National Cyber Security Strategy 2016 - 2021 | Progress Report | Autumn 2020
You may re-use this information (excluding logos) free of charge in any format
or medium, under the terms of the Open Government Licence.
Where we have identified any third party copyright material you will need
to obtain permission from the copyright holders concerned.
publiccorrespondence@[Link]
Contents
Foreword
Introduction
Foreword
Paymaster General
In this, the penultimate year of our five-year National Cyber Security Strategy, the impact of the COVID-19 pandemic has reinforced the importance of ensuring the security of the UK’s cyberspace.

Millions of us have been relying more heavily on digital technology to work, shop and socialise. It has been an empowering and liberating force for good at a time when people have felt confined. It has been a lifeline keeping people connected with family and friends, ensuring the most vulnerable receive medicines and food deliveries and is underpinning the operational delivery of our ongoing response to the pandemic.

But alongside the clear benefits technology brings come growing opportunities for criminals and other malicious actors, here and abroad, to exploit cyber as a means to cause us harm. That is why the role of this strategy and the diverse range of talented and committed cyber security professionals across all sectors of our economy are so important in keeping citizens and services safe.

As in previous years, this progress report is an opportunity to take stock and showcase successes like these, as well as look ahead to the future.

The UK’s departure from the European Union presents new opportunities to define and strengthen our place in the world as a sovereign and independent country. That includes how we tackle existing and emerging cyber security threats at a time when the global landscape is changing dramatically.

Our approach to cyber security strategy post 2021 will reinforce the outcome of the current Integrated Review of the UK’s foreign, defence, security and development policy. It will ensure we can continue to defend the UK against evolving cyber threats, deter malicious actors, develop the cyber skills and cyber sector we need and build on the UK’s international leadership, influence and action on cyber security in the years ahead.
Introduction
The global landscape has changed significantly since the publication of the National Cyber Security Strategy Progress Report in May 2019. We have seen unprecedented levels of disruption to our way of life that few would have predicted. The COVID-19 pandemic has increased our reliance on digital technologies – for our personal communications with friends and family and our ability to work remotely, as well as for businesses and government to continue to operate effectively, including in support of the national response.

These new ways of living and working highlight the importance of cyber security, which is also underlined by wider trends. An ever greater reliance on digital networks and systems, more rapid advances in new technologies, a wider range of threats, and increasing international competition on underlying technologies and standards in cyberspace, emphasise the need for good cyber security practices for individuals, businesses and government.

Although the scale and international nature of these changes present challenges, there are also opportunities. With the UK’s departure from the European Union in January 2020, we can define and strengthen Britain’s place in the world as a global leader in cyber security, as an independent, sovereign nation.

The sustained, strategic investment and whole of society approach delivered so far through the National Cyber Security Strategy has ensured we are well placed to respond to this changing environment and seize new opportunities.
Over the past year we have:

• Enhanced our capabilities and services to defend the UK against evolving cyber threats, particularly in the COVID-19 context, while maintaining our world-leading ability to respond effectively to incidents, and to make UK networks, data and systems protected and resilient.

• Consolidated our law enforcement response, from national to local level, to deter malicious actors so the UK remains a hard target for all forms of aggression in cyberspace.

Underpinning this we have taken international action to influence and shape the global evolution of cyberspace in a manner that advances our wider economic and security interests, working with a coalition of partners to respond to and deter state-directed malicious cyber activity.

Now, in the final year of the National Cyber Security Strategy, we will continue to deliver against these objectives, while supporting the government’s vision for the UK’s role in the world over the next decade.
International
• Initiated cross-government cyber dialogues with 20 new countries, in addition to continuing longer-standing bilateral engagements.

• Grew our network of overseas cyber officers. By the end of FY 2020-21 we should have 20 full-time regional cyber leads across five continents, on top of our network of 70+ part time cyber officers.

• Continued to support the Global Cyber Security Capacity Centre (GCSCC) in Oxford University and its world-leading model to assess cyber security capacity maturity. This allows nations to benchmark their cyber security capacity and set priorities for developing their cyber security capabilities. Over 80 assessments using the model have now been completed, with at least 15 completed in the last year.

• Funded specific overseas campaigns, for example Get Safe Online’s £0.5 million online safety awareness campaign in the Caribbean, which reached over 1 million people in 12 countries, who are now better equipped to protect themselves from cyber attacks. The campaign will expand into the Pacific and Africa in 2020/21.

• Developed, jointly with Australia, New Zealand, Canada and the Netherlands, a Women in International Security and Cyber Fellowship, which supported 35 mid-career diplomats from ASEAN, Pacific, South America and Commonwealth countries to engage in high-level cyber discussions at the UN.
Progress against strategic outcomes

Malicious activity from state and state-sponsored groups remains a threat to the UK’s interests in cyberspace. During the COVID-19 pandemic, we have observed a number of state and non-state actors looking to take advantage of the situation, either as an opportunity to exploit changes in the working patterns of businesses and individuals, or for intelligence gathering and disruption. The National Cyber Security Centre (NCSC), as the UK’s National Technical Authority, has been able to provide additional protection to over 150 significant NHS networks across the UK, and responded to over 50 related cyber threats and incidents that could have impacted operational services at times of critical national response.

