The Joint Committee on the National Security Strategy has published its report on the UK’s Critical National Infrastructure (CNI) in which it states that the threat to the UK’s CNI is both “growing and evolving”. Indeed, the cyber threat posed to the UK’s CNI – ie 13 sectors including energy, health services, transport and water – is said to be “as credible, potentially devastating and immediate” as any other threat faced at the present time.
However, according to the Committee, the Government is not acting with the urgency and forcefulness that the situation demands.
The report on ‘Cyber Security of the UK’s Critical National Infrastructure’ suggests that the UK’s CNI is a natural target for a major cyber attack because of its importance to daily life and the economy. Major cyber attacks are categorised by the Government as a top-tier threat to national security. As some states become more aggressive and non-state actors such as organised crime groups become much more capable, so the range and number of potential attackers is growing.
Matter of ‘when’ not ‘if’
Ciaran Martin, head of the National Cyber Security Centre, has said that a major cyber attack on home shores is a matter of ‘when’ not ‘if’. The state-sponsored 2017 WannaCry attack greatly affected the NHS even though it wasn’t itself a target and demonstrated the potentially significant consequences of attacks on the UK’s infrastructure.
Ministers have acknowledged that more must be done to improve the cyber resilience of CNI and the Government has taken some important steps in the two years since the National Cyber Security Strategy was published. It set up the National Cyber Security Centre as a national technical authority, but the Committee observes that the Centre’s “current capacity is being outstripped by demand for its services”.
A tightened regulatory regime, required by an EU Directive that applies to all Member States, has been brought into force for some, but not all CNI sectors. However, the Joint Committee on the National Security Strategy feels this will not be enough to achieve “the required leap forward” across the 13 recognised CNI sectors.
Absence of political leadership
Dame Margaret Beckett MP, chair of the Committee, said: “We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat. It’s a matter of real urgency that the Government makes clear which Cabinet minister has cross-Government responsibility for driving and delivering improved cyber security, and especially so in relation to our CNI.”
Beckett went on to comment: “There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors. My Committee recently reported on the importance of also building the cyber security skills base. Too often in our past, the UK has been ill-prepared to deal with emerging risks. The Government should be open about our vulnerability and rally support for measures which specifically match the gravity of the threat to our CNI.”