Is the UK cyber resilient?
Politicians and industry experts discuss how to fortify our digital networks
Defending the cyber domain is one of the great security challenges of the 21st century. The rise of the networked world has brought benefits but also dangers. These range from minor irritations affecting personal computers to large-scale attacks on business and even geopolitical threats, with rogue actors targeting power grids, weapons systems and democratic elections.
It is an issue growing in prominence, particularly since Boris Johnson’s controversial decision to allow Chinese giant Huawei a continued role in UK telecoms infrastructure. So what precisely does the cyber threat look like and how is the UK protecting itself? Prospect convened a roundtable in Westminster to discuss these questions. In attendance were politicians, industry figures and defence chiefs including Admiral Alan West and Baroness Pauline Neville-Jones. In the chair was Prospect deputy editor Steve Bloomfield.
All attendees agreed on the seriousness of the problem. Alex Towers from BT said that when you consider the full spectrum, including “scammers, phishing attacks” and more, “we have something like 4,000 attacks on the BT network every day,” showing the need for vigilance. Hostile actors are at work “all the time, and not just malign state actors, but all sorts of organised crime and much less organised crime.”
When critical national infrastructure is hacked there can be very real-world effects. For Keith Mayes, professor of information security at Royal Holloway, the concern is where digital and traditional infrastructure meet. “The big thing that worries me most is what we call the cyber-physical systems, the crossover between IT and operational technology.” For example “in a nuclear power station, we’ve got controllers, we’ve got sensors… and it used to be they were isolated from the internet. But for efficiency optimisation, it seems to be that we’re on this unstoppable train to connect everything together.”
Alarmingly, West, former chief of the naval staff, suggested there was a lack of awareness about the threat posed by this increased connectivity, even at the top. He had seen proposals in the past for connecting the systems for our nuclear deterrent to other networks, which increases the risk of outside attack. “It is almost inconceivable to me that anyone could think of that even for a second,” he continued: “The only way you can be absolutely certain of not being ‘got’ is if there’s an ‘air gap’”—if the system is not connected to other digital networks in any way.
More broadly there is a concern that not all parts of the government’s strategy are linked up. According to former chair of the Joint Intelligence Committee Neville-Jones, signs of a better strategy can be found in the Solarium project in the US, which draws political support from both sides of Congress and looks at “every level of society” to prepare for cyber “breakdown and recovery.” It aims to “ensure that certain obligations have been undertaken by the critical infrastructure networks of the country.” There are lessons for the UK here.
Towers said it is essential “to make sure that we all share much more transparently—and not in a competitive way—information about where we can see threats and how we are managing them.”
Martin Docherty-Hughes, SNP MP, said he thought there was a “lack of political leadership.” But that does not mean nothing is being done. The government has set up the National Cyber Security Centre. A representative from the centre said “my team are working day in day out with critical infrastructure” and parts of government are “preparing for operating in adversity.” The important thing is not just “looking to raise that cyber resilience” but also putting an emphasis on how to “detect and recover.”
Mark Neate, representing the Sellafield nuclear site, said the key is to “take a systemic view” of risk, to always be ready for things to go wrong, and to have safety measures in place for when they do. The NCSC understands the challenges and its creation has been a positive thing, he said. Mayes agreed that the NCSC is valuable, but wondered about the word “national” and stressed the “international angle” too, because cross-border collaboration is essential. You cannot have “effective regulation in one state,” added George Howarth, Labour MP, when the darker corners of the internet do not respect national boundaries.
Beyond the implementation of new protections, another question is how you inform the public about what is being done. This was of particular concern to Neville-Jones, who said “the activities of various [UK] governments in the areas of both security and resilience are not very widely known or understood. There is a public messaging problem here.” When there is an attack “how is the general public expected to behave except panicking? Because they do not know that there has been preparation.” Information can only be found after a hunt online.
Journalist Paul Wallace mentioned a scheme in Sweden where information leaflets were distributed to the public on security risks including cyber, and suggested it might serve as a model. Docherty-Hughes added that you don’t need to “reinvent the wheel” to learn from others who are reckoning with cybercrime. It’s better to “listen to them, learn from them,” particularly states like Estonia as they are “dealing with one of the most reactionary states on their borders” and have experience of responding to serious attacks.
Ultimately, says Neville-Jones, you have “to actually decide in a given crisis which set of activities, which businesses and which kinds of core services take priority.” There are certainly challenges in the official response, but when there are real-world consequences the government might at least have some experience of managing them. The NCSC figure argued “when an attack happens, and let’s assume it’s a hostile state, I don’t think we necessarily know straightaway if it’s a cyberattack or just a disruption to services. And in some ways… whether it’s transport failure or a signalling failure, or an energy shortage, actually, government is well exercised in that space.”
Looking ahead, there is an integrated defence and security review later this year, while the NCSC will get a new chief executive. Preparation must continue apace. Mayes from Royal Holloway said “The reality is everything can be successfully attacked.” The question is, “how much effort is required to do that, and how much protection have you put in place to stop it?”