We also detected targeting of vaccine research in the UK, and worked directly with the victims to mitigate the attacks, as well as responding with attributions alongside international partners. We have provided threat reports, protective guidance, bespoke advice, support and incident response.

In May, the Foreign Secretary called out hostile actors using the COVID-19 pandemic as an opportunity to carry out malicious cyber activity. More recently, the Foreign Secretary issued a statement of concern in support of the US indictment and attribution against Chinese cyber actors for their engagement in attacks against commercial, medical and academic institutions across 11 countries. All of which serves to strengthen international law and norms and helps to deter future malicious activity across the world.

As an example of work to improve cyber defences at scale, our initial work to collate indicators of compromise (IoC) of relevance to the protection of essential services resulted in around 50,000 IoCs being shared, and subsequently we have continued to add more IoCs at an average of 500 per week. We have also onboarded new organisations to our IoC sharing mechanisms, including the World Health Organization.
Over the past year, there have been over 1,000 disruptions carried out by the National Crime Agency, Regional Organised Crime Units and local police forces, more than doubling figures from the previous year. Over the same year we have carried out increased numbers of arrests, charges and cautions, as well as a substantial number of interviews under caution.

We have continued to develop and consolidate the law enforcement cyber crime network, which this year included the launch, consolidation and integration of the Force Specialist Cyber Crime Units in all 43 police forces in England and Wales. Prior to the roll out of these units, only 32% of forces had a cyber capability, albeit varied. Now all forces have specialist officers and staff in place to investigate cyber crime and ensure victims receive a consistent response and advice from police. These are an integral part of cyber crime network, tasked through a single national tasking process. This has had a significant impact at the local level, but also allows capacity in the National Crime Agency and Regional Organised Crime Units to concentrate on more complex, higher-harm cases. The devolved administrations’ police forces’ response to cyber crime is coordinated with that of the national and regional network, meaning a truly nationwide response. This has resulted in benefits such as the upskilling of officers, and coordinated and effective investigations across regional and national boundaries.

Pursuing malicious and criminal actors in cyberspace is key, but law enforcement has also strengthened its ability to Prevent and Prepare for cyber attacks through deterrence and diversionary activity with those perceived to be at risk of engaging in cyber crime, and by supporting businesses and individuals to take action before falling victim to cyber crime in the first place. During COVID-19, we provided free educational and interactive gaming resources like CyberLand for young people to ethically test their cyber skills while delivering Prevent messaging. The NCA report that the platform has attracted 50,000 users with 86% from the UK since May 2020. The number of Prevent interventions in the year to March 2020 increased compared to the previous year, aided by force activity since the launch of the local cyber crime units at the beginning of the financial year.
Following an initial pilot, a phased national rollout has begun of the National Economic Crime and Victim Care Unit. With the aim of supporting each victim based on their individual requirements, and alongside the work of the Law Enforcement PROTECT Network in supporting victims and the 24/7 business incident reporting line, significant support mechanisms are in place for the victims of cyber attacks.

The local cyber crime units (launched in April 2019) responded to almost all victims referred by Action Fraud over the past year and provided Protect advice with the aim of reducing the likelihood of revictimization. The capability to provide this response did not exist prior to the launch of the local units in April 2019 and shows a significant uplift in law enforcement support to victims compared to previous years.

Priorities to the end of the Strategy

The National Crime Agency continues to improve capabilities across our law enforcement response by further developing tools which are made accessible at all levels of policing to support Pursue, Protect, Prevent and Prepare activity. This will include delivering the ‘CyberChoices’ Prevent programme, aimed at helping young people make informed choices and to use their cyber skills in a legal way. This is a national initiative, delivered by the Prevent Teams within Regional Organised Crime Units and Local Police Force Cyber Teams.

We will be delivering Cyber Business Resilience Centres in each policing region in England and Wales. These are a collaboration between the police, public, private sector and academic partners to provide subsidised or free products and cyber security consultancy service to Small and Medium-Sized Enterprises and micro businesses to protect themselves against cyber attacks.
The NCSC is the lead government organisation for managing cyber incidents and has led on over 700 incidents in 2020, providing support to almost 1,200 victim organisations, handling over 2,500 incidents since commencing operations. NCSC and law enforcement continue to collaborate to simplify and improve the reporting landscape for UK victims of cyber attacks.

During the COVID-19 pandemic the NCSC’s operations directorate has been enhancing the monitoring and incident support afforded to COVID-19 essential functions and enterprises across the public and private sector.

