The National Cyber Security Centre (NCSC), part of GCHQ, unveiled two key initiatives aimed at strengthening the UK’s national cyber resilience. Announced at last week’s CYBERUK conference, these initiatives are designed to boost confidence in cyber defences across the public and private sectors. The NCSC detailed a new ecosystem of assured Cyber Resilience Test Facilities (CRTFs) that will enable vendors to demonstrate and validate the cyber resilience of their products, and a Cyber Adversary Simulation (CyAS) scheme, launching this summer, that will help organizations assess and enhance their ability to detect and respond to real-world cyber threats.

“The Cyber Resilience Test Facilities and Cyber Adversary Simulation schemes mark a significant step forward in our mission to enhance the UK’s cyber resilience,” Jonathon Ellison, director for national resilience of NCSC, said in a media statement. “The test facilities will allow consumers to be more confident in the security of connected products. And through testing their response to simulated cyber attacks, the UK’s most critical infrastructure will be further empowered to defend against evolving online threats.”

The NCSC also warned that U.K. critical systems are facing growing risks due to a widening ‘digital divide’—the gap between organizations that can adapt to AI (artificial intelligence)-enabled threats and those that cannot. In a report released on the opening day of the CYBERUK conference, the NCSC warned that developments in AI are likely to accelerate the time between the discovery of software vulnerabilities and their exploitation by malicious actors, highlighting the growing cyber threat expected between now and 2027. 

The CRTFs program is developing a national network of assured facilities that will allow technology vendors to demonstrate the cyber resilience of their products in a consistent and structured way, enabling independent audits and assessments by public and private sector organisations, including the U.K. government.

The CRTFs will adopt a principles-based assurance (PBA) methodology, moving away from traditional compliance-based schemes, to enhance consumer confidence in the cyber resilience of products and broaden the range of assured products.

The NCSC is set to launch a new scheme for CyAS in early summer. Companies assured under the scheme will deliver services to test an organisation’s cyber resilience, including their ability to prevent, detect, and respond to simulated cyber attacks. 

The CyAS scheme has been developed in partnership with cyber oversight bodies, cyber regulators, and the government, who are exploring the use of the scheme in their sectors. It has been designed as a means of providing end-to-end assurance and evidence for any organisation of sufficient maturity and criticality to test their cyber defences. The scheme will launch as a Minimum Viable Product and is expected to evolve as the user community grows.

These schemes are the latest in the NCSC’s efforts to help organisations bolster resilience and work towards addressing concerns raised by CEO Richard Horne in December 2024 about the growing gap between cyber threats and existing defences.

The newly announced schemes build on the NCSC’s ongoing efforts to help organisations strengthen their cyber resilience and directly address concerns raised by CEO Richard Horne last December about the widening gap between evolving threats and current defences. Horne emphasized the urgent need for sustained vigilance in an increasingly aggressive digital environment and urged U.K. organizations to follow NCSC guidance and take collective action to close the resilience gap, as the NCSC’s eighth Annual Review reveals a growing threat landscape, including intensified activity from hostile state actors.

Last week, the U.K. government introduced a voluntary Software Security Code of Practice to enhance the security and resilience of software used by organizations and businesses. The code is meant to help software vendors and their customers reduce the likelihood and impact of supply chain attacks and other resilience-related incidents, which often stem from avoidable weaknesses in software development and maintenance.
