37.In the 2016 NCSS, the Government sets out a clear division of responsibility for ensuring the cyber resilience of CNI:
Many of those who provided evidence considered this a natural division of responsibility that also takes account of the importance of public-private partnerships in managing cyber risk, given that the majority of CNI is privately owned.
38.However, as we noted in Chapter 3, the 2016 NCSS explicitly acknowledges that the key assumption underpinning the 2011 Strategy—that the private sector, including CNI operators, would be incentivised by consumer demand and the potential costs of a successful cyber attack to protect its own systems—is fundamentally flawed. It explains:
the combination of market forces and government encouragement has not been sufficient in itself to secure our long-term interests in cyberspace at the pace required. Too many networks, including in critical sectors, are still insecure. The market is not valuing, and therefore not managing, cyber risk correctly.
The Government acknowledges that, as a result,
cyber risk is still not fully understood and managed across much of the CNI, even as the threat continues to diversify and increase.
39.This suggests that the Government must now do more to ensure that all CNI operators, and especially those that are privately-owned, “manage their cyber risk in the national interest”—that is, that they put national security interests before business interests where they do not align. As University of Oxford cyber security researcher Jamie Collier pointed out, this is particularly important given that the costs and consequences of a major cyber attack on CNI, such as a power grid outage, “would fall on citizens rather than the relevant private owners”.
40.The 2016 NCSS certainly sets the expectation that the Government will assume an “expanded role” in addressing this market failure and “driving change” across the economy. Yet despite describing it as a priority, the Government’s efforts specifically in relation to CNI in the two years since the Strategy was published appear to have been limited. The Government’s most significant achievements so far have been:
41.The Government’s own 2016 review of regulation and incentives relating to cyber security suggested that there is much more that it could be doing. Options range from softer measures such as facilitating information-sharing, to more robust regulation imposing legal obligations on CNI operators, to legislation establishing “an offence of gross neglect in regards to computer infrastructure, particularly as it relates to CNI”—an option suggested by Manchester Metropolitan University. Not all these measures would be suitable or effective immediately. Noting a potential for unintended consequences from Government interventions more generally, Pete Cooper suggested that pursuing “a mix of approaches is probably the most productive”.
42.But the Government will first need to understand why many private- and public-sector operators have so far failed to prioritise investment in cyber resilience if it is to identify effective incentives and interventions. Ciaran Martin told us that although work had begun on establishing where operators’ commercial interests align with national security interests, and what happens when they do not, there is “more work” to do. Only then will the Government be able to identify how best to drive up the resilience of CNI in all sectors, while also establishing the structures and culture that will encourage CNI operators to increase their resilience to changing threats and new vulnerabilities in the long term.
43.The Government’s current approach to improving the cyber resilience of the UK’s critical national infrastructure is long on aspiration but short on delivery. Establishing the National Cyber Security Centre as the national technical authority and introducing more robust regulation for some CNI sectors were both important steps. The latter was mandatory for the UK as an EU member state, however. It appears that the Government is reluctant to move more forcefully and, by default, continues to rely on market forces to improve operators’ cyber resilience, despite recognising the previous failure of this approach. Its efforts so far certainly fail to do justice to the status of major cyber attacks as a top-tier threat to national security or to the importance of CNI to the economy. Greater urgency is required if the UK is to ‘get ahead’ and ‘stay ahead’ of the cyber threats to its CNI.
44.As we concluded in relation to cyber security skills in our July Report, the Government must first understand the problem before it can address it. The Government should therefore immediately commission work to understand how and why the market has failed to deliver improved cyber resilience of CNI in both the public and private sectors. Only then will it be in a position to identify the targeted interventions and incentives—whether regulatory or otherwise—that will drive up cyber resilience of CNI, while also establishing the culture and practices necessary for continual improvement in the long term.
45.Under the Government’s previous policy of ‘light touch’ regulation, only a handful of CNI sectors had regulators with specific statutory powers to assure operators’ cyber resilience (see Box 1). This has resulted in what the Government described as a “mixed” regulatory landscape, with the civil nuclear and financial services sectors possessing strong regulatory frameworks and other sectors lacking “backstop powers to intervene” or “clear cyber security standards”, or both.
Box 1: Regulatory landscape before May 2018
Before the NIS Regulations came into force, regulation of CNI sectors could be broadly divided into economic regulators tasked with overseeing market competition issues (for example, the energy regulator Ofgem and the water regulator Ofwat) and regulators with statutory powers specifically to oversee safety and security practices (for example, the Office for Nuclear Regulation). Since 2011 Ofcom has acted as both an economic and security regulator, with telecommunications providers required under UK law to take measures to protect the security and resilience of their networks. The three financial services regulators—the Bank of England, Financial Conduct Authority and Prudential Regulation Authority—have collectively focused on ensuring the resilience of the financial system. As the security trade association ADS observes, the extent to which many of these regulators had a formal role in overseeing the cyber security arrangements of privatised industries was unclear. This was especially the case for the economic regulators whose responsibility for price controls involved assessing the funding that CNI operators needed to manage cyber risk, but did not give specific powers to intervene if those measures applied were not “appropriate” to the risk.
46.In February 2018 the Government told us that it was committed to ensuring that there are “effective regulatory frameworks” in place. In May 2018 the UK brought into force the EU-wide NIS Directive, through the Network and Information Systems Regulations 2018 (Box 2). According to the Government, the NIS Regulations will drive “a consistency of approach and [level] up standards by introducing requirements in an appropriate and proportionate manner”. David Lidington told us that the aim of the new regulatory framework is not to “impose penalties”, but to “drive change in behaviour and alertness among the operators”.
Box 2: The Network and Information Systems Regulations 2018
The purpose of the NIS Regulations is to improve the security of certain industry sectors that provide essential services, with an emphasis on ensuring continuity of service. They do so by, among other provisions:
The regulations apply to the drinking water, energy, health, transport and digital infrastructure (communications) sectors, as well as certain digital service providers that fall outside the UK Government’s definition of ‘critical national infrastructure’ (see Chapter 3 for a discussion of the definition of CNI). The banking and finance sector is exempt from the NIS Regulations, despite being designated in the EU Directive, because equivalent regulation already exists under other UK legislation. The regulations set a threshold—for example, the number of customers served—to specify which operators in each sector are considered “essential services” within the scope of the regulations. About 500 operators of essential services and 200 digital service providers in the UK are expected to fall within the scope of the NIS Regulations.
