The threat to the UK’s CNI (critical national infrastructure) is growing and evolving. It’s as credible, potentially devastating and immediate as any other threat faced by the UK, according to the Joint Committee on the National Security Strategy in a new report.
The committee of peers and MPs defines CNI as 13 sectors such as energy, health services, transport and water. The parliamentarians say the Government is not acting with the urgency and forcefulness that the situation demands. Their Report on Cyber Security of the UK’s Critical National Infrastructure says the UK’s CNI is a natural target for a major cyber attack because of its importance to daily life and the economy.
Major cyber attacks are categorised by the Government as a top-tier threat to national security. As some states become more aggressive and non-state actors such as organised crime groups become much more capable, the range and number of potential attackers is growing. The parliamentarians quote the head of the National Cyber Security Centre (NCSC) saying that a major cyber attack on the United Kingdom is a matter of ‘when, not if’.
The state-sponsored 2017 WannaCry attack greatly affected the NHS, even though it was not itself a target, and showed the potential significant consequences of attacks on UK infrastructure, according to the report.
Ministers have acknowledged that more must be done to improve the cyber resilience of CNI and the Government has taken some important steps in the two years since the National Cyber Security Strategy was published. It set up the NCSC as a national technical authority but its capacity is being outstripped by demand for its services, the committee warns.
A tightened regulatory regime, required by the NIS EU Directive (covering network and information systems) that applies to all member states, has been brought into force for some, but not all, CNI sectors. The 60-page report says this will not be enough to achieve the required leap forward across the 13 CNI sectors.
Chair of the Committee, the senior Labour MP Margaret Beckett, said: “We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat. It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure.
“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors.”
The Committee in July reported on the need for building the cyber security skills base. Mrs Beckett added: “Too often in our past the UK has been ill-prepared to deal with emerging risks. The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”
Pictured; Waterloo Clump, water tower with comms equipment, Burton upon Trent.
Veracode director, Paul Farrington, says: “The report states that ‘identifiable political leadership is lacking’. There are plenty of initiatives, but very little practical evidence of real change. We still see manufacturers churning out vulnerable electronic devices that end up in the home. Big firms continue to write software for Government and the private sector, but are not required to deliver software free from security defects, or cover the cost of fixing them. This state of affairs is not dissimilar to the obesity epidemic we see in the western world. Just relying on consumers to make sensible choices against a backdrop of conflicting advice and evidence is unlikely to address the real problem. Manufacturers and retailers need to be dissuaded from selling unhealthy food – the same is true in relation to software products and services. Whitehall also needs to encourage collaboration across Government departments by rewarding progress against security targets. The PM and Chancellor may need to withhold budget for public sector projects in those departments that are resistant to taking this security challenge seriously.”
Henry Harrison, co-founder and CTO of Garrison, a cybersecurity company, said: “Nations have been protecting their diplomatic and military secrets against ‘cyber’ attack since the Second World War, Enigma and Bletchley Park. However, the need to protect critical systems is much more recent, and not yet baked into our country’s DNA, even though a successful attack against critical systems could be even more significant than the loss of classified information.
“Historically there has been a vast gulf between the cybersecurity approaches used to protect secret government information versus those used by private sector organisations running critical infrastructure.
“Recent technological advances mean that it is now becoming much more practical for private sector organisations to adopt the sort of high security approaches that have to date been the preserve of the military and national security worlds. Such a change in mindset and approach is not optional – it is essential to ensure that the private sector is adequately equipped to play its part in defending the UK’s infrastructure.”
And Pete Banham at Mimecast said: “It’s vital that short-term memories and political distractions such as Brexit do not derail focus from these important initiatives. Private sector businesses today need a risk and security champion in the boardroom; likewise, it’s time Government had a cyber tsar in the Cabinet. Minimising the impact of attacks should be top priority as a defence-only strategy is doomed to fail. This should include regular ‘fire drills’ for all employees to respond to and recover from cyber-attacks. Cyber resilience in the office needs to be as ingrained as buckling up a seatbelt on the drive to work.
“We’ve seen a growing number of CNI organisations, including the NHS, make determined moves to adopt more resilient postures in the last two years. WannaCry helped focus attention and budget allocation but still more needs to be done. This includes email and web security tools to help prevent new strains of ransomware and awareness training for all employees to counter increasingly hard-to-detect social engineering.”