20. The Government’s approach to cyber security, writ large, is framed by the 2016 NCSS, which was published in November 2016. It explicitly recognises that the “market based approach” to cyber security under the earlier 2011 strategy had not achieved “the scale and pace of change required to stay ahead of the fast moving threat”. As such, it acknowledges the need for the Government to “intervene more directly”, “by bringing its influence and resources to bear to address cyber threats”. It states:
The UK Government, in partnership with the Devolved Administrations of Scotland, Wales and Northern Ireland, will work with the private and public sectors to ensure that individuals, businesses and organisations adopt the behaviours required to stay safe on the Internet. We will have measures in place to intervene (where necessary and within the scope of our powers) to drive improvements that are in the national interest, particularly in relation to the cyber security of our critical national infrastructure.
21. Many of those who submitted written evidence to our inquiry and that of our predecessor Committee welcomed the step change in Government approach in the 2016 NCSS, with some describing the strategy—and the activity it underpins—as world-leading. This appears to be borne out by the notable level of international interest in the UK’s approach to cyber security, which is reported in the NCSC’s 2018 Annual Review; the NCSC’s CEO Ciaran Martin refers directly to other countries’ “admiration” for it. However, there appears to be little beyond anecdotal evidence that the UK is at the forefront of international efforts on cyber security. As we observed in relation to cyber security skills, a more methodical, rigorous comparison with allies and adversaries alike would be beneficial to the UK in benchmarking and continually improving its own approach.
22. The 2016 NCSS does not address what the Government’s priorities are in protecting the UK’s CNI from cyber attack. Indeed, the strategy adds “priority sectors” to the established list of thirteen sectors, citing “other companies and organisations, beyond the CNI, that require a greater level of support.” This is in contrast to the approach taken in the US Government’s September 2018 National Cyber Strategy, which identifies seven “key areas” from within its list of sixteen ‘critical infrastructure sectors’.
23. The principal purpose of defining ‘critical’ infrastructure should be to enable the Government and industry to prioritise their efforts, focusing their attention on those assets whose failure or impairment would have the greatest impact on the UK’s national security and its economy. However, with every CNI sector now “systemically connected”, more government and business processes being automated, internet-connected devices proliferating under the Internet of Things, and even entire cities designed to be ‘smart’, it is more difficult than ever to determine where truly ‘critical’ infrastructure ends and where the ‘wider economy’ begins.
24. BT Group observed that “the Government’s definition of Critical National Infrastructure (CNI) is too wide … and therefore no longer helpful in terms of identifying the key parts of UK infrastructure that need enhanced protection.” ISACA, a professional association for IT governance, suggested the Government adopt a tiered approach to CNI sectors, with some tiers treated as ‘firsts among equals’. The NCSC reports that it has been working with lead Government departments to map “critical systems” across CNI sectors to better understand their “interconnectedness” and, therefore, improve their resilience. This should, as the NCSC Annual Review notes, help establish priorities for Government intervention based on an “overarching view” of CNI. Such work is highly important, given the potential impact and risk of “cascading” failures between interconnected sectors, which we heard are not yet well understood.
25. The 2016 NCSS also does not differentiate between the varying complexity of the CNI sectors in terms of the number and type of organisations that fall within the threshold for ‘critical’ infrastructure. In some sectors, such as defence, government and water, a relatively small number of organisations are responsible for ‘critical’ assets. In these sectors there are only a few institutions for the Government to work with and, in the case of defence and government, it has a high degree of control or influence over them. By contrast, ‘critical’ assets in finance, food and transport are more varied, with key organisations covering only a small part of the sectors involved. In such sectors, governmental action must necessarily be more indirect, with fewer bodies closely connected to the Government and with corporate activity inherently more market-led and less institutionalised. This variation in complexity across the CNI spectrum affects how sectors engage with cyber security and act to improve resilience. It will consequently have an important bearing on how the Government should prioritise its efforts and assess the results.
26. ‘Critical’ national infrastructure is, by definition, a priority for the Government and industry. However, as the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical. The 2016 National Cyber Security Strategy provides few clues as to how the Government is managing this issue or how it is prioritising its efforts between CNI sectors. It also fails to acknowledge the varying complexity of the CNI sectors and the bearing this should have on the Government’s approach. Asserting that the UK is at the forefront of international efforts on cyber security is not sufficient.
27. The next National Cyber Security Strategy, due for publication in 2021, should be informed by a mapping of the key interdependencies between CNI sectors—and therefore of national-level cyber risk to CNI—which the Government should complete as soon as possible and keep under continual review. The priorities identified in the next Strategy should also take account of the CNI sectors’ respective maturity in terms of cyber resilience and the varying levels of Government influence over operators in each sector.
