Cyber Security of the UK's Critical National Infrastructure

5 Leadership within Government

Political leadership: driving change across Government and CNI sectors

75. There is no single Minister with responsibility for the cyber resilience of CNI, or for cyber security in general.237 Instead, there is a patchwork of cross-cutting ministerial oversight that is structured by department (with lead departments having responsibility for CNI sectors within their policy area), by key strategic objective within the 2016 NCSS, and by the remits of cross-government ministerial committees on national security.238 (See Box 3 for further detail.) Furthermore, for devolved policy areas, ministerial oversight is split between Westminster and the Devolved Administrations.

76. An advantage of this decentralised structure is that it captures the expertise of departments and allows for policy to be tailored to each CNI sector, with the support of specialist technical agencies and the Cabinet Office.239 However, focused political leadership is also essential, given the potentially extensive impact of a major cyber attack on the UK’s CNI and the fast-changing nature of the threat, as well as the need to drive a consistent response across a number of departments and agencies.240 We have heard little to convince us that there is such a ‘controlling mind’ at the centre of Government that is proactively leading efforts to improve the cyber resilience of CNI.

77. Ciaran Martin provided the most positive account of the current arrangements, observing that they have delivered “consistently rising funding, strategic stability and the right balance … between organisational autonomy to get on with what we need to do and ministerial sponsorship”.241 He also told us that cyber security is frequently discussed by the National Security Council (NSC) and its sub-committees (Box 3), while the Home Secretary and the Chancellor of the Duchy of Lancaster receive fortnightly briefings from the NCSC on the latest operational threats and NCSC activity.242

Box 3: Ministerial oversight of the cyber resilience of CNI

Ministerial oversight of cyber resilience is performed concurrently at the departmental, objective-specific, and collective levels.

Departmental ministerial oversight: each CNI sector is assigned to a lead Government department; the respective Secretary of State is therefore responsible for that sector’s resilience (Table 1). The Cabinet Office oversees policy relating to, and coordination between, the CNI sectors. However, the Minister for the Cabinet Office (currently the Chancellor of the Duchy of Lancaster) does not have overall responsibility for CNI. For devolved matters, the Devolved Administrations have responsibility.

Table 1: Departmental responsibility for CNI sectors

CNI sector                                                Lead Government department
Chemicals                                                 BEIS
Civil nuclear                                             BEIS
Communications (including broadcast, internet and post)   DCMS
Defence                                                   MOD
Emergency services                                        DH&SC and DfT
Energy                                                    BEIS
Finance                                                   HM Treasury
Food                                                      Defra
Government                                                Cabinet Office
Health and social care                                    DH&SC
Space                                                     BEIS
Transport                                                 DfT
Water and sewerage                                        Defra

Source: Cabinet Office, National Security Secretariat (CNI0013) para 25

Objective-specific ministerial oversight: Five Cabinet Ministers have been assigned responsibility for delivering key strategic objectives under the 2016 NCSS (Table 2).

Table 2: Objective-specific ministerial oversight of the 2016 NCSS

Cabinet Minister                      Area of responsibility
Home Secretary                        Responses to high-category cyber incidents and countering cyber-crime
Defence Secretary                     The development of the UK’s offensive cyber capability (in collaboration with GCHQ)
Foreign Secretary                     The NCSC (as part of his statutory responsibility for GCHQ)
Secretary of State for DCMS           Digital matters, including the relevant growth, innovation and skills aspects of cyber security
Chancellor of the Duchy of Lancaster  Responsible to Parliament for the NCSS and NCSP

Source: Cabinet Office, National Security Secretariat (CNI0013) para 21


Collective ministerial oversight: the cyber resilience of CNI falls within the purview of a Cabinet Committee and two of its sub-committees that focus on cross-government national security policy. These Committees have three different Chairs and meet with varying frequency (Table 3). In 2017 the National Security Council (NSC) sub-committee for cyber security was disbanded, having existed for just over a year.

