The term “special relationship,” coined by Winston Churchill, describes the close, longstanding alliance between the United States and the United Kingdom. It has been applied to cooperation during war, to trade and commerce, and even to intelligence sharing.
That special relationship has clearly influenced the two nations’ recent policy papers on national cybersecurity. The U.K. document, “National Cyber Strategy 2022,” was published in December of that year, while the U.S. “National Cybersecurity Strategy” was released in March 2023.
These strategies are mandates for everyone, from individual citizens to corporations and government entities, as well as allies and partners.
In addition to their titles, these high-level frameworks share many similarities, including a structure based on five pillars. Their major themes also echo one another. The US document calls for rebalancing the responsibility of defending cyberspace because end users currently bear too much of the load in mitigating cyber risks.
Likewise, the UK policy aims to remove as much of the cybersecurity burden as possible from citizens. As to which entities should take a larger role in cybersecurity, the two strategies focus on major technology companies (U.K.), and owners and operators of systems that hold data, as well as technology providers (U.S.). Both nations agree that partnerships across public and private sectors must be strengthened.
Despite this congruence of themes, the two policies differ in several ways, primarily related to emphasis and prioritization. One case in point is the protection of critical infrastructure.
In the U.S. policy, “Defend Critical Infrastructure” is Pillar 1, showing its top priority. In the U.K. strategy, critical national infrastructure (CNI) is covered under Pillar 2, “Cyber Resilience,” and is listed last among audiences to be protected (after citizens, businesses and organizations and the public sector.) However, the U.K. policy goes into more detail than its U.S. counterpart regarding CNI cybersecurity.
Now, let’s take a closer look at how these two strategy documents talk about cybersecurity for critical infrastructure.
Setting cybersecurity requirements
Both strategies discuss the need for new or improved standards in cybersecurity for critical infrastructure. This effort includes using secure-by-design principles in developing, testing and finding vulnerabilities in code and extending requirements to the cloud service providers that hold data.
As to who will set these standards, the U.K. document focuses on CNI operators, who must raise their standards and manage risk more proactively. The U.S. document takes a top-down approach, with the Federal government using “authorities” to set requirements based on performance, cybersecurity frameworks and voluntary standards and guidance.
Investing in cybersecurity
Strengthening cybersecurity requires financial investment by different stakeholders. The U.K. strategy cites planned investment by the national government of £2.6 billion in cyber and legacy IT over the coming three years. To enable critical infrastructure sectors to manage increased costs, the U.S. policy targets incentives for cybersecurity implementation and regulations to level the playing field and avoid under-provisioning of security measures due to competitive pressures.
The ability of critical infrastructure to repel threats and recover quickly from cyber attacks is an increasing concern as incidents escalate.
— A ransomware attack against the Irish Health Service Executive (HSE) disrupted Irish healthcare IT networks and hospitals for over 10 days.
— San Francisco’s Municipal Light Rail (MUNI) system was breached by ransomware actors, forcing the company to shut down the ticketing systems for four days.
— The Colonial Pipeline, one of the largest fuel pipelines in the U.S., was hit by a ransomware attack, forcing a complete shutdown that led to gasoline shortages.
— A DDoS attack targeted the Port of London Authority, forcing its website to go offline.
In the U.S. strategy, the Federal government plays a leading role in all aspects of critical infrastructure resilience, from facilitating collaboration among operators, government agencies and vendors “at speed and scale,” to strengthening its own systems through an emphasis on a zero trust framework and IT modernization.
As one example of a government initiative to improve resilience, a new U.S. Federal program, run by the Cybersecurity and Infrastructure Security Agency, will warn critical American companies that their systems are vulnerable to ransomware attacks before the hackers can successfully strike.
The U.K. strategy calls for better incident planning and regular exercising on the part of CNI operators. Specifically, the U.K. will set clear requirements for exercising and testing or adversary simulation across CNI operators.
CNI operators can become more resilient with better testing
The more vulnerabilities exist in the software that critical infrastructure operators depend on, the greater the risk to consumers, businesses and the entire supply chain. Continuous security testing early and throughout the software development lifecycle can enable operators to achieve better cyber resiliency. Continuous scanning for critical vulnerabilities and regular testing can improve security and support the goals of both U.K. and U.S. policy frameworks.
Critical infrastructure operators have found success in reaching their security testing and vulnerability management goals by using the Synack Platform. This solution pairs the Synack Red Team community of expert and vetted penetration testers with continuous scanning technology, as well as reporting and software patch verification. The Synack Platform can help organizations of all types – not just critical infrastructure operators – find vulnerabilities and identify their root causes so they can be eliminated.