The first national strategy was published in 2011, covering the period 2011-2015: The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world. The National Cyber Security Programme received government funding of £860 million to deliver the strategy. 

Annual reports on progress towards the defined objectives have been published since 2011. The last report was published in April 2016: The UK Cyber Security Strategy 2011-2016 - Annual Report. 

For the new strategy 2016-2021, the Government will invest a total of £1.9 billion to achieve 13 strategic outcomes around the pillars of deter, defend, and develop. A proportion of the Defence and Cyber Innovation Fund will be allocated to support innovative procurement in defence and security. The strategy, which is government-led, includes two new cyber innovation centres as part of the drive towards an ecosystem through the development of cutting-edge cyber products and new, dynamic cyber security companies.

The National Cyber Security Centre operates as part of the UK Government Communications Headquarters and provides weekly and annual threat and vulnerability reports: https://www.ncsc.gov.uk/index/report

Operational since October 2016, the UK National Cyber Security Centre (NCSC) provides cyber incident response, replacing CESG (the information security arm of the GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI). Law enforcement works closely the NCSC and industry to share the latest criminal threat intelligence to help industry defend itself and mitigate impact.

https://www.ncsc.gov.uk/incident-management.

Initial focus is on:

• Developing a world class incident management capability to respond to and reduce the harm from cyber incidents, from those affecting single organisations through to national, large-scale attacks.
• Providing communications on how organisations in the public and private sector can deal with cyber security issues, facilitating the sharing of cyber threat information.
• Continuing to provide expert sectoral advice to Government and critical sectors like telecommunications, energy and finance, and providing cyber security advice across the UK.

The NCSC is expected to adapt its focus and capabilities to new challenges and lessons learned.

The UK (HM) Government has announced plans to:

• Implement the EU Directive on Network and Information Systems based on a consultation.

The overall objective is to make the UK the safest place in the world to live and be online. Special emphasis is placed on making sure essential services are prepared for the increasing risk of a cyber-attack. Thus essential services like water, energy, transport and health firms need to be safeguarded against hacking attempts. Firms will also be required to show they have a strategy to cover power failures and environmental disasters.

• Adopt the EU General Data Protection Regulation (GDPR). The GDPR will replace the UK's Data Protection Act 1998 from 25 May 2018, giving citizens more control over what happens to personal information under proposals outlined by the government.

The GDPR will considerably strengthen the existing rules and responsibilities around how businesses process and safeguard consumer data. The GDPR will also force organisations to comply with a mandatory breach notification by disclosing a breach within 72 hours. This necessitates understanding and monitoring of threats, making risk management a top priority.

The current bill will effectively transfer the European Union's General Data Protection Regulation (GDPR) into UK law.

Bill: https://www.gov.uk/government/uploads/system/uploads/attachment_data/fil....

The motivation for the UK government is giving the country one of the most robust, yet dynamic, set of data laws in the world, giving people more control over their data, and requiring more consent for its use.

Proposals included in the bill will:

• make it simpler for people to withdraw consent for their personal data to be used.
• let people ask for data to be deleted.
• require firms to obtain "explicit" consent when they process sensitive personal data.
• expand personal data to include IP addresses, DNA and small text files known as cookies.
• let people get hold of the information organisations hold on them much more freely.
• make re-identifying people from anonymised or pseudonymised data a criminal offence.

Heavy fines will be imposed on organisations failing to comply with the legislation: up to £17m or 4% of global turnover.

The 2016-2021 strategy provides for levers and incentives for the UK private sector with government investments aimed at maximising the potential of an innovative UK cyber sector. It also gives more emphasis on the role of government in advising businesses and establishing partnerships to achieve objectives. Specifically, the strategy will:

• Ensure that businesses of all sizes and sectors take appropriate steps to protect themselves and their customers from the harm caused by cyber attacks by providing advice and tools that are easy to implement.
• Work with market influencers like insurers, regulators and investors to highlight the clear business benefits and pricing of cyber risk for more effective risk management.
• Create partnerships with professional standards bodies to move beyond awareness raising to persuade businesses to take action.
• Establish the right regulatory framework to manage cyber risks that the market fails to address. The GDPR will be one of the levers used to drive up standards of cyber security.