Table 3: Cross-government ministerial oversight of cyber security and CNI

Cabinet Committee: NSC
  Committee Chair: Prime Minister
  Area of responsibility: Sets and oversees cross-government cyber security strategy, as part of its responsibility for national security overall
  Frequency of meetings: Weekly when Parliament is sitting

Cabinet Committee: NSC (Strategic Defence and Security Review—SDSR) sub-committee
  Committee Chair: Chancellor of the Exchequer*
  Area of responsibility: Sets and oversees the delivery of the NCSS and NCSP, ensures coherence of cross-government activity on cyber, and holds to account those departments and agencies responsible for delivering NCSS objectives, as part of its responsibility for the delivery of the SDSR
  Frequency of meetings: Biannually

Cabinet Committee: NSC (Threats, Hazards, Resilience and Contingencies—THRC) sub-committee
  Committee Chair: Chancellor of the Duchy of Lancaster
  Area of responsibility: Considers issues relating to security threats, hazards, resilience and contingencies. It provides strategic leadership for the Government’s work to prevent, prepare for, respond to and recover from the highest-priority risks, including those to CNI
  Frequency of meetings: Quarterly

Source: Q58 [David Lidington MP]; Cabinet Office, National Security Secretariat (CNI0013) paras 18–19; oral evidence taken on 6 March 2017, HC (2016–17) 153, Q101 [Amber Rudd MP]; Institute for Government, “Cabinet committees show Damian Green is de facto Deputy PM”, 27 July 2017

*When the Cabinet Office submitted written evidence in February 2018, the Home Secretary chaired the NSC (SDSR). The Government announced a change in chairmanship in October 2018. (Cabinet Office, List of Cabinet Committees and their members as at 25 October 2018, accessed 30 October 2018)

78. Other evidence suggests a much more passive approach by Ministers, including:

The coherence of political leadership from the centre of Government is further undermined by there being two Ministers with overlapping responsibility for the NCSP’s implementation (see Box 3, Tables 2 and 3). The exclusion of the Department for Digital, Culture, Media and Sport from the NSC is also puzzling given the criticality of its work on developing skills to the successful delivery of the 2016 NCSS.246 Having stated earlier that operators must assume greater responsibility for cyber resilience at board level, with a clear point of accountability (paragraphs 67–69), we note that the Government is failing to do the same at the equivalent management level.

79. Focused and proactive political leadership from the centre of Government is essential in driving change and ensuring a consistent approach across the many departments and agencies with responsibility for the resilience of CNI to cyber threats. We are concerned that the current complex arrangements for ministerial responsibility mean that day-to-day oversight of cross-government efforts is, in reality, led by officials, with Ministers only occasionally ‘checking in’. This is wholly inadequate to the scale of the task facing the Government, and inappropriate in view of the Government’s own assessment that major cyber attacks are a top-tier national security threat.

80. There should be a Cabinet Office Minister designated as cyber security lead who, as in a war situation, has the exclusive task of assembling the resources—in both the public and private sectors—and executing the measures needed to defend against the threat. This Minister should therefore be responsible and accountable for the cross-government development and delivery of the National Cyber Security Strategy and Programme, including those elements relating to CNI. This Minister should therefore:

81. The Government should also provide our Committee with evidence of the NSC sub-committees’ active oversight of cross-government efforts to improve the cyber resilience of the UK’s CNI. Its recent decision to share summaries of the agendas for relevant NSC sub-committees with us, in confidence and on a regular basis, is a welcome starting point.

