Daniel - stock.adobe.com

Government lacks cyber resilience leadership, according to MPs

The government lacks political leadership and urgency in dealing with cyber threats, according to Joint Committee on National Security Strategy, calling for a minister in charge of delivering cyber resilience

The government needs to step up political leadership and be better prepared for potential cyber threats, according to MPs on the Joint Committee on the National Security Strategy.

Although the government has acknowledged it needs to do more to improve cyber resilience across “critical national infrastructure” (CNI), MPs on the committee said in their report that it remains an aspiration and they are seeing little evidence of action.

“While we applaud the aspiration, it appears the government is not delivering on it with a meaningful sense of purpose or urgency,” the report said.

“Its efforts so far certainly fail to do justice to its own assessment that major cyber attacks on the UK and interests are a top-tier threat to national security.”

The report added that a key issue is the lack of “identifiable political leadership”.

“There is little evidence to suggest a ‘controlling mind’ at the centre of government, driving change consistently across the many departments and critical national infrastructure sectors involved,” the report said.

“Unless this is addressed, the government’s efforts will likely remain long on aspiration and short on delivery. We therefore urge the government to appoint a single Cabinet Office minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.”

Read more about cyber security and government

The UK has suffered several major cyber attacks in recent years, including the WannaCry attack which affected the NHS, as well as attacks on UK Parliament and Scottish Parliament in 2017.

The Committee’s MPs are concerned that not enough is being done to deal with potential future threats. Committee chair Margaret Beckett said the MPs were “struck by the absence of political leadership at the centre of government in responding to this top-tier national security threat”.

“There are a whole host of areas where the government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors,” she said.

In 2016, the government published its National Cyber Security Strategy (NCSS), and announced £1.9bn in funding to drive the programme. However, the committee criticised the government for refusing to publish any information about how the programme is going.

“While we accept that some elements of the National Cyber Security Programme are security-sensitive and therefore should not be made public, such lack of transparency about such large sums of public money is of serious concern. ,” the report said, adding that it was a “backwards step” as the government has previously published annual reports and budget breakdowns for the old strategy.

Critical national infrastructure

The MPs said that although the 2016 strategy states that ensuring resilience of the country’s CBI to cyber attacks is a priority, it does not set out specifically how to do this, any timescale or how to measure progress.

“The 2016 NCSS does not address what the government’s priorities are in protecting the UK’s critical national infrastructure from cyber attack. The principal purpose of defining ‘critical’ infrastructure should be to enable the government and industry to prioritise their efforts, focusing their attention on those assets whose failure or impairment would have the greatest impact on the UK’s national security and its economy.

“We are therefore concerned that despite the designation of major cyber attacks as a top-tier threat to UK national security, the government does not have clearly defined objectives for the five-year period covered by the strategy nor a structured plan for delivering them,” the report said, adding that this echoed findings from the committee’s July report on cyber security skills.

CNI includes water supply, electricity generation, telecommunication, financial services, health and transport. Often these are relying on IT systems, as well as operational technology systems like electricity substations and transportation control rooms, which are likely to be bespoke and legacy systems not designed with cyber security in mind.

“This has the effect of creating new vulnerabilities and potentially exposing the systems to cyber attack,” the committee said, adding that the majority of these are privately owned, which raises “raises difficult questions for the government about how far to intervene in the operations of private companies to ensure that national security interests are prioritised and about what types of intervention would be most effective”.

The report added that while it’s impossible to secure CNI networks and systems completely, building resilience “will make it harder for an attacker to achieve their objective – whoever that attacker may be, whatever their motive and however they choose to attack”.

Read more on Hackers and cybercrime prevention