Written evidence submitted by Rt Hon Oliver Dowden MP, Deputy Prime Minister
I am writing in response to your letter of the 12 July and can provide the following answers to your questions. I have sent a separate, private response to a number of the questions where the information you requested is sensitive, as agreed in advance with your clerk.
1. HMG’s written evidence refers to a Senior Ransomware Steering Group. Please provide Terms of Reference for this group, along with meeting dates and topics since September 2021.
The Senior Ransomware Steering Group meets monthly, has a cross-Whitehall policy and operational membership and is part of the Threat Pillar of the National Cyber Strategy. The Secretariat function for the SRSG is provided by the Home Office’s Cyber Policy Unit. The SRSG discusses live policy issues and operational activities including, but not limited to, international and industry engagement and our use of sanctions designations.
2. Does the Government have a specific strategy on ransomware? If so, when was it finalised and disseminated across Government?
Answer provided at a higher classification.
3. How many FTE civil servants currently work on cyber security policy and strategy specifically (not cyber more broadly, and not just as one part of a broader portfolio), within a) the Home Office and b) the Cabinet Office?
Civil servants currently working on cyber security policy and strategy in the Home Office are members of the Cyber Policy Unit in the Homeland Security Group. In the Cabinet Office the relevant teams are the National Cyber Strategy Team in the National Security Secretariat and the Cyber Directorate in the Government Security Group who are responsible for the Government Cyber Security Strategy. There is also a team in the Resilience Directorate in the Economic and Domestic Affairs Secretariat who lead on the cyber resilience of critical national infrastructure. We cannot provide FTE information at this classification.
a. Can you provide equivalent headcount figures for a) human trafficking and b) illegal migration?
Answer provided at a higher classification.
4. Are there any cross-Government working groups for the implementation of the Threat pillar of the National Cyber Strategy? If so, please share the group’s Terms of Reference and a list of meeting dates since December 2022 (or earlier, if the group predates the publication of the Strategy).
Answer provided at a higher classification.
5. We have been advised that the National Cyber Programme (NCP) will form part of the Integrated Security Fund (ISF), along with the Conflict, Stability and Security Fund (CSSF). Will the CSSF and/or NCP elements of the fund be ring fenced?
a. Does the NCP element of the fund encompass the entirety of non- baselined funding for the National Cyber Programme?
b. Is the NCP fund intended to fund both domestic and international elements of the Programme? If so, will there be any limit on the amount of ISF expenditure that can be spent on domestic delivery?
c. If there will be no limit on expenditure on domestic delivery, are you able to provide estimates of the percentage of the ISF likely to be spent on domestic versus international work?
Answer provided at a higher classification.
6. Please share all meeting dates and topics for the NSC sub-committee on Resilience, between January 2022 and the date of your letter. If topics for these meetings were ever identified then please share those too, in private if necessary.
It is a long-established precedent that information about the discussions that have taken place in Cabinet and its Committees, and how often they have met, is not normally shared publicly.
7. We have heard that cryptocurrency is a key enabler for ransomware groups, and that the blockchain record can be exploited by law enforcement to track payments. In which part of Government are the national security implications of cryptocurrencies being considered? What levels of resource are being applied to tracking payments?’
Cross-government policy on cryptocurrencies is led by Her Majesty’s Treasury. The various national security implications are considered by a variety of other departments, including the Cabinet Office, Home Office, the Foreign, Commonwealth and Development Office, the National Crime Agency, the National Police Chief’s Council, as well as the UK intelligence agencies. The implications for cyber are managed by the Home Office-led Threat Pillar in close collaboration with intelligence and operational partners.
Cryptoassets provide a near-instant and low-cost way to transfer value across borders. Whilst the vast majority of cryptoasset transfers are conducted for valid purposes, they are an attractive technological enabler for criminal activity. As detailed in the recently published Economic Crime Plan 2, the Home Office will examine technological capabilities across the system, including formalising and strengthening Public Sector access to Track and Trace technology, to enhance pursuit of illicit cryptocurrency payments.
In terms of levels of resourcing being applied to track and trace capabilities, the NCA and NPCC have licences with blockchain forensic providers. The NCA and NPCC have enhanced their capability to work on high end upstream actors through complementing the licence software with in-house technologies. Further resources utilised include the use of data scientists to access these tools to assist with proactive and thematic intel development opportunities against illicit entities and actors.