Exercise in a Box, the free NCSC cyber exercising tool, is going from strength to strength with take-up increasing almost ten-fold at the start of the year. It now has 10 separate exercises covering everything from phishing to ransomware. The most popular exercise is a technical malware simulation exercise, drawing on incident management experience and exercises customers have indicated they would like to see. The most recent exercises are based around recently released NCSC guidance for supply chain risks, which allows an organisation to understand and discuss the risks associated with their reliance on suppliers to deliver products, systems and services, and those processes that their organisation has in place to mitigate these risks.

In May, NCSC soft-launched a service providing automated UK-focused incident notification from trusted public, commercial and closed sources, which includes several privileged feeds not available elsewhere. As well as providing a unique service to organisations, it gives NCSC Incident Management teams a means of safely gathering IPs and domain names and bulk notifying organisations of security concerns, such as incident notifications and vulnerability alerts. The service will go to public Beta by the end of the year.

Priorities to the end of the Strategy

NCSC and its partners have developed pioneering world-class capabilities to manage and respond to cyber incidents. Over the remainder of the Strategy, the UK will continue to pursue innovative options for simplifying and automating aspects of the incident management process in order to reduce risk to the UK. In turn, that experience will be used to inform and enrich NCSC’s public advice and guidance offering.
This exercise was developed at short notice by NCSC as a direct result of COVID-19 and
drew on the experience that elements of NCSC and some of our partners had at the outset
of ‘lockdown’ in adjusting to the new ways of working. The exercise draws on previous
guidance and exercises to bring multiple elements into a single place, such as Bring Your Own
Device, personal peripherals and remote access to data. It seeks to ensure that organisations
understand the controls they have in place to minimise the risks of data compromise where
home or remote working for employees is required. It covers connecting employees to
IT services, collaboration services and video conferencing and responding to a remote worker
security incident. The exercise launched in July, with current users standing at nearly 8,000.
The ultimate goal for Active Cyber Defence (ACD) is for there to be less harm caused by cyber attacks. It represents a significant step-change in the UK’s approach to cyber security, because of its voluntary, non-regulatory, non-statutory approach delivered in partnership with central government, local governments and business. COVID-19 has seen many of the ACD services being used to help protect our most essential services, from the NHS and ventilator manufacturers to universities researching vaccines and supermarket logistic companies.

Over the past year the significant achievement has been the launch of the Suspicious Email Reporting Service (SERS), which successfully went live in April and is already experiencing notable success. In the first four months of operation the service has received 2.3 million reports from members of the public. These reports have enabled the National Cyber Security Centre to get 22,000 malicious URLs and 9,300 malicious web links taken down.

Host Based Capability (HBC) is now in place across 17 organisations in central government and CNI clients. HBC is software that allows NCSC to help organisations detect malicious activity, understand their networks better and warn against major vulnerabilities. Since the COVID-19 impact, the focus for HBC is on help to the NHS, Public Health England and devolved administrations. Commercial cyber data combined with the Active Cyber Defence (ACD) Protective DNS service data also became a key source used for intrusion detection and analysis during December’s general election, by preventing public sector bodies from accessing domains known to be malicious.

Across ACD tools over the past year, Web Check, a service that helps find and fix common vulnerabilities in UK public sector websites, has started to scan approximately 8,000 additional domains, bringing the total to nearly 35,000. In this time, around 10,000 urgent issues have been resolved. Mail Check, which assesses email security compliance, has started to scan an additional 3,000 domains, bringing the total to over 8,000. Protective Domain Name Service (PDNS) used to prevent the distribution of malware and viruses, has started to protect an extra 325 organisations, bringing the total to over 760. In addition, 216 billion Domain Name Service (DNS) queries have been handled and 92 million blocks have been made. Takedown Service, removing malicious content so it can’t cause harm, has identified over 8,000 phishing groups infringing UK government brands and nearly 22,000 groups infringing other UK IP space.
In Scotland, there has been an increase in uptake of NCSC’s ACD measures in the 124 eligible public sector bodies. As of May 2020, 73% are using the Protective DNS Service, 68% are using Mail Check, 83% are using Webcheck (or alternative solutions). Tarian, the Regional Organised Cyber Crime Unit in South Wales, received National Cyber Security Programme (NCSP) funding from the Welsh Government to develop an anti-phishing product, which is available free of charge to all organisations and individuals in Wales, along with online cyber resilience training.

Priorities to the end of the Strategy

There are increasing demands to extend the deployment of ACD beyond traditional government sectors and in particular in support of the private sector Critical National Infrastructure (CNI). Through the ACD Broadening project we will aim to build on the success of the ACD programme and look to expand the service to a broader range of sectors to be able to benefit from automated protection. This will make better information available to customer organisations and increase understanding of the challenges faced by each sector and sub-sector, leading to more useful offerings and solutions.
The use of internet-connected products continues to grow, however, poor security practice remains commonplace across parts of the Internet of Things (IoT) sector. These instances threaten to undermine the uptake of connected devices and the benefits that they offer. The importance of this work has been compounded by the increased dependence on consumer smart devices while more people work from home in light of COVID-19.

