Is the NIS Directive tightening the UK’s national security, or a lot of hot air? asks Andrew Lloyd, President at Corero Network Security.
When the UK Government launched its Digital Strategy in March 2017, it was a proud day for many people working in the cyber security industry. The ambition of making the UK “the safest place in the world to live and work online” demonstrated the importance of cyber security to our national interests, and there was a sense of optimism that the National Cyber Security Centre (NCSC) would be empowered to protect our critical national infrastructure from the dangers of serious cyber-attacks. But while we were all swept up by the rhetoric, the current situation suggests that we are at risk of losing sight of this vision, and are on the cusp of throwing away this golden opportunity to improve our resilience against serious attacks.
This is deeply concerning, given that the UK is facing ever more serious cyber threats each day. In January, Ciaran Martin, the head of the NCSC, warned that it was a matter of “when, not if” the UK faces a major cyber-attack that might cripple infrastructure such as energy supplies or the financial services sector. Across all parts of critical national infrastructure (CNI), we are seeing a greater number of sophisticated and damaging cyber threats which are often believed to be the work of foreign governments seeking to cause political upheaval. Last year’s DDoS attacks against the transport network in Sweden caused train delays and disrupted travel services, while the WannaCry ransomware attacks last May demonstrated the capacity for cyber-attacks to impact people’s access to essential services.
So how is the UK dealing with these potential threats? Last month, the government published a response to its consultation on the UK’s implementation of the Network and Information Systems (NIS) Directive. This included confirming that UK critical infrastructure organisations may soon be liable for fines of up to £17m if they fail to implement robust cyber security measures. But despite the tough talk, the response avoided making any hard recommendations and instead relies on a more passive approach of deferring responsibility to the National Cyber Security Centre and the ‘Competent Authorities’.
Unfortunately, unless there is a significant increase in the precision of the guidance, this approach of passing the buck could result in almost no tightening of our national security. In January, the NCSC published its initial guidance for organisations looking to comply with the NIS Directive legislation. The measures outlined are heavily weighted towards reactive attack reporting rather than advising organisations on how to better shore up their perimeter with proactive defence solutions. As an example, within the guidance organisations are asked to define their own risk profile, and then prove their resilience against that profile – the equivalent of being graded on a test you wrote yourself.
Looking to the Competent Authorities, the Civil Aviation Authority (CAA) recently published a list of 26 cyber security controls as a framework for the regulation of cyber-induced risks within the aviation industry. With respect to Network Perimeter Security, the list references various ISO standards, which explain that “special controls may also be required to maintain the availability of the network services and computers connected.” Against such vague guidance, it seems impossible that any aviation organisation could fail, effectively rendering the threat of a £17m fine meaningless. In addition, most of the security standards referenced are far from new. Whilst many of the principles hold true, few of the standards have been adapted for the modern, proactive security postures necessary to deliver real-time protection against the sophistication and frequency of today’s cyber-attacks.
Against this backdrop, there is widespread evidence that many CNI organisations are still not taking adequate steps to protect themselves and the essential services they provide to UK citizens. In August 2017, a Freedom of Information study conducted by Corero Network Security found that 39pc of CNI organisations in the UK (and 42pc of NHS Trusts) had still not completed the government’s ‘10 Steps to Cyber Security’ – a series of fairly basic steps to improve cyber security that was first introduced in 2012.
In this light, it’s unclear how the UK’s implementation of the NIS Directive can successfully set out a framework of minimum cyber security standards for CNI. If the intended outcome is genuinely tied to resilience against cyber-attacks, then these essential services should be required to remain available during an attack. The outcome described in the guidance merely points to the proper disclosure of failed protection and swift recovery from that failure – which could prove grossly inadequate in the event of a serious cyber-attack on our critical infrastructure, one that could put UK citizens’ safety at risk. The concern remains that the implementation of the NIS Directive will be viewed as a mere tick-box exercise, rather than delivering a safe and secure cyberspace for our essential services and fulfilling its promise for the UK to set world-leading standards in this area. Let’s hope we can still seize this opportunity.