The government is failing to deliver on promises to protect the UK’s critical national infrastructure (CNI) from cyber attacks, a report from a parliamentary committee has warned.
The threat to critical infrastructure, including the power grid, is growing, the committee reported, with some states – “especially Russia” – starting to explore ways of disrupting CNI.
“In addition, some organised crime groups are becoming as capable as states, thereby increasing the number and range of potential attackers,” the report added.
In a joint technical alert issued earlier this year, security agencies in the US and UK accused the Kremlin of being behind an ongoing hacking campaign targeting CNI in both countries.
The alert followed an advisory notice which warned that companies connected to CNI were being targeted by attackers believed to be based in eastern Europe.
Ciaran Martin, the head of the UK’s National Cyber Security Centre (NCSC), has warned that a major attack on the country is a matter of “when, not if” – but the report accuses the government of failing to respond to this risk assessment “with a meaningful sense of purpose or urgency”.
Describing the problem of cyber security within CNI as “wicked”, the report, published on Monday from the joint committee on the national security strategy, extends its criticism to the government’s expectations of the NCSC, which it said “are outstripping the resources put at its disposal”.
Legislation developed by the European Union and implemented in the UK this year introduced fines of up to £17m for CNI organisations if their cyber security preparations were not up to standard.
Although the UK will keep these regulations following Brexit, the committee noted with concern that the country’s “participation in EU-wide information-sharing and capacity-building is still subject to negotiation”.
Stuart McKenzie, the EMEA vice-president at Mandiant, the incident response arm of cyber security firm FireEye, said he agreed with the committee’s description of cyber security as a “wicked” problem.
“Much of the technology used within CNI has grown organically, but remains fragile and relies on outdated technology in terms of security,” Mr McKenzie explained.
“The threats facing CNI have constantly evolved, meaning that today’s threat is something that wasn’t imaginable when many of the systems were originally designed, leaving them increasingly vulnerable.”
The joint committee also identified a lack of identifiable political leadership to strengthen cyber security within the UK’s critical infrastructure.
It wrote: “There is little evidence to suggest a ‘controlling mind’ at the centre of government, driving change consistently across the many departments and CNI sectors involved.”
As such, it called for a cyber security minister post to be created – effectively a Cabinet Office minister designated as a cyber security lead.
This minister would “in a war situation, [have] the exclusive task of assembling the resources – in both the public and private sectors – and executing the measures needed to defend against the threat”.
The government has not yet responded to the committee’s report.