28. Most of those who submitted written evidence were positive about the ambition encapsulated in the 2016 NCSS. However, Dr Martyn Thomas of Gresham College criticised it for lacking a “credible roadmap” with specified “key milestones”, describing it as “a set of tactics rather than a strategy”. This appears to us to be a fair description of the section in the Strategy on CNI, which lacks:
As such, it is difficult to tell from the 2016 NCSS precisely what the Government wants to achieve in relation to CNI, over what timeframe or how it intends to assess progress along the way. It is also difficult to tell on what basis, therefore, the Government keeps its “strategic objectives and the balance of investment and activity from HMG under continual review”.
29. This lack of detail may be explained in part by a lack of agreed understanding on how best to describe or quantify risk and mitigation in relation to cyber security. The civil nuclear regulator, the Office for Nuclear Regulation (ONR), highlighted the need for “A simple commonly accepted basis for expressing exposure to cyber security risk across the critical national infrastructure”, which would enable effective comparison between CNI sectors and a more consistent approach by the Government, operators and regulators. Yorkshire Cyber Security Cluster stated that research into appropriate and useful metrics “must be encouraged as a matter of urgency”. When we asked the Government how it was measuring progress against the 2016 NCSS objectives, Ciaran Martin told us that
cybersecurity, despite its grounding in modern technology, has been the subject of relatively small amounts of performance data internationally, so we are seeking to develop those performance measures.
He pointed to the information included in the NCSC’s latest Annual Review and in the February 2018 annual report on Active Cyber Defence (ACD) as a way in which the Government is “seeking to move the debate on”.
30. The main vehicle for implementing the 2016 NCSS is the 2016–2021 National Cyber Security Programme (NCSP), a five-year programme of cross-government activity which includes initiatives to build the cyber security of CNI. Its budget of £1.9 billion over five years is more than double that of the first NCSP (2011–2016), which stood at £860 million—a significant uplift which was described by techUK as an indicator of “how seriously the Government is taking cyber security”.
31. The total budget is the only information about the 2016–2021 NCSP consistently published by the Government. This is in stark contrast to the Government’s previous practice of publishing Annual Reports on the delivery of the 2011 NCSS, which—although high-level in nature—included progress updates on key objectives and a breakdown of expenditure by types of activity, such as “National Sovereign capability to detect and defend high end threats” and “Education and skills”. While the NCSC’s Annual Reviews provide some information about NCSP expenditure—not least because the NCSC is itself partly funded under the NCSP—these documents provide only a snapshot of activity across Government. Many departments and agencies receive NCSP funding, but this is not readily identifiable in their own Annual Reports and Accounts.
32. When we put this lack of transparency to David Lidington, he told us that
while there would certainly be some elements of that £1.9 billion that, while important, might not merit the highest degree of classification, the more information we give which allows both criminals and hostile state actors to subtract from the £1.9 billion and work out what we might be spending elsewhere and what that sum might be buying us, the more the risk increases.
33. We accept that the sensitivity of some NCSP activity means that particular elements cannot be publicly disclosed. However, the Government’s unwillingness to publish even basic information about the NCSP hinders external scrutiny of the effectiveness and value for money of the 2016 NCSS and the NCSP. It also has the practical effect of making it difficult for the private sector to understand the Government’s priorities, despite the essential nature of this partnership to building CNI resilience to cyber attack.
34. The 2016 National Cyber Security Strategy states that ensuring the resilience of the UK’s critical national infrastructure to cyber attack is a priority for the Government. But the Strategy does not set out (a) what specifically the Government wants to achieve; (b) over what timeframe; or (c) how it intends to measure progress. We are therefore concerned that despite the designation of major cyber attacks as a top-tier threat to UK national security, the Government does not have clearly defined objectives for the five-year period covered by the Strategy nor a structured plan for delivering them. This echoes our findings specifically in relation to cyber security skills, which we set out in our July Report.
35. The Government is unwilling to publish any information about the 2016–2021 National Cyber Security Programme other than its total budget of £1.9 billion. While we accept that some elements of the NCSP are security-sensitive and therefore should not be made public, such lack of transparency about such large sums of public money is of serious concern. It is also a backwards step, given that the previous Government published Annual Reports and high-level budget breakdowns by activity for the earlier 2011–2016 NCSP.
36. The Government should resume publishing Annual Reports for the National Cyber Security Programme to improve transparency and aid external scrutiny. These should set out progress made, the challenges faced, and a breakdown of the budget by type of activity and by department or agency; it would also present a regular opportunity to review and adjust plans in response to changing threats, vulnerabilities and technological innovation (as we concluded in paragraph 19). Given the relatively large sum of public money and the many departments and agencies involved, the Government should also support a programme-wide audit of the NCSP by the National Audit Office to provide public and Parliamentary assurance.
