An ongoing failure to act with “meaningful sense of purpose or urgency” in the face of threats posed by cyber criminals and hackers puts critical national infrastructure at unnecessary risk from cyber attacks, a UK Parliamentary committee has warned.
The UK experienced a taste of the damage that cyber attacks can cause when the global WannaCry ransomware outbreak took down large portions of the National Health Service in 2017, causing disruption to hospitals and patients across the country.
Meanwhile, a recent warning from the National Cyber Security Centre (NCSC) suggested that hostile states will attempt deadly cyber attacks against the UK that threaten loss of life and other major consequences.
Despite these threats, the general public still only has a “limited appreciation” of what could be the “devastating” results of a major cyber attack against critical national infrastructure such as energy, health services, transport or water, according to a new report from the UK Parliament’s Joint Committee on the National Security Strategy.
The problems go to the very top, the report says: despite the growing and evolving threat to the UK’s critical national infrastructure, the country lacks the political leadership required to face the issue.
Its inquiry into cyber security and critical infrastructure has concluded that there’s no “controlling mind” at the centre of government for managing cyber risks and that “identifiable political leadership is lacking”.
“We are struck by the absence of political leadership at the centre of Government in responding to this top-tier national security threat,” said Margaret Beckett MP, Chair of the Joint Committee.
“It is a matter of real urgency that the Government makes clear which Cabinet Minister has cross-government responsibility for driving and delivering improved cyber security, especially in relation to our critical national infrastructure,” Beckett added.
The report suggests that “complex arrangements” for ministerial responsibility mean that Ministers are only occasionally “checking in” on the issue of security in critical infrastructure.
Describing this setup as “wholly inadequate” and “inappropriate in view of the Government’s own assessment that major cyber attacks are a top-tier national security threat,” the committee recommends that the government appoint a Cabinet Office Minister to a new role focused on delivering improved resilience across the UK’s national infrastructure.
“There should be a Cabinet Office Minister designated as cyber security lead who, as in a war situation, has the exclusive task of assembling the resources–in both the public and private sectors–and executing the measures needed to defend against the threat,” the report said.
Other recommendations are that more must be done to ensure the issues are understood all the way down the supply chain and at board level, and that the next National Cyber Security Strategy should map out interdependencies between different critical infrastructure sectors to help determine national-level risks.
The report also calls on the government to be more transparent about its National Cyber Security Programme, noting that the government is “unwilling” to publish any information about it beyond its total budget of £1.9 billion.
In response to the report, a government spokesperson told ZDNet that “Ensuring our critical national infrastructure is secure and resilient against cyber attacks is a priority for the Government, which is why we are investing £1.9bn to improve our cyber capabilities”.
However, nothing was forthcoming on whether the recommendation of appointing a new minister will be followed: “Ministers have clear responsibilities that are rightly shared because every part of government must respond to the challenges we face,” the spokesperson said.