The government is seeking to protect citizens and the wider economy from harm by ensuring that important security attributes are built into devices. Following the 2019 consultation on regulation, the Minister for Digital and Infrastructure announced that the UK would be introducing legislation on this issue as soon as parliamentary time allowed.

The Department for Digital, Culture, Media and Sport (DCMS) have worked in partnership with NCSC to establish the UK as leaders in protecting its citizens from harm. Since publishing the Code of Practice for Consumer IoT Security in March 2018, an updated Code of Practice was published in October 2018 and translated into seven languages. Since then, we have sought to define an appropriate regulatory approach that is robust, implementable and future-proof, yet not overly burdensome. In May 2019, we held a consultation on regulation, outlining a number of options. In the response to this consultation, there was clear support to mandate important security requirements through legislation. In 2020, DCMS worked to develop a final regulatory proposal, which was open for feedback via a Call for Views until 6 September 2020.
In addition, we have worked with international standards bodies such as ETSI to seek feedback on our approach and to translate the principles from the Code of Practice for Consumer IoT Security into actionable and clear provisions. In June 2020, ETSI published EN 303 645, the first globally applicable standard for consumer IoT security, which helps to further equip industry with guidelines on how to implement good practice. A core tenet of the regulatory approach is to implement transparency between those who make, stock and sell IoT devices. We have also supported UK innovators through a £400,000 grant programme to design assurance and attestation schemes. Alongside NCSC, DCMS have also co-funded a series of webinars and guidance materials that are available online free of charge and in various time zones.

Priorities to the end of the Strategy

Following the closure of the feedback window in September 2020, we will work at pace to introduce legislation as soon as parliamentary time becomes available. We will continue to support the development of assurance and attestation schemes as well as guidance materials and webinars to enable the implementation of good practice sooner. We will continue to feed into the development of international standards, maintaining an open dialogue with other governments and industry.
The Transforming Government Security Programme is leading the development of four Cluster Security Units, bringing together 43 separate departmental security offices, reducing duplication, saving costs and benefiting from economies of scale, as well as being a central point of contact and knowledge for departments. These units offer a range of corporate security services that address key departmental risks, in line with the baseline standards set by the Government Security Group and the latest threat analysis. The programme is now piloting Centres of Excellence. The purpose of these is to provide centralised security consultancy and advice to departments to achieve greater adherence to the minimum standards, improved access to expertise, consistency of service, and a reduction of duplication of effort.

To test the effectiveness of the minimum cyber security standards and active cyber defence measures, the Government Red Team has delivered six GBEST[2] exercises which simulate cyber attacks on government departments, accurately replicating the real threats posed by a full range of adversaries, from low-level hackers and so-called ‘script kiddies’ to serious and organised crime groups, terrorist organisations and hostile nation states.

The Defence Cyber School (DCS) is providing additional courses together with commercial training, to expand its offer to a greater number of cyber professionals in government and the military. The programme includes work with partners across government to deliver a virtual cyber training environment, accessible across the internet.

Beyond central government, we have continued to work in partnership with the Local Government Association to support local councils in England. To date, over 200 councils have received funding to address key issues and vulnerabilities. We have also worked with the NHS Trusts to improve their cyber security, and provide a range of options and resources to protect our NHS from cyber threats at a time of critical importance.

[2] Government-led scheme to deliver controlled, bespoke, intelligence-led cyber security tests that replicate behaviours of threat actors posing a genuine threat to systemically important institutions.
Across the whole of the UK we continue to drive the security standards of government networks. In Wales a Cyber Resilience and Security Concordat in partnership with Welsh Local Government Association has been agreed and includes a series of key cyber actions to be taken by the 22 local authorities in Wales and the three fire and rescue authorities. Significant take-up of Cyber Essentials as a result of the Scottish Government’s programme of grant funding has meant that as of May 2020, 86% of public sector bodies have achieved Cyber Essentials or Cyber Essentials Plus.

Priorities to the end of the Strategy

We have seen some positive progress against the Minimum Cyber Security Standards across Government. The Government Security Group in the Cabinet Office is now working with departments, including NCSC and Government Digital Service, to understand where any changes need to be made to these standards. This review is already underway and is intended to be an annual activity with updated standards published accordingly. Over time, the measures will be incremented to continually ‘raise the bar’ to keep pace with a changing threat and ensure appropriate management of risk.
Over the past year, the NCSC has complemented its world-class set of advice and guidance with a range of targeted guidance pieces – for SMEs through to the largest of companies – to help with a range of cyber risk management issues, from governance through to incident response. These have included the Cyber Insurance Guidance; the Small Business Guide: Response and Recovery; Exercise in a Box to help organisations determine how resilient they are to cyber attacks and practise their response in a safe environment; and the Board Toolkit, providing resources to encourage essential cyber security discussions between the Board and their organisation.

