The new head of Britain’s National Cyber Security Centre has urged public sector organisations to understand their exposure to cyber risk, including through their supply chains.
Richard Horne, the chief executive of the cybersecurity arm of GCHQ, said he will be repeatedly reminding leaders of the need to close gaps in their cyber defences – by being aware of where their exposures and vulnerabilities lie.
Horne, who stepped into the role last autumn following a career in the private sector, endorsed the recent findings of a National Audit Office report, which laid bare some of the cyber weaknesses in public sector legacy systems.
But he said as we move more public services online, there is a pressing need to address those gaps not just for the sake of cyber best practice, but as a ‘strategic imperative’.
At a speech at The Design Museum in London, he said: “It’s easy to just focus on the threat, when it is only part of the risk picture. The other two parts are exposure and vulnerability.
“As we transform our society, and especially government services, we are making ourselves more dependent on technology, and therefore more exposed to the impact of cyber attacks – and so the stakes are being raised constantly.”
It was the first time Horne, who joined NCSC from the accountancy giant PwC UK, where he chaired the Cyber Security Practice, had spoken publicly at a conference since taking up the role.
The keynote was aimed at public sector organisations, which were the focus of the recent National Audit Office report, which outlined how over 200 government legacy systems were deemed to be at severe risk of cyber intrusion.
He signalled that the upcoming Cyber Security and Resilience Bill will be an important step towards strengthening the cyber defences of public services, as more departments digitise their operations.
But cautioned: “Government organisations – and the functions and services they deliver – are the cornerstones of our society. It is their significance. But this also what makes them an attractive target for our adversaries.
“So as I said, as technology advances and our dependence on technology increases so too will the potential impact. This is inevitable.”
He added: “We need to take seriously our voice as the national technical authority – in being clear about the risk, and clear about actions that need to be taken. To that point, there is a leadership message that I will be repeating endlessly – that it is a leadership responsibility to: have a plan for how to continue operations and recover in the face of a successful cyber attack; understand their organisation’s exposure (and that includes through the supply chain); ensure appropriate defences are in place.”
Part of the response will be for the NCSC to remain a critical service in disseminating cyber best practice and technical guidance, and in particular investing in scalable mitigations such as the Active Cyber Defence programme.
But also there is a need to increase intelligence on the cyber activities of adversaries such as Russia, China, Iran and North Korea, hunting down any cyber intrusions into critical digital infrastructure and ‘evicting the attackers’.
He added: “The Government Cyber Security Strategy laid out in 2022, that we must continue work to harden our critical national infrastructure and ensure that the rest of the public sector is resilient to known vulnerabilities/attack methods by 2030 – and we know that we are a way off.
“We know that building the cyber defence capability to detect and respond to advanced threat will require changes.
“And this will build on the progress of the Government Cyber Coordination Centre that was established in 2023, which coordinates the operational cyber security efforts across the government sector. Enhancing government’s resilience and ability to ‘Defend as One’.”