A parliamentary committee has flashed the warning lights on the cyber threat to the UK’s critical national infrastructure (CNI).
The Joint Committee on National Security Strategy has published a report saying the threat is as immediate as any facing the country but the Government is not acting with the urgency the situation demands - especially in not making clear a senior minister should be in charge of the relevant plans.
The report calls for a Cabinet Office minister to be designated as cyber security lead who would assemble the necessary resources in public and private sectors in a war situation. He or she should be empowered to hold departmental ministers to account.
Chair of committee Margaret Beckett MP said: “We are struck by the absence of political leadership at the centre of Government in responding to this top tier national security threat.
“It is a matter of real urgency that the Government makes clear which Cabinet minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure.
“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors.”
Natural target
According to the Report on Cyber Security of the UK’s Critical National Infrastructure, the UK’s CNI is a natural target for a major cyber attack because of its importance to daily life and the economy. But it says the Government has not fully faced up to the nature of the threat, particularly the speed with which it is changing.
“Fast changing threats and the rapid emergence of new vulnerabilities make it impossible to secure CNI networks and systems completely,” the report says.
“Continually updated plans for improving CNI defences and reducing the potential impact of attacks must therefore be the ‘new normal’ if the Government and operators are to be agile in responding to this changing environment and in taking advantage of constant technological innovation.
“Building the resilience of CNI to cyber attacks in this way will make it harder for an attacker to achieve their objective - whoever that attacker may be, whatever their motive and however they choose to attack.”
Demand on NCSC
A major criticism is that, while the National Cyber Security Centre (NCSC) has been set up as a national technical authority on the issue, its current capacity is being outstripped by the demand for its services. Its effectiveness will be limited unless it has access to the experts it needs in the numbers it requires.
In response, the report says the Government should publish a plan for the institutional development of the NCSC over the next decade, taking account of anticipated technological progress and setting out the resources and range of skills and expertise that the NCSC is likely to need.
Another problem is that a tightened regulatory regime – notably with the Network and Information Systems Regulation – will not be enough to raise the level of cyber preparedness across all 13 CNI sectors.
This could be remedied partly by establishing a plan for the development of threat and intelligence led penetration tests and roll it out across all CNI sectors.
Interdependencies
Another recommendation is that the next National Cyber Security Strategy, due for publication in 2021, should be informed by a mapping of the key interdependencies between CNI sectors—and therefore of national level cyber risk to CNI—which the Government should complete as soon as possible and keep under continual review.
Its priorities should also take account of the CNI sectors’ respective maturity in terms of cyber resilience and the varying levels of Government influence over operators in each sector.
The report also calls for the Government to immediately commission research on why the market has failed to improve the resilience of the CNI, resume publishing annual reports of the National Cyber Security Programme.
Beckett added: “The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”
Image: The Scream by Edvard Munch, public domain