Summary
Cyber security is not just about technology. It is about people, and the range of technical and specialist skills that are needed to ensure that the services, systems and networks we use every day are secure.
During our ongoing inquiry into the cyber security of the UK’s critical national infrastructure (CNI), we heard that although the UK has one of the most vibrant digital economies in the world, there is not currently the cyber security skills base to match, with both the Government and private sector affected by the shortage in skills.
This is particularly problematic in relation to CNI. The WannaCry attack in May 2017 did not deliberately target the National Health Service. Nevertheless, it demonstrated the potential consequences of a successful attack on the UK’s CNI. It also demonstrated the fundamental need to ensure that the UK has the capacity—now and in the future—to keep its CNI secure from cyber threats, as a matter of national security. As such, we have decided that the issue of cyber security skills and CNI merits the detailed attention of this Report. Our inquiry’s principal focus, on the cyber security of the UK’s CNI, will be considered in the main Report of this inquiry, which we intend to publish in the coming months.
We were struck by the Government’s apparent lack of urgency in addressing the cyber security skills gap in relation to CNI. CNI operators and regulators told us that the shortage in specialist skills and deep technical expertise is one of the greatest challenges they face in relation to cyber security. In particular, there is an “acute scarcity” of experts who understand the security implications of connecting often bespoke or legacy CNI control systems to the internet. Many operators and regulators also struggle to compete with the salaries offered by parts of the private sector. The talent pool is limited further by the failure to attract women to the profession, while the global nature of the skills shortage adds another source of competition for rare skills sets.
It became clear during our inquiry that there is a need to nurture both aptitude for those jobs that require only moderately specialist skills, as well as the deep technical expertise needed by the relatively small numbers of employees whose principal task or research area is the security of a given system, network or device against cyber threats. However, we found that the Government is not currently well placed to understand, and therefore to address, the gap between skills supply and demand. There is a lack of detailed analysis of which CNI sectors and specialisms are most acutely affected. At the most basic level, there is no common understanding of what should be counted as a cyber security skill or job.
We also heard that there is no silver bullet for the skills shortage facing the CNI sector. The Government must work in close partnership with industry, as well as with academia, to put in place a range of measures to meet short-term demand and develop a pipeline of specialists in the longer term. We identified several key measures that form part of the solution, including:
- using education, both inside and outside the classroom, to create a strong foundation for the future skills base. Despite a promising array of Government initiatives in this regard, we are concerned that the scale of these efforts does not yet match the scale of demand;
- industry being more creative in terms of how it recruits and reskills employees, albeit with Government support, given the importance of CNI to national security;
- professionalising the relatively immature cyber security industry—through achieving Royal Chartered status—which would also go some way towards raising the industry’s profile and making it a more attractive career option to more people. However, care must be taken that professionalisation does not inadvertently lead to exclusion; and
- identifying not only a lead Department (which is the Department for Digital, Culture, Media and Skills), but robust mechanisms for cross-government coordination and cooperation, clear lines of accountability, and a Minister with clear lead responsibility for the development of cyber security skills.
In November 2016 the Government committed to the publication of a standalone skills strategy, which would frame and give impetus to its various efforts. Yet the Government told us that this strategy will not now be published until December 2018. Without such a strategy, the Government risks pursuing a number of disparate but individually worthwhile initiatives that, due to inadequate coordination, fail to add up to more than the sum of their parts. Developing and publishing a cyber security skills strategy, with the close involvement of industry and academia, should be the Government’s first priority. It is a pressing matter of national security that it does so.
Published: by authority of the House of Lords and House of Commons