Government cannot do cyber alone, the Government minister Pat McFadden told day one of the CyberUK official conference, in Manchester. “You have to have good partnerships between the public and private sector,” he said, recalling the CrowdStrike incident of July 2024.
He said: “We worked closely with one of the sponsors of this conference, CrowdStrike, to manage the fallout of that. That wasn’t a cyber attack but it did cause ripples right across the country and the world. Flights grounded. Hospital appointments disrupted. Holidays cancelled. GP services cut off.”
He said that cyber is not just about vulnerability and risk; ‘it’s about economic growth too’.
He told the event at the Manchester Central conference centre that later this year, Labour will publish a new National Cyber Strategy, ‘that will set out how we want to approach these challenges and opportunities’; and has launched a Software Security Code of Practice, ‘to help all organisations take the measures they need to embed security and resilience’.
He described cyber attacks as a constant challenge. “I can’t stand here this morning and tell you that Government systems are bombproof. That is not the case.”
He mentioned the publishing of an intelligence assessment by NCSC ‘that shows AI is going to increase not only the frequency, but the intensity, of cyber attacks’. For more, visit the NCSC website.
McFadden described state-backed cyber hacking as’ the new normal’. He said: “Hostile states constantly working to degrade our military advantage. With cyber criminals who will routinely sell their services to other states. These cyber mercenaries can cause huge harm.”
He concluded: “Cyber attacks and cyber hacking are likely to be permanent features of this new global order – there is no point in pretending otherwise. But the opportunities are also huge, and I believe that this country, in its position of creativity and innovation, will be at the vanguard of cyberspace and cybersecurity for decades to come.”
For McFadden’s speech in full visit the Cabinet Office website. Among the event speakers from the NCSC are Richard Horne, CEO; for his speech, visit the NCSC website.
Assessment
In brief, the NCSC assessment is that ‘AI will almost certainly continue to make elements of cyber intrusion operations more effective and efficient, leading to an increase in frequency and intensity of cyber threats’.
Comments
Sabeen Malik, VP global government affairs & public policy at Rapid7, said: “It’s good to see the UK Government acknowledge the importance of public-private cooperation at CyberUK today. Effective cyber policy has to involve those with frontline expertise and experience. After all, when coming up with effective policy, it’s better to gain a consensus before amplifying the results.
“The private sector’s technical capabilities and situational awareness have to be combined with the government’s broader strategic view of national and international threats to combat cybercrime. For this to be truly effective, governments must go beyond self-attested best practices. Governments need to design partnerships that actively analyse the data gathered to identify which behaviours and deterrents actually work within the UK’s unique risk environment.
This means moving to concrete, evidence-based action. It also requires a willingness to revisit existing regulations and assess whether they are helping to reduce risk, or simply adding complexity without addressing core vulnerabilities.
A more dynamic and data-driven exchange between sectors is key to strengthening the UK’s cyber resilience. This will result in both public institutions and businesses being better equipped to defend against evolving threats.”
James Neilson, SVP International at OPSWAT, described the UK’s new Software Security Code of Practice as a clear call to developers and DevSecOps professionals to sharpen their focus on ‘security by design’ through secure design, build, testing, and deployment. He said: “By enabling deep content inspection, malware analysis, and automated Software Bill of Materials (SBOM) validation, software builders can assess third-party components, secure build environments, and detect vulnerabilities before deployment.
“Software developers often use third-party components, including open-source software, to speed up development and add features. However, these may contain known or newly discovered vulnerabilities, or even ones introduced maliciously. By securing their software supply chains — scanning for hidden threats, validating SBOMs, securing build environments, and ensuring that what is delivered is exactly what was intended — vendors can build greater resilience and trust into their software.
“This new code is a welcome move. It isn’t just a checklist — it’s a call to get serious about end-to-end security. A software supply chain is only as strong as its weakest link.”
