A newly published report from the UK joint parliamentary committee on national security strategy calls for greater political leadership on cyber-defence with a call for a cyber-security minister in the Cabinet to provide greater strategic direction and accountability.
The report - Cyber Security of the UK's Critical National Infrastructure - says: "Focused and proactive political leadership from the centre of Government is essential in driving change and ensuring a consistent approach across the many departments and agencies with responsibility for the resilience of CNI to cyber threats."
Concerns about diluted responsibility
Concerns are voiced that: "The current complex arrangements for ministerial responsibility mean that day-to-day oversight of cross-government efforts is, in reality, led by officials, with Ministers only occasionally ‘checking in’," which it says is: "wholly inadequate to the scale of the task facing the Government, and inappropriate in view of the Government’s own assessment that major cyber attacks are a top-tier national security threat."
Consequently the recommendation is that there should be a Cabinet Office Minister designated as cyber security lead who, as in a war situation, has the exclusive task of assembling the resources—in both the public and private sectors—and executing the measures needed to defend against the threat. This Minister should therefore be responsible and accountable for the cross-government development and delivery of the National Cyber Security Strategy and Programme, including those elements relating to CNI. This Minister should therefore:
be empowered to hold departmental Ministers to account;
sit on the National Security Council (NSC) and relevant NSC sub-committees; and
oversee the work of the National Cyber Security Centre and the relevant section of the National Security Secretariat.
Currently for devolved policy areas, ministerial oversight is split between Westminster and the Devolved Administrations with varying, generally limited, levels of engagement by the Secretaries of State in their respective CNI sectors; infrequent meetings of two of the three Cabinet Committees with responsibility for overseeing cross-government implementation and Cabinet Committees having limited discussion of problems that involve more than one department.
Coherent political leadership called for
The report adds that the coherence of political leadership from the centre of Government is further undermined by there being two Ministers with overlapping responsibility for the NCSP’s implementation. The exclusion of the Department for Digital, Culture, Media and Sport from the NSC is described as ‘puzzling’ given the criticality of its work on developing skills to the successful delivery of the 2016 NCSS.
While there is a call for operators to assume greater responsibility for cyber resilience at board level, with a clear point of accountability , the government is described as failing to do the same.
It is described as essential that the NCSC’s proactive leadership on the technical aspects of cyber resilience of CNI is not treated by Ministers as a substitute for strong political leadership in driving change across CNI sectors and relevant departments. Consequently, while the creation of the NCSC, as the UK’s technical (rather than strategy or policy) lead on cyber security is described as having had a positive impact in the two years since it was established, the report says that cross-government leadership on policy has become less clear since the NCSC was established and has even taken retrograde step with the effective loss of the original focal point for coordination—the Office of Cyber Security and Information Assurance (OCSIA).
Consequently it is currently unclear who leads, who coordinates and who is responsible, including at ministerial level, with activities and policy seemingly diffuse and ambiguous across departments.
Increased capacity needed at the NCSC
Ciaran Martin, head of the NCSC told the committee that it has 740 staff and a budget of £285 million for the 2016–2021 period, however it was also reported that expectations—at least on the part of CNI operators and regulators, and even of other parts of Government—already exceed the NCSC’s capacity. The report concludes that ts effectiveness will be limited unless it has access to the experts it needs in the numbers it requires.
The report says Government should publish a plan for the institutional development of the NCSC over the next decade, taking account of anticipated technological progress and setting out the resources and range of skills and expertise that the NCSC is likely to need. These requirements should be addressed in the Government’s forthcoming cyber-security skills strategy. Its budget—currently running to 2020–21—should be extended beyond that time horizon in next year’s Spending Review as a ring-fenced fund separate from (and safe from) general departmental budget pressures.
The next National Cyber Security Strategy, due for publication in 2021 should be informed by a mapping of the key interdependencies between CNI sectors—and therefore of national-level cyber risk to CNI—which the Government should complete as soon as possible and keep under continual review. The priorities identified in the next Strategy should also take account of the CNI sectors’ respective maturity in terms of cyber resilience and the varying levels of Government influence over operators in each sector.
NIS Regulations are seen as making a valuable contribution but the report warns they are not a ‘silver bullet’, noting:
the NIS Regulations are limited in scope, leaving some CNI sectors still without statutory regulation and enforcement powers for cyber risk management;
the fragmented responsibility for the NIS Regulations’ implementation across Whitehall, Devolved Administrations and regulators remains confusing and acts as a barrier to cross-sector consistency and collaboration—in particular, the introduction of joint Competent Authorities in some sectors clouds accountability and effectiveness; and
some designated ‘Competent Authorities’ currently lack the expertise and capacity to provide credible assurance of operators’ efforts—an issue we addressed directly in our July Report on cyber security skills.
