When, not if: a category-one cyberattack is just a matter of time

Yet the government is still woefully underprepared. (This article features in Prospect's new cyber resilience supplement)

August 30, 2019

A category-one cyberattack on the UK is a matter of “when, not if”—that is the view of Ciaran Martin, head of the UK’s National Cyber Security Centre. He said this several months after the 2017 WannaCry ransomware attack, which disrupted NHS services across the country. This year he confirmed that the risk of such an attack has not receded. In other words, we should expect worse to come.

Cyber resilience is a key strand of our country’s security. In the 2018 “National Security Capability Review,” the government pledged to “continue to implement the National Cyber Security Strategy and ensure it keeps pace with the threat.” Ensuring our critical national infrastructure (CNI) is resilient to future attacks through a regulatory framework is part of the UK’s preparation for national resilience.

That is why the parliamentary committee of which I am chair, the Joint Committee on the National Security Strategy, conducted an inquiry into the cybersecurity of the UK’s CNI. And in July, we returned to our work on the “National Security Capability Review” and the Modernising Defence Programme, with a follow-up report. We repeated our concerns that the cornerstones of the UK’s national security are being undermined as the government fails to keep pace.

Critical infrastructure is, by definition, a priority for the UK. CNI comprises 13 sectors including energy, health services, transport, communications and water—much of this is privately-owned. It is, therefore, not within the government’s direct gift to deliver change. But we were struck by its lack of urgency in addressing the cyberthreats to those services that are essential to the functioning of daily life.

Despite some important steps—including establishing the National Cyber Security Centre in 2016 and introducing more robust regulation for some (but not all) CNI sectors—we found that the government must do much more. Only then will we achieve the leap forward that will thwart the cyber-enabled espionage, disruption and destruction that both states and organised crime groups can now use against us.

At the heart of the problem, we identified a lack of political leadership. We did not see a central force within the government driving change across Whitehall, with sufficient momentum to deliver a sustained impact on the public or private sector. Whether this will improve under the new administration remains to be seen.

We exposed a significant cybersecurity skills shortage that is already preventing CNI operators, regulators and the government from recruiting the expertise they need to keep the UK secure. The shortage in specialist skills and deep technical expertise is one of the greatest challenges in cybersecurity, but we argued that the government had no real sense of the problem, let alone of how to address it.

The House of Commons Public Accounts Committee (PAC) published its own report on “Cyber security in the UK.” This strongly echoed our own findings but suggested the situation is even worse than we had feared. The PAC concluded that the government is only just beginning to make progress in delivering its key objectives on cybersecurity, set in 2016, “after a poor start.” It “has not yet been clear what the strategy will actually deliver by 2021.” And it “lacks the robust evidence base it needs to make informed decisions about cybersecurity.” Having failed to produce a business case for its five-year strategy in 2016, the government now cannot “judge the value for money” of its delivery.

Perhaps the most disturbing aspect of the whole story is that the government appears almost wilfully myopic about the scale of the challenge it faces. How many times do we need to repeat our message?

One small step forward came in May, when the government issued a progress report. Given that the last annual report on cybersecurity appeared in 2016, this is to be welcomed. However, this new report paints a rosy picture which is utterly at odds with the fundamental concerns outlined by my own committee and the PAC. It states that the 2016 strategy has “driven transformational changes across government and society” in its first three years, and has “helped to establish the UK as a world leader in cybersecurity.”

There have been some promising first steps but nothing which amounts to this “transformation.” The government would do well to remember that it is not enough to be a world leader in cybersecurity if that is an extremely low bar over which to leap.

Instead, it must do much more to embed cyber resilience into the workings of the UK economy, and particularly, its CNI. Only this will keep the UK’s increasingly digital society secure in the long term. We have recently recommended an increase in the defence budget. The MoD must be supported by the Treasury in its efforts to harness new technology and innovation.

My committee will be firmly on repeat until the government gets the message.