When implementing security measures, operators within the scope of the NIS Regulations are required to follow guidance issued by the relevant Competent Authority. The fourteen cyber security principles set by the NCSC on behalf of the Government have been adopted by many of the Competent Authorities as a basis for their regulatory approach.
The NIS Regulations also make it mandatory for operators to report incidents whose impact exceeds the threshold set by the relevant Competent Authority “without undue delay and in any event no later than 72 hours after the operator is aware that a NIS incident has occurred”.
Although the Government describes fines under the legislation as a “last resort”, organisations that fail to implement effective cyber security measures could be fined up to £17 million.
47.It is too early to assess the impact of the NIS Regulations, which have been in force for only six months. The Government’s own assessment is that it will take at least a couple of years for the Regulations to take full effect. Nevertheless, many of those who provided written evidence welcomed the introduction of tougher regulation in general, and of the NIS Regulations specifically, as a way of setting a higher benchmark for cyber risk management across some CNI sectors as well as digital service providers. In particular, the move away from prescriptive standards towards a focus on outcomes under the NIS Regulations was welcomed because:
48.However, some witnesses expressed concern that moving to stronger regulatory oversight risks jeopardising the necessary collaboration and information-sharing between operators, regulators and the Government, which were described as essential to sustaining resilience to fast-changing threats. Ofgem’s Jonathan Brearley argued that the NIS Regulations must therefore be implemented in a way that still encourages operators to be “very transparent about their problems”, by avoiding an overly punitive approach.
49.Witnesses also cited three significant factors that could diminish the impact of the NIS Regulations in setting a higher benchmark for cyber resilience:
i)several CNI sectors still do not have a regulator with statutory powers to assure operators’ cyber resilience. The Government has said it will introduce regulatory regimes for non-NIS sectors and that these sectors will benefit in the meantime from the standards and guidance being developed in support of the NIS Regulations. The failure to include these sectors in the initial implementation of the NIS Regulations is regrettable. In addition, witnesses believed that the current scope of the NIS Regulations does not adequately account for the interconnected nature of the UK economy and its CNI sectors, and suggested that the Regulations be extended to areas “below” CNI such as manufacturing;
ii)the regulatory landscape established under the NIS Regulations is still fragmented, and is complicated by the introduction of joint ‘Competent Authorities’. The creation of multiple, sector-specific Competent Authorities under the NIS Regulations reflects a pre-existing division of responsibilities, with lead Government departments (in Whitehall and in the Devolved Administrations) responsible for the operational resilience of CNI in their policy areas but working in collaboration with sector regulators and relevant technical authorities. While this regulatory structure allows for differentiation between sectors according to their needs, it also acts as a potential barrier to cross-sector benchmarking, collaboration and learning—and therefore to cross-sector coherence; and
iii)there is mixed capacity among regulators (Competent Authorities and non-NIS regulators) to provide assurance and support to CNI operators, with newly designated Competent Authorities now embarking on a “steep learning curve”. As our July Report on cyber security skills described, some have found it extremely difficult to recruit the expertise they now need. The stated intention of some regulators to rely on the NCSC for technical advice and support also raises important questions about the NCSC’s own capacity to provide such support alongside its many other duties (see Chapter 5).
50.Many of the regulators that provided evidence took the view that ensuring consistency, collaboration and learning between CNI sectors was their collective responsibility, via cross-sector forums such as the UK Regulators Network. Yet there is also a role for central Government in promoting consistency and facilitating the sharing of best practice across sectors, at least in the short term. The NCSC is convening workshops for Competent Authorities, in addition to providing common standards and guidance. The ONR suggested that this cross-sector activity might be extended to the active development of “joint approaches” to shared problems—a much more ambitious goal.
51.The Network and Information Systems Regulations offer a more robust regulatory framework for many CNI sectors, especially in making it mandatory for operators to report incidents where their impact exceeds a predetermined threshold. Although these regulations have only recently come into force, we expect them to set a higher benchmark for cyber risk management in those CNI sectors where they apply. They should also, we hope, foster a culture of proactive and continual risk management by CNI operators, moving away from a ‘tick-box compliance’ approach.
53.A key question is how best to assure operators’ management of cyber risk, especially in the absence of agreed metrics for cyber risk and resilience (see paragraph 29). Some witnesses highlighted the potential value of threat- and intelligence-led ‘penetration testing’ as a technical assurance tool for regulators. While some CNI operators may conduct their own penetration testing—with such services available on a commercial basis—the scheme piloted by the financial services sector (called ‘CBEST’) is regulator-led and sector-wide. The advantages of this type of regulator-led scheme are:
54.Confidence in the potential of this assurance mechanism is high: the Government is actively leading the roll-out of the scheme to two other CNI sectors, and organisations such as the industry accreditation body CREST urged its further extension across all CNI sectors. Some other countries are reportedly adopting similar schemes as part of their own regulatory efforts.
55.However, such tests inevitably provide only a snapshot of an operator’s resilience at a particular moment in time, against a particular set of threats. In addition, penetration testing undertaken in the UK is limited to “legal and ethical means” of attack, potentially limiting the authenticity—and therefore the usefulness—of the simulation and its outcomes. For example, the Computer Misuse Act 1990 requires explicit authorisation from the operator and all those suppliers whose services may be touched upon during the simulation, while there are both legal and ethical barriers to targeting employees’ private lives as a means of breaching the operator’s outer perimeter. Those conducting real cyber attacks would obviously not face such constraints. And the evidence further suggests that there are a number of obstacles to a swift roll-out of penetration testing across CNI sectors:
These are all issues which the Government should consider as it seeks to extend regulatory penetration testing across CNI sectors and, crucially, to develop an understanding of the true resilience of the UK’s CNI, which is currently lacking. CREST has suggested that the Government create a strategy and detailed implementation plan for doing so.
