Cyber Security of the UK's Critical National Infrastructure

Conclusions and recommendations

Protecting CNI against cyber attack: a ‘wicked’ problem

1. The cyber threat to the UK’s CNI is growing. It is also evolving: hostile states are becoming more aggressive in their behaviour, with some states—especially Russia—starting to explore ways of disrupting CNI, in addition to conducting espionage and theft of intellectual property. Furthermore, while states still represent the most acute and direct cyber threat, non-state actors such as organised crime groups are developing increasingly sophisticated capabilities. (Paragraph 18)

2. Fast-changing threats and the rapid emergence of new vulnerabilities make it impossible to secure CNI networks and systems completely. Continually updated plans for improving CNI defences and reducing the potential impact of attacks must therefore be the ‘new normal’ if the Government and operators are to be agile in responding to this changing environment and in taking advantage of constant technological innovation. Building the resilience of CNI to cyber attacks in this way will make it harder for an attacker to achieve their objective—whoever that attacker may be, whatever their motive and however they choose to attack. (Paragraph 19)

Defining ‘critical’ national infrastructure

3. ‘Critical’ national infrastructure is, by definition, a priority for the Government and industry. However, as the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical. The 2016 National Cyber Security Strategy provides few clues as to how the Government is managing this issue or how it is prioritising its efforts between CNI sectors. It also fails to acknowledge the varying complexity of the CNI sectors and the bearing this should have on the Government’s approach. Asserting that the UK is at the forefront of international efforts on cyber security is not sufficient. (Paragraph 26)

4. The next National Cyber Security Strategy, due for publication in 2021, should be informed by a mapping of the key interdependencies between CNI sectors—and therefore of national-level cyber risk to CNI—which the Government should complete as soon as possible and keep under continual review. The priorities identified in the next Strategy should also take account of the CNI sectors’ respective maturity in terms of cyber resilience and the varying levels of Government influence over operators in each sector. (Paragraph 27)

Setting and delivering strategic objectives, and measuring progress

5. The 2016 National Cyber Security Strategy states that ensuring the resilience of the UK’s critical national infrastructure to cyber attack is a priority for the Government. But the Strategy does not set out (a) what specifically the Government wants to achieve; (b) over what timeframe; or (c) how it intends to measure progress. We are therefore concerned that despite the designation of major cyber attacks as a top-tier threat to UK national security, the Government does not have clearly defined objectives for the five-year period covered by the Strategy nor a structured plan for delivering them. This echoes our findings specifically in relation to cyber security skills, which we set out in our July Report. (Paragraph 34)

6. The Government is unwilling to publish any information about the 2016–2021 National Cyber Security Programme other than its total budget of £1.9 billion. While we accept that some elements of the NCSP are security-sensitive and therefore should not be made public, this lack of transparency about such large sums of public money is of serious concern. It is also a backwards step, given that the previous Government published Annual Reports and high-level budget breakdowns by activity for the earlier 2011–2016 NCSP. (Paragraph 35)

7. The Government should resume publishing Annual Reports for the National Cyber Security Programme to improve transparency and aid external scrutiny. These should set out progress made, the challenges faced, and a breakdown of the budget by type of activity and by department or agency; they would also present a regular opportunity to review and adjust plans in response to changing threats, vulnerabilities and technological innovation (as we concluded in paragraph 19). Given the relatively large sum of public money and the many departments and agencies involved, the Government should also support a programme-wide audit of the NCSP by the National Audit Office to provide public and Parliamentary assurance. (Paragraph 36)

An “expanded role” for the Government on CNI?

8. The Government’s current approach to improving the cyber resilience of the UK’s critical national infrastructure is long on aspiration but short on delivery. Establishing the National Cyber Security Centre as the national technical authority and introducing more robust regulation for some CNI sectors were both important steps. The latter was mandatory for the UK as an EU member state, however. It appears that the Government is reluctant to move more forcefully and, by default, continues to rely on market forces to improve operators’ cyber resilience, despite recognising the previous failure of this approach. Its efforts so far certainly fail to do justice to the status of major cyber attacks as a top-tier threat to national security or to the importance of CNI to the economy. Greater urgency is required if the UK is to ‘get ahead’ and ‘stay ahead’ of the cyber threats to its CNI. (Paragraph 43)

9. As we concluded in relation to cyber security skills in our July Report, the Government must first understand the problem before it can address it. The Government should therefore immediately commission work to understand how and why the market has failed to deliver improved cyber resilience of CNI in both the public and private sectors. Only then will it be in a position to identify the targeted interventions and incentives—whether regulatory or otherwise—that will drive up cyber resilience of CNI, while also establishing the culture and practices necessary for continual improvement in the long term. (Paragraph 44)

Regulation: fixing market failure by setting a higher benchmark

10. The Network and Information Systems Regulations offer a more robust regulatory framework for many CNI sectors, especially in making it mandatory for operators to report incidents where their impact exceeds a predetermined threshold. Although these regulations have only recently come into force, we expect them to set a higher benchmark for cyber risk management in those CNI sectors where they apply. They should also, we hope, foster a culture of proactive and continual risk management by CNI operators, moving away from a ‘tick-box compliance’ approach. (Paragraph 51)

