The government is failing to act with a “meaningful sense of purpose or urgency” to tackle the growing threat to critical national infrastructure (CNI), despite itself acknowledging the risks, according to a new parliamentary report.
Noting the impact of WannaCry on the NHS, increasingly destructive attacks launched by nation states like Russia, and the threat from organized crime groups which “are becoming as capable as states,” it cited the National Cyber Security Centre (NCSC)’s assessment that a major CNI attack is a matter of “when not if.”
“Identifiable political leadership is lacking. There is little evidence to suggest a ‘controlling mind’ at the center of government, driving change consistently across the many departments and CNI sectors involved,” it warned.
“Unless this is addressed, the government’s efforts will likely remain long on aspiration and short on delivery. We therefore urge the government to appoint a single Cabinet Office minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.”
Although the NCSC is doing good work, its limited resources threaten to be overwhelmed, while important regulation in the form of the NIS Directive covers only certain sectors, and in any case has been driven by leadership from the EU.
Part of the problem lies with the 2016 National Cyber Security Strategy, which doesn’t set out clearly defined objectives for protecting CNI. The government should therefore publish annual reports to improve transparency, which would also provide an opportunity to tweak the strategy in response to changing threats, the committee advised.
The government should also review each sector’s inter-dependencies and maturity and gain greater visibility into why the market has so far failed to deliver improved cyber resilience. A CNI-wide threat- and intelligence-led penetration testing program was recommended.
Regarding the necessary cultural change needed to improve cybersecurity in CNI organizations, the committee urged the government to consider improving board-level expertise and accountability, encouraging the management of supply chain risk, and the promotion of cyber insurance.
“We are struck by the absence of political leadership at the center of government in responding to this top-tier national security threat,” said committee chair, Margaret Beckett.
“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasizes the need for continual improvement to cyber resilience across CNI sectors.”
Experts welcomed the report’s findings.
“The Joint Committee is right to point out the importance of securing not just critical infrastructure itself, but the entire supply chain that supports it. We must never forget to question what an adversary might do to tamper with supply or design chains, even in areas such as open source software, where a cyber-criminal could introduce defects that practically an entire industry might use for many years,” said McAfee chief scientist, Raj Samani.
“Greater levels of transparency around technology design are vital. We need more visibility into what different components do, and how they do it. We also need greater visibility into what they should and shouldn’t be doing. More effort must be made to secure the most sensitive components of technology upon which we rely every day.”
Talal Rajab, head of cyber and national security at industry body techUK, added that the issue required “utmost vigilance.”
“Much has changed since the strategy was published in 2016, with the threat to government and businesses constantly evolving,” he argued. “As the current strategy draws to a close, it is vital that cybersecurity becomes business as usual across all areas of government. The appointment of a Cabinet Office Minister designated as a cybersecurity lead could help ensure government remains one step ahead of the threat and drive real change across departments.”