In Spring 2020, the government launched a new phase of the Cyber Aware campaign to help the public and small businesses stay secure online during the COVID-19 pandemic. With people spending more time living and working online, the campaign, led by the NCSC in partnership with DCMS and the Home Office, promoted six top tips to stay secure and guard against increased threats and scams related to COVID-19.

In June 2019, we started work on a new Cyber Security Incentives and Regulation Review, to capture views of the impact of General Data Protection Regulation (GDPR) and Network and Information Systems (NIS) Regulation to ensure advice and guidance is having a tangible impact on cyber security practices. The work to improve cyber resilience has been centred on four policy objectives:

(1) ensuring the foundations are in place, so that organisations understand what ‘good’ looks like;

(2) ensuring appropriate skills exist to implement this guidance (see SO9);

(3) creating better market incentives for investing in cyber risk management; and

(4) improving accountability and responsibility across organisations.
This work goes a long way to providing organisations with the foundations to establish effective cyber risk management practices. However, alongside a comprehensive Call for Evidence, further analysis sought to identify where we need to go further to ensure action. This resulted in renewed focus on market incentives and levers needed to improve governance and responsibility to complement the voluntary advice, guidance and support approach that NCSC has taken to date.

Priorities to the end of the Strategy

As part of our ongoing work on improving the resilience of organisations to cyber attack, we will seek to consult in early 2021 on further regulatory interventions needed to improve critical issues such as regulation of cyber governance and supply chain risk management.
Over the past year we have led and coordinated initiatives to evolve and strengthen CNI organisations’ approaches to cyber security. This has meant working across all levels of government, with regulators, and with public and private sector CNI organisations. We have sought to build our collective understanding of the challenges that we face and develop capabilities to mitigate the threats effectively. While the government can create the incentives, regulations and frameworks to drive positive behaviours and support CNI organisations, ultimately the leaders of these organisations are responsible for investing the right resources to manage the risks to critical systems properly.

Progress in improving the regulatory frameworks for cyber security has continued and a Cyber Security Regulators Forum has been established. We have continued to implement the Network and Information Systems (NIS) Regulations. The Post-Implementation Review published in May 2020 showed early promise that the NIS Regulations were driving change: 60% of Operators of Essential Services (OES) identify the Regulations as responsible for increasing the prioritisation of security at a senior management level within their organisation. The majority of OESs report that they have introduced new security policies or processes (79%) or updated or strengthened existing policies or processes (69%). Of those organisations that answered that they had not made any changes to their governance policies or processes as a result of the NIS Regulations, the main reason was that appropriate measures were already in place.

The Post-Implementation Review also highlighted a number of refinements to the effectiveness of the Regulations which the government will bring forward for consultation.

To assist CNI organisations in accessing the trusted services and products they require to protect themselves, NCSC have launched a CNI Hub on their website – a one-stop-shop where owners and operators can connect with accredited suppliers.
Space is a diverse sector that provides key services such as position, navigation
and timing, Earth observation and communications services. The UK Space Agency
(UKSA) is working to develop a space sector that is resilient to disruptive challenges.
This includes working to assess and assure the resilience of critical systems.
September 2019 saw the publication of a new version of the CAF specifically designed to
meet a wider range of regulatory requirements. In particular, the latest version better supports
regulation of the cyber aspects of safety, which is an increasingly important part of the cyber
regulatory landscape. Computerised safety systems could potentially be adversely affected
by a cyber incident – either as a side effect of a compromise not intended by the perpetrators
to affect safety, or as a result of a highly targeted cyber attack specifically aimed at reducing
the effectiveness of safety mechanisms. This is not just a theoretical possibility – there
has been at least one well-documented example of a cyber incident where safety systems
were targeted (see the NCSC advisory ‘TRITON Malware Targeting Safety Controllers’).

More recently, technical work by NCSC has expanded regulators’ ability to use the CAF to set
a range of target levels of cyber security in their sectors. These targets are aligned to levels of
risk, based on examples of sector scenarios derived from real-life cyber incidents. The Civil
Aviation Authority has become the first regulator to make use of this new capability with the
publication of their tiered CAF-based approach to cyber regulation in the aviation sector.
The government has continued to fund a range of
initiatives that are developing the cyber security
sector and stimulating innovation. These include
world-class innovation centres in Cheltenham and
London, bootcamps and tailored programmes
for cyber start-ups across the lifecycle, from
entrepreneurs with ideas through to scale-ups.
These focus on many aspects of business growth
including business skills, commercial resilience,
investment and product development. This
sector has seen remarkable growth between
the end of 2017 and end of 2019, with company
numbers increasing by 44%, jobs increasing by
37% and revenue increasing by 46%. The sector
has received £1.1 billion investment since the
start of NCSP, with 2019 being a record year
with £348 million investment. We estimate that
between 2015 and 2019 the number of cyber
security companies in Scotland has also grown
significantly - increasing from 50 to about 200.

