Cyber Security Skills and the UK’s Critical National Infrastructure

2 Defining the cyber security skills gap

What are ‘cyber security skills’?

7. ‘Cyber security skills’ are those skills associated with ensuring the security of information technology (IT—generally referring to information storage and integrity) and operational technology (OT—referring to systems that control physical devices).14 The latter is especially relevant to CNI.15 The term ‘cyber security skills’ covers a range of disciplines and can be divided into three broad tiers of specialism:

i) the elite, highly specialist skills and knowledge required by the relatively small numbers of employees whose principal task or research area is the security of a given system, network or device against cyber threats—for example, a network architect or penetration tester;

ii) the moderately specialist skills and knowledge required by all those whose jobs have now assumed an important cyber security element—for example, teachers, lawyers, auditors, HR managers or board-level directors who need to understand the cyber risk to business operations;

iii) knowledge and implementation of good cyber ‘hygiene’, which is a universal responsibility for all employees.16 17

There is a significant challenge “right across the economy” in all three tiers, as David Lidington acknowledged.18 However, in examining the capacity of operators, regulators and the Government to keep the UK’s CNI secure, our inquiry necessarily focused on the first two tiers, given the sector’s critical need for deep technical expertise and specialist skills.

A gap between skills supply and demand

8. A cyber security skills ‘gap’ of some degree is inevitable given that skills development must respond to, and try to keep pace with, the extraordinary rate of technological change. However, the evidence we have taken suggests that for the CNI sector, the gap between the demand and supply of skills in the top two tiers described in paragraph 7 is now verging on a crisis. Witnesses painted a stark picture of both industry and the Government “fishing” from the same limited talent “pool”19—a pool that is often restricted further by the requirement that some CNI-sector employees have a certain level of security clearance.20

9. The NCSC’s Ciaran Martin told us, for example, that the NCSC—the Government’s own technical authority on cyber security—finds it a “constant and difficult challenge” to recruit the deep technical expertise it needs,21 even though it is the NCSC’s role to provide specialist support and advice to other CNI sectors. Rob Crook, Managing Director of Cyber and Intelligence at the defence engineering and cyber security company Raytheon UK, reported that the vacancy rate in the company’s cyber security unit is 20–30%. This, he said, is more than double that of the engineering side of the company’s business.22 Steve Unger, Chief Technology Officer at the communications-sector regulator Ofcom, was of the view that “there are not enough people in the UK to do what is required for the country as a whole”.23 Such a situation is of serious concern, given the potentially severe implications for the security of the UK’s CNI and for UK national security more broadly.

10. During our inquiry, we heard several reasons why CNI operators and regulators believe they are finding it difficult to access the expertise they need. These include:

11. Witnesses identified two other factors that may exacerbate the situation. First, demand for specialist cyber security skills across the CNI sector is likely to increase further following the introduction by the Government of the NIS Regulations in May 2018. These impose a legal obligation on operators in some CNI sectors to improve cyber security standards;32 they also designate new Competent Authorities (Government Departments, existing regulators, or both) to provide oversight and enforcement.33 Secondly, witnesses raised concerns with us about immigration policy after Brexit, questioning whether it would continue to allow specialist skills to be imported from the EU and beyond at a time when the cyber security skills shortfall in the UK is “peaking”.34 35

Defining the skills gap—and the problem

12. There is a wealth of anecdotal evidence of a critical shortage of deep technical expertise and specialist cyber security skills. Nevertheless, the precise nature and extent of the problem is ill-defined, which in turn makes it more challenging to address. There is no independent, detailed data or comprehensive analysis that identifies:

The Government does not appear to have conducted such strategic-level analysis either. BT Security’s Ruth Davis told us:

… to my knowledge there is no official strategic quantification of that gap in the UK. The best estimate I have seen is that we have only about one-third of the candidates we need for the jobs posted. That strategic quantification of how big the gap is and what disciplines it is in is missing from current policy.36

13. There is also little in the way of concrete analysis of how the UK compares internationally. This is necessary for two reasons: first, to assess the CNI sector’s success in competing for talent in the context of a global skills shortage.37 Rob Crook, for example, reported that “Some data shows that the gap is more extreme in countries such as the UK and Israel”,38 although it is not clear exactly why this is the case. Secondly, it is essential to understand the UK’s capacity to stay ahead of, and defend CNI against, adversaries in cyberspace—whether they are countries such as Russia, China, Iran and North Korea or sophisticated cybercriminal groups, which are increasingly attaining state-level capabilities.39

