The Ministry of Defence (MOD) has released its new Cyber Resilience Strategy (CRS) – it highlights the strategic priorities where defence needs to be by 2026; the point when the MOD wants critical functions to be significantly hardened against cyber-attack.

With digital technology integrated into almost every defence asset these days, the need to identify, inspect and patch vulnerabilities in systems is becoming a must, well before they are taken advantage of by malicious state and non-state actors. This is also a requirement for the government’s vision for the UK to be at the forefront of the future frontier of cyberspace.

The strategy acknowledges that there are developing threats, evolving environments, and advancing technology, along with a recognition of what has to be overcome: misaligned culture, endemic obsolescence and inadequate cyber resilience within the MOD.

Individuals should be able to sufficiently operate equipment in a digital environment. From handling DDOS to phishing attacks people must learn, remain cyber aware, and be able to make appropriate security decisions. Considering much of the work force are likely working between the ages of 50-59, they may not have the same digital awareness of younger generations.

There is also an issue with out-of-date technology still being utilised, becoming a security concern. The WannaCry hack on the NHS in 2017 shows that outdated and obsolete systems that are still being utilised within government and organisations. Methods like waterfall (a, often slow, sequential development process compared to the fast, agile methodologies) may hinder the evolution of deployment of the latest technologies in defence capabilities.

Secure by Design

The ‘Secure by Design’ (SbD) concept means providing integrated system protection throughout the lifecycle of development. This approach is not novel but this strategy asserts its inception in the digital environment of defence capabilities. Although no timeframe is given, there will be updates and refreshers of policy and programmes to make sure these new standards are concrete. Considering there was no prior institutionalised policy/methodology, and development process was done on a mainly company-to-company basis, this move will be welcomed by industry.

MOD – Industry relationship

The strategy strives to “reset” the relationship with industry that transcends contracts, building a mutually supportive cyber resilience base. It will do this in multiple ways: using cyber security forums, improving visibility of critical capabilities, and adopting an “open mindset”.
SbD principles and policies will have to be implemented by industry in the future and in current capabilities.
High value defence information residing within industry will need to have strengthened protection and this will be partly be done by refreshing the Defence Cyber Protection Partnership process.

Rapidly detect and responding to threats

The strategy wants: strong “detect and respond” functions available for all teams engaged in cyber defence; to quickly implement “higher quality detection methods” and automate the processes to decrease workload and increase response time.
Improved equipment, tools and automation may help retain the number of software/security engineers. Often, well-trained engineers are attracted by higher wages in other sectors, so people often use the skills gained in MOD programs to “bounce” to other industries.

Implementation

The plans laid out by the strategy will be managed by a defensive cyber governance structure. Defensive Cyber Programmes will be the main delivery vehicle to run these cyber capabilities, complementing existing ones. Guiding the wider Defence equipment capability programmes, Cyber Defence and Risk will act as the main authorities for the implementation of SbD and core cyber protections to Defence organisations.

Altogether, this strategy has many different strategic priorities where defence needs to be by 2030. While some are overdue, this new approach to cyber resilience will be warmly welcomed by industry.