- The UK government’s strategic announcement on its public services cybersecurity strategy is positive, as there is a real need to address cyber threats in the public sector.
- For the new cybersecurity strategy to succeed, key departments responsible for implementing the strategy within authorities and the public sector require operational transformation and greater agility.
Threat Level Across UK Public Sector
The UK Cabinet Office and Chancellor of the Duchy of Lancaster Steve Barclay announced on January 25 that the government will launch what it calls the “first ever government cybersecurity strategy” to counter increased cyberattacks on IT systems and associated services within public services. The government’s strategic initiative aims to address the sheer volume of cyberattacks on the UK public sector. Figures taken from the National Cyber Security Centre between September 2020 and August 2021 suggest that approximately 40% of cyberattacks were aimed at the public sector. Some of the authorities believed to have been compromised include the Redcar & Cleveland, Wealden District, Gloucester City, and Hackney Councils. Additionally, it’s believed that councils across the UK reported more than 700 data breaches in 2020 to the Information Commissioner’s Office (ICO). Against the backdrop of increasing digitization of public services, encompassing technologies like Internet of Things and smart cities, this could be a catalyst for an exponential increase in cyberattacks on the public sector at a local and regional level.
The Level of Investment and Focus
The UK government’s strategic announcement with respect to its cybersecurity strategy is positive on paper, as there is a real need to address cyber threats in the public sector. The government’s cybersecurity approach entails a number of strategic announcements and initiatives including a new Government Cyber Coordination Centre (GCCC) to support coordination of cybersecurity efforts across the public sector, a new cross-government vulnerability reporting service enabling the public and organizations to report issues across digital services, and initiatives to facilitate culture change through partnerships with small businesses and academia. From the government’s announcements, three key initiatives could drive change and potentially reduce cyberattacks. These include: an assurance program across government addressing departmental vulnerabilities and appropriate measures; investment of GBP 37.8 million for local authorities to address cybersecurity, protecting key systems and services and measuring the cyber risk across supply chains of commercially implemented products within government systems; and instilling security as a key component of the procurement exercise.
Barriers to Success in UK Public Sector
The UK government’s cybersecurity strategic initiative looks good on paper and, in practice, will improve cyber resiliency in some areas. However, for this to really work, the foundations within an organization need to be agile, whether public sector or private enterprise.
First, the public sector has historically been notoriously rigid and bound by red tape. Decisions around IT strategy often lack the vision required for the future modern, digitally connected business. This is compounded by the legacy and dispersed nature of IT systems spanning the different business units across local and regional authorities. Lastly, public sector funding has historically been behind the curve compared to private sector organizations of similar size and stature. All this plays a role in how successful the UK government will be with its new cybersecurity strategy, and simply approaching this from the top down with weak foundations within local authorities will provide minimal success.
Considerations for Success
Unfortunately, in the short to midterm, it is unlikely that the UK government will provide the level of funding required to bring the local authority IT systems and services to where they need to be. However, what the government can do is bring in additional key strategic initiatives and programs within its new cybersecurity strategy that reform and re-organize departments that are laying down the foundations of IT and public-facing services delivered, learning from ‘best-in-class’ segments from the private sector such as financial, manufacturing, and retail when it comes to digital services. This will require IT, strategy, and sourcing departments to be visionaries of what they want to become in the future with respect to digitalization, as well as how future enterprise architecture strategies across systems supporting public services functions will support this future vision. Governance will also play a vital role, involving greater powers to teams and departments owning the strategic vision. Lastly, providers of infrastructure and IT services will be pivotal in transforming public services, and unlike previously when they were constrained by private sector budget restrictions, they need to bring more ‘skin in the game,’ delivering ‘best in class’ from successes in the private sector across verticals like financial and manufacturing.