Today, the Joint Committee on the National Security Strategy has released its report, Cyber Security of the UK’s Critical National Infrastructure.
The wide-ranging report details the significant and growing challenges facing UK CNI from various actors, outlines the current Government response to date and describes the evolving regulatory landscape. The report states that the cyber threat to the UK’s CNI is as credible, potentially devastating and immediate as any other threat faced by the UK.
The report acknowledges the significant progress to date, particularly through the work of the National Cyber Security Centre (NCSC) and the effectiveness of the Network and Information Security (NIS) Directive in strengthening the resilience of CNI. It does, however, question whether this progress is quick enough or whether the NCSC has the resources to meet increasing demands. It outlines several recommendations the Joint Committee believes will ensure UK preparedness, including appointing one Cabinet Office minister with designated responsibility for cyber security across Government departments.
Some of the key recommendations outlined in the report include:
- There should be a Cabinet Office Minister designated as cyber security lead, with oversight of both public and private sector initiatives and responsibility for progress;
- Government should produce continually updated plans for improving CNI to ensure agility in responding to changing threats and in taking advantage of constant technological innovation;
- The next National Cyber Security Strategy, due in 2021, should be informed by a mapping of the key interdependencies between CNI sectors, which the Government should complete as soon as possible and keep under continual review;
- The Government should resume publishing Annual Reports for the National Cyber Security Programme to improve transparency and aid external scrutiny;
- Given that cyber threats do not stop at national borders, the Government should prioritise maintaining access to the EU’s NIS Coordination Group and its workstreams to facilitate continued information sharing and collaboration with EU Member States; and
- The Government should give urgent consideration to non-regulatory incentives and interventions that have the potential to drive cultural change across CNI sectors, including insurance services, security-by-default and board level reforms.
Chair of the Committee, Margaret Beckett MP, said:
“We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat. It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure. There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors.
“My Committee recently reported on the importance of also building the cyber security skills base. Too often in our past the UK has been ill-prepared to deal with emerging risks. The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”
Talal Rajab, Head of Cyber and National Security, techUK said:
“techUK is pleased to have contributed to the Joint Committee’s report into the cyber security of the UK’s critical national infrastructure and welcomes the important recommendations. The UK’s critical national infrastructure remains a key target for attack, whether from nation state actors or organised crime groups. Whilst the report correctly recognises the significant work that the National Cyber Security Centre (NCSC) has done in providing technical leadership on cyber resilience, it accepts that cyber risk within critical national infrastructure is still not fully understood or managed. This is an issue that requires utmost vigilance.
“The recommendation for the creation of a Cyber Security Minister, responsible for the cross-government delivery of the National Cyber Security Strategy, has merit and should be explored further. Much has changed since the strategy was published in 2016, with the threat to government and businesses constantly evolving. As the current strategy draws to a close, it is vital that cyber security becomes business as usual across all areas of government. The appointment of a Cabinet Office Minister designated as a cyber security lead could help ensure government remains one step ahead of the threat and drive real change across departments.”