
What to know about the UK Cyber Action Plan

What is the Cyber Action Plan and how will it impact UK organisations?

At the start of January, the government introduced a refresh to its Cyber Security Strategy to form the Government Cyber Action Plan (GCAP). Published alongside the second reading of the Cyber Security and Resilience Bill in Parliament, the GCAP sets out how government will rise to meet a growing range of online threats.

The £210 million plan outlines roles and relationships between organisations working with the public sector, including clear milestones, strengthened governance and centralised support. It will be driven by a new Government Cyber Unit aiming to boost cyber defences and digital resilience across government departments and the wider public sector.

So, what is the Cyber Action Plan and how will it impact UK organisations?

Trustworthy And Resilient

The Cyber Action Plan was originally put in place to ensure government organisations were resilient to cyber vulnerabilities and attacks by 2030. It is now being revamped because government monitoring showed that progress in implementing it was “too slow,” and more radical action was needed to meet the 2030 target, Kristina Holt, managing associate at Foot Anstey, tells SC Media UK.

The initiative is designed to improve security across the public sector by sharing information and best practices on how to manage risks. This is something that does take place organically through peer-to-peer networks. However, “putting cash behind investment to facilitate data sharing” will make the process “easier and more effective,” according to Ivan Milenkovic, vice president risk technology EMEA at Qualys.

The plan also puts strong emphasis on accountability and capability. “It calls for clear ownership of cyber risk at leadership level, better central support for departments, shared services to reduce duplication, and coordinated approaches to incident response and recovery,” Simon Pamplin, CTO of Certes explains.

Organisations Covered 

The plan applies broadly across central government departments, arm’s-length bodies and public sector organisations, as well as the suppliers that support them. This includes both ministerial and non-ministerial departments, executive agencies, non-departmental public bodies and organisations such as the Met Office and DVLA.

It also extends to organisations delivering services at a local or regional level, such as NHS trusts and local authorities. It’s important to note that suppliers “are explicitly in scope,” says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University. This includes strategic suppliers, due to their scale or criticality, and all other suppliers delivering services to government, he says.

While the plan is focused on government, it also has important implications for organisations across the public sector ecosystem. “As the engine of modern organisations, supply chains are complex and layered, creating multiple penetration points for cyber criminals to breach different systems and organisations, with a risk that multiplies with every layer,” according to Chris Anley, chief scientist at NCC Group.

With this in mind, the plan “sets out clear expectations” for how public sector organisations engage with suppliers, he says.

UK Cybersecurity Regulation 

The plan is not a law. It is the method by which the UK public sector will try to control cyber risk to the public sector, says Holt. There are, however, a number of other regulations that businesses ought to have on their radar, including the Network and Information Security (NIS) Regulations and the General Data Protection Regulation (GDPR), she says.

The Cyber Security and Resilience Bill, currently making its way through Parliament, would be a new law in this area, expanding the NIS regulations to apply to managed service providers and data centres, Holt adds.

The plan is designed to work alongside existing frameworks, creating “a single and consistent approach” to cyber resilience across government, says Curran. For example, the Cyber Security and Resilience Bill focuses on protecting essential services such as water, energy and transport across the wider economy, he says. “The Cyber Action Plan mirrors this approach for the public sector, ensuring government bodies are held to the same standards.”

It is supported by GovAssure, which provides an objective view of cyber resilience across government systems, helping to identify weaknesses and track progress more effectively.

A core principle running throughout is “secure by design,” confirming the need for security to be built into digital services from the outset rather than added later, says Curran.

Impact For UK Businesses

The biggest impact will be felt by organisations that supply the government, says Curran. Under the new approach, the government will establish formal strategic partnerships with key suppliers, with clear cyber security and resilience requirements built into those relationships, he says.

Strategic suppliers will be held accountable for the level of cyber risk they introduce across government systems. All suppliers will be expected to understand and actively manage their cyber risk in line with the standards set by contracting authorities, he says. This includes proactively reporting incidents and cooperating with response and recovery efforts. “In major incidents, strategic suppliers may be required to engage directly with the Government Cyber Unit,” according to Curran.

Broadly, the plan provides an increased focus on ensuring all supply chain organisations understand their accountability and responsibility for government cyber security and resilience, says Holt. “The ripple effects of these changes are likely to be felt across UK supply chains.”

To prepare for this eventuality, suppliers must review their response and recovery capabilities against government expectations, Curran says. “They will need to comply with clearer requirements around risk management and incident reporting set by contracting authorities. Those designated as strategic suppliers should be prepared to engage directly with the Government Cyber Unit and enter into formal strategic partnership arrangements.”

Organisations impacted by the Government Cyber Action Plan should act now to strengthen core cyber resilience and address long-standing weaknesses, particularly in legacy systems and skills, says Anley. To succeed, he says, organisations must “track progress against clear, measurable targets” and collaborate across the public and private sector to “harness the UK’s world-leading cyber expertise.”

Kate O'Flaherty, Cybersecurity and privacy journalist