£37 million earmarked for councils in UK cybersecurity strategy

The UK government has launched its first cybersecurity strategy aimed specifically at protecting the public sector.

It includes £37.8 million (US$51 million) to help local authorities boost their cyber-resilience.

The government said that of the 777 incidents managed by the National Cyber Security Centre between September 2020 and August 2021, around 40 percent were aimed at the public sector.

In 2020, both Redcar & Cleveland and Hackney councils were hit by ransomware attacks, costing millions and impacting services including council tax, benefits and housing waiting lists. Gloucester City Council was hit by a fresh cyber-attack in December 2021, following a previous one in 2014.

Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office Steve Barclay said: “We cannot dismiss these events as one-offs. This is a growing trend – one whose pace shows no sign of slowing.”

Two pillars

The Government Cyber Security Strategy is based around two pillars. The first is building organisational cyber-resilience, which means public sector organisations having the right structures, mechanisms, tools and support in place to ensure that they can manage their cybersecurity risks. The second pillar is “defend as one”, focused on sharing data, expertise, and capabilities for a more joined-up cybersecurity approach.

The £37.8 million of additional funding will be invested through an expanded Department for Levelling Up, Housing and Communities Cyber and Digital programme to help tackle cybersecurity challenges facing councils and invest in local authority cyber-resilience, the Cabinet Office said. Further details will be made available in due course.

Under the strategy, a new Government Cyber Coordination Centre (GCCC) will be established. Situated at the Cabinet Office and based on private sector models such as the Financial Sector Cyber Collaboration Centre, the GCCC will work to rapidly identify, investigate and coordinate the government’s response to attacks on public sector systems, and to ensure that data is shared.

A new cross-government vulnerability reporting service will allow security researchers and members of the public to flag issues with public sector digital services.

The government is also planning a project “to reduce government risk through culture change, in partnership with small businesses and academia.”

Supply chains

A further focus will be more work to understand the growing risk from the supply chains of commercially provided products in government systems, ensuring security is a key part of procurement and working with industry on cyber vulnerabilities.

Barclay commented: “Our public services are precious and without them individuals can’t access the support that they rely on.

“If we want people to continue to access their pensions online, social care support from local government or health services, we need to step up our cyber defences.”

The government-focused cybersecurity plan follows the recent publication of the National Cyber Security Strategy, which called for more diversity in the cybersecurity workforce, expanding cyber capabilities and prioritising cybersecurity in businesses and digital supply chains. The government pledged to invest £2.6 billion in cyber and legacy IT over the next three years.