Campaigns and Schemes:

• Cyber Aware campaign (formerly Cyber Streetwise) encourages behavioural changes for businesses and the public on protection in cyberspace. The campaign is currently supported by 128 cross-sector partners (e.g. businesses in retail, leisure, travel and professional services.
• Cyber Essentials scheme encourages the implementation of 5 technical controls to protect against the most common internet threats. It serves mainly as a reference to organisations providing services to central and local government, ensuring they comply with the most essential requirements.
• Cyber-Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.

The strategy also places greater emphasis on critical infrastructures, particularly the telecommunications sector. The objectives for this sector include:

• Working with industry, especially Communications Service Providers (CSPs), to make it significantly harder to attack UK internet services and users, and greatly reduce the prospect of attacks having a sustained impact on the UK. This includes measures to secure the UK's telecommunications and internet routing infrastructure.
• Improving the protection of government systems and networks, helping industry to build greater security into the supply chain of Critical National Infrastructures (CNI), making the software ecosystem in the UK more secure, and providing automated protections for government online services to citizens. 

The Government will also undertake specific actions, such as:

• Working with Communications Service Providers (CSPs) to block malware attacks, for example, by restricting access to specific domains or websites that are known sources of malware: Domain Name System (DNS) blocking/filtering.
• Promoting security best practice through multi-stakeholder internet governance organisations such as the Internet Corporation for Assigned Names and Numbers (ICANN), which coordinates the domain name system; the Internet Engineering Task Force (IETF) and the European Regional Internet Registry (RIPE), and engagement with stakeholders in the UN Internet Governance Forum (IGF). 

The NCSC works with industry, government and academia to build cybersecurity capacity for the next generation of researchers, students and innovation.

• New Talent: student bursary scheme and courses under CyberFirst: https://www.ncsc.gov.uk/new-talent.
• Academics and researchers: partnerships with government, industry and academia, identifying and supporting excellence in cyber security education and research and encouraging industry investment in academic research: www.ncsc.gov.uk/Academics-and-researchers.
• Industry: supporting, encouraging and facilitating cybersecurity research and innovation within the UK: www.ncsc.gov.uk/industry.
• Academic Centres of Excellence in Cyber Security Research, where 14 universities are officially recognised as ACE-CSR: https://www.ncsc.gov.uk/articles/academic-centres-excellence-cyber-secur....
• Certified Master's degrees: https://www.ncsc.gov.uk/education-research.
• Certified Bachelor's degrees: https://www.ncsc.gov.uk/education-research.

Cyber security training in schools: The government Department for Digital, Culture, Media and Sport is investing £20 million to fund cyber security training in schools with the intention of providing nearly 6,000 teenagers with the skills needed not just to protect themselves online, but also to build a future career in the cyber security industry.

Cyber Security Innovation Centre (July 2017): The London-based Centre will be tasked with conducting world-leading research and development into the next generation of security technology. It will receive investments of £14.5 million over a period of 3 years.The government has launched a competition to develop and design the unit. The new centre will bring together both established industry players and new start-ups to collaborate on the development of future security technologies. Through the unit, newly-formed businesses will get access to mentoring services, business support and early-stage growth advice. One of the aims is therefore also to give UK firms access to the latest cyber technology and allow start-ups to get the support they need to develop.

Cyber Security Centre for defence procurement (July 2017): Other capacity-building measures include the establishment of a Cyber Security Centre for defence procurement by the UK Ministry of Defence with an investment cost of £3 million. The centre's objectives are to:

• Enable Lockhead Martin to work more closely with UK partners to share knowledge and best practices, undertake research and develop new cyber defence capabilities.
• Create new jobs in the area of cybersecurity.

According to UK government spokespeople, this is another example of co-developing solutions to national security risks, where the national strategy helps drive partnerships with industry, including an investment of £10m in a new Cyber Innovation Fund to give start-ups the boost and partners they need.

The 2016-2021 strategy provides for 13 strategic outcomes, each with a set of indicative success metrics to 2021. The strategic outcomes and some of the indicative metrics are summarised below.

