The head of the National Cyber Security Centre (NCSC) has said that a major cyber attack on the United Kingdom is a matter of ‘when, not if’. The UK’s critical national infrastructure (CNI) is a natural target for such an attack because of its importance to daily life and the economy. However, public opinion as yet has only a limited appreciation of what could befall us as a result of cyber attacks, which present as credible, potentially devastating and immediate a threat as any other that we face.
The Government has explicitly acknowledged that it must do more to improve the cyber resilience of our critical national infrastructure, irrespective of whether it is owned or operated in the public or private sector. While we applaud the aspiration, it appears the Government is not delivering on it with a meaningful sense of purpose or urgency. Its efforts so far certainly fail to do justice to its own assessment that major cyber attacks on the UK and its interests are a top-tier threat to national security.
The threat to the UK and its critical national infrastructure is both growing and evolving. States such as Russia are branching out from cyber-enabled espionage and theft of intellectual property to preparing for disruptive attacks, such as those which affected Ukraine’s energy grid in 2015 and 2016. The 2017 WannaCry attack, which affected the NHS, also demonstrated that cyber attacks need not target critical national infrastructure deliberately to have significant consequences. In addition, some organised crime groups are becoming as capable as states, thereby increasing the number and range of potential attackers.
The objective must therefore be to make it as difficult and as costly as possible to succeed in attacking the UK’s critical national infrastructure—and to continue raising the bar as new threats emerge.
In the two years since the current National Cyber Security Strategy was published, the Government has taken some important steps. These include establishing a national technical authority on cyber security—the NCSC—and introducing more robust regulation for some, but not all, CNI sectors. That tightened regulatory regime was not the Government’s own initiative but instead flows from our acceptance of EU-wide regulations. Moreover, though a useful step forward, it will not be enough to achieve the required leap forward across the thirteen CNI sectors.
The Government must do much more to change the culture of CNI operators and their extended supply chains, ensuring that these issues are understood and addressed at board level and embedding the view that cyber risk is another business risk that must be proactively managed. This is also a lesson for the Government itself: cyber risk must be properly managed at the highest levels.
We also reported in July on the importance of addressing the shortage in specialist skills and deep expertise and urged the Government to prioritise delivering its cyber security skills strategy.
Getting ahead and staying ahead of the threat in these ways will require strong and sustained leadership. The NCSC is undoubtedly fulfilling its remit in providing technical leadership on cyber resilience, although we are concerned that expectations of the NCSC are outstripping the resources put at its disposal by the Government.
More significantly, identifiable political leadership is lacking. There is little evidence to suggest a ‘controlling mind’ at the centre of Government, driving change consistently across the many departments and CNI sectors involved. Unless this is addressed, the Government’s efforts will likely remain long on aspiration and short on delivery. We therefore urge the Government to appoint a single Cabinet Office Minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.
Published: 19 November 2018