14. However, Dr MacWillson told us that conducting such an analysis of the domestic skills gap or of the UK’s skills base relative to other countries’ will be extremely difficult until there is a clearer definition of what counts as a cyber security job or skill.40 He explained:

… people talk about the cyber skills gap or cyber skills in a singular way, as though the cyber problem is across the board […] That is one of the challenges: defining what people are talking about before they say there is a skills shortage.41

In answer to this challenge, Palo Alto Networks, a network and enterprise security company, advocates establishing a standardised framework that categorises and describes cybersecurity work. It cites as an example the framework created by the United States’ National Initiative for Cybersecurity Education (NICE) and published in August 2017 by the National Institute of Standards and Technology (see Figure 1).42

Figure 1: The NICE Cybersecurity Workforce Framework

Source: National Institute of Standards and Technology, US Department of Commerce

Such a framework would also be a starting point for identifying likely future demand for skills, with a view to minimising the lag between skills development and what one witness described as the “phenomenal” rate of technological change.43

15. Critical national infrastructure (CNI) is the backbone of the country’s security and economy. A range of specialist skills as well as deep technical expertise are needed to secure CNI against the large, growing and diverse cyber threat. Developing these skills will also have considerable economic benefits, given the importance of cyber security to those new technologies that will help to improve CNI operators’ future productivity and standards of service. However, there are not enough people in the UK who both possess such specialisms and are also willing and able to work in the CNI sector. This situation is of serious concern, given the potentially severe implications for the security of the UK’s CNI and for UK national security more broadly.

16. We are concerned that information about the nature of the cyber security skills gap in the CNI sector is primarily anecdotal. There is no detailed analysis available of which CNI sectors are most affected, in which disciplines and at which levels of expertise the shortage is most acute, or of where these gaps leave the UK critically vulnerable. The Government cannot hope to address the problem properly until it has defined it more rigorously. The first task will be to develop a clearer, and shared, understanding of what counts as a cyber security job and skill. The Government should publish a framework setting out the different types of skills required to ensure the cyber security of the UK’s CNI. In doing so, it might take the framework produced by the United States’ National Initiative for Cybersecurity Education (NICE) as a model. This new framework should form the basis of any future initiative to minimise the cyber security skills gap.

14 According to the Cambridge Centre for Risk Studies, the phrase ‘information technologies’ broadly refers to traditional PCs, company servers and networks, cloud storage, smartphones and tablets, while ‘operational technologies’ refers to internet-connected physical systems such as electricity substations, transportation control rooms, manufacturing plants, healthcare equipment, and their associated industrial control systems. (Cambridge Centre for Risk Studies (CNI0025) para 1)

15 Q39 [Rob Crook]

16 techUK (CNI0015) paras 58–59; Pete Cooper (CNI0019) para 16; Red Hat (CNI0021) para 26

17 In correspondence, the Government states: “Cyber security is a broad sector with a number of specialisms. We require a diverse blend of skills and talent to support the demands of our increasingly digital economy, ranging from the very technical to leadership, communication and policy making.” (See correspondence from David Lidington MP to the Chair, 12 July 2018, Annex, para 1)

19 Q18 [Peter Gibbons]; Q20 [Rob Shaw]; Q29; Q39 [Rob Crook, Dr Alastair MacWillson, Elliot Rose]; Q40 [Rob Crook, Ruth Davis]; Nettitude (CNI0003) para 24; Dr Martyn Thomas (CNI0004) para 8.1; ISACA (CNI0010) para 3.1; Palo Alto Networks (CNI0011) paras 27–28; BT Group (CNI0018) para 8.1; Pete Cooper (CNI0019) para 15; Red Hat (CNI0021) para 24; Nokia (CNI0022) para 7.1; Water UK (CNI0027) para 15; CREST (CNI0028) para 2; Office for Nuclear Regulation (CNI0031) paras 41–42; CyLon (CNI0032) para 2

20 techUK (CNI0015) para 61

21 Q61. Ciaran Martin told us that this challenge is ameliorated in part by the inward secondment of industry employees under the ‘Industry 100’ initiative.