Technical leadership: the National Cyber Security Centre

82. The creation of the NCSC, as the UK’s technical (rather than strategy or policy) lead on cyber security, was the ‘cornerstone’ of the 2016 NCSS. It makes a major contribution to, and frequently leads on, the initiatives described in the 2016 Strategy. In relation to CNI in particular, it has provided threat intelligence, technical guidance—especially in implementing the NIS Regulations (see Chapter 4)—and incident response support to lead Government departments, CNI operators and regulators. It has also taken the technical lead on efforts to make future CNI, such as 5G mobile internet, ‘secure by design’,247 guided research in areas relevant to the resilience of CNI, and supported initiatives intended to develop the range of technical and specialist skills needed by CNI operators and regulators.248

Providing a single point of contact

83. The evidence shows that the NCSC has had a positive impact in the two years since it was established in October 2016. We heard that the NCSC’s creation had, by and large, achieved the Government’s stated aim of rationalising the many Government bodies that previously dealt with elements of cyber security policy,249, 250 although there continues to be some confusion about the relationship between the NCSC and the Centre for the Protection of National Infrastructure (the Government authority for protective security advice).251 However, echoing our own concerns about a strategic and policy vacuum at the centre of Government (above), the Information Assurance Advisory Council—a not-for-profit research organisation—also suggested that cross-government leadership on policy has become less clear since the NCSC was established. They told us:

the cross Whitehall function seems to have taken a retrograde step with the effective loss of the original focal point for coordination—the Office of Cyber Security and Information Assurance (OCSIA). It is currently unclear who leads, who coordinates and who is responsible, including at ministerial level, with activities and policy seemingly diffuse and ambiguous across departments.252

Collaborating with the private sector

84. We heard that, despite reports of early tensions, the NCSC is making progress on developing collaborative relationships with private-sector CNI operators and regulators.253 This is essential, not only because of the particular need for an effective public-private relationship in ensuring the resilience of the UK’s CNI, but also because the NCSC does not have enforcement powers, even in relation to the NIS Regulations.254 Witnesses brought to our attention two key points on which they felt the NCSC could improve:

85. There are other fundamental questions about the NCSC’s status as part of GCHQ. On the one hand, this arrangement confers a notable advantage, as the NCSC has easy access to key expertise and up-to-date intelligence. On the other hand, and as Emily Taylor, an Associate Fellow at Chatham House, explained, there is an inherent tension between the main function of GCHQ (gathering intelligence on threats, and keeping it private) and that of the NCSC (using a sanitised version of that intelligence to help operators and regulators defend CNI against those threats).261 We note that the 2004 Butler Report cautioned against intelligence and policy implementation becoming too closely intertwined, as a matter of principle.262 In discussing his experience of the response to the WannaCry attack, NHS Digital’s Rob Shaw raised his concerns about how this apparent conflict of interest on the part of the NCSC has been manifested in practice. He said:

There will be times when the NCSC has to take a security view on something and we have to take a healthcare view on it, so I have to have a difficult discussion. … If there was a security issue, I could not, for example, do anything that meant a risk to patient safety. I would always have to make sure that I put patient safety before intelligence.263

Meeting demand for NCSC services and expertise

86. There is an issue about whether the NCSC has sufficient capacity to meet the considerable—and growing—demand on its services and expertise.264 It is a relatively new organisation, whose influence has grown quickly since it was established in October 2016. Ciaran Martin told us that the NCSC has 740 staff and a budget of £285 million for the 2016–2021 period, which provides financial and strategic stability (paragraph 77).265

87. However, the NCSC’s remit is also already considerable. In the past year, it has reportedly “worked with thousands of systems and hundreds of organisations across the UK” in relation to CNI.266 Its work in support of the UK’s CNI is just one of its main responsibilities, which also include engaging with the wider economy, including small and medium-sized enterprises, and raising public awareness of cyber security.267 Furthermore, the evidence we have received on CNI suggests that expectations—at least on the part of CNI operators and regulators, and even of other parts of Government—already exceed the NCSC’s capacity (for example, as was discussed in Chapter 4 in relation to the implementation of the NIS Regulations). NHS Digital’s Rob Shaw also raised this issue in relation to incident response—a key element of the NCSC’s work. Describing his experience of the WannaCry attack in May 2017, he told us that

I expected an army of NCSC staff to appear on the hillside and come in to help us out, but it said, “Where do you want either of our staff?” It does not have a lot of people with the expertise to do things on the ground.268

