Written evidence submitted by Professor Daniel Dresner (GCR0001)

Professor Daniel Dresner is The University of Manchester’s first Professor of Cyber Security, following 22 years with The National Computing Centre. He applies his diverse, community-based cyber security approach to developing standards, championing cyber security for SMEs (for which he co-founded IASME), and working to find the symbiotic balance between people and technology in the quest for cyber security.

Daniel is active in Manchester’s cyber ecosystem, furthering cyber security innovation and growth as part of DiSH – Digital Security Hub, and steering cyber security outreach from the University’s Centre for Digital Trust and Society, an NCSC-recognised Academic Centre of Excellence for Cyber Security Research. Daniel lectures on risk and cyber defence to Chevening cohorts from India and the Western Balkans, and revived the cybernetics thought-leadership Ratio Club, promoting a people-technology balance. His work is embedded in the assessment of Cyber Essentials.

Daniel was voted a top 20 cyber security influencer worldwide in 2018-2021 and was named Security Serious Awards Best Educator in 2022.

Submission supported by Policy@Manchester

Introduction

2 Recommendations and observations about a sociotechnical view

4 Recommendations and observations about observing basic, universal principles

5 Recommendations and observations about security as a defined, system requirement

6 Recommendations and observations about the cyber ‘attack surface’

7 Recommendations and observations about reducing cyber risk in the supply chain

8 Recommendations and observations about reducing contagion

9 Recommendations and observations about continued attention to old as well as the new

10 Recommendations and observations about a whole workforce approach

11 Recommendations and observations about cyber assessments

12 Recommendations and observations about secure change

13 Recommendations and observations about protection, operation, and [systemic] self preservation

14 Recommendations and observations about measuring cyber security

Introduction

This paper comprises a written response to the inquiry: Government cyber resilience. It has been created from a study of the National Audit Office (NAO) report – Value for money: Government cyber resilience, 29 Jan 2025.

The paper comprises observations and commentary on the NAO report with complementary recommendations associated with the respective paragraphs for which references are given.

There are three key recommendations:

  1. Take a systemic view of coping with cyber security risk in the context of the whole government workforce. This could reduce the burden on staff employed in response and recovery, effort that could be better spent on security improvement.
  2. Develop better relationships with the government supply chain where [at least] the prime contractor for systems pays a ‘cyber levy’ in cash, tax relief, or in kind to strengthen the cyber security posture of their suppliers and subcontractors. This is to counter the existing ‘risk throwing’ culture that, through action or inaction, expects cyber security behaviours in asymmetric arrangements to fall on people and entities beyond their capability.
  3. Meaningful measures of the state of cyber security still elude us[1]. Government should adopt a cascading balanced scorecard approach that is sensitive to the operational needs of its respective parts. However, this should only be regarded as half of the activity (that is, the dials); it must be matched with the levers to direct systems out of the period of inevitable risk in which we live. The Cyber Assessment Framework (CAF) may provide the basis for this and create a much-needed extended framework for continuous assessment to de-risk government systems.

2 Recommendations and observations about a sociotechnical view

We should take an honest view of reality and admit that we shall continue in a period of inevitable risk (Figures 1 and 2) for some time to come. It is easy to over-attend to the tangible security countermeasures of technology whilst being vocal about human factors. However, the effect seems to be that only those already engaged in sociotechnical balance do more than pay lip service to systemic views that include the people – directly, and those who may benefit or suffer from a lack of confidentiality, integrity preservation, and availability in the systems which handle both personal data and command and control data for manufacturing, infrastructure, industry, and services for which the personal data is processed. The National Cyber Security Centre – long since labelled our ‘National Technical Authority’ – should be renamed as our ‘National Sociotechnical Authority’.

Figure 1: Period of inevitable risk shown as an increase in trustworthy systems

Figure 2: Period of inevitable risk: sociotechnical view

It is not just the 'cyberists' or the 'cyber professionals' with a shower of post-nominals. Cyber is difficult. People like doing skills-related activity as a move to bring the challenge under control because it is easy to understand and quick to give nice, reportable measurements such as attendance at a briefing and qualifications. But these activities are generally limited to a subset of the [so-called] cyber workforce (unless it's a click-through cyber awareness package trying to dampen down the moment when something shouldn't be clicked). We are failing miserably the people whom we expect to compensate for the absence of built-in security in sociotechnical systems (and their component parts), rather than rallying them as the extension of the professionals who design, build, and defend our information systems. We should consider the whole government workforce as part of its cyber workforce.

2.1 Reference to NAO report

Paragraph 3 of the Summary (page 5)

4 Recommendations and observations about observing basic, universal principles

Cyber security standards should be crafted as basic principles: short points of universal objectives regardless of the overall objectives of the government function in question. These can be adopted (and adapted) by areas of government that would otherwise stand to declare a difference because of unique role-based objectives. A lack of perpetual, all-function objectives fails in the face of our adversaries, whose objectives fall into simple categories of criminal activity or political activity that is the antithesis of our values. Adversaries run a playbook with six universal evils: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE, Microsoft, 1999). Our universal objectives, forever the goal of systems, may be expressed as the requirement for any system to operate between the pillars of protection and the ability to preserve itself in the face of attack.

