The cyber landscape is changing and constantly presenting new threats. Last year alone, it was reported that 81% of large organisations in the UK had suffered a cyber security breach, not to mention the cost, inconvenience and reputational damage these incidents can cause. Cyber risk in the UK Ministry of Defence (MoD) isn’t just costly in monetary terms; it’s a risk to our national security and something we take extremely seriously.
Why now is the time for change
Last year, in our Cyber Resilience Strategy for Defence, we set out the compelling case for a renewed and sustained focus on building cyber resilience across Defence. This means making sure that our capabilities are inherently protected from the outset and throughout their lifecycle, and are built to be resilient against cyber-attacks with pre-planned recovery measures in place. This is a priority for UK Defence.
Consequently, progressing this has been a delivery priority for us this past year. We are, of course, coupling that with work to manage our cyber risk exposure in the here and now, but it is also imperative that we take the longer-term view here, designing in as much resilience as we can for our future capabilities.
As such, we are about to launch Secure by Design, which, from July 2023, will be a key component of how cyber security is managed within the MoD. Secure by Design is a modern approach whereby SROs, capability owners and delivery teams are accountable and responsible for delivering systems that are cyber-secure.
How it works
With the increasing cyber threat that exists in the world, the new approach is essential. Teams must own the cyber security risk of their capabilities from concept to disposal and manage it effectively through the lifecycle of the capability.
Secure by Design improves security and greatly enhances the visibility of any risk areas. It will support the delivery of more secure systems through simplified processes, greater use of open standards, better guidance, more flexibility and empowered decision-making. Furthermore, it helps remove the perception of cyber security as a blocker or impediment to progress by enabling project teams to take ownership and accountability of risk and have more flexibility to manage the risk to their programme.
A Secure by Design project team has been piloting the new ways of working with 40 programmes over the last year. The team has produced policy, process, guidance and tooling to support projects on their journey. This includes a self-assessment tool that will enable projects to assess their own maturity against security policy and technical guidance. The tool is intended to help projects understand what they need to consider when delivering a capability and to help track progress through delivery.
While the cyber responsibility and accountability will sit with the project teams, they will have access to all the support they need to effectively implement Secure by Design through a dedicated information portal, a range of tools and a helpdesk facility.
Changes for industry
Secure by Design also means changes for our industry partners. We often work with industry as a partner in our MoD change programmes. Consequently, we need to make sure that our industry partners follow our Secure by Design principles when delivering on our behalf or partnering with us in delivery. The way we manage the cyber resilience of these programmes will now go through Secure by Design, and the continued support and expertise of our industry partners will remain vital as we implement this change. It will also enable us to take advantage of new and emerging technology, keeping us ahead of the curve without increasing our cyber risk.
Benefits for all
The Senior Responsible Officers (SROs) leading programmes that embrace Secure by Design can have confidence that the cyber security within their programmes is being managed effectively, and it allows Project Leads to monitor progress throughout and communicate effectively. Security Leads can easily identify the programme's areas of strength and weakness, enabling them to identify and inform the required planning activities. It will also reduce the workload and pressure on internal assurance teams, allowing them to focus on the most challenging programmes in Defence, whilst also enabling a spot-check regime to be implemented to check that compliance and quality are maintained throughout Defence.
Setting the bar
With the increasing cyber threats that exist, our cyber security processes must be able to adapt accordingly, ensuring we are always ahead of our adversaries. Safety isn’t treated as an add-on or an optional extra that can be traded out, and cyber security needs to be treated the same way. The data captured through Secure by Design will allow the MoD to create a better view of cyber risk and enable us to understand our overall position on an ongoing basis.
Secure by Design will be a big step forward in ensuring that the systems used to deliver Defence outputs are secure and resilient to cyber-attack, and its launch is an important and significant milestone for the MoD.