
And as he points out: "Although some NATO cyber capabilities have greatly assisted the Ukraine defensive efforts, especially when it comes to Intelligence, Surveillance, Tracking & Reconnaissance (ISTAR) of Russian army leadership, Ukraine is not crying out for more cyber capabilities: it is requesting heavier weapons, such as more rocket artillery, howitzers and main battle tanks to defeat the enemy occupiers. Equal to the heavy weapons request and, perhaps even more effective, has been the extraordinary economic sanctions brought against Russia, which appear to be degrading and directly disrupting the ability of the Kremlin to wage the war with the bonus of undermining Putin's regime."
Setting aside the thoughts of the military industrial complex's lobbying efforts, what does he believe 'Cyber Power' can actually achieve, in real terms? "Not very much, it seems, other than espionage and surveillance of persons and groups of interest. Of course, there have been covert and overt cyber-attacks conducted by nation state actors against nation state defenders - by both sides - but the question to ask is whether any of those attacks have curtailed a nation state's behaviour or achieved any substantial geo-political outcomes? Without access to classified analysis reports on 'this top-secret cyber-attack or espionage campaign altered the course of history', Chinese, Russian, Iranian and North Korean leaders all seem eager to continue to pursue their own aggressive foreign policy objectives.
"'Cyber power' - if we even want to accept it as a term - is just another tool of implementing foreign policy and, like others, it cannot stand alone or achieve any objectives without diplomatic, coalition building, economic aid (or sanctions) or overt or covert action, all of which require investment and support. When it comes to nation state objectives there is no 'cyber easy button': it remains a difficult and messy business."
BASIC SECURITY NEED
"In the National Cyber Strategy 2022, the UK government details its commitment to establishing a future where the nation is more resilient to cyberattack, cyber is a national economic and strategic asset, and the UK effectively defends its position as a 'cyber power'," states Phil Lewis, CEO at Titania. "One of the key areas the strategy rightly focuses on is the increasing need for basic cyber security across all sectors and highlights what more businesses should be doing to prevent cyber security breaches and close the gaps in national resilience. Because, without the basics in place, the nation is exposed."
The research used in the strategy indicates that 39% of businesses and 26% of charities have reported a security breach in the last year. But perhaps more worrying, says Lewis, is the line from Part 1 of the strategy that reads: 'Industry tells us that many businesses do not understand the cyber risks they face... and that there is often little motivation to report breaches and attacks.'
Understanding the potentially catastrophic risk that exploitable vulnerabilities can pose to an organisation's operations - or indeed an entire supply chain - is key to prioritising remediation and mitigation strategies in order to develop better resilience, he insists. "It's as important as threat detection and response, and arguably a more basic requirement for every organisation. There are world-leading UK solutions designed to automate the detection and remediation of complex network vulnerabilities, as well as endpoint vulnerabilities. And some of these tools can even help prioritise remediation, based on the criticality of the risk the vulnerability poses to businesses. So, understanding the true extent of risks is now within reach of businesses of all shapes and sizes within the UK economy and the supply chain."
Perhaps it's not surprising then that understanding and prioritising cyber risks to better defend networks appears to underpin all five of the pillars outlined in the strategy, he comments, "as this has never been a more achievable goal with the right risk management frameworks and automation technology in place. And it's great to see that the Government continue to lead by example, significantly reducing its own cyber risks across the public sector by 2025, in order to advance the UK's global position as a cyber power."
Does the strategy and its implementation go far enough to ensure all critical national infrastructure (both commercial and governmental) and their supply chains establish defendable networks? "Time will tell," responds Lewis. "But its commitment to investing in cyber people, skills, partnerships, technologies and trusted risk management frameworks is clearly in the nation's best interest."
SIGNIFICANT CHANGE
Working over the last 15 years in the Government sector cyber security industry, Martin Walsham, director of Cyber Security, AMR CyberSecurity, has witnessed significant change in the level of cross-connectivity, dependency on the ICT systems to operate and deliver core business functions, and the evolving threat level. This period has also seen a lot of stimulus to the digital cyber economy, with the development and growth of a large number of SMEs.
"This has resulted in the maturing of the UK market, the creation of new jobs and export opportunities; examples of these include Digital Shadows and Nettitude, which have grown, been acquired or received significant investment," he says. "This is something that I experienced first-hand with my first cyber start-up organisation, Info-Assure, which was acquired in 2016." The Government's current cyber strategy clearly sets out the main and evolving challenges, adds Walsham.
"It is based on an honest appraisal of the shortfalls in current posture relating to legacy systems and the presence of known vulnerabilities within aspects of the Government systems, as well as reflecting on NCSC involvement - in 777 incidents managed by the National Cyber Security Centre between September 2020 and August 2021, around 40% were aimed at the public sector. This upward trend shows no signs of abating." As with all strategies, it could be argued that more could be done and quicker, he says. "However, what has been put forward is a balanced comprehensive strategy, so it is important to focus on implementing what has been proposed. Most of the strategy detail is focused on resilience, detection and response. Very little detail is included outlining the Government strategy to deter and disrupt the root causes of cyber threats."
This is alluded to within the strategy, he adds, but very little detail has been provided: "Such capabilities will include advanced protection and detection techniques, as well as targeted use of government's offensive cyber capability and broader international and diplomatic efforts to disrupt and deter such threats."
If the strategy is to be effective, Walsham concludes, "then resilience, detection and response mechanisms need to be supported with robust measures to deter and disrupt, such as breaking up criminal networks and applying sanctions and other measures to aggressive nation states harming the UK sovereign cyber interests."
FIVE KEY PILLARS
With cyber-attacks posing an increasingly dangerous threat to society, Government initiatives such as the National Cyber Strategy are more essential than ever, says Scott McAvoy, UKI associate partner A & IS Security Practice Kyndryl. "This latest strategy rests on five key pillars, ultimately aiming to strengthen the UK cyber ecosystem and build a more resilient digital UK. While it addresses some of the chinks in the current UK cybersecurity armour, the very nature of cybersecurity suggests it cannot protect entirely. Cyberthreats are an ever-moving and changing entity, and we need to reflect this in our approach to combatting them."
According to McAvoy, we're at the point where nothing and no-one is immune to the nefarious charms of cyber-attackers. "As such, cybersecurity is very much a shared responsibility and businesses need to play their part. As well as following the guidelines set out in the National Cyber Strategy, organisations need to adopt a 'resilience by design' mindset. Over the past 30 years, the IT industry has compartmentalised itself into neat towers and silos, which have eventually evolved into dedicated disciplines.
"Mainframe, server, network, cloud, applications, security etc, each is a dedicated discipline and often professionals managing these are only interested in their own performance, handing over responsibility whenever a problem falls outside their direct remit. This siloed approach is particularly unhelpful in the event of a cyberattack. The towers create responsibility gaps, which make it impossible to mount an effective recovery and response. Preparing for resilience means redefining the structure."
To break down silos, CIOs need to understand what the viable business function requirements are and ask how the whole IT estate, together, can work to support them, he concludes. "At a high level, it comes down to making sure that there is a generalist, holistic view of resilience in place. It needs to address what will actually matter to the business, not just in terms of resilience as an abstract ideal."