The Defence Cyber Protection Partnership (DCPP) was established in 2012 as a joint initiative between the MoD and industry to improve the protection of the defence supply chain from cyber threats. How does it work?
The guiding principle of the DCPP is the idea of defence and industry working hand-in-hand to address a problem that affects us all. The partnership – comprising government departments, private companies and trade associations – supports all of the work being developed around cyber security, and within that are three different work strands.
The first is around information sharing, and we have worked with the Cybersecurity Information Sharing Partnership (CiSP) to promote engagement. Another is around supply chain awareness, which is about engaging with the breadth and depth of the supply chain to get the message of cyber security across to suppliers.
The third strand is around measurements and standards, which means developing appropriate and proportionate controls to go into procurement contracts. This then forms the foundation of the ‘Cyber Security Model’, and that’s at the heart of what we are doing at the moment.
The CSM is a three-stage process that begins with a risk assessment by the customer – the MoD project manager or requirements manager – with a series of 22 questions based on the nature of the contract. Then there is a set of controls for each of the risk levels, which sets out what the supplier needs to do. The final stage of the process is a supplier assurance questionnaire, which is the supplier’s way of demonstrating to the MoD that they have achieved the level of compliance required.
The team that delivered the Cyber Essentials Scheme – which outlines a set of controls to provide organisations with basic protection from the most prevalent threats – have also been involved in the process. We have also been working with CESG, the information security arm of GCHQ, and to a slightly lesser extent, the Centre for the Protection of National Infrastructure. While our work is very much defence-focussed, we want to ensure that what we do is in step with wider government activity.
Has the government’s ability to respond to threats improved as a result of the programme?
The greatest achievements to date have come from information sharing. We’ve widened the pool of potential threat and vulnerability information with CiSP so that there is now a two-way sharing process, with a mechanism for government to flow information down to suppliers, but also for suppliers to flow information to government and to each other.
That doesn’t mean it’s ever going to be enough. The nature of the threat is such that we can never say we will be able to mitigate it completely, but what we can do is ensure that the base level of assurance is raised and keep it under constant review.
The ‘Cyber Security Model’ places extensive requirements on suppliers before an MoD contract is signed. Do you think this model could be used by other departments looking to improve their cyber security protection?
We adopted the Cyber Essentials requirements as the foundation for what we are doing, and clearly that cuts across all government departments and beyond government. But we are going further by mandating this into contracts, which is not something that has been done across the board.
We are very open to sharing what we have done and offering that as best practice. Clearly, where other departments may wish to put additional controls in place, there would be value in ensuring that they approach that in a coherent way. Increasingly, contractors don’t work only for one government department, so we need to be mindful that we don’t overburden them with multiple, overlapping assurance activities when a single approach may be adequate.
In light of the call for fresh cuts to departmental budgets at the Spending Review, and the push for collaborative working across Whitehall, what lessons do you think can be learnt from the DCPP?
The main thing is to be clear about the common shared objective. There’s no getting away from it – if the secretary of state initiates an activity, it gives you a really powerful lever to get engagement. But it is just as important to get a sense of collective agreement that the project is something that everyone will ultimately benefit from.
We’ve had working groups supporting each of the work strands, and those have been made up of people from both MoD and industry, and in many areas industry have provided a lot of the ‘heavy lifting’ in terms of the work that has been produced. So they haven’t just been coming to meetings and commenting; they have been actively developing the outputs. I think that’s been really powerful, and what it means is that the thing we’ve ended up with is genuinely a better product, because it has that range of input.
Earlier this year, ministers announced plans to invest in the recruitment of cyber specialists in the civil service. Why is it so important to invest in digital skills?
We can’t get away from the fact that this is the way we all need to work. There is a huge benefit in delivering things in line with the digital-by-default concept, whether it’s for internal users or public customers. Everyone can see the benefits of working in a more agile way and taking advantage of all the huge leaps in technology that are out there. That absolutely drives the digital agenda.
Equally, there are potential risks in going down those same routes. If you drive both the digital recruitment alongside the cyber recruitment and increase the level of skills and capabilities within the civil service, what you end up with is the best of both worlds – you can take advantage of these new technologies, and you can be confident that you are doing that in a secure way. Having the right security enables you to also have the right technology.
Daniel Selman recently spoke at the Cyber Security Summit, held by CSW's parent company Dods.