1Introduction
1.Since 2010 the Government has categorised major cyber attacks on the UK and its interests as a top-tier threat to national security. This means that such an attack is highly likely and/or would also have a high impact.1 The impact of technology, and especially of cyber threats, was identified as one of the four “particular challenges … likely to drive UK security priorities for the coming decade” in the 2015 National Security Strategy and Strategic Defence and Security Review 2015 (2015 NSS & SDSR).2 Its importance was reaffirmed by the Government’s National Security Capability Review in March 2018.3
2.The past year has seen cyber attacks on the health, telecommunications, energy and government sectors in the UK.4 And although the UK has yet to suffer the most severe form of cyber attack—which the Government defines as an attack leading to the sustained loss of essential services, severe economic or social consequences, or a loss of life5—the head of the National Cyber Security Centre (NCSC), Ciaran Martin, has said this is a matter of ‘when’, not ‘if’.6 The May 2017 WannaCry attack, which affected NHS services for several days, should serve as a stark warning of the implications of such an attack for national security.
3.There are also important implications for the UK’s future prosperity—one of the three strategic objectives of the 2015 NSS & SDSR.7 The effects of a major cyber attack on a just-in-time economy should not be underestimated.8 Furthermore, the UK’s ability to reap many of the economic benefits of future technology such as internet-connected devices (the ‘Internet of Things’), automation and robotics will depend on robust cyber security—and, as importantly, public confidence in that cyber security.
4.Given the Government’s emphasis on cyber threats in the 2015 NSS & SDSR, as well as the string of high-profile cyber attacks in 2016 and 2017, we decided to launch an inquiry into the cyber security of critical national infrastructure (CNI) as our first inquiry of the 2017 Parliament.9 The Government has identified thirteen national infrastructure sectors that are essential to the functioning of daily life: chemicals; civil nuclear; communications; defence; emergency services; energy; finance; food; government; health; space; transport; and water.10 We set out to examine:
- the types and sources of cyber threats to CNI in the UK;
- the extent to which the Government’s definition of ‘critical national infrastructure’ is still valid in an interconnected economy;
- learning points drawn from the 2011 Cyber Security Strategy and the fitness for purpose of the 2016 Cyber Security Strategy in relation to CNI;
- the effectiveness of the strategic lead provided by the National Security Council, Government departments and agencies, and the NCSC, and the coherence of cross-government activity;
- the effectiveness of the Government’s relationships with private-sector operators and regulators in protecting CNI from cyber attack;
- the balance of responsibilities between the Government and private-sector operators in protecting CNI against cyber attack;
- the consistency of approach in the UK to legislation, regulation and standards governing each CNI sector and cyber security;
- the availability of skills and expertise to the relevant Government departments and agencies, to regulators, and to private-sector operators of CNI; and
- the extent to which the UK’s approach to the cyber security of CNI draws on or represents international best practice.
We published these terms of reference and a call for evidence for our inquiry in December 2017.11 Reflecting the weight of the evidence we received, our inquiry has focused primarily on issues relating to continuity of critical services, rather than the cyber-enabled theft of personal data or threats to democratic processes (which have been addressed by other Committees),12 although we recognise their significance. We also acknowledge the Government’s work to develop ‘cyber weapons’ under the National Offensive Cyber Programme but this was not an area covered by our inquiry.13
5.In February 2018 we held a private roundtable discussion on the cyber security of CNI, facilitated by techUK and attended by representatives of its member organisations.14 We took oral evidence in public from UK CNI operators (from representatives of the energy, transport and health sectors) as well as CNI-sector regulators and a trade body (representatives of the financial services, energy and communications sectors and the water sector, respectively). Our third evidence session focused on the shortage of essential cyber security skills.15 In June 2018 we took oral evidence from the Chancellor of the Duchy of Lancaster, Rt Hon David Lidington MP—the Cabinet Office Minister responsible for the delivery of the National Cyber Security Strategy 2016–2021 (2016 NCSS)—and Ciaran Martin, Chief Executive Officer of the NCSC. These two witnesses also gave us a private briefing after their evidence session.
6.This Report is the second of our inquiry. In July we published Cyber Security Skills and the UK’s Critical National Infrastructure, in which we concluded that
there are not enough people in the UK who both possess [the required] specialisms and are also willing and able to work in the CNI sector.16
Immediate and longer-term solutions must be found to this challenge. We are not reassured in this regard by the Government’s response to our Report on cyber security skills. Although positive in tone, it does not commit the Government to sufficient concrete action in the short term, with most of the initiatives referred to seemingly set to bear fruit towards the end of the next decade.17 Without a concerted, wide-ranging and creative effort to close the skills gap, this shortage in specialist skills and deep technical expertise will severely hinder the Government and the private sector in improving the UK’s CNI resilience to cyber threats at the pace required. The findings set out in this Report on the cyber security of CNI should be seen in that light.
