
How UK Public Sector and Government Agencies Can Defend as One with Threat Intel Collaboration 

Dan Bridges

Technical Director, International, Cyware

A Fragmented Defence Can’t Stop Coordinated Threats 

The basis behind the UK’s “Defend as One” approach, part of the Government Cyber Security Strategy, is that the organisations essential to the stability of the government and public sector don’t stand a chance against today’s coordinated threats unless they stand together. 

Prior to the initiative, it was largely “every man for themselves” when it came to cybersecurity defence. This meant that government agencies, departments of water and power, and other critical infrastructure-connected entities (digital providers, manufacturers, etc.) were left to their own devices when it came to cybersecurity measures that would protect the public interest.

They had to find their own threat intelligence, staff the SOCs that could make it operational, eliminate swaths of redundant alerts, hunt down false positives, and ultimately find a way to respond to these threats in real time, whenever they had a minute to catch their breath.

Meanwhile, attackers are getting savvier at working together, improving the malicious workflow with more cybercrime-as-a-service offerings, AI-based exploits, and ever-more distributable attacks.  

In order to give the UK’s government and public sector a fighting chance, the Government Cyber Security Strategy (GSCC) decided to fight fire with fire, at least where team effort is concerned. According to the official ‘Defend as One’ website:  

“The scale and pace of the threat demands a more comprehensive and joined-up response. Government will therefore ‘defend as one’; harnessing the value of sharing cyber security data, expertise and capabilities across government to present a defensive force disproportionately more powerful than the sum of its parts.” 

While the answer could lie in many forms, this is not an issue about increased legislation, filling the cyber talent gap, or pushing for more funding, although all are necessary. It is about taking a look at the power of many. And that means levelling up necessary cyber defences for these UK public sector entities by encouraging them to work together. Or rather, to work together where it matters most: in collaborative threat intelligence. Without the full picture, organisations will be flying blind. By sharing cybersecurity resources and information, each one, from the smallest municipal water facility to the largest Parliamentary agency, will have defensive capabilities they never could have had on their own.

When looking at the situation from a 10,000-foot view, one thing is clear: only an ecosystem can be resilient.  

The Cybersecurity Realities for UK Public Sector Agencies 

Let’s look at the cybersecurity limitations, or simply realities, that these organisations face.  

Budget limitations, stemming from a lengthy and political legislative process, not only cut funding for vital cybersecurity solutions short but leave teams short-staffed. Under the slow process of government funding and approval, these entities struggle to plug personnel gaps, staff a fully operational SOC, and leverage the people power they need to fulfil vital cyber initiatives.  

Working alone, they are often isolated from larger threat intelligence networks available to big-scale public entities with beefy threat intelligence teams. Consequently, these front-line agencies – that protect everything from our transportation and power to our education and trade – go underserved in the cybersecurity department. 

The voter-dependent, public funding-based approach on which they run can also breed siloed cybersecurity operations and intelligence, born from piecemeal additions of security tools and processes. These teams move ahead as they can, but they often lack the resources to build the proper stack (or strategy) up-front, leaving gaps in coverage and operations.

According to the National Audit Office, a public spending watchdog, there were significant gaps in cyber resilience in an assessment of nearly 60 critical departmental IT systems, with multiple fundamental system controls at low levels of maturity across departments. From a 2024 ransomware attack on the NHS that postponed over 1700 procedures to a 2023 compromise of the British Library costing £600,000 in recovery to date, the UK’s essential and public services are clearly vulnerable to attack – and therefore targeted all the more.  

Attackers look for the low-hanging fruit, the weakest link, the ones that lack coordinated resources, or think it could never happen to them. Recognising this fact, the GSCC's mission to ‘Defend as One’ attempts to unify the strength of these disparate, victimised agencies and create a force that could defend against any sophisticated attack at scale.

Why Intelligence Sharing and Collaboration Are Mission-Critical 

Not only are collaboration and intelligence sharing a plus in today’s threat landscape, I would go so far as to call them an imperative. 

