The Joint Committee on the National Security Strategy has published a damning report on the UK’s critical national infrastructure, citing an absence of government leadership in the face of inevitable cyber attacks.
The report, published today, states that:
“The cyber threat to the UK’s critical national infrastructure (CNI) – 13 sectors including energy, health services, transport and water – is as credible, potentially devastating and immediate as any other threat faced by the UK.”
The CNI is a natural target for major cyber attacks due to its importance to daily life and the wider economy.
Despite this, the government is not acting with the urgency and forcefulness required, the report concludes.
As some states become more aggressive and non-state actors, such as organised crime groups, become much more capable, the range and number of potential attackers is growing.
The head of the National Cyber Security Centre, Ciaran Martin, has previously stated that a major cyber attack on the UK is a matter of ‘when, not if’, referencing the WannaCry attack of 2017 that wreaked havoc on the NHS.
Ministers have, in the past, expressed concern over cybersecurity risks and stated that more needs to be done to guard against attacks. The Government has also taken some important steps in the two years since the National Cyber Security Strategy was published, not least in setting up the National Cyber Security Centre.
However, the Centre’s current capacity is being outstripped by demand. Furthermore, an EU Directive tightening cybersecurity regulations has yet to be applied to all CNI sectors.
Chair of the Committee, Margaret Beckett MP, said:
“We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat.
“It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure.”
Margaret Beckett also stressed the need to create cultural change and build the cybersecurity skills base, in order to combat threats.
Revealing her frustration at how the UK has failed to address the serious security threats, she said:
“Too often in our past the UK has been ill-prepared to deal with emerging risks.
“The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”
Fast-changing threats and the rapid emergence of new vulnerabilities make it impossible to secure CNI networks and systems completely, so continually updated plans for improving CNI defences and reducing the potential impact of attacks must be the ‘new normal’, the report concludes.
Internet of Business says
The threat to the UK’s critical national infrastructure is growing and evolving. Some states are branching out from cyber-enabled espionage and theft of intellectual property to preparing for disruptive attacks, such as those which affected Ukraine’s energy grid in 2015 and 2016.
The 2017 WannaCry attack shows that cyber attacks need not target critical national infrastructure directly to have significant consequences. On top of this, some organised crime groups are becoming as capable as states, greatly increasing the number of potential attackers.
As the report reasons, the objective must be to make it as difficult and as costly as possible to succeed in attacking the UK’s critical national infrastructure – and to react to new threats as they emerge.
This won’t be possible unless the report’s principal concern – the lack of political leadership – is addressed. In a government fragmented by Brexit negotiations, vital issues such as cybersecurity are falling between the cracks.
The fact that the government is unwilling to disclose anything about the 2016 to 2021 National Cyber Security Programme, other than its £1.9 billion budget, is also concerning.
While some of its work will be secret by necessity, much of it isn’t, and a lack of transparency around how such a large sum is being spent only compounds growing cybersecurity concerns.
The government’s recent initiatives in the space have failed to go far enough. The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) launched a new Code of Practice for the manufacturers of Internet of Things devices just last month, with the aim of securing the consumer IoT, yet made its thirteen steps voluntary.
The government can be praised for its Secure by Design review, which was announced earlier this year and lays out plans to ensure that manufacturers embed security in the design process rather than bolt it on as an afterthought.
However, far more needs to be done to make robust, regularly evolving, cyber security the norm across critical national infrastructure.