The UK Cyber Security Sector Analysis Report³
highlights that government initiatives have
collectively supported more than 200 businesses
in the first three years of NCSP. Survey results
from this analysis show that companies
involved in NCSP growth and innovation
initiatives have increased their revenue over
two years by twice the sector average.

The strategy has created a clearer route
to convert academic ideas into successful
commercial products, through our Academic
Start-up Accelerator Programme (CyberASAP)
and UKRI’s Digital Security by Design
Challenge (DSbD). During this period regional
cyber clusters have grown and developed
across the UK and support local ecosystems,
for example promoting regional events and
investor days, in collaboration with the Cyber
1010 programme to provide opportunities
across the UK. Our funding and delivery of
a number of accelerator programmes have
supported businesses, with LORCA cohorts
raising over £160 million in investment and
winning more than 600 contracts since June
2018. Our innovation centres in Cheltenham
and London, as well as the Tech Nation Scale-up
Programme, have fostered an increase in
the number of UK companies able to grow
their business to a critical mass and compete
internationally. Our export strategy, supported
by the Cyber Ambassador and representatives,
as well as external investment into talented UK
companies, has been a key driver of growth.

³ [Link] Sectoral_Analysis__2020__Report.pdf
The Digital Security by Design (DSbD) challenge is a wave 3 programme from the Industrial
Strategy Challenge Fund (run by UK Research and Innovation) bringing £70m of government
funding matched by £117m of industry co-investment, including from Microsoft and Google.
DSbD will radically update the foundation of the insecure digital computing infrastructure by
creating a new, more secure hardware and software ecosystem. Built on security capabilities
defined by UK research, the DSbD technologies developed through this programme will range
from a new and secure hardware prototype (Morello board), to enabling software, to secure
products and services. Together these will demonstrate how hardware can block cyber attacks
and even protect software from new vulnerabilities appearing online. This will help to ensure that
every UK organisation and consumer online is as secure and resilient to cyber threats as possible.
The government has been working to ensure the
UK has the right level and blend of cyber security
capability across the whole of the economy.
We have seen notable progress in the last four
years. The cyber security sector workforce
has grown to 43,000, an increase from 31,000
in 2017. We have engaged extensively
with industry, professional organisations,
students, employers, existing cyber security
professionals and academia to better
understand the nature of the cyber security
skills challenge to ensure that the UK has the
cyber security capability it needs to maintain
its resilience to increasing cyber threats.

At the start of the COVID-19 pandemic in March
2020, we adapted our programmes to respond
to the challenges of young people studying at
home, to ensure we could continue to deliver
key programmes. This included the new Virtual
Cyber School (part of Cyber Discovery), which
provides a free online platform for up to 20,000
students aged 13 to 18. By the summer, over
12,000 students had signed up to the Virtual
Cyber School. In addition, the next academic
year of the Cyber Discovery programme
was brought forward three months from
September 2020 to launch in June 2020 to
further respond to the challenges of students’
access to skills during COVID-19. As of
mid-August, 13,000 students had registered.

We have made a wide range of extracurricular
initiatives available to inspire young people
to pursue a career in cyber security. In
2019/20, we involved close to 57,000 young
people in our CyberFirst and Cyber Discovery
learning programmes. Our courses were
extended to reach younger students with the
CyberFirst Trailblazers course introduced for
11 to 12 year-olds and Cyber Discovery is
now available for 13 year-olds. The CyberFirst
Girls’ Competition online round attracted
11,900 girls, with the top teams competing
in a new semi-finals format, which took place
simultaneously at 18 venues across the UK.

CyberFirst also hit the 100th industry sign-up
target, meaning it now has a portfolio of over
130 industry and government members of
the CyberFirst community. A new initiative,
CyberFirst Schools, was launched in
January 2020 recognising schools that are
exemplars in cyber security education.
The London Science Museum hosted the ‘From Ciphers to Cyber Security’ exhibition from July
2019 to February 2020, with DCMS as the principal funder. The exhibition uncovered the world
of codebreaking, ciphers and secret communications and was an opportunity to encourage
the next generation of cyber security professionals. Free to visitors, the exhibition saw over
200,000 attend against a target of 172,000. Female visitors made up 46% and 54% were male,
with 35% of visitors under 16 years old. The exhibition will open in Manchester in spring 2021.
Promoting world-class research and the
UK’s research capability is a key part of
ensuring better cyber security now and into
the future. Research Institutes and the Alan
Turing Institute are long-standing initiatives
that have transformed the way in which higher
education research institutes cooperate
on cyber security research, providing
significant positive impact for the UK.

