
Defense is arguably the core function of the state – a government will protect its people. In that context, it has been interesting to observe the rise of cyber attacks as a major global threat. Defense agencies are used to protecting people from bombs and bullets, but what is their responsibility to protect against malware or man-in-the-middle attacks?
It’s a fascinating question, I think, without many clear answers. One way to approach it is by looking at the national cybersecurity apparatus in place across comparable countries. How, for instance, does the US promote cybersecurity compared to the UK?
Quite differently, as it turns out. As I will soon explore, the UK takes an active, highly involved approach to defending individuals and organizations against cyber attacks. The US feels more hands-off by comparison.
Granted, US cyber readiness is quickly changing; the State and Local Government Cybersecurity Act of 2021 makes cybersecurity a much bigger national priority. Still, I was struck while reading some recent research by how our friends across the pond handle cybersecurity (a clear and present danger to national security) compared to ourselves. It’s night and day from my perspective – and my hope is that we can learn from the UK way to improve over here, not just in the federal government but at security centers across the public and private sectors.
Get to Know the UK National Cyber Security Centre
“Protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time.”
That’s the stated mission of Active Cyber Defence, a program of the UK National Cyber Security Centre (NCSC) that takes a refreshingly realistic approach (the majority is not the entirety) to stopping cyber attacks. More refreshing, however, is the emphasis on active defense designed to prevent attacks and protect proactively.
Other national governments, including the US, work to stop attacks and strengthen security, but that effort often feels underwhelming. To put this issue into perspective, does any US organization struggling with cybersecurity think of the government as their first or best solution? No. They solve problems by buying defenses, subscribing to services, hiring consultants, or recruiting staff. The government feels irrelevant in this equation. At least it does here, but that’s not the case in the UK.
The Active Cyber Defence program has, over the last five years, eliminated countless threats, significantly reduced cyber risk throughout the UK, and prevented gigantic losses. Which is to say, the impact has been real and significant.
To help understand what that impact looks like, consider the still-fresh SolarWinds attack that affected national governments around the world. The US had 9 agencies compromised, including all three branches of the military. It was bad. The UK, by comparison, had only a few organizations affected, and all in the private sector. It was mild. The efforts of the NCSC don’t deserve all of the credit, but they undoubtedly deserve some. We should learn from what’s working.
What the Brits Do Differently
Let me reiterate that I don’t think the US cybersecurity efforts, handled primarily by the Cybersecurity & Infrastructure Security Agency (CISA), are severely derelict or deficient. They have plenty of successes to celebrate, not to mention more to protect than their counterparts in the UK. But when you compare CISA to NCSC, the differences in approach come into focus.
Here’s an easy exercise: Look over this page of free cybersecurity services and tools offered by CISA. It’s just a long list of links to (primarily) third-party or open-source solutions. Now compare that to the page of services and tools offered by the NCSC. Not only are the presentation and organization much smarter, but all the resources highlighted were developed by the NCSC specifically.
The quality and character of the resources are different. But it strikes me that the entire approach is different. Consider this quote from the NCSC website – “ACD (active cyber defence) is intended to tackle the high-volume commodity attacks that affect people’s everyday lives, rather than the highly sophisticated and targeted attacks, which NCSC deal with in other ways.” The program targets the most common attacks and strives to prevent them proactively. It’s all about getting in front of attacks. As such, all of the tools, resources, and guidance facilitate finding and fixing weaknesses before they turn into incidents. By offering free assistance to organizations across the UK, the group responsible for lowering cyber risk is accomplishing exactly that. I wouldn’t say the US approach feels passive or reactive, necessarily. But what the Brits do feels a lot more active, agile, and animated to me.
As the emphasis of cybersecurity shifts to prevention (rather than detection and response), I think the Active Cyber Defence program is a model for other national cybersecurity efforts and one that also applies to any organization striving to improve cybersecurity. Make prevention the highest priority, and put the tools in place to make that possible. That’s where real resilience and risk reduction come from.
I have more thoughts on what makes this program unique and important. I also want to bring some data into the conversation to illustrate how and why Active Cyber Defence keeps the UK safer than places without it.
Stay tuned for that. In the meantime, I’m curious what this community thinks about national cybersecurity in the US, UK, or around the world? What’s working and what isn’t? And what are the lessons or resources we can bring into private sector security centers? I know this community has expertise in places where I have blind spots, so please bring your own perspectives to the table.