56.Threat- and intelligence-led penetration testing shows promise as a mechanism for providing technical assurance of CNI operators’ cyber risk management—all the more important in the absence of agreed metrics for cyber risk and resilience. However, such testing should be used in combination with other methods of regulatory assurance because it only provides a snapshot of operational resilience at a particular moment in time against a particular set of threats.
57.The Government should establish a plan (a) for the development of threat- and intelligence-led penetration testing and its roll-out across all CNI sectors that takes account of the mixed maturity of the sectors in terms of their cyber resilience; (b) for the development of the test methodology; and (c) for developing the cyber security industry’s capacity to deliver such advanced and accredited testing at scale. It should address the last point in its forthcoming cyber security skills strategy which, as we urged in our July Report, should be published as a matter of priority.
58.The Government has said that the NIS Regulations will continue to apply after the UK’s exit from the EU. The July 2018 White Paper, The Future Relationship between the United Kingdom and the European Union, also states the Government’s intention to continue participating in the EU-wide NIS Coordination Group and network of CSIRTs (Box 2)—the formal mechanisms that facilitate the sharing of information about threats and good practice, as well as cooperation on enforcement action and incident response, between EU Member States. Because cyber threats do not stop at national borders, it is also important that the UK continues to support policy development and capacity-building across the EU through the various NIS Coordination Group workstreams and cross-EU exercises.
59.However, whether and how the Government intends to take account of changes made to the NIS regime by the EU after the Brexit transition period ends is unclear. Furthermore, the extent of, and mechanism for, UK participation in EU-wide groups will ultimately be determined by the negotiations on the future UK–EU partnership. In his oral evidence in June 2018, David Lidington declined to comment on future cooperation with the EU in relation to CNI specifically. On the issue of wider security cooperation, he said the Government hopes to overcome “doctrinal issues with the EU institutions”, adding that “otherwise, it amounts to a deliberate decision by the EU negotiators to put EU citizens at greater risk than they are at the moment”. There is no evidence yet to suggest this impasse has been resolved.
60.The NIS Regulations will continue to apply in the UK following Brexit. However, the mechanism for UK participation in EU-wide information-sharing and capacity-building is still subject to negotiation. Given that cyber threats do not stop at national borders, the Government should prioritise maintaining access to the EU’s NIS Coordination Group and its workstreams to facilitate continued information-sharing and collaboration with EU Member States.
61.Using regulation to set a stronger framework within which CNI operators must act is only one of the interventions available to the Government. We heard that improving the culture of CNI operators and other relevant organisations is just as important, because this creates an environment in which “improvements are proactively implemented in anticipation of developments and new threats, rather than as a reaction to events”. In this regard, witnesses emphasised the fundamental importance of improving day-to-day cyber ‘hygiene’, which our July Report on cyber security skills identified as a “universal responsibility for all employees”. Lyndon Nelson from the Prudential Regulation Authority (PRA) told us, for example, that passwords “are the source of many vulnerabilities”, while others referred to the need for regular incident response and resilience exercises, cloud storage policies to ensure the safe custody of data, and regular staff training to raise awareness, among other basic steps.
62.Witnesses also raised a number of other non-regulatory interventions aimed at effecting cultural change across CNI sectors and their extended supply chains. Although many of these were discounted by the Government in its December 2016 review of regulation and incentives in relation to cyber security, the rest of this chapter explores those we consider to have the greatest potential in driving cultural change.
63.Supply chains are not formally regarded as part of the UK’s CNI, but they are nevertheless integral to their operation. In some cases, third-party companies directly supply a fundamental element of ‘critical’ services: railway services would not run in the UK without those external suppliers that provide the signalling equipment for Network Rail, for instance. Attackers are also increasingly exploiting supply chain vulnerabilities in order to gain access to CNI operators’ networks and systems—a development highlighted in the NCSC’s latest Annual Review—looking for any points of weakness in their networks. In July, for example, the United States’ Department for Homeland Security reported that a Russian state-sponsored group had breached the “control rooms” of US electricity companies by first penetrating the networks of vendors. In addition, the public disclosure of the ‘Meltdown’ and ‘Spectre’ security flaws affecting Intel, ARM and AMD computer chips in January demonstrates the potentially pervasive impact of hardware supply chain vulnerabilities.
64.Witnesses described non-contractual and contractual steps that CNI operators can—and in some cases already do—take to manage the risk with their immediate suppliers. These include:
The NIS Regulations also set an expectation that CNI operators in the five NIS sectors will ensure that “appropriate measures are employed where third party services are used”. These include “contractual agreements” and specified “security properties” for products and services on which “the essential service depends”. The Government, meanwhile, is stepping up the cyber security requirements for its direct suppliers, having announced in June that it will write minimum standards into its contracts and create the equivalent to a ‘credit rating’ for each of its prime suppliers.
65.However, Peter Gibbons of Network Rail told us that the principal challenge in managing what are often long and complex chains is not the operators’ direct suppliers, but their suppliers in turn. To meet this challenge, some CNI operators, including the Government, make it the contractual responsibility of the prime contractor to manage and assure risks in its own supply chain. National Grid is more prescriptive in its approach, requiring businesses down its supply chain to undergo the same certification processes as its direct suppliers. TechUK and security trade association ADS both highlight the defence sector’s use of cyber risk profiles and associated measures to ensure suppliers are managing risk, wherever they sit in the chain.
66.We heard that CNI operators face other, more complex difficulties in managing supply chains risks which would benefit from greater intervention by the Government:
i)it is difficult to mandate and enforce minimum security standards for those products (hardware, software or services) that are bought ‘off the shelf’, especially where these are procured from major international companies. Consequently, witnesses suggested that the Government should use its “buying power” and diplomatic presence in multinational forums such as the G7 to influence international providers, and potentially establish an NCSC-accredited ‘kitemark’ for trusted suppliers; and
ii)the widespread use of certain data service providers, software packages, computer processors and hardware creates “single points of failure” that could affect operators simultaneously across CNI sectors. Sean Kanuck, from IISS, argued that the Government should proactively identify these potential points of failure and prepare mitigation and contingency plans.