In January 2020, the NCSC and DCMS launched
a call for universities wishing to be recognised
as an Academic Centre of Excellence in Cyber
Security Education (ACE-CSE), building on
the 19 UK universities already recognised
as ACE-CSRs for their research. Eligible
higher education institutions (those already
offering an NCSC-certified degree) are able
to apply for ACE-CSE recognition based on
their recognised cyber security teaching,
combined with strategic institutional support,
engagement and outreach activities. ACE-CSE
recognition will be awarded in December 2020.

Our PhD sponsorship programme allows
students to pursue a doctorate of interest to
NCSC while being mentored by NCSC deep
technical experts. This programme supports
training for the next generation of researchers
and thought leaders in cyber security, with
over 100 students now undertaking or
completing advanced cyber security research
training, in addition to the 73 students who
began their studies prior to the NCSS period.
This combination is successfully delivering
both high quality research outputs, and
expertise in both academia and industry.

We have also focused on future planning through
our horizon scanning pilot, which highlighted
the importance of policy professionals taking a
long-term approach to emerging technologies.
Our research must also be applied, and we
are working with industry partners in order to
incentivise experimentation, innovation and
structures and expertise in knowledge transfer.
Earlier this year, via NCSP funding, NCSC
established a research presence in Manchester,
combining the NCSC’s desire to do more
work on protecting the CNI with building a
more diverse workforce and making best use
of the different talent pools across the UK.
Manchester has one of the fastest growing
digital, creative and innovation communities
in Europe. Establishing a presence there will
help NCSC influence and shape the future
of cyber security. The Manchester Hub will
support the NCSC’s CNI work, focusing on
Energy, Transport, Finance and Smart cities.

Priorities to the end of the Strategy

Our priority over the remaining period is to
provide continued support to the Engineering
and Physical Sciences Research Council
(EPSRC) and the Economic and Social Research
Council (ESRC) through the Digital Secure by
Design challenge programme. NCSP funding
will allow the programme to deliver the initial
stages of seven transformative research projects
which will bolster our understanding of critical
issues including secure hardware systems.
The UK now has a mature cyber deterrence
toolkit, which is maintaining an unprecedented
rhythm of internationally coordinated actions
to confront malicious cyber activity. We have
publicly attributed reckless cyber attacks from
Russia during 2019/20, supported by a growing
coalition, building on previous attributions of
malicious cyber activity to China, Iran and the
DPRK. We are playing a leading role in the EU’s
cyber sanctions regime and its listings. The UK
has continued to work with the international
community to deter harmful cyber activity using
transparent and unambiguous communications,
most notably delivering the NATO Cyber Pledge
Conference in London in December 2019.

This year our cyber diplomacy has continued
to strengthen with UK delegations active at
all major international events, such as the
Singapore International Cyber Week, Israel
Cyber Week, and the inaugural Cybersecurity
Forum in Riyadh. During the year we have also
held bilateral cyber dialogues with countries
including Germany, France, Japan and South
Korea, and mini-lateral dialogues with
Nordic-Baltic and Central European countries.

The UK and partners have worked together in
key international organisations. In the UN this
has included coordinated activity in the
Open-Ended Working Group (OEWG) and Group of
Governmental Experts (GGE) processes (see
case study below), the UN High Level Panel
on Digital Cooperation, and the International
Telecommunication Union. To help other UN
members, the UK led four regional workshops
on laws and norms in cyberspace that took
place in Addis Ababa, Jakarta, Kuala Lumpur
and Hanoi, and co-funded a wider programme
of national workshops in the ASEAN region
with Australia. These workshops encouraged
African Union and ASEAN member states
to participate in international consultation
and working group mechanisms, moving
both regions towards further adoption and
meaningful implementation of the UNGGE 2015
report’s recommendations by operationalising
norms, improving confidence-building
measures, and developing cyber capacity.
We have continued to support our international
partners with a range of capacity-building
programmes. At its conclusion this year, the
UK’s Commonwealth Cyber Programme,
under the Conflict, Stability and Security
Fund, had delivered 96 events in 31 countries
and trained over 1,500 people since October
2018. Every Commonwealth country
benefited from the programme during the
UK’s term as Chair of the Commonwealth.
The UK also remains a consortium partner
in the EU Cyber Resilience for Development
programme. Our projects have also supported
our ability to shape the debate on cyber and
technology security and deter threat actors.