4.1 Reference to NAO report

Paragraph 6 of the Summary (page 6)

5 Recommendations and observations about security as a defined, system requirement

Cyber security is one of a set of complementary ‘non-functional’ dials in any system (ISO/IEC 25010) that may be adjusted to meet objectives by the levers of governance and management.

5.1 Reference to NAO report

Paragraph 8 of the Summary (page 6)

6 Recommendations and observations about the cyber ‘attack surface’

But it also needs to recognise that these are likely to form the attack surface, which widens with outsourced or ‘as-a-service’ operations that may be privately run.

6.1 Reference to NAO report

Paragraph 10 of the Summary (page 7)

7 Recommendations and observations about reducing cyber risk in the supply chain

The supplier culture of throwing risk onto the customer [organisations]/user(s) must be challenged.

Adversarial relationships between government and suppliers, relying on the letter of service level agreements rather than an attitude of mutually beneficial co-dependency, leave current systems in the shadow of genuinely malevolent adversaries who are all too ready to collaborate toward mutual [nefarious] goals. Government needs to develop better relationships with its supply chain – and those in that supply chain with theirs – where [at least] the prime contractor for systems pays a cyber levy in cash, tax relief, or in kind to strengthen the cyber security posture of their suppliers and subcontractors. In this way, we create a channel to reduce the security debt passed on to their customers in government. This will counter the existing risk-throwing culture that, through action or inaction, expects cyber security behaviours in asymmetric arrangements to fall on people and entities beyond their capability.

7.1 Reference to NAO report

Paragraph 9 of the Summary (page 7)

8 Recommendations and observations about reducing contagion

Focus on secure architecture, where insecure things do not introduce risk through contagion, until secure-by-design is the embedded systems philosophy. And consider how many legacy systems remain running, in part or entirely, because of a lack of understanding about their utility and because no one will take the decision to switch them off.

8.1 Reference to NAO report

Paragraph 11 of the Key Findings (page 7)

9 Recommendations and observations about continued attention to old as well as the new

It is challenging to remain aware of the well-established tools, techniques, and practices that can be brought to bear whilst still being mindful and active in the field of emerging threats of greater sophistication. However, this is precisely what must be done. We must preserve the body of knowledge and the ability to practise its lessons whilst engaging with emerging opportunities. The lessons of established system defects manifesting in the shadow of [perhaps] more exciting challenges is a popular rant amongst cyber security practitioners.

9.1 Reference to NAO report

Paragraph 12 of the Key Findings (page 8)

10 Recommendations and observations about a whole workforce approach

HMG should take note of the early work of the International Coalition on the Cyber Security Workforce (founded at Wilton Park, Sept. 2024). This has considered not only the challenge of growing such a workforce but also enabling movement within it as a route to a more sustainable employment proposition. It has yet to appreciate the opportunity in recognising that cyber security needs a whole workforce approach and should not restrict itself to the ‘cyberists’ and the demand on the few to protect the many. Only then can the requisite variety of diversity in adversity be appreciated as a fundamental countermeasure against criminal and hostile nation state malwarefeasance.

10.1 Reference to NAO report

Paragraph 14 of the Key Findings (page 9)

11 Recommendations and observations about cyber assessments

Using CAF as a benchmark of cyber security is commendable, but it should be used alongside tighter, risk-agnostic frameworks such as Cyber Essentials supporting the areas of cyber risk more subject to flux. Results from assessments against CAF should be treated as circular and causal feedback promoting risk-sensitive change.

11.1 Reference to NAO report

Paragraph 12 of the Key Findings (page 9)

12 Recommendations and observations about secure change

Secure-by-design is an approach which – if taken over the decades of electrical, electronic, and microtechnology deployment – would be saving us much [cyber] grief today. This has – of course – not been so. As a result, a culture of secure-change-by-design needs to be built into system lifecycles (ISO/IEC 15288). In this way, as technology is improved or added to, the ‘non-functional’ requirement of security will be considered and actively improved too.

12.1 Reference to NAO report

Paragraph 16 of the Key Findings (page 10)

13 Recommendations and observations about protection, operation, and [systemic] self preservation

Traditional cyber security awareness needs to develop from throwing risk onto users or user departments to an appreciation of the cyber security lifecycle that starts with protection and extends to the action to be taken when incidents and events happen. This applies particularly to the routes of communication to those people in a position to support these two pillars – which may be labelled protection and preservation (or resilience) – and to supporting the all-important operations which the respective departments must maintain consistently. Protect, operate, and [systemic] self-preservation thus become the symbols of resilience and common objectives, whatever the responsibilities of the ministry, department, agency, and so on, are in terms of national security or just the cyber security of its own services.

13.1 Reference to NAO report

Paragraph 17 of the Key Findings (page 10)

14 Recommendations and observations about measuring cyber security

HMG is not alone in the challenge of finding measures of success for cyber security. Perhaps, with reference to sustainable and resilient operations, the Kaplan and Norton (1996) balanced scorecard approach may be useful. However, we are probably overdue in working the successes of our adversaries into our scorecard metrics too, rather than only after the fact. Only then may we apply the levers of change to the security outcome dials to be sure that we are not heading towards harm.

In this way, we can nurture the continuous assessment – with action on that assessment – to de-risk government systems and fulfil the vision of Wiener, Ashby, Turing et alia.

14.1 Reference to NAO report

Paragraph 18 of the Key Findings (page 11)



[1] Cross-cutting problems - NCSC.GOV.UK, Question 3 (Version 1.1)