The cyber threat to the UK’s critical national infrastructure (CNI) is as credible, potentially devastating and immediate as any other threat faced by the UK, according to the Joint Committee on the National Security Strategy.
The Committee’s latest report says the Government is not acting with the urgency and forcefulness that the situation demands, with the UK’s CNI a natural target for a major cyber attack because of its importance to daily life and the economy.
The Report on Cyber Security of the UK’s Critical National Infrastructure says that as some states become more aggressive and non-state actors such as organised crime groups become much more capable, the range and number of potential attackers is growing.
In fact, the head of the National Cyber Security Centre has said that a major cyber attack on the United Kingdom is a matter of ‘when, not if’.
The state-sponsored 2017 WannaCry attack greatly affected the NHS even though it was not itself a target and demonstrated the potential significant consequences of attacks on UK infrastructure.
Ministers have acknowledged that more must be done to improve the cyber resilience of CNI and the Government has taken some important steps in the two years since the National Cyber Security Strategy was published.
It set up the National Cyber Security Centre as a national technical authority, but the Joint Committee says its current capacity is being outstripped by demand for its services.
The Joint Committee added that while a tightened regulatory regime, required by an EU Directive that applies to all member states, has been brought into force for some, but not all, CNI sectors, it will not be enough to achieve the required leap forward across the thirteen CNI sectors (including energy, health services, transport and water).
Chair of the Committee, Margaret Beckett MP, said: “We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat.
“It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure.
“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasises the need for continual improvement to cyber resilience across CNI sectors.
“My Committee recently reported on the importance of also building the cyber security skills base.
“Too often in our past the UK has been ill-prepared to deal with emerging risks.
“The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”