CYBERUK 2023 – Reflections on securing an open and resilient future through global cooperation

Last week, the UK Government’s flagship cyber security event, CYBERUK, organised by the National Cyber Security Centre (NCSC), took place in Belfast.

In NCC Group’s eighth consecutive year sponsoring CYBERUK – this year as Technical Masterclass sponsors – we spoke to Global Head of Compliance Services, Duncan McDonald, and Public Sector Account Director, Craig Pollard for their key takeaways:

Collaborate to deliver security at scale

The two-day event saw conversation centred around securing an open and resilient digital future through collaboration – across borders, across industries and across the public and private sectors.

Throughout the many ministerial and international presentations and workshops, nowhere did this resonate more than when Victor Zhora, Chief Digital Transformation Officer of the SSSCIP of Ukraine, presented in person alongside his UK, US, and Five Eyes’ partners. This was framed by Lindy Cameron, CEO of NCSC, asking “how might the 19th CYBERUK in 2033 look back on the 2000 people in this audience if we don’t step up as a willing international coalition to meet the rapidly emerging threats from the likes of AI and quantum computing.”

In addition to combatting emerging threats on a global scale, strengthening public-private partnerships to build economy-wide resilience was another key theme at this year’s event. Speakers highlighted how malicious actors are exploiting low levels of resilience across society to mount their attacks – “the democratisation of crime” as the UK Security Minister put it. Actors are not wasting effort when the barriers are low and advanced attacks are not needed. This means that we’re seeing adequate, instead of advanced, persistent threats.

The UK Government is turning to its industry partners to help deliver resilience at scale, while utilising the regulatory levers at its disposal to drive up standards and build security in as default across those sectors at most risk such as digital service providers and hardware manufacturers. The world we know today was not built with security in mind. However, the world we want to be part of tomorrow must have security within its founding principles and running through its DNA.

Always be prepared

Cyber attacks are inevitable. Even organisations with the highest levels of cyber security might face sophisticated nation-state threats, or find their supply chain has been compromised. So, while organisations need to prioritise prevention, they also need to be ready to keep their businesses or services running in the event of an attack or incident.

The now UK Deputy Prime Minister, Oliver Dowden, announced the rollout of the UK Government’s GovAssure programme – an annual healthcheck on government departments’ cyberhealth. This will shine a light on the UK public sector’s levels of resilience and show whether the Government is practicing what it is preaching when it comes to preparedness.

Secure your supply chain

GovAssure will also bring outsourced service providers who are not delivering resilient and secure services into focus. At the same time, tackling the security risks that come with the complexity of global supply chains in the semiconductor industry was a firm item on this year’s CYBERUK agenda. We are seeing increasing pressure being placed on suppliers to provide tracking and traceability for their products and components, while also demonstrating their governance regimes.

‘Secure by Design’ is so 2022

There was a notable shift in the language used by senior decision-makers across the governments represented at CYBERUK – from ‘Secure by Design’ to ‘Secure by Default’. Currently, cyber risk is devolved downwards – but in policymakers’ view this is ineffective and places an unfair burden on citizens and smaller organisations. Through a ‘Secure by Default’ approach, governments want to shift the balance of responsibility on to those who have the broadest shoulders, reducing technical debt in legacy environments and improving automation of security. This is reflected across President Biden’s new National Cybersecurity Strategy, the Australian Government’s refresh of its Cyber Security Strategy through to 2030 and the UK Government’s ‘Cyber Duty to Protect’ programme.