We explored in our inquiry, and also in our October 2018 evidence session on the National Security and Investment white paper, the role of the Huawei Cyber Security Evaluation Centre Oversight Board in assessing the security of that company’s hardware in UK security-sensitive communications networks. The Government should set out in its response to this Report its assessment of how, and how effectively, the Huawei Cyber Security Evaluation Centre Oversight Board provides additional assurance in relation to the UK’s cyber security.
67.The Government places responsibility for managing cyber risk to private-sector CNI operators firmly on the companies’ boards. Yet according to techUK—and, indeed, the Government’s own assessment—”Cyber risk within CNI is still not fully understood or managed, despite the threat evolving and increasing.” As with any other business risk, company boards are expected to show leadership in assessing and managing cyber risk, which often involves making “difficult trade-offs in efficiency, convenience, and other areas related to performance.” It is therefore the duty of all board members to “get a little bit more technical”—as Ciaran Martin recently put it—by educating themselves about “the basics … of cyber attacks, cyber risks and cyber defences”.
68.There are additional steps that would enable better-informed decision-making and establish a stronger sense of accountability at board level. The NCSC recently published “five questions for boards to get on their agenda” as a starting point for internal conversations, with a view to publishing a more comprehensive “toolkit” for boards later in 2018. While this will no doubt aid those boards that choose to use it, the Government also previously considered—but discounted—making it mandatory for all companies (not just private-sector CNI operators) to identify a board member with specific responsibility for, and expertise in, cyber security. Such a step would ensure that boards have relevant expertise and a clear point of accountability for cyber resilience, covering both technical matters such as defences and cultural aspects such as staff behaviour.
69.A further option would be to mandate corporate reporting on cyber resilience for private-sector CNI operators, which would incentivise boards to focus on understanding and managing cyber risk. This would fit with the spirit of forthcoming reforms to the Companies Act 2006, due to take effect from January 2019. According to an October 2018 PwC report, companies are reluctant to “report insightfully” on cyber security due to concerns that this could increase their vulnerability to attack and potentially leave them open to increased legal or regulatory scrutiny. However, the reporting of non-sensitive information—such as how much time the board has spent discussing cyber resilience, the frequency of third-party testing and incident response exercises, and the number of incidents suffered in a reporting year and the lessons learned—would provide an indication of a board’s understanding of operational cyber risk and the extent of its risk mitigation activities. It would also help company shareholders and investors to play what Ciaran Martin recently described as a “stronger role in asking the tough questions” of boards about cyber risk management.
70.During our inquiry, we explored whether and how cyber insurance, covering both IT- and OT-related losses, might be beneficial in relation to CNI. According to the Association of British Insurers (ABI), levels of cyber insurance coverage in the UK and EU countries are low by comparison to the US market, which in 2016 accounted for approximately 85% of standalone global cyber insurance premiums. However, the UK market is expected to grow in the coming years, in part due to mandatory data breach reporting under the General Data Protection Regulation (GDPR), and partly in response to the increasing costs of business disruption caused by malware and ransomware attacks.
71.Witnesses offered mixed views on the utility of cyber insurance for CNI. Ofcom’s Steve Unger said that he would prefer CNI operators to take “direct responsibly” for cyber resilience, retaining a sense of their own accountability rather than ‘outsourcing’ it. The ONR further cautioned that cyber insurance should not be seen as a substitute for regulation, given that the former protects the financial interests of the insured, while regulation acts to protect the public interest. However, other witnesses, including the PRA’s Lyndon Nelson, were more positive. One key reason is the potential for cyber insurance to drive cultural change and improve baseline cyber resilience. This might be achieved, for example, through the application process, by ensuring companies regularly assess their cyber risk, or by insurers offering reduced premiums for compliance with basic standards, preferably aligned with regulatory requirements. Another reason is the specialist technical and communications support that insurance companies might offer their customers in responding to a successful cyber attack, with a view to reducing its impact and future vulnerability.
72.We heard that the cyber insurance industry will need to undergo significant development if it is to fulfil its potential, especially in relation to CNI. The most fundamental issue is how to quantify “dynamic” cyber risk accurately and calculate premiums accordingly. There are two principal challenges:
i)the ABI and Lloyd’s of London highlighted the lack of historical data which is conventionally used to guide assessments of current and future risk. Lloyd’s of London stated that cyber risk poses a “unique challenge” and that “actuarial methods based on history are inappropriate”. Consequently, it is seeking to develop new ways of assessing cyber risk; and
ii)according to the Cambridge Centre for Risk Studies, “it is challenging for insurers to fully understand the Operations Technology risks of complex engineering systems and thus harder for them confidently to insure this domain.” This in turn has implications for the insurers’ willingness to offer cyber insurance for CNI. In large part this is due to their responsibility to regulators to manage aggregation risk—that is, the possibility that many different types of policies will be triggered by the same incident (cyber and property policies, for example) or that the widespread use of the same technology or system by CNI operators (as in the case of WannaCry) will lead to multiple pay-outs.
As such, trade body Water UK summed up the views of many witnesses when it said that the water industry is maintaining “a watching brief” as the cyber insurance industry continues to mature.
73.A more holistic and effective approach to strengthening the cyber resilience of CNI requires changing the culture of CNI operators and their extended supply chains. Embedding the view that cyber risk is another business risk, which must be proactively managed, will be central to this process. It is especially important for those private-sector operators whose commercial interests may not always align with the demands of national security.