24 Nettitude (CNI0003) para 24; Imperial College London (CNI0009) para 13; CREST (CNI0028) paras 6–7

25 Cambridge Centre for Risk Studies (CNI0025) para 2

26 Q18 [Peter Gibbons]; Q20 [Rob Shaw]; Q29 [Jonathan Brearley, Steve Unger]; Q47 [Dr Alastair MacWillson]; Dr Martyn Thomas (CNI0004) para 8.1; ISACA (CNI0010) para; CyLon (CNI0032) para 2

28 UK Computing Research Committee (CNI0005) para 9. However, PA Consulting’s Elliot Rose told us that “It is quite a good thing in cybersecurity to have that degree of churn, because people bring new experiences from different sectors and areas.” (Q48 [Elliot Rose])

30 The IISP’s Dr MacWillson said the proportion is 7%; BT Security’s Ruth Davis suggested it is 11%. (Q42 [Dr Alastair MacWillson, Ruth Davis])

32 The NIS Regulations apply to the energy, transport, water, health and digital infrastructure sectors. However, the NCSC states that the guidance it is producing in support of the Regulations is widely applicable and “all sectors should take note of it”. (NCSC, “Introduction to the NIS Directive”, updated 30 April 2018, accessed 28 June 2018)

33 Steve Unger told us that it is “challenging” for Ofcom, which is taking on additional regulatory responsibilities under the NIS Regulations, to recruit people “with the right skills for this sort of issue”. Jonathan Brearley said it is similarly difficult for Ofgem (Q27 [Steve Unger, Jonathan Brearley]). We heard that some regulators intend to rely on the NCSC for technical advice and support in implementing the NIS Regulations (Q27 [Jonathan Brearley]). However, the UK Computing Research Committee observes that the NCSC itself “lacks the human resources required to fully support all government departments and regulatory organizations involved in CNI”. (UK Computing Research Committee (CNI0005) paras 10–11)

34 techUK (CNI0015) para 62. See also Q40 [Ruth Davis]; Nokia (CNI0022) para 7.3; ISACA (CNI0010) para

35 Concerns within the industry reportedly extend to immigration beyond the EU, especially in relation to the annual cap on Tier 2 visas. Before December 2017, the fixed monthly allocation of Tier 2 visas had been exceeded only once since the introduction of the annual cap in 2011. From December, it was exceeded in five consecutive months. In April 2018 a not-for-profit group, Tech London Advocates, reportedly warned the Government that current policy governing immigration from outside the European Economic Area and Switzerland, under the Tier 2 visa system, is “no longer fit for purpose”, leaving the UK “heading towards a skills crisis that threatens the future success of the industry”. (“Visa cap is creating UK skills crisis, say technology chiefs”, The Times, 17 April 2018; “UK will review Tier 2 visa system, says Sajid Javid”, Financial Times, 3 June 2018)

37 Q39 [Dr Alastair MacWillson]; PA Consulting (CNI0029) para 5

38 Q40. Many of those who submitted written evidence cited the same study by job-search website Indeed, conducted between 2014 and 2016. This study suggested that of the ten countries examined, the UK suffered the second-worst skills shortage, behind Israel. However, the study also found that there was a 5% reduction in the UK skills gap during this two-year period. (“Indeed Spotlight: The Global Cybersecurity Skills Gap”, 17 January 2017, accessed 29 June 2018)

39 Q54 [Ciaran Martin]

40 In a June 2018 Report on the Government’s efforts to develop STEM (science, technology, engineering and mathematics) skills, the Public Accounts Committee found that the Government “is not well placed to understand the extent of the challenge and ensure the supply of STEM skills”, which includes cyber security skills, because it lacks a “universal definition” of what should be counted as a STEM subject or job. (House of Commons Committee of Public Accounts, Forty-Seventh Report of Session 2017–19, Delivering STEM skills for the economy, HC 691, June 2018, Summary and para 1)

41 Q39 [Dr Alastair MacWillson]. Elliot Rose of PA Consulting similarly calls for greater clarity of the term ‘cyber security skills’. He suggests that the lack of a firm definition of the range of skills encompassed by the term often results in a narrow focus on technical and programming skills over the psychological and organisational skills also required for “effective cyber defence”. (PA Consulting (CNI0029) para 2)

42 Palo Alto Networks explains that the NICE Framework established a common lexicon to describe all cyber security work and workers, breaking the industry down into categories, speciality areas and work roles—with the latter listing the knowledge, skills and abilities required to perform each role. (Palo Alto Networks (CNI0011) para 30; National Institute of Standards and Technology, “NICE Cybersecurity Workforce Framework”, accessed 28 June 2018)

43 Q40 [Dr Alastair MacWillson]

Published: by authority of the House of Lords and House of Commons