11. Nevertheless, the NIS Regulations are not a ‘silver bullet’:

We are therefore concerned that the NIS Regulations will not be enough in themselves to achieve the required leap forward in cyber resilience across all CNI sectors. (Paragraph 52)

12. Threat- and intelligence-led penetration testing shows promise as a mechanism for providing technical assurance of CNI operators’ cyber risk management—all the more important in the absence of agreed metrics for cyber risk and resilience. However, such testing should be used in combination with other methods of regulatory assurance because it only provides a snapshot of operational resilience at a particular moment in time against a particular set of threats. (Paragraph 56)

13. The Government should establish a plan (a) for the development of threat- and intelligence-led penetration testing and its roll-out across all CNI sectors that takes account of the mixed maturity of the sectors in terms of their cyber resilience; (b) for the development of the test methodology; and (c) for developing the cyber security industry’s capacity to deliver such advanced and accredited testing at scale. It should address the last point in its forthcoming cyber security skills strategy which, as we urged in our July Report, should be published as a matter of priority. (Paragraph 57)

14. The NIS Regulations will continue to apply in the UK following Brexit. However, the mechanism for UK participation in EU-wide information-sharing and capacity-building is still subject to negotiation. Given that cyber threats do not stop at national borders, the Government should prioritise maintaining access to the EU’s NIS Coordination Group and its workstreams to facilitate continued information-sharing and collaboration with EU Member States. (Paragraph 60)

Cultural change: creating an environment for continual improvement

15. The Government should set out in its response to this Report its assessment of how, and how effectively, the Huawei Cyber Security Evaluation Centre Oversight Board provides additional assurance in relation to the UK’s cyber security. (Paragraph 66)

16. A more holistic and effective approach to strengthening the cyber resilience of CNI requires changing the culture of CNI operators and their extended supply chains. Embedding the view that cyber risk is another business risk, which must be proactively managed, will be central to this process. It is especially important for those private-sector operators whose commercial interests may not always align with the demands of national security. (Paragraph 73)

17. The Government should give urgent consideration to non-regulatory incentives and interventions that have the potential to drive cultural change across CNI sectors, establishing an environment in which continual improvement is encouraged. The issues it should consider include:

Political leadership: driving change across Government and CNI sectors

18. Focused and proactive political leadership from the centre of Government is essential in driving change and ensuring a consistent approach across the many departments and agencies with responsibility for the resilience of CNI to cyber threats. We are concerned that the current complex arrangements for ministerial responsibility mean that day-to-day oversight of cross-government efforts is, in reality, led by officials, with Ministers only occasionally ‘checking in’. This is wholly inadequate to the scale of the task facing the Government, and inappropriate in view of the Government’s own assessment that major cyber attacks are a top-tier national security threat. (Paragraph 79)

19. There should be a Cabinet Office Minister designated as cyber security lead who, as in a war situation, has the exclusive task of assembling the resources—in both the public and private sectors—and executing the measures needed to defend against the threat. This Minister should therefore be responsible and accountable for the cross-government development and delivery of the National Cyber Security Strategy and Programme, including those elements relating to CNI. This Minister should therefore:

20. The Government should also provide our Committee with evidence of the NSC sub-committees’ active oversight of cross-government efforts to improve the cyber resilience of the UK’s CNI. Its recent decision to share summaries of the agendas for relevant NSC sub-committees with us, in confidence and on a regular basis, is a welcome starting point. (Paragraph 81)

21. The National Cyber Security Centre has had an impressive impact in the two years since it was established as the national technical authority on cyber security. Although there are areas for improvement, it has made important contributions across a variety of Government and industry initiatives in relation to CNI, despite its lack of enforcement powers. However, we heard there are unresolved tensions derived from its status as part of GCHQ—an institutional relationship that also provides significant advantages. It is also essential that the NCSC’s proactive leadership on the technical aspects of the cyber resilience of CNI is not treated by Ministers as a substitute for strong political leadership in driving change across CNI sectors and relevant departments. (Paragraph 89)

22. We continue to have concerns about the capacity of the NCSC to meet growing demand for its services and expertise. As the Government’s ‘one-stop shop’ for technical advice, the NCSC is integral to the Government’s and private sector’s efforts to improve the resilience of the UK’s CNI to cyber attack. However, its effectiveness will be limited unless it has access to the experts it needs in the numbers it requires. Consideration must also be given to likely future demands on the NCSC’s resources as technology continues to advance and the threat continues to grow. (Paragraph 90)

23. The Government should publish a plan for the institutional development of the NCSC over the next decade, taking account of anticipated technological progress and setting out the resources and range of skills and expertise that the NCSC is likely to need. These requirements should be addressed in the Government’s forthcoming cyber security skills strategy. Its budget—currently running to 2020–21—should be extended beyond that time horizon in next year’s Spending Review as a ring-fenced fund separate from (and safe from) general departmental budget pressures. (Paragraph 91)

Published: 19 November 2018