Yet the government is still woefully underprepared. (This article features in Prospect's new cyber resilience supplement)by Margaret Beckett / August 30, 2019 / Leave a comment
A category-one cyberattack on the UK is a matter of “when, not if”—that is the view of Ciaran Martin, head of the UK’s National Cyber Security Centre. He said this several months after the 2017 WannaCry ransomware attack, which disrupted NHS services across the country. This year he confirmed that the risk of such an attack has not receded. In other words, we should expect worse to come.
Cyber resilience is a key strand of our country’s security. In the 2018 “National Security Capability Review,” the government pledged to “continue to implement the National Cyber Security Strategy and ensure it keeps pace with the threat.” Ensuring our critical national infrastructure (CNI) is resilient to future attacks through a regulatory framework is part of the UK’s preparation for national resilience.
That is why the parliamentary committee of which I am chair, the Joint Committee on the National Security Strategy, conducted an inquiry into the cybersecurity of the UK’s CNI. And in July, we returned to our work on the “National Security Capability Review” and the Modernising Defence Programme, with a follow-up report. We repeated our concerns that the cornerstones of the UK’s national security are being undermined as the government fails to keep pace.
Critical infrastructure is, by definition, a priority for the UK. CNI comprises 13 sectors including energy, health services, transport, communications and water—much of this is privately-owned. It is, therefore, not within the government’s direct gift to deliver change. But we were struck by its lack of urgency in addressing the cyberthreats to those services that are essential to the functioning of daily life.
Despite some important steps—including establishing the National Cyber Security Centre in 2016 and introducing more robust regulation for some (but not all) CNI sectors—we found that the government must do much more. Only then will we achieve the leap forward that will thwart the cyber-enabled espionage, disruption and destruction that both states and organised crime groups can now use against us.
At the heart of the problem, we identified a lack of political leadership. We did not see a central force within the government driving change across Whitehall, with sufficient momentum to deliver a sustained impact on the public or private sector. Whether this will improve under the new administration remains to be seen.