88. As we noted in our July Report on cyber security skills,269 this situation is compounded by what Ciaran Martin described as the “constant and difficult challenge” of recruiting the deep technical expertise it needs in areas such as 5G mobile internet.270 Although the NCSC supplements its workforce with secondees from the private sector under the Industry 100 initiative,271 its sector-specific expertise remains limited; for example, Professor Chris Johnson, of the UK Computing Research Committee, reported that there are still only “3 or 4 individuals” in the NCSC with “significant expertise” in aviation.272 There is a risk that such capacity constraints will undermine the NCSC in its role as the UK’s ‘one-stop shop’ for technical advice and support, and therefore its ability to support the delivery of the 2016 NCSS. Several witnesses called on the Government to support the NCSC’s further development, through additional funding if necessary.273

89. The National Cyber Security Centre has had an impressive impact in the two years since it was established as the national technical authority on cyber security. Although there are areas for improvement, it has made important contributions across a variety of Government and industry initiatives in relation to CNI, despite its lack of enforcement powers. However, we heard there are unresolved tensions derived from its status as part of GCHQ—an institutional relationship that also provides significant advantages. It is also essential that the NCSC’s proactive leadership on the technical aspects of the cyber resilience of CNI is not treated by Ministers as a substitute for strong political leadership in driving change across CNI sectors and relevant departments.

90. We continue to have concerns about the capacity of the NCSC to meet growing demand for its services and expertise. As the Government’s ‘one-stop shop’ for technical advice, the NCSC is integral to the Government’s and private sector’s efforts to improve the resilience of the UK’s CNI to cyber attack. However, its effectiveness will be limited unless it has access to the experts it needs in the numbers it requires. Consideration must also be given to likely future demands on the NCSC’s resources as technology continues to advance and the threat continues to grow.

91. The Government should publish a plan for the institutional development of the NCSC over the next decade, taking account of anticipated technological progress and setting out the resources and range of skills and expertise that the NCSC is likely to need. These requirements should be addressed in the Government’s forthcoming cyber security skills strategy. Its budget—currently running to 2020–21—should be extended beyond that time horizon in next year’s Spending Review as a ring-fenced fund separate from (and safe from) general departmental budget pressures.


237 BT Group stated that it does not even know which part of the Government owns the definition of CNI. BT Group (CNI0018) para 3.1

238 Q58 [David Lidington MP]; Cabinet Office, National Security Secretariat (CNI0013) paras 18–19, 21, 25

239 Cabinet Office, National Security Secretariat (CNI0013) para 25; Cabinet Office NSS (CNI0030) paras 6–7

240 Jamie Collier (CNI0006) para 1.1

241 Q58 [Ciaran Martin]; Q60

242 Q58 [Ciaran Martin]

244 Q59 [David Lidington MP]; oral evidence taken on 6 March 2017, HC (2016–17) 153, Q101 [Amber Rudd MP]

245 Q59 [David Lidington MP]

246 In addition to work on cyber security skills, DCMS also delivers work on implementing the GDPR and NIS Regulations, on the security of consumer Internet of Things devices and on programmes aimed at growing the cyber security industry in the UK. DCMS, “Cyber Security Month”, 31 October 2018, accessed 13 November 2018

247 NCSC, “Annual Review 2018”, October 2018, pp. 30–33

248 Joint Committee on the National Security Strategy, Second Report of 2017–19, Cyber Security Skills and the UK’s Critical National Infrastructure, HL Paper 172, HC 706; NCSC, “Annual Review 2018”, October 2018, pp. 40–45; Imperial College London (CNI0009) para 10

249 Q16; Q36 [Lyndon Nelson, Paul Smith]; Nettitude (CNI0003) para 15; Jamie Collier (CNI0006) paras 3.3, 7; Palo Alto Networks (CNI0011) para 12; Chatham House (CNI0012) para 2.1; techUK (CNI0015) paras 7, 36–37; BT Group (CNI0018) para 5.2; Aerospace, Defence, Security & Space (CNI0020) paras 1.12–1.13; Nokia (CNI0022) para 5.2; Corero (CNI0023) para 16

