Narong Jongsirikul - Fotolia

CNI sector lacks cyber security skills, government warned

The UK’s critical national infrastructure sector is being negatively impacted by the lack of cyber security skills, a report warns

The gap between the demand and supply of suitably skilled cyber security workers in the critical national infrastructure (CNI) sector is a cause for alarm, the Joint Committee on the National Security Strategy has warned.

The UK Government has no real sense of the scale of the problem or how to address it effectively, according to a newly published report by the committee created to monitor the implementation and development of the UK’s National Security Strategy.

The report on cyber security skills was prompted by the committee’s continuing work on the cyber security of the UK’s critical national infrastructure, which includes water supply, electricity generation, telecommunication, financial services, health and transport.

“During our ongoing inquiry into the cyber security of the UK’s CNI, we heard that although the UK has one of the most vibrant digital economies in the world, there is not currently the cyber security skills base to match, with both the government and private sector affected by the shortage in skills,” the report said, adding that this is “particularly problematic” in relation to CNI.

The report concludes that the shortage in specialist skills and deep technical expertise is one of the greatest challenges faced by the UK’s CNI operators and regulators in relation to cyber security.

The committee is concerned by the government’s lack of urgency and calls on ministers to step forward and take the lead in developing a strategy to provide drive and direction.

“It is of utmost importance to the UK’s national security that it has the capacity, now and in the future, to keep CNI services, systems and networks secure” the report said.

Read more about the cyber security skills shortage

The WannaCry attack in May 2017 did not deliberately target the National Health Service (NHS), but the report said it demonstrated the fundamental need to ensure the UK is able to keep CNI secure from cyber threat.

A lack of detailed analysis of which CNI sectors are most acutely affected, the report said, is impacting on the government’s ability to understand, and therefore address the gap between skills supply and demand.

The report notes that a skills strategy, promised by government in November 2016 to frame and give impetus to its various efforts, is now scheduled to be published on in December 2018.

Without such a strategy, the report said “the government risks pursuing a number of disparate but individually worthwhile initiatives that, due to inadequate coordination, fail to add up to more than the sum of their parts.

“Developing and publishing a cyber security skills strategy, with the close involvement of industry and academia, should be the government’s first priority. It is a pressing matter of national security that it does so,” the committee said.

The report identifies four key measures that the committee believes form part of the solution. First, is using education to create a strong foundation for the future skills base. Second, is industry being more creative in terms of how it recruits and reskills employees.

Professionalising the cyber security industry

Third is professionalising the relatively immature cyber security industry through achieving Royal Chartered status, and fourth is the introduction of robust mechanisms for cross-government coordination and cooperation, clear lines of accountability, and a minister with clear lead responsibility for the development of cyber security skills.

“Our report reveals there is a real problem with the availability of people skilled in cyber security, but a worrying lack of focus from the government to address it,” said Margaret Beckett, chair of the Joint Committee.

“We’re not just talking about the ‘acute scarcity’ of technical experts which was reported to us; but also the much larger number of posts which require moderately specialist skills. We found little to reassure us that government has fully grasped the problem and is planning appropriately,” she said.

Beckett said that the committee acknowledges that the cyber security profession is relatively new and still evolving and that the pace of change in technology may well outstrip the development of academic qualifications.

“However, we are calling on government to work closely with industry and education to consider short-term demand as well as long-term planning.

“As a very first response, government must work in close partnership with the CNI sector and providers to create a cyber security skills strategy to give clarity and direction. It is a pressing matter of national security to do so,” she said.

Protecting critical sectors

TechUK, which worked with the Joint Committee on its inquiry into the cyber resilience of the UK’s critical national infrastructure, said the report rightly recognises that a lack of cyber security skills in the UK is unduly affecting the ability of CNI operators to protect the critical sectors UK citizens rely on.

However, Talal Rajab, head of cyber and national security at TechUK said the organisation welcomes the many initiatives that government has conducted in this regard from the classroom to the boardroom.

“This includes the recent announcement pertaining to the creation of a cyber professional body that will establish career pathways for cyber professionals to enter the sector.

“We also commend the ongoing work of the National Cyber Security Centre’s CyberFirst programme inspiring young people, especially girls, to consider a career in cyber. We look forward to working with government as it increases activities to plug the cyber skills gap and protect the UK’s critical services,” he said.

Ollie Whitehouse, global CTO at global cyber security and risk mitigation firm, NCC Group said the report’s focus on skills is welcome. “We fully support the development of a cyber security skills strategy and will commit to working closely with government and academia to address this challenging issue,” he said.

As a business, Whitehouse said NCC Group’s success relies on bringing in the right people with the right skills.

“While we are already attempting to close to skills gap through both our own initiatives and our support of external schemes like CyberFirst and CyberInvest, we see huge benefits in a government-led skills strategy,” he said.

Read more on Hackers and cybercrime prevention