8. HMG’s written evidence notes that the Government is “aligning” its work on ransomware with its State Threats Strategy. Has this Strategy been finalised and disseminated across Government? If so, how exactly is it being aligned with the Government’s work on ransomware? If it has not yet been finalised, what is the expected timescale for this work?
As set out in the Integrated Review Refresh, the Government has adopted a new approach to countering state threats below the threshold of armed conflict, organising cross-government activity into four lines of effort: protecting ourselves, our allies and partners from the impact of this activity; engaging domestically and internationally to raise awareness of it and to deepen cooperation on countering it; building a deeper understanding of states’ activity and how to respond effectively; and competing directly with these states in creative and assertive ways, when appropriate. This approach will be threat agnostic and will not replace or duplicate threat specific work, such as that on ransomware. The threat to the UK from state actors is wide ranging and the Government will take a commensurate approach, ensuring that we draw on work happening across departments and intelligence agencies on threat and country specific activity.
9. The written evidence states: “the NCSC is expanding their accredited scheme for Cyber Incident Response companies and introducing a new scheme for exercising, which is of particular importance to CNI sectors. This includes ransomware-specific exercising to drive up awareness of the threat and strengthen operators’ ability to respond to an attack. It will also set out clear requirements for exercising and testing or adversary simulation across CNI operators.” Please provide an update on this work.
As part of the UK Industrial Control System (ICS) Cyber Lab project, initially focussed on UK CNI Operators using ICS in the Water and Energy Sectors, the NCSC is planning to include ransomware into the set of exercising scenarios. In addition, NCSC’s Cyber Adversary Simulation (CyAS) scheme will be available for use by UK Cyber Regulators to carry out testing in their sectors. We intend to test our approach, via the implementation of pilots within the Energy sector, working closely with Ofgem and industry.
The NCSC is also in the process of launching its Cyber Incident Exercising (CIE) Assurance Scheme that will assure industry providers of particular types of cyber exercising services against a related NCSC standard. The scheme will be run by delivery partners on behalf of the NCSC, the first assured CIE service providers expected to come on board by winter 2023.
Finally, the extended Cyber Incident Response scheme that was previously highlighted was launched to consumers on the 15th August.
10. HMG’s written evidence references work by then-DCMS to strengthen cyber skills. That portfolio is presumably now being led by the Department for Science, Innovation and Technology. It would be helpful to receive an update on recent and forthcoming initiatives, if not already in the public domain.
The Government is delivering a range of ambitious programmes to boost the number of people with the skills needed to enter the cyber workforce, both in government and across the wider economy. Recently, DSIT launched the ‘Upskill in Cyber’ programme, under the Government’s ‘Skills for Life’ scheme, which received over 3,750 applications for 200 places on the 14-week course. In addition, as part of the CyberFirst programme, DSIT has launched the Cyber Explorers platform to enthuse 11-14 year olds about a career in cyber and technology more broadly. As of June 2023, this programme has seen over 51,000 students, 2,500 teachers and more than 2,000 schools sign up since its launch in February 2022.
Industry is closely involved with these initiatives and wider efforts to establish the UK Cyber Security Council - the new professional authority for cyber security. The Council is working to clearly defining quality pathways into and through a cyber career, putting in place an assessment process to recognise skill and expertise from junior to the experienced Chartered level.
Work is underway to develop a government and wider public sector cyber skills strategy, which will propose evidence-led tactical and strategic interventions to build a sustainable pipeline for the attraction and retention of cyber talent.
11. Is there any other information that the Government would like to provide to update the written evidence submitted last year?
The NCSC has stood up the Cyber Insurance Industry Working Group (CIIWG), to engage industry stakeholders on how we raise the baseline level of resilience across insureds, create an enhanced data-sharing system, and encourage organisations to be transparent about their experience with cyber-attacks (particularly ransomware attacks).
The Government Security Group has launched an ambitious new strategic approach to address the skills gap across government and public sector, which includes identifying evidence-led best bets for tactical and systemic interventions. This builds on the work to date to attract, develop and retain the best talent including; offering enhanced pay through the DDAT pay framework, developing new apprenticeship programmes and a dedicated fast stream.
25 September 2023