250 These bodies included the CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and relevant parts of the CPNI. NCSC, “About us”, accessed 31 October 2018; HM Government, National Cyber Security Strategy 2016–2021, November 2016, p. 29

251 UK Computing Research Committee, UKCRC (CNI0005) paras 14–16. Professor Chris Johnson, writing on behalf of UK CRC, also stated his concern that the function previously performed by CERT UK has been given much less emphasis since it was incorporated into the NCSC. UK Computing Research Committee, UKCRC (CNI0005) para 16

252 Information Assurance Advisory Council (CYB0008) para 4. While the NCSC does not lead the development of cyber security strategy, it does have input into the strategy-making process, via the NSC. Q60 [Ciaran Martin]

253 Q16; Q36 [Lyndon Nelson, Paul Smith]; Palo Alto Networks (CNI0011) para 12; techUK (CNI0015) paras 36, 39; Aerospace, Defence, Security & Space (CNI0020) para 1.12; Nokia (CNI0022) para 5.2

254 Intelligence and Security Committee of Parliament, Annual Report 2016–2017, HC 655, paras 98–101

255 Manchester Metropolitan University (CNI0001) para 4.6; UK Computing Research Committee, UKCRC (CNI0005) para 14. The UK Computing Research Committee stated that direct contact between the NCSC and CNI operators declines rapidly outside the home counties.

256 NCSC, “Annual Review 2018”, October 2018, p. 11

257 Professor Chris Johnson, on behalf of the UK Computing Research Committee, suggested that information-sharing between the NCSC and industry was “one-way; from industry into the NCSC”. UK Computing Research Committee, UKCRC (CNI0005) para 12
ADS said that “clearer communication on the part of Government to industry around the risks facing individual business sectors would help to encourage an even stronger response in industry”. Aerospace, Defence, Security and Space (CNI0020) para 1.12

258 Q8 [Phil Sheppard]

259 Q36 [Paul Smith]

260 Financial Conduct Authority (CNI0033) para 12.1

261 Emily Taylor recommended that the NCSC be formally separated from GCHQ. Emily Taylor, Chatham House (CNI0012) paras 3.5–3.8. See also UK Computing Research Committee, UKCRC (CNI0005) para 12; Royal Society (CYB0040) para 3

263 Q16 [Rob Shaw]

264 Qq26–28. For example, Ofgem’s Jonathan Brearley told us that the energy sector is “heavily reliant” on the NCSC and stated Ofgem’s intention to rely further on the NCSC in its new capacity as Competent Authority. Qq26, 36 [Jonathan Brearley]

265 Ciaran Martin explained that this total number can be broken down into three sections of approximately 250, with the first group working on the “deeply operational” aspect of the NCSC and GCHQ’s work, the second on “understanding technology and how to protect it”, and the third as “outward-facing advisers, communications specialists and so on”, including “a couple of dozen public communications specialists”. Qq56, 61 [Ciaran Martin]

266 NCSC, “Annual Review 2018”, October 2018, p. 30

267 NCSC, “Annual Review 2018”, October 2018

268 Q16 [Rob Shaw]

269 Joint Committee on the National Security Strategy, Second Report of 2017–19, Cyber Security Skills and the UK’s Critical National Infrastructure, HL Paper 172, HC 706, para 9

270 Q61 [Ciaran Martin]

271 Ciaran Martin told us that, in June 2018, there were 80 such private-sector experts working for the NCSC, although not all of them worked full time. Q61 [Ciaran Martin]; NCSC, “Introduction to Industry 100”, accessed 31 October 2018

272 UK Computing Research Committee (CNI0005) para 10

273 Jamie Collier (CNI0006) para 3.3; UK Computing Research Committee, UKCRC (CNI0005) para 11; Palo Alto Networks (CNI0011) paras 14, 17; Corero (CNI0023) para 16




Published: 19 November 2018