The cyber threat to the UK’s critical national infrastructure (CNI) – 13 sectors including energy, health services, transport and water – is as credible, potentially devastating and immediate as any other threat faced by the UK.
However, the Government is not acting with the urgency and forcefulness that the situation demands.
The Report on Cyber Security of the UK’s Critical National Infrastructure says the UK’s CNI is a natural target for a major cyber attack because of its importance to daily life and the economy.
Major cyber attacks are categorised by the Government as a top-tier threat to national security.
As some states become more aggressive and non-state actors such as organised crime groups become much more capable, the range and number of potential attackers is growing.
Major cyber attack on the UK is a matter of ‘when, not if’
The head of the National Cyber Security Centre has said that a major cyber attack on the United Kingdom is a matter of ‘when, not if’.
The state-sponsored 2017 WannaCry attack greatly affected the NHS even though it was not itself a target and demonstrated the potential significant consequences of attacks on UK infrastructure.
Ministers have acknowledged that more must be done to improve the cyber resilience of CNI and the Government has taken some important steps in the two years since the National Cyber Security Strategy was published.
It set up the National Cyber Security Centre as a national technical authority but its current capacity is being outstripped by demand for its services.
A tightened regulatory regime, required by an EU Directive that applies to all member states, has been brought into force for some, but not all, CNI sectors but will not be enough to achieve the required leap forward across the thirteen CNI sectors.
Struck by absence of political leadership
Chair of the Committee, Margaret Beckett MP, said:
“We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat.
It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure.
There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors.
My Committee recently reported on the importance of also building the cyber security skills base.
Too often in our past the UK has been ill-prepared to deal with emerging risks.
The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”