74.The Government should give urgent consideration to non-regulatory incentives and interventions that have the potential to drive cultural change across CNI sectors, establishing an environment in which continual improvement is encouraged. The issues it should consider include:
94 Lead Government departments are required to publish sector resilience plans for their respective sectors. HM Government, National Cyber Security Strategy 2016–2021, November 2016, paras 5.4.7–5.4.8; Cabinet Office, National Security Secretariat () para 35; [David Lidington MP]
95 Palo Alto Networks () para 31.1.1; CrowdStrike () para 6; The International Institute for Strategic Studies () para 6; BT Group () para 7.1; Aerospace, Defence, Security & Space () para 1.10; Nokia () para 6.1
97 Cabinet Office, National Security Secretariat () para 37
98 Jamie Collier () paras 2.1–2.2; Cabinet Office, National Security Secretariat () para 14; techUK () para 27. Some witnesses suggest it is unrealistic or even “irresponsible” of the Government to expect privately-owned companies to privilege national security over their commercial obligations to shareholders. They also pointed to the traditional role of the state in defending the country against other state actors. Manchester Metropolitan University () para 5.4; Dr Martyn Thomas () para 6.1; Glasswall Solutions Limited () paras 5.1–5.2
99 Jamie Collier () para 2.2
101 Cabinet Office, National Security Secretariat () para 33
102 Manchester Metropolitan University observes that there was “so much promise of action [under the 2016 NCSS], with so little eventual substance”. Manchester Metropolitan University () para 4.1
104 Cabinet Office, National Security Secretariat () para 36
105 [Lyndon Nelson, Paul Smith]; Manchester Metropolitan University () para 4.6; Jamie Collier () paras 3.3, 7; Palo Alto Networks () para 12; Chatham House () paras 2.1, 2.3; techUK () paras 36–39; Aerospace, Defence, Security & Space () paras 1.11–1.12; Nokia () para 5.2
106 There are four main services that at a high level involve: spotting website weaknesses; blocking access to malicious sites; taking down malicious content; and blocking fake emails. BT Group described the ACD programme as a “major learning point” addressed in the 2016 NCSS. BT Group () para 4.1; NCSC, Active Cyber Defence: one year on, 5 February 2018; NCSC, “”, October 2018, p. 14.
107 The NCSC’s 2018 Annual Review provides data for progress made under the ACD initiative so far in, for example, reducing the UK’s share of identified global phishing attacks from 5.3% (June 2016) to 2.4% (June 2018) and reducing the availability time for sites spoofing Government brands from 42 hours (2016) to 10 hours (2018). The review also shows an increase in the number of public-sector organisations using the service over the last year. NCSC, “”, October 2018, p. 15
108 The NCSC has no enforcement powers to require operators to take specific cyber security actions.
109 The NCSC Annual Review states: “We pilot our ACD tools with the public sector first and, where relevant, demonstrate the benefits to other sectors. This year, we are working with a range of companies and departments to understand how we can help different sectors. We are also encouraging a range of technology providers to offer similar services to their customers”. NCSC, , October 2018, p. 15
110 BT Group () para 4.1; [Peter Gibbons, Rob Shaw]
111 Water UK suggested that the Government could to more to offer more protective controls as a service, , Water UK () para 18
112 Directive (EU) of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (); Network and Information Systems Regulations 2018 ()
115 Manchester Metropolitan University () para 5.6
116 Pete Cooper () para 13
117 Witnesses cited the 2017 WannaCry attack as evidence that it is not just private-sector operators that face difficult decisions in trying to balance business needs with investment in cyber resilience, even though the public sector has no commercial obligations. [Rob Shaw]; Jamie Collier () para 3.2
118 [Ciaran Martin]
119 Cyber security researchers Jamie Collier and Pete Cooper both argue that organisations’ failure to invest sufficiently in cyber resilience in the years up to 2016 proves that this “hands-off approach” to regulation failed. Jamie Collier () para 3; Pete Cooper () para 12
120 Cabinet Office, National Security Secretariat () para 39
121 Cabinet Office, National Security Secretariat () para 38
122 The EU-wide General Data Protection Regulation (GDPR) also came into force in the UK in May 2018, under the Data Protection Act 2018. It is designed to modernise laws that protect the personal information of individuals. GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. This therefore includes UK CNI operators. Information Commissioner’s Office, Guide to the General Data Protection Regulation, 22 March 2018
123 Network and Information Systems Regulations 2018 ()
124 Cabinet Office, National Security Secretariat () para 41
125 [David Lidington]
126 The Government has advised Competent Authorities to take a “cautious approach to enforcement” in the first year while the designated operators of essential services adjust to the new expectations and the NCSC is still developing the Cyber Assessment Framework (‘Indicators of Good Practice’) which will likely inform many Competent Authorities’ early approach to the implementation of the NIS Regulations. The Government is also required to publish a review of the regulations by 9 May 2020, two years after they first came into force. Department for Digital, Culture, Media and Sport (DCMS), Security of Network and Information Systems: Guidance for Competent Authorities, April 2018, p. 23; [David Lidington MP]; Network and Information Systems Regulations 2018, Regulation 25.
127 NCC Group () para 220.127.116.11; Nettitude () para 21; techUK () para 46; Aerospace, Defence, Security & Space () para 1.15
128 Pete Cooper () para 12; Red Hat Inc () para 5; Corero () para 11; [Jonathan Brearley]
129 [Jonathan Brearley]; NCC Group () para 18.104.22.168; techUK () para 9; Pete Cooper () Executive Summary, para 12; Aerospace, Defence, Security & Space () para 1.15; UKCloud Ltd () para 3.3; Office for Nuclear Regulation () para 13
130 The United States’ 2018 National Cyber Strategy also states that it will work with the private sector to implement a “risk-management approach”. White House, National Cyber Strategy, September 2018, p. 8
132 The International Institute for Strategic Studies () para 6. They are also the hallmarks of the more mature regulatory approaches taken by the financial services and civil nuclear sectors. [Ciaran Martin]; Office for Nuclear Regulation () paras 5–6, 15
133 [Jonathan Brearley] The Government also states that collaboration between regulators and industry must continue. Cabinet Office, National Security Secretariat () para 13
134 In addition to the five CNI sectors covered by NIS (see Box 2), the financial services and civil nuclear sectors are covered by equivalent or better regulatory frameworks established under pre-existing legislation. Cabinet Office, National Security Secretariat () para 39
This leaves the chemicals, defence, emergency services, food, government and space sectors out of scope.