Priorities to the end of the Strategy

The UK will use its global leadership role to
support other countries building resilience in
response to and recovery from major crises,
such as COVID-19. Projects are already
underway to protect the public and businesses
in vulnerable low and middle-income countries
from COVID-19 themed cyber attacks.
We will continue to engage bilaterally and
multilaterally, being at the forefront of efforts
to deter hostile state behaviour in cyberspace,
and in the twin-track UN cyber negotiations,
as well as supporting the UN’s Roadmap for
Digital Cooperation through the provision of
funds to strengthen the Internet Governance
Forum. Our capacity building programmes
will continue to expand in reach and scope,
through implementation of the Commonwealth
Cyber Declaration, full implementation
of the cyber pillar of the Prosperity Fund
Digital Access Programme and scoping
future projects in key areas such as critical
national and international infrastructure.
The UK and its partners helped to ensure substantive and influential multi-
stakeholder attendance at the UN Cyber Open-Ended Working Group (OEWG).
The UK, Australia, Canada, New Zealand and the Netherlands collaborated over the
course of 2019/20 to bring together a cohort of 35 female diplomats from Commonwealth
states in Africa who would not otherwise have had the opportunity to participate.
We supported their attendance at the OEWG and provided training on cyber security.
Women participating in this fellowship⁴ programme came from a global mix of
states with recognised lower capacity to fully engage with the negotiations.
The fellowship included UN negotiations training for, and attendance at, the OEWG discussions
which took place in New York in February 2020. These meetings reinforced international law
in cyberspace and promoted cyber security capacity and confidence building measures.

⁴ A Fellowship in the UN system is a specially tailored or selected training activity for the purpose of fulfilling special
learning objectives.
Our priority since launching the Strategy in 2016
has been to transform the way that government
organises itself, to be more efficient and effective
in responding to the evolving challenges and
opportunities of cyber security and to further
integrate threat and vulnerability assessments
to improve our ability to target our efforts under
the National Strategy for greatest effect.

Previous reviews from the Joint Committee
on the National Security Strategy, the Public
Accounts Committee and the National Audit
Office have recognised the complex and
evolving cyber security threat facing the UK
and the progress made over the course of the
2016-2021 National Cyber Security Strategy.
This includes consolidating our position as
a world-leading authority on cyber security,
launching the National Cyber Security Centre
and strengthening international partnerships to
call out malign state activity in cyberspace.
While recognising achievements, the reports
also recognised that there was still work to
do to ensure we maintain our momentum
over the remainder of the strategy.

Over the last year we have continued to
enhance our ability to deliver an effective
response across the whole of government. As
previous sections of this report have detailed,
by integrating our law enforcement response,
improving cyber security standards across
government and delivering communications
campaigns and incident management
support during the COVID-19 pandemic.

Priorities to the end of the Strategy

Ensuring the coherence and effectiveness of
our response on cyber security is a key priority.
In anticipation of the current strategy coming to
an end in 2021 we have been working across
government, with law enforcement, industry and
academia to build a comprehensive picture of
the cyber security context, the achievements of
the UK strategy to date and the gaps that remain
and shaping our ambition for the next period.
This will form part of the government’s
approach in the Integrated Review of
Security, Defence, Development and
Foreign Policy (The Integrated Review).
As this report has shown, the government
continues to drive commitment across
industry, the wider economy and society, law
enforcement and internationally to deliver
our national priorities for cyber security.

Our focus is on maintaining and enhancing
this over the remaining period of the current
National Cyber Security Strategy and
Programme – we have made substantial
achievements, but there is more to do.

We also need to plan for the future. This
report has highlighted growing risks, some
accelerated by the COVID-19 pandemic,
and longer-term trends that will shape the
environment over the next decade:

• Ever greater reliance on digital networks
and systems as daily life moves online,
bringing huge benefits but also creating new
systemic and individual risks.

• Rapid technological change and greater
global competition, challenging our ability to
shape the technologies that will underpin our
future security and prosperity.

• A wider range of adversaries as criminals
gain easier access to commoditised attack
capabilities and cyber techniques form a
growing part of states’ toolsets.

• Competing visions for the future of the
internet and the risk of fragmentation,
making consensus on norms and ethics in
cyberspace harder to achieve.

In February 2020 the Prime Minister announced
the Integrated Review of Security, Defence,
Development and Foreign Policy. This will
define the government’s ambition for the UK’s
role in the world and the long-term strategic
aims of our national security and foreign
policy. It will set out the way in which the UK
will be a problem-solving and burden-sharing
nation, and a strong direction for recovery
from COVID-19, at home and overseas.

This will help to shape our national approach and
priorities on cyber security beyond 2021. Cyber
security is a key element of our international,
defence and security posture, as well as a
driving force for our economic prosperity.
The achievements of the last four years mean
we start from a position of strength. Cyber
security is an area where the UK can genuinely
claim to be world-leading. But a changing
global context will require a renewed response.
The UK will need to strengthen our cyber
resilience to drive economic recovery, get
ahead of changing technologies, and enhance
our international cooperation and engagement
to work towards a more stable cyberspace.

We will not achieve this unless we continue to
work ever more effectively with partners in the
UK and abroad – the devolved administrations,
businesses, universities, local authorities, civil
society, international allies and individual citizens
– wherever they share our vision of the benefits
that cyberspace can bring. The government will
continue to consult and engage with our partners
as we develop our approach for the future.