A. Day-to-Day (BAU) Operations: 

On a “business as usual” basis, early warnings and shared context from peers could level up the threat intelligence game of any small public enterprise. Multi-point threat information helps teams that are already short-staffed avoid doing the same work twice. Instead of duplicating analysis, they can build off each other's insights and save time. 

Additionally, this open-handed information sharing enhances community trust and increases the readiness of the whole group before crises hit.  

B. During Emergencies and Crises: 

Cross-organisational information sharing also offers real-time situational awareness across jurisdictions. This makes for a faster, more effective coordinated response. An information-sharing model supports mutual aid and cross-agency response models, because the security of one is really the security of the whole.

Remember, the experience attackers have with one member of the group can often set their expectation for the rest. In other words, if one rural power plant or Tribal authority was easy to compromise, chances are attacks on others in their ecosystem would shortly follow. 

C. Long-Term National Resilience: 

In many cases, the “whole” may mean an industry, sector, or group of corporations. With SLTTs, the whole often refers to whole cities, counties, or states at large. Because threat actors exploit the weakest link, sharing threat intelligence freely with those in the group raises the level of security for all, not only the next jurisdiction over, but the citizens that rely on those resources. 

Additionally, interconnected systems mean that local incidents have reverberating federal implications as well. A blow to a state-wide utility is a blow to national security, and a sign to the world – this population is vulnerable. UK public sector collaboration not only protects local municipalities from compliance harm and reputational damage, it bolsters national cybersecurity posture in a significant way.  

The Problem: Sharing Is Still Too Manual, Too Slow, and Too Siloed 

So, what’s to say beyond “UK critical sectors should share their information more often”? The answer is, it’s not so simple. 

Currently, these agencies share threat intelligence via emails, PDFs, or legacy portals. This is slow and siloed, and nowhere near what it needs to be to keep up with AI-based and emerging threats. Analysts waste days reformatting data this way, chasing context, verifying information, and doing manually what could be done by a machine.

This amounts to delayed incident response, missed threat indicators, and fragmented cyber defence in the real world. Even if they wanted to give information to other agencies, by the time they shared it, the threat would already be inside.  

The Solution: Real-Time Collaboration with Cyware Collaborate 

Thankfully, technology comes to the aid of State, Local, Tribal, and Territorial agencies as well as attackers. This is what the right technology - Cyware Collaborate - can do.  

What Is Cyware Collaborate? 

Cyware Collaborate is a purpose-built platform for real-time threat intelligence sharing and operational collaboration across government and public sector entities. It facilitates smooth, easy ingestion, analysis, processing, and, of course, sharing of information across agency and entity lines - while reducing the overall operational workload of each. 

Key capabilities include seamless ingestion of threat data from a myriad of external and internal sources, in both human-readable and machine-readable formats. It boosts situational awareness with automated alerts, distributes threat advisories from any source to any platform, creates working groups to facilitate investigative collaboration, and facilitates sharing at scale. 

Key Benefits to Public Sector Agencies 

This results in key benefits for UK public sector organisations, including the ability to: 

  • Instantly operationalise threat intelligence from peers, MS-ISACs, and government sources. 
  • Build a trust-based sharing community with control over what’s shared and with whom. 
  • Respond faster with shared context, playbooks, and coordination. 
  • Close the loop between intelligence and action. 

Conclusion 

The UK’s essential sectors and critical infrastructure can no longer afford to wait when it comes to threat intelligence information sharing. Global threat actors are incredibly organised and tactical in their approach, and faced with a disorganised defence, they are picking public sector entities off one by one.

These smaller organisations may not be able to wave a magic wand and improve in the ways they want to the most – funding, staffing, or legislation – but one thing they can do is put their heads together to experience the synergy of shared threat collaboration. When facing a fast-moving, sophisticated adversary, this is one area of cybersecurity where one and one make three. And nothing is more resilient than a hardened, unified ecosystem.  

To learn how Cyware’s solutions can better protect UK Government organisations from cyber threats, book a demo now.