135 Cabinet Office, National Security Secretariat () paras 41–42
136 Professor Chris Johnson, writing on behalf of the UK Computing Research Committee, noted that the compromise of regional airports—which are currently excluded from the NIS Regulations—would have a knock-on impact on “core” infrastructure. UK Computing Research Committee, UKCRC () para 6
137 NCC Group () para 22.214.171.124; techUK () para 1.15; Aerospace, Defence, Security & Space () para 1.1.8
138 [Rob Shaw]. Ofcom’s Steve Unger argued that: “Clearly, different approaches have been taken in different sectors, but the most important thing is that in any given sector it is clear who is responsible.” [Steve Unger]
139 These joint Competent Authorities are often between a lead Government department and an existing regulator. The list of Competent Authorities is set out in Schedule 1 of the Network and Information Systems Regulations 2018 ().
140 Cabinet Office, National Security Secretariat () para 28; [Jonathan Brearley]
141 NCC Group () para 126.96.36.199; Nettitude () para 15; Jamie Collier () para 6; Pete Cooper () para 14
142 Dr Martyn Thomas () para 5.2; UK Computing Research Committee, UKCRC () para 17; Palo Alto Networks () paras 16–17, 27; techUK () para 50
143 The UK has established eleven Competent Authorities, based on a sector-by-sector approach. Competent Authorities have powers to issue information notices, carry out inspections, issue enforcement notices and issue penalty notices. The intention is that Competent Authorities will not only enforce the NIS Regulations, but will also be able to assist operators in understanding threats and risks to their respective operations and establish a system-wide view of threats and risks. DCMS, Security of Network and Information Systems: Guidance for Competent Authorities, April 2018; [Jonathan Brearley, Lyndon Nelson]
144 Water UK () para 8
145 For example, Ofgem’s role was previously limited to enforcing economic regulation in the energy sector but it is now assuming regulatory responsibility for the sector’s cyber resilience, albeit jointly with the Department for Business, Energy and Industrial Strategy. [Jonathan Brearley]
Ofcom is also assuming additional regulatory responsibility for cyber risk management in the telecommunications sector under the NIS Regulations. [Steve Unger]
146 Joint Committee on the National Security Strategy, Second Report of 2017–19, Cyber Security Skills and the UK’s Critical National Infrastructure, HL Paper 172, HC 706, paras 11, 15; [Jonathan Brearley, Steve Unger]. This is due in part to the highly competitive salaries offered by elements of the private sector. [Dr Alastair MacWillson]
147 [Jonathan Brearley]; Palo Alto Networks () paras 17, 26
The UK Computing Research Committee observes that the NCSC itself “lacks the human resources required to fully support all government departments and regulatory organizations involved in CNI”. UK Computing Research Committee, UKCRC () paras 10–11
148 [Jonathan Brearley, Steve Unger]; Financial Conduct Authority () para 10.2. Paul Smith, representing the water trade body Water UK, was also of this view. [Paul Smith]; Water UK () paras 13–14
In the 2018 Budget the Government stated that the UK Regulators Network will publish a plan in spring 2019 outlining how it will improve collaboration between regulators. HM Treasury, Budget 2018, HC 1629, 29 October 2018, para 4.31
149 Pete Cooper () para 14; Red Hat Inc () para 30
150 Cabinet Office, National Security Secretariat () para 36; Office for Nuclear Regulation () para 33
151 For example, identifying critical digital assets in complex industrial control systems. Office for Nuclear Regulation () para 33
152 Penetration testing is the process of running an authorised, controlled test on an organisation to identify vulnerabilities that an attacker could exploit. Advanced penetration testing also considers organisational factors such as personnel, physical access and incident response plans. CREST ()
153 Nettitude () para 22; NCC Group () paras 188.8.131.52–184.108.40.206; CREST () para 3; [Lyndon Nelson, Steve Unger]; Bank of England, Speech: Managing cyber risk—the global banking perspective, 10 June 2014, accessed 7 November 2018
154 [Steve Unger]; [Lyndon Nelson]. Steve Unger told us that the TBEST pilots have involved creating “mitigation programmes” to address vulnerabilities identified during penetration testing. The programmes are implemented by operators and overseen by regulators.
155 NCC Group () paras 220.127.116.11–18.104.22.168; [Lyndon Nelson]
156 [Lyndon Nelson]; Bank of England, Speech: Managing cyber risk—the global banking perspective, 10 June 2014, accessed 7 November 2018
157 These sectors are communications and government, and the schemes are known as ‘TBEST’ and ‘GBEST’, respectively. Discussion is also reportedly under way about extending the scheme to a fourth sector: civil nuclear. Cabinet Office, , accessed 24 October 2018; NCC Group () para 2.3.3; Nettitude () para 22; [Steve Unger]
158 CREST () para 9. NCC Group and Nettitude both echo this call. NCC Group () para 22.214.171.124; Nettitude () para 22
It should be noted that NCC Group and Nettitude are accredited providers of CBEST testing services; CREST played a key role in the design of CBEST alongside the Bank of England.
159 CREST () para 3; [Lyndon Nelson]
160 Dr Martyn Thomas also pointed to the coding errors, and therefore vulnerabilities, that remain in products and devices that have passed thorough testing processes. He therefore concluded: “In the light of the demonstrated ineffectiveness of testing in finding the majority of errors, the fact that a system has passed penetration testing should therefore provide little confidence that it is secure against cyberattack.” Dr Martyn Thomas () paras 3.5–3.6
161 The PRA’s Lyndon Nelson said that the restrictions to “legal and ethical means” most greatly affected the first part of penetration testing, which is an attempt to penetrate the “external barrier”, to see if an attacker could gain access to the operator’s systems and networks. It has fewer implications for the second part of the testing process, which is to explore what an attacker could achieve once the external barrier has been penetrated. ()
NCC Group explained further that the Computer Misuse Act 1990 “deems a person guilty of an offence if they knowingly cause a computer to perform any function with intent to secure unauthorised access to any programme or data held”. It consequently called for changes to the Act to facilitate more effective penetration testing. NCC Group () para 126.96.36.199
162 [Lyndon Nelson]. Even the most advanced, CBEST, has completed only one round of testing for 34 top-priority organisations.