62 techUK (), paras 3, 4.1; Nokia () para 5.1; Aerospace, Defence, Security and Space () paras 1.10–1.11; Palo Alto () para 5; UK Computing Research Committee, UKCRC () para 8; Glasswall Solutions Limited () para 4.1; The International Institute for Strategic Studies () paras 4, 8–9; Altran UK () para 6; Chatham House () para 5.4; Red Hat Inc () para 13; ISACA () para 2.2; BT () paras 4.1–4.2; PA Consulting () para 6. By contrast, Manchester Metropolitan University stated that the 2016 NCSS “should be looking to make the United Kingdom a world-leader in cybersecurity rather than proclaiming it has already achieved this.” Manchester Metropolitan University () para 4.1
63 NCSC, , October 2018, pp. 11, 17
64 Joint Committee on the National Security Strategy, Second Report of 2017–19, Cyber Security Skills and the UK’s Critical National Infrastructure, HL Paper 172, HC 706, para 13
65 Dr Martyn Thomas () para 9.1; Glasswall Solutions Limited () paras 9.1–9.3; The International Institute for Strategic Studies () para 8; Red Hat Inc () para 16; Corero () paras 12–13
The Government states that it “frequently draws upon the approaches and expertise of other countries in its cyber security work”, citing various visits to US institutions as examples. Cabinet Office, National Security Secretariat () para 51
66 This “premium group” includes the UK’s “most successful companies”, with an emphasis on research and development and intellectual property, “data holders” such as charities, which hold data on “vulnerable citizens”; “high-threat targets”, such as media organisations, with an emphasis on preventing damage to the UK’s reputation and public confidence in the Government; digital service providers that underpin the economy; and organisations with influence over the entire economy, such as insurers, investors, regulators and professional advisors. HM Government, National Cyber Security Strategy 2016–2021, November 2016, para 5.4.1
67 These areas are: national security; energy and power; banking and finance; health and safety; communications; information technology; and transportation. White House, National Cyber Strategy, September 2018, pp. 8–9. The full list of sixteen ‘critical infrastructure sectors’ is available at Department for Homeland Security, , accessed 30 October 2018
68 Nettitude () paras 9–10; Pete Cooper () para 1; Nokia () para 3.2
69 This might include, for example, electoral registration processes and the Universal Credit system. [Ciaran Martin]; NCC Group () para 126.96.36.199
70 The International Institute for Strategic Studies () para 5; Nettitude () para 9
71 [Ciaran Martin]; Nokia () para 3.3; Department for International Trade, , 28 March 2018, accessed 30 October 2018
72 BT Group () para 3.1
73 ISACA () para 1.4
74 NCSC, , 16 October 2018, p. 30.
75 Pete Cooper () paras 1–2; The International Institute for Strategic Studies () paras 4–5; Nokia () paras 3.1–3.2
76 Although the Government defines thirteen broad infrastructure sectors as ‘critical’, not all operators within these sectors are designated as CNI. Each sector has its own threshold for determining what is, and is not, a critical asset and therefore should be treated as such. For the energy sector, for example, it is any energy supplier that has more than 250,000 customers. For the financial services sector, it is the large banks, the payment systems and the Bank of England (which is also a payment system). [Jonathan Brearley, Lyndon Nelson]
77 Dr Martyn Thomas () paras 3.1–3.2
78 The section on CNI is included in the “Defend” section of the 2016 NCSS. The other two main sections are “Deter” and “Develop”. There is also a fourth element focused on international engagement. Cabinet Office, National Security Secretariat () para 12
80 Cabinet Office, National Security Secretariat () para 17
81 The Office for Nuclear Regulation (ONR) states that the reasons for this are “allied to many of the issues associated with cyber risk in general: the complexity and interconnected nature of modern digital systems, the range and diversity of adversary capabilities and motives, and the continual pace of developments.” Office for Nuclear Regulation () paras 7, 40
82 Yorkshire Cyber Security Cluster () para 3.4
83 [Ciaran Martin]
84 [Ciaran Martin]. See paragraph 40 for further information on Active Cyber Defence.
85 Cabinet Office, National Security Secretariat () para 24
86 Cabinet Office, National Security Secretariat () para 13; Cabinet Office, , April 2016, p. 5
87 techUK () para 32
88 See, for example, Cabinet Office, , April 2016. The breakdown of funding by type of activity under the NCSP is available in Annex A.
89 [Ciaran Martin]; NCSC, , October 2017; NCSC, , October 2018
90 [David Lidington MP]
91 In September 2016 the National Audit Office reported on the activities of the NCSC and the NCSP in relation to the Government’s protection of data. National Audit Office, Session 2016–17, Protecting information across government, HC 625
92 techUK () para 5.5; Information Assurance Advisory Council () paras 2(a)(vii), 8
93 In written evidence to the inquiry, the Cabinet Office stated: “Effective protection of CNI from cyber attack is a priority for Government and must be a partnership between Government, regulators and private-sector operators.” Cabinet Office, National Security Secretariat () para 27
Published: 19 November 2018