7.We are grateful to all those who have provided written and oral evidence to our inquiry and to that of our predecessor Committee. We also thank our Specialist Adviser for the inquiry, Ewan Lawson, and our standing Specialist Advisers, Professor Malcolm Chalmers, Professor Michael Clarke and Professor Sir Hew Strachan, for their input.18
1 HM Government, Fact Sheet 2: National Security Risk Assessment, October 2010, accessed 1 November 2018; HM Government, National Security Strategy and Strategic Defence and Security Review 2015, Cm 9161, November 2015, Annex A
2 HM Government, National Security Strategy and Strategic Defence and Security Review 2015, Cm 9161, November 2015, para 3.3
3 The National Security Capability Review identified two additional ‘particular challenges’, making the impact of technology, including cyber threats, one of six. HM Government, National Security Capability Review, March 2018, p. 5, para 2
5 National Cyber Security Centre (NCSC), “Annual Review 2018”, October 2018, p. 23
6 “Major cyber-attack on UK a matter of ‘when, not if’ – security chief”, The Guardian, 23 January 2018
7 HM Government, National Security Strategy and Strategic Defence and Security Review 2015, Cm 9161, November 2015
9 Our predecessor Committee launched an inquiry entitled “Cyber Security: UK National Security in a Digital World” in January 2017. The Committee took written evidence and held one oral evidence session before the June 2017 general election was called and Parliament was dissolved.
10 According to the Government’s Centre for the Protection of National Infrastructure (CPNI), not everything within a national infrastructure sector is judged to be “critical”. The Government’s official definition of CNI is:
“Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in:
a) Major detrimental impact on the availability, integrity or delivery of essential services—including those services whose integrity, if compromised, could result in significant loss of life or casualties—taking into account significant economic or social impacts; and/or
b) Significant impact on national security, national defence, or the functioning of the state.”
See CPNI, “Critical National Infrastructure”, accessed 28 June 2018
11 The inquiry terms of reference and call for evidence can be found on the Joint Committee on the National Security Strategy website.
12 House of Commons Digital, Culture, Media and Sport Committee, Fifth Report of Session 2017–19, Disinformation and ‘fake news’: Interim Report, HC 363; House of Commons Science and Technology Committee, Fourth Report of Session 2017–19, Algorithms in decision-making, HC 351; House of Lords European Union Committee, Third Report of Session 2017–19, Brexit: the EU data protection package, HL Paper 7; House of Commons Exiting the European Union Committee, Seventh Report of Session 2017–19, The progress of the UK’s negotiations on EU withdrawal: Data, HC 1317
13 HM Government, National Cyber Security Strategy 2016–2021, November 2016, para 6.5; “UK becomes first state to admit to offensive cyber attack capability”, Financial Times, 29 September 2013; Intelligence and Security Committee of Parliament, Annual Report 2016–2017, HC 655, Section 6; HM Government, Budget 2018, HC 1629, para 5.26 and Table 2.1
14 These organisations were Arqiva, CGI, Palo Alto Networks and Splunk.
15 Many of those CNI operators and regulators that provided evidence said that a shortage of skills is one of the greatest challenges they face in relation to cyber security. Q20 [Rob Shaw]; Q27; Q29; Q39 [Rob Crook, Dr Alastair MacWillson]; techUK (CNI0015) para 4; BT Group (CNI0018) para 8.1; Nokia (CNI0022) para 7.1
16 Joint Committee on the National Security Strategy, Second Report of 2017–19, Cyber Security Skills and the UK’s Critical National Infrastructure, HL Paper 172, HC 706, para 15
17 Joint Committee on the National Security Strategy, Second Special Report of 2017–19, Cyber Security Skills and the UK’s Critical National infrastructure: Government Response to the Committee’s Second Report of Session 2017–19, HL Paper 198, HC 1658
18 Ewan Lawson declared the following interests relating to this inquiry on 26 February 2018: Senior Research Fellow, Royal United Services Institute; Senior Teaching Fellow, Centre for International Studies and Diplomacy, SOAS, University of London; member of and unpaid adviser to Scottish National Party. Professor Malcolm Chalmers declared the following interests relating to this inquiry on 18 December 2017: Deputy Director-General, Royal United Services Institute. Professor Michael Clarke and Professor Sir Hew Strachan declared no interests relating to this inquiry. The full declarations of interests by Ewan Lawson, Professor Malcolm Chalmers, Professor Michael Clarke and Professor Sir Hew Strachan are available in the Committee’s Formal Minutes 2017–19.
Published: 19 November 2018