163 [Lyndon Nelson]
164 This is especially the case for those newly designated Competent Authorities under the NIS Regulations. Water UK’s Paul Smith told us that all relevant organisations within the water sector will be expected to undergo penetration testing. However, Ofgem’s Jonathan Brearley said that Ofgem is “still scoping up our standard-setting role” and that it would consider penetration testing during this process. [Paul Smith]; [Jonathan Brearley]
165 [Lyndon Nelson]; CREST () paras 7, 11
166 CREST () para 9
167 DCMS, Security of Network and Information Systems: Guidance for Competent Authorities, April 2018, section 5.2
168 HM Government, The Future Relationship between the United Kingdom and the European Union, , para 103; Directive (EU) of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (); DCMS, Security of Network and Information Systems: Guidance for Competent Authorities, April 2018, section 4.7
169 NCSC, , October 2018, pp. 18, 30
170 HM Government, National Cyber Security Strategy 2016–2021, November 2016; Cabinet Office, National Security Secretariat () paras 52–54. See also NCC Group () paras 2.1.5, 2.3.5; The International Institute for Strategic Studies () para 8; Red Hat Inc () para 14
171 This is particularly important if the Government is to reduce the burden of compliance on multinational operators working in other EU member states. ISACA () para 2.1; Aerospace, Defence, Security & Space () para 1.18
172 DCMS, Security of Network and Information Systems: Guidance for Competent Authorities, April 2018, section 5.2; NCC Group () para 2.3.6
174 We also heard concerns about the impact of Brexit on other aspects of the UK’s collaboration with EU partners on cyber security—for example, through the European Union Agency for Network and Information Security (ENISA). techUK () paras 41–43; ISACA () para 2.2. Witnesses also raised concerns about the impact of Brexit on the UK’s access to skills, with some questioning whether immigration policy after Brexit would continue to allow specialist skills to be recruited from the EU and beyond at a time when the cyber security skills shortfall in the UK is “peaking”. ISACA () para 188.8.131.52; techUK () para 62; Nokia () para 7.3; [Ruth Davis]
175 Office for Nuclear Regulation () para 41. Although the civil nuclear sector is considered to have one of the more mature approaches to sector-wide management of cyber risk, due to longstanding legislation focused on ensuring the safety and security of civil nuclear power, the ONR nevertheless said that “there is still a distance to travel” in this regard.
176 Joint Committee on the National Security Strategy, Second Report of 2017–19, Cyber Security Skills and the UK’s Critical National Infrastructure, HL Paper 172, HC 706, para 7
177 [Lyndon Nelson]. See also NCC Group () para 2.1.4; Chatham House () para 4.4
178 The evidence suggests a number of other basic steps and fundamental good practices that all CNI sectors should be implementing. These include: compliance with basic standards such as Cyber Essentials or ISO 27001; active participation by operators in the Government’s Cyber Security Information Sharing Platform (CiSP); sector-wide workshops convened by lead Government departments or regulators to facilitate information-sharing and lesson learning; and staff vetting, as well as phishing trials to raise staff awareness. ; [Phil Sheppard]; ; ; [Jonathan Brearley, Paul Smith]; [Ruth Davis]; ; Chatham House () para 4.1; Red Hat Inc () paras 23, 30; UKCloud Ltd (); Office for Nuclear Regulation () para 15; Financial Conduct Authority () para 8.2
180 Network Rail, , accessed 28 October 2018. Network Rail is the designated operator of essential services under the NIS Regulations, even though it outsources much of the operation of the UK railway services.
181 The NCSC highlighted the issue of supply chain security in its 2018 Annual Review, stating that it had become “acutely conscious of the role the supply chain plays in leaving organisations vulnerable to compromise”. NCSC, , October 2018, p. 11
182 Nettitude () para 10; techUK () para 21; The International Institute for Strategic Studies () para 8; Nokia () para 6.2
183 “Russian hackers reach U.S. utility control rooms, Homeland Security officials say”, The Wall Street Journal, 23 July 2018
184 “Spectre and Meltdown processor security flaws—explained”, The Guardian, 4 January 2018; The International Institute for Strategic Studies () para 8
185 Steve Unger and Jonathan Brearley, from Ofcom and Ofgem respectively, told us that it is incumbent on CNI operators to examine their supply chains, undertake an appropriate risk assessment and implement controls accordingly. This is the criteria against which regulators make their own assessment of operators’ risk management. [Steve Unger, Jonathan Brearley]
187 NCSC, , accessed 18 September 2018; British Standards Institution () para 6
188 NCSC, , accessed 28 October 2018
189 “Government mandates new cyber security standards for suppliers”, Cabinet Office press release, 26 September 2014; GOV.UK, June 2018, p. 2; Minimum Cyber Security Standards [David Lidington MP]; Jamie Collier () para 2.1
190 [Peter Gibbons]; techUK () para 21
191 [David Lidington MP]; [Rob Shaw]
192 [Rob Shaw, Phil Sheppard]
193 Requiring suppliers at each level of the CNI supply chain to undergo such certification also represents an opportunity to increase the uptake of Cyber Essentials—and therefore to raise the cyber security baseline—across the wider economy. The NCSC’s 2017 Annual Review reports that only 7,900 Cyber Essential certificates have been issued since 2014. NCSC, “”, October 2017, p. 36. Rowland Johnson, Chief Executive of the cyber security company Nettitude, attributes this slow uptake to its optional nature. Nettitude () para 5
194 The programme is called the Defence Cyber Protection Programme. It was established jointly by the Ministry of Defence and the defence industry in 2013. Its security standards are now based on Cyber Essentials and Cyber Essentials Plus. techUK () para 21; Aerospace, Defence, Security & Space () para 1.7. It should be noted that both techUK and ADS are directly involved in the DCPP.
