MPs and Peers on the Joint Committee on the National Security Strategy have today published a report on the UK’s critical national infrastructure, in which they call out the government for its lack of clear political leadership in dealing with the threat.
The Committee has urged that the government appoint a single Cabinet Office Minister who is charged with delivering “improved cyber resilience” across the UK’s critical national infrastructure (CNI).
It has been two years since the government’s National Cyber Security Strategy was published, and since then the government has taken some steps to counter the growing international threat. For example, it has established a national technical authority on cyber security - the National Cyber Security Centre (NCSC) - and has introduced some new regulation.
It was also announced last summer that the Department for Digital, Culture, Media and Sport would invest £20 million in a cyber security programme to train almost 6,000 teenagers, in an attempt to help combat an anticipated shortfall in cyber skills.
Furthermore, the NCSC has released a report outlining the number of significant cyber attacks that have challenged the government in recent years - including the hugely disruptive WannaCry incident, which impacted huge swathes of the NHS.
However, given that the head of the NCSC has said that a major cyber attack on the UK is a matter of ‘when, not if’, the Joint Committee feels that more can be done.
Chair of the Committee, Margaret Beckett MP, said:
“We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat.
“It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure.
“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors.
“My Committee recently reported on the importance of also building the cyber security skills base.
“Too often in our past the UK has been ill-prepared to deal with emerging risks.
“The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”
The Committee’s report explains that the UK’s CNI is a natural target for a major cyber attack because of its “importance to daily life and the economy”. However, it notes that public opinion has only a limited appreciation of what could befall the country as a result of cyber attacks, which present as “credible, potentially devastating and immediate a threat as any other that we face”.
And, as noted above, whilst the government has explicitly acknowledged that it must do more to improve cyber resilience, according to the Committee, it is “not delivering on it with a meaningful sense of purpose or urgency”.
The report adds that the threat to the UK is both growing and evolving, with countries such as Russia branching out from cyber-enabled espionage to preparing for disruptive attacks. It cites the example of the attack that disrupted Ukraine’s energy grid in 2015 and 2016.
However, state attacks are not the only threat. The report adds:
“In addition, some organised crime groups are becoming as capable as states, thereby increasing the number and range of potential attackers.”
As a result, the aim the UK government should be working towards is to make it as “difficult and costly as possible” to succeed in attacking the UK’s CNI.
The Committee adds that the government must work with CNI operators to better understand the threat levels and how protections can be introduced. It adds:
“The Government must do much more to change the culture of CNI operators and their extended supply chains, ensuring that these issues are understood and addressed at board level and embedding the view that cyber risk is another business risk that must be proactively managed. This is also a lesson for the Government itself: cyber risk must be properly managed at the highest levels.”