Heightened Alert from NCSC
In April 2023, the UK's National Cyber Security Centre (NCSC) issued an alert warning of a heightened threat to the country's Critical National Infrastructure from state-aligned actors. It coincided with a speech by Cabinet Office Minister Oliver Dowden at the CyberUK conference in Belfast, in which he described a new category of threat to the UK's cyber defences, "the cyber equivalent of the Wagner group": ideologically motivated, Russia-aligned groups that are not under formal state control. Having initially concentrated their disruptive activity on Ukraine and its neighbours, these groups have begun to target the UK and its allies.
Public Sector Vulnerabilities
The UK public sector has long been a target for a wide range of cyber threats and remains particularly exposed. NCSC figures for September 2020 to August 2021 show that 40% of the incidents it handled involved the public sector, and freedom of information requests have revealed that local authorities are subjected to as many as 10,000 attempted cyber attacks a day.
The Menace of Supply Chain Attacks
A large share of these attacks go after the weakest part of an organisation's security boundary, which is frequently its supply chain. SolarWinds in 2020, Log4j (Log4Shell) in 2021 and MOVEit Transfer in 2023 show the reach such attacks have: a single compromised vendor build, a vulnerable open source library embedded in thousands of products, or a zero-day in one widely deployed file transfer product exposed every downstream customer at once. The UK public sector, the NHS included, has suffered serious disruption from breaches at supplier level, which underlines the need for robust supply chain security.
Strategic Government Response to Cyber Threats
In response, the UK Government has taken a leadership role through its National Cyber Strategy 2022 and the Government Cyber Security Strategy 2022-2030, the latter aimed specifically at the resilience of the public sector. They call for:
- A deeper understanding of supplier networks and their interdependencies.
- A centralized approach to mapping and managing critical and common suppliers to identify and address aggregate risks.
- Enhanced visibility to derive accurate risk assessments.
- The adoption of shared tools and services to address common cybersecurity issues effectively.
Moreover, the strategy’s “Defend-as-One” pillar aims to consolidate the public sector’s defensive capabilities by promoting the sharing of cybersecurity data and expertise across various organizations.
The Broken State of Third-Party Risk Management
Despite these efforts, the traditional approach to third-party risk in supply chains remains inefficient. It relies on manual, time-consuming questionnaires and assessments that capture only a point-in-time snapshot of a supplier's security posture; every customer repeats the same work for the same supplier; and the results give little visibility beyond the first tier, so continuous monitoring of the extended supply chain is close to impossible.
A New Vision: Social Network Approach to Supply Chain Cyber Security
To overcome these limitations, this article proposes a model that works like a social network for supply chain security. Much as on LinkedIn, each public sector organisation and each of its suppliers would maintain a profile on a shared platform describing its business operations, security controls and other risk areas, and would link to the organisations it supplies and depends on. Because those links form a single graph, the platform gives a comprehensive view of the ecosystem, including suppliers shared by many bodies and suppliers several tiers down, and lets the sector "Defend-as-One" in practice.
In such a network an attack on one member is visible to all: a warning and the remediation status reach every organisation that shares the affected supplier, not only the one that detected the incident. This raises the resilience of each organisation and strengthens the sector's collective defence.
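The following is an added illustration, not code from the original article or from any platform it describes, of what the shared supplier graph makes possible that isolated point-in-time assessments do not: reverse reachability to find every public body exposed if one supplier is compromised (including second-tier suppliers no single customer assesses directly), a ranking of common suppliers by aggregate exposure, and a check for assessments that have gone stale. All organisation names, dependencies and assessment dates are constructed sample data.

```python
"""Supplier-dependency mapping across a shared public-sector estate (added example)."""
from collections import defaultdict
from datetime import date

# Constructed sample: (dependent organisation, supplier it relies on).
# Public bodies are prefixed "PB-", suppliers "S-". Suppliers may themselves
# depend on other suppliers, which is what exposes nth-tier concentration risk.
DEPENDENCIES = [
    ("PB-Council-A", "S-Payroll"),
    ("PB-Council-B", "S-Payroll"),
    ("PB-Council-B", "S-CaseMgmt"),
    ("PB-Trust-C", "S-CaseMgmt"),
    ("PB-Trust-C", "S-FileXfer"),
    ("S-Payroll", "S-CloudHost"),
    ("S-CaseMgmt", "S-CloudHost"),
    ("S-CaseMgmt", "S-LoggingLib"),
    ("S-FileXfer", "S-LoggingLib"),
]

# Constructed sample: date of the last completed assurance assessment per supplier.
LAST_ASSESSED = {
    "S-Payroll": date(2024, 1, 15),
    "S-CaseMgmt": date(2023, 3, 2),
    "S-FileXfer": date(2024, 5, 20),
    "S-CloudHost": date(2022, 11, 9),
    "S-LoggingLib": date(2024, 2, 1),
}


def build_graph(edges):
    """Forward map (who depends on what) and reverse map (who is affected by what)."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for dependent, supplier in edges:
        forward[dependent].add(supplier)
        reverse[supplier].add(dependent)
    return forward, reverse


def exposed_organisations(reverse, supplier):
    """All nodes upstream of `supplier`: the blast radius if that supplier is compromised."""
    seen, stack = set(), [supplier]
    while stack:
        node = stack.pop()
        for dependent in reverse.get(node, ()):
            if dependent not in seen:
                seen.add(dependent)
                stack.append(dependent)
    return seen


def public_bodies_exposed(reverse, supplier, prefix="PB-"):
    """Only the public bodies in the blast radius (intermediate suppliers filtered out)."""
    return {n for n in exposed_organisations(reverse, supplier) if n.startswith(prefix)}


def aggregate_risk_ranking(reverse, prefix="PB-"):
    """Rank suppliers by how many public bodies they would take down: the common-supplier view."""
    ranking = {s: len(public_bodies_exposed(reverse, s, prefix)) for s in reverse}
    return sorted(ranking.items(), key=lambda kv: (-kv[1], kv[0]))


def stale_assessments(last_assessed, today, max_age_days=365):
    """Suppliers whose last point-in-time assessment is older than the tolerance."""
    return sorted(s for s, d in last_assessed.items() if (today - d).days > max_age_days)


if __name__ == "__main__":
    _, reverse = build_graph(DEPENDENCIES)
    for supplier, count in aggregate_risk_ranking(reverse):
        print(f"{supplier}: {count} public bodies exposed, "
              f"{sorted(public_bodies_exposed(reverse, supplier))}")
    print("stale:", stale_assessments(LAST_ASSESSED, date(2024, 6, 1)))
```

In the sample data no public body contracts with S-CloudHost directly, so a first-tier questionnaire programme never assesses it, yet it is the supplier whose compromise reaches the most public bodies, and it also holds the oldest assessment. That combination of hidden concentration and stale assurance is the aggregate risk the strategy's centralised supplier mapping is meant to surface.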
Conclusion
As the UK’s public sector navigates these challenging cyber landscapes, the move towards a more collaborative, network-based approach to supply chain security offers a promising path forward. Entities such as NHS Test & Trace and various UK water companies have already begun to adopt this innovative approach, setting a precedent for others to follow. This new paradigm underscores the power of unity and collective action in the face of evolving cyber threats, heralding a new era of cybersecurity resilience. For more insights or to join this transformative initiative, engaging with entities already benefiting from this strategy is highly recommended.