In April 2021, it was revealed that Boris Johnson’s personal phone number was freely available online for 15 years, nestled at the bottom of a press release published in 2006 when he was the shadow higher education minister. Three months ago, cybersecurity researchers from the University of Toronto’s Citizen Lab released an explosive report detailing traces of the NSO Group’s Pegasus spyware within UK government networks, including Downing Street and the Foreign Office.
While there is no evidence linking these two events, security experts have condemned the lack of basic cybersecurity at the heart of government. “It’s vital that anyone with access to sensitive material up to and including the PM have to pay close attention to the basic rules of cybersecurity, including their phone numbers,” said Peter Ricketts, the UK government’s former national security advisor, at the time of the Pegasus revelation.
But with Johnson now preparing to step down, what is his cybersecurity legacy at a time when the National Cyber Security Centre (NCSC) is warning of a “potentially protracted period” of cyber-threats from Russia?
Recent cybersecurity statistics paint a picture of rising data breaches and cyberattacks in the UK, with the public and private sectors largely unprepared for such events. Local councils across the country have been hit by a spate of ransomware and data breaches, with East Sussex, Hampshire County and Gloucestershire County alone suffering more than 2,000 data breaches in 2020 and 2021, according to a study by privacy researchers at VPN comparison site VPN Overview. During a speech to launch the government’s Cyber Security Strategy earlier this year, the then chancellor of the Duchy of Lancaster, Steve Barclay, said that recent data breaches are a “growing trend – one whose pace shows no sign of slowing”.
Data from the Department of Culture, Media and Sport’s (DCMS) latest Cyber Security Breaches survey confirms this growing trend. Since 2019, the number of data breaches and cyberattacks identified by businesses and charities has also increased, with almost four in ten businesses and a third of charities reporting such incidents as of this year.
Part of the government’s solution to improve cybersecurity across the board includes a raft of policies designed by the NCSC to help UK businesses protect themselves against common threats. But data from the same survey shows a startling lack of awareness among businesses of the government’s cybersecurity initiatives, with barely any improvement in the past few years.
Just three out of ten businesses surveyed have heard of the Cyber Aware email security programme, which encourages people to improve their email security by using strong passwords and two-step verification. This figure has crept up from 21 per cent in 2017, while less than 20 per cent of businesses remain unaware of the NCSC’s 10 Steps and Cyber Essentials programmes. The 10 Steps initiative provides basic advice on identity and access management, for example, while Cyber Essentials is a formal certification scheme for businesses to conduct self-assessments on their cybersecurity preparedness.
This lack of awareness among businesses and charities also translates into low take-up of such initiatives. According to the DCMS survey, just 6 per cent of organisations have undertaken the Cyber Essentials certification, while only 1 per cent of businesses have signed up for the Cyber Essentials Plus scheme, which involves an external assessment. The global cybersecurity standard ISO 27001 and a payment card data assessment are more widely adopted among those organisations surveyed, but still by a minority.
The last three years of Johnson’s premiership have seen the UK government roll out the country’s first National Cyber Strategy and other headline-grabbing initiatives like a National Cyber Force. Whether these high-profile policies translate into a more secure cyberspace is yet to be seen, but the current reality of cybersecurity in the UK paints a markedly different picture.