195 The International Institute for Strategic Studies () para 8; UK Computing Research Committee, UKCRC () para 7. As Peter Gibbons stated, “We would not sit down with Microsoft and tell it what our security policies were and what it had to write into its operating systems.” [Peter Gibbons]
196 [Lyndon Nelson]
197 UK Computing Research Committee, UKCRC () para 7; The International Institute for Strategic Studies () para 8; Nettitude () para 12; [Peter Gibbons]. However, the assurance provided by a kitemark may be limited by the rapid evolution of threats and attackers’ capabilities as time passes. The Government has said it is considering several options for introducing a voluntary labelling scheme (kitemark) for consumer Internet of Things devices to “to aid consumer-purchasing decisions and to facilitate consumer trust in manufacturers”, further details are expected in spring 2019. DCMS, “”, 14 October 2018, accessed 1 November 2018
198 The International Institute for Strategic Studies () paras 7–8; UK Computing Research Committee, UKCRC () para 7
199 The International Institute for Strategic Studies () paras 7–8
200 [Peter Gibbons]; [Steve Unger]; oral evidence taken on 15 October 2018, HC (2017–19) 1634
201 Cabinet Office, National Security Secretariat () para 35. Board responsibility is not limited to private-sector CNI operators. Each of the Trusts and Foundations Trusts that make up the NHS is also managed by a board, for example.
203 In our July 2018 Report Cyber Security Skills and the UK’s Critical National Infrastructure, we observed that it is not only deep technical expertise on cyber security that is in short supply, but also “the moderately specialist skills and knowledge required by all those whose jobs have now assumed an important cyber security element—for example … board-level directors who need to understand the cyber risk to business operations”. Joint Committee on the National Security Strategy, Second Report of 2017–19, Cyber Security Skills and the UK’s Critical National Infrastructure, HL Paper 172, HC 706, paras 7, 15
204 NCSC, , 12 September 2018; Office for Nuclear Regulation () para 13
205 CrowdStrike () para 5
206 NCSC, , 12 September 2018
207 [Steve Unger]
208 NCSC, , 12 September 2018
210 [Lyndon Nelson]
211 This function might best be performed by a Non-Executive (rather than an Executive) Director, in view of the natural tensions between the commercial interests of private-sector CNI operators and the ‘public good’ and national security requirements of their operations. Dr Martyn Thomas () paras 6.1–6.2
212 The Financial Reporting Council, which regulates auditors, accountants and actuaries in the UK, has called for improved corporate reporting on cyber security by all companies. Financial Reporting Council, Annual Review of Corporate Reporting 2015/2016, October 2016, p. 32
213 The principal reform is to reporting on compliance with Section 172 of Companies Act 2006. According to the Institute of Directors, under the reforms all large private companies and unlisted plcs must explain in their strategic report—and publish on a website—how the directors have had regard to the matters set out in Section 172 of the Companies Act 2006. Institute of Directors, , 23 July 2018
214 Dr Richard Horne, Transparency in the digital age: companies should talk about their cyber security, PwC, October 2018. Dr Horne provided oral evidence to our predecessor Committee’s inquiry, in March 2017.
215 Dr Richard Horne, Transparency in the digital age: companies should talk about their cyber security, PwC, October 2018
216 , The Times, 10 April 2018
217 In its 2016 review of regulation and incentives in relation to cyber security, the Government discounted setting requirements for the public reporting of cyber risk—for example, in annual reports—in the short term at least. The review concludes that “Including information on cyber risk in annual reports is unlikely to be an effective or popular way of encouraging large-scale change in cyber risk management”. It did, however, commit to provide guidance to businesses about the type of information on cyber risk that should be included in annual reports and investor reports “in the long term”. HM Government, Cyber Security Regulation and Incentives Review, December 2016, pp. 20–21
218 Cambridge Centre for Risk Studies () para 11
219 In its December 2016 review of cyber security regulation and incentives, the Government declined to set the requirement for cyber insurance despite supporting its uptake. HM Government, Cyber Security Regulation and Incentives Review, December 2016, p. 22
220 ABI () para 1
221 Fines issued under GDPR are capped at €20 million or 4 percent of global turnover, whichever is greater.
222 ABI () paras 1–3; Cambridge Centre for Risk Studies () para 13
223 For example, it is estimated that business disruption caused by the June 2017 NotPetya cyber attack cost the global shipping container company Maersk $250–300 million. Andy Greenberg, “The untold story of NotPetya, the most devastating cyberattack in history”, Wired, 22 August 2018
224 [Steve Unger]
225 Office for Nuclear Regulation () para 30
226 [Lyndon Nelson]
227 ABI () para 10; Financial Conduct Authority () paras 9.1–9.2; Lloyd’s () paras 4–5; Cambridge Centre for Risk Studies () paras 15, 18; Office for Nuclear Regulation () para 28
228 [Lyndon Nelson]; Financial Conduct Authority () para 9.1; Lloyd’s () para 6
229 [Paul Smith]; Financial Conduct Authority () para 9.2
230 Cambridge Centre for Risk Studies () para 18
231 Other issues cited included the frequent misalignment between policy application questionnaires and established cyber security industry standards, and the lack of clarity about how insurers judge whether a company has been “unlucky or negligent” in the event of a successful cyber attack—and therefore whether to pay out on a policy. Cambridge Centre for Risk Studies () para 16; HM Government, Cyber Security Regulation and Incentives Review, December 2016, p. 22
232 ABI () paras 12–14; Lloyd’s () para 3
233 Lloyd’s () para 3
234 Cambridge Centre for Risk Studies () para 11
235 ABI () para 5; Cambridge Centre for Risk Studies () para 14. A scenario modelled by the Cambridge Centre for Risk Studies on behalf of Lloyd’s, in which the US power grid was subject to cyber attack, estimated a global economic loss of $1 trillion, with a global insurance industry loss of $71 billion in the worst case. Lloyd’s, Business Blackout: The insurance implications of a cyber attack on the US power grid, May 2015
236 Water UK () para 16
Published: 19 November 2018