The UK’s Ministry of Defence (MoD) has announced its ambition to become resilient to all known cyber security vulnerabilities and cyber attack methods by no later than 2030.
It will also aim to have the department’s critical functions “significantly hardened” to cyber attacks by 2026 in a broad plan underpinned by a brand-new, MoD-specific ‘secure by design program’.
The principle of Secure by Design (SBD) will run throughout the MoD and apply to every one of its capabilities so that they can harness emerging technologies like automation and quantum computing, the government report read.
The MoD’s SBD programme will apply to the hardware and products the department procures and will bleed into its staff’s ways of working too.
All of the department’s capabilities, which include all tools, platforms and devices that are potentially vulnerable to cyber attacks, will be scrutinised and have the SBD thinking applied to them to maximise security.
Secure by design will also be applied to the MoD’s digital enterprise - a term it uses to describe the “digital backbone” on which all its capabilities depend - ensuring things like networks, applications, and data are all safeguarded.
“MOD has a key role to play in the UK being a responsible cyber power,” said Christine Maxwell, director of cyber defence and risk at the MoD. “This means it has never been more important to focus and reset defensive cyber.
“This strategy is central to actively tackling threats to cyber security, securing the Digital Backbone, and underpinning Defence’s ability to operate freely in cyberspace. We all have a role to play to build a cyber-resilient Defence.”
Before the MoD can work on embedding SBD throughout the organisation, it said there are several obstacles it needs to overcome, such as the culture of the department needing to become more focused and conscious of cyber security.
It also needs to address the mounting technological debt across the MoD and “accelerate the elimination of obsolete technologies from the digital environment”.
Public sector organisations are notoriously behind when it comes to refreshing technology and this approach has been blamed for cyber incidents in the past, such as the NHS’ failure to patch systems that led to WannaCry’s success.
The concept of cyber resilience is one the UK’s National Cyber Security Centre (NCSC) has been touting for some time and was one of the main watchwords at the most recent CYBERUK conference.
“If you really focus on the basics, and you focus on the resilience side, and you build your defences, and you focus more on yourself and less than your adversary, actually, that plays much to your favour, when perhaps you find yourself faced with that conflict. I think, very much, resilience is the line that we would draw from this,” said Paul Chichester, director of operations at the NCSC.
The NCSC has influenced a wider push for cyber resilience across all areas of the UK’s public sector in recent months.
An overhaul of the public sector IT strategy was announced in March this year, and the new security rules that will soon be applied to managed service providers (MSPs) after the government pushed for greater supply chain security, are just some of the moves the government has made to lock down its cyber posture.
The US has also been quick to implement new rules at the federal level to ensure its public sector departments are also protected against cyber attacks.
The cyber security and infrastructure security agency (CISA) mandated that all federal government departments needed to have a hundreds-long list of the most commonly exploited vulnerabilities patched by 22 May.
“We must shape the secure Digital Backbone as the game-changing transformation that will reset cyber defence,” said Laurence Lee, second permanent under secretary at the MoD.
“We will build resilience into our critical capabilities and systems, and make new capabilities Secure by Design. Our relationship with industry will fundamentally shift to work ever closer in delivering wider defence and security. Our people will become increasingly cyber aware to become sensors of the abnormal and informed decision-makers.”