1. The UK has the capability to effectively detect, investigate and counter the threat from the cyber activities of adversaries: Stronger information sharing established with international partners. Improved understanding of threats related to cyber terrorism. Pipeline of skills and expertise for the development and deployment of sovereign ofensive cyber capabilities. Effective sovereign cryptographic capabilities with regard to secret and sensitive information. DETER.
2. The impact of cybercrime on the UK and its interests is significantly reduced and cyber criminals are deterred from targeting the UK: Dismanteling criminal networks. Improved law enforcement capability, including overseas. Improved early intervention measures. Reduction in low-level cyber offences. DETER & PREVENT.
3. The UK has the capability to manage and effectively respond to cyber incidents to reduce harm they cause in the UK and counter cyber adversaries: Higher proportion of incidents are reported to the authorities, leading to a better understanding of the size and scale of the threat. Better management of cyber incidents enabled by the NCSC as a centralised incident reporting and response mechanism. Investigating the root causes of attacks at a national level and reducing occurrence of repeated exploitation across multiple sectors. DEFEND
4. Partnerships with industry on active cyber defence mean that large scale phishing and malware attacks are no longer effective: Large-scale defences against the use of malicious domains, more anti-phishing protection and harder to use other forms of harmful communications. The UK's internet and telecommunications traffic is significantly less vulnerable to rerouting by malicious actors. GCQH, Defence and the National Crime Agency (NCA) capabilities to respond to serious state-sponsored and criminal threats have significantly increased. DEFEND
5. The UK is more secure as a result of technology products and services having cyber security designed into them and activated by default: Most commodity products and services available in the UK in 2021 make it more secure, because they have security settings enabled by default or security integrated by design. Government services are trusted by the UK public because they are implemented as securely as possible, and fraud levels are within acceptable risk parameters. DEFEND
6. Government networks and services will be as secure as possible from first implementation. The public will be able to use government digital services with confidence, and trust that their information is safe: Government has in-depth understanding of the level of cyber security risk across the whole of government and the wider public sector. Resilience and effective response to cyber incidents, maintaining functions and recovering quickly. New technologies and digital services deployed by government will be cyber secure by default. All government suppliers meet appropriate cyber security standards. DEFEND
7. All organisations, large and small, are effectively managing their cyber risk, are supported by high quality advice designed by the NCSC, underpinned by the right mix of regulation and incentives: See risk assessment plan above. DEFEND
8. There is the right ecosystem in the UK to develop and sustain a cyber security sector that can meet national security demands: Greater than average global growth in the size of the UK cyber sector year on year. Significant increase in investment in early stage companies. DEVELOP
9. The UK has a sustainable supply of home grown cyber skilled professionals to meet the growing demands of an increasingly digital economy, in both the public and private sectors and defence: Effective and clear entry routes into the cyber-security profession and attractive to a diverse range of people. By 2021 cyber security is taught effectively as an integral part of relevant courses within the education system, from primary to post-graduate level. Cyber security is widely acknowledged as an established profession and has achieved Royal Chartered Status. DEVELOP
10. The UK is universally acknowledged as a global leader in cyber security research and development, underpinned by high levels of expertise in UK industry and academia: Significant increase in the number of UK companies successfully commercialising academic cyber research, with fewer identified gaps in national research capability. The UK has a reputation as being a global leader in cyber security research and innovation. DEVELOP
11. The UK government is already planning and preparing for policy implementation in advance of future technologies and threats and is "future proofed": Enhanced international collaboration reduces cyber threat. Common understanding of responsible state behaviour. Increased cyber security of international partners and increased consensus on the benefits of a free, open, peaceful and secure cyberspace. DEVELOP
12. Threat to UK interests overseas is reduced due to increased international consensus and capability towards responsible state behaviour in a free, open peaceful and secure cyberspace: With the same outcomes as number 11. INTERNATIONAL ACTION & INFLUENCE.
13. UK Government policies, organisations and structures are simplified to maximise the coherence and effectiveness of the UK's response to the cyber threat: Government cyber security responsibilities are understood and services are accessible. Partners understand how best to interact with Government on cyber security issues. CROSS-CUTTING