Recommendations to tackle limitations
Consequently the report says "The Government should establish a plan (a) for the development of threat- and intelligence-led penetration testing and its roll-out across all CNI sectors that takes account of the mixed maturity of the sectors in terms of their cyber-resilience; (b) for the development of the test methodology; and (c) for developing the cyber-security industry’s capacity to deliver such advanced and accredited testing at scale. The NIS Regulations will continue to apply in the UK following Brexit. However, the mechanism for UK participation in EU-wide information-sharing and capacity-building is still subject to negotiation and the Government should prioritise maintaining access to the EU’s NIS Coordination Group and its workstreams to facilitate continued information-sharing and collaboration with EU Member States.
It also calls on the Government to give urgent consideration to non-regulatory incentives and interventions that have the potential to drive cultural change across CNI sectors, establishing an environment in which continual improvement is encouraged. These include:
"how managing cyber-risk through and within the extended supply chains of CNI operators could be encouraged;
how the Government can best support operators in managing cyber risk associated with hardware, software and services bought ‘off the shelf’, especially those procured from major international suppliers;
improving board-level expertise and accountability. This includes identifying an expert board member with specific responsibility for cyber resilience and mandatory corporate reporting on cyber resilience, in accordance with the spirit of forthcoming reforms to the Companies Act 2006; and
how cyber insurance might be used to improve operators’ cyber practices, and how the Government can support the market in maturing more quickly."
Industry reaction supportive of plans
Commenting on the report in an email to SC Media UK, Greg Day, VP, and CSO EMEA, Palo Alto Networks said: "Our digital dependencies can only ever increase and having a dedicated minister in the Cabinet who can be the go-to contact point for every other minister that has a role with cyber-dependencies would provide them with a point of expertise. It is so important that there is a senior politician who bridges the knowledge from NCSC and brings this into the government and the formation of government policy. Sharing this day to day at the highest level is essential because in a space that is so dynamic if you’re not keeping up you’re left miles behind. This is just like every business that needs a broker of knowledge between board members and senior executives, and the technical world of cyber security."
Pete Banham, cyber resilience expert at Mimecast adds: "It’s vital that that short-term memories and political distractions such as Brexit do not derail focus from these important initiatives. Private sector businesses today need a risk and security champion in the boardroom; likewise, it’s time Government had a cyber tsar in the Cabinet.
"Minimising the impact of attacks should be top priority as a defence-only strategy is doomed to fail. This should include regular ‘fire drills’ for all employees to respond to and recover to cyber-attacks. Cyber resilience in the office needs to be ingrained as buckling up a seatbelt on the drive to work.
"We’ve seen a growing number of CNI organisations, including the NHS, make determined moves to adopt more resilient postures in the last two years. WannaCry helped focus attention and budget allocation but still more needs to be done. This includes email and web security tools to help prevent new strains of ransomware and awareness training for all employees to counter increasingly hard-to-detect social engineering.
"The proliferation of sophisticated cyber weapons and concentration of risks within a small number of global cloud providers, is also rapidly creating a greater risk to the UK’s GDP, outside of the core critical infrastructure. This is essentially the majority of business all putting their eggs into the same basket as each other. Future government action needs to begin to address this."
Henry Harrison, co-founder and CTO of Garrison, emailed SCMediaUK to add: ""Historically there has been a vast gulf between the cybersecurity approaches used to protect secret government information versus those used by private sector organisations running critical infrastructure.
"Recent technological advances mean that it is now becoming much more practical for private sector organisations to adopt the sort of high security approaches that have to date been the preserve of the military and national security worlds. Such a change in mindset and approach is not optional – it is essential to ensure that the private sector is adequately equipped to play its part in defending the UK’s infrastructure going forwards."
Stuart McKenzie, vice president EMEA, Mandiant at FireEye, described Critical National Infrastructure as a complex environment in terms of the threats its faces, the multi-stakeholder nature of its operations and the types of the technology involved. He emailed SCMediaUK to comment: " Much of the technology used within CNI has grown organically, but remains fragile and relies on outdated technology in terms of security. The threats facing CNI have constantly evolved, meaning that today’s threat is something that wasn’t imaginable when many of the systems were originally designed, leaving them increasingly vulnerable.
"We would recommend that CNI organisations conduct a mapping exercise to understand their exposure and risk and put in place some controls to protect the most critical threats. This should be conducted with a longer term plan in mind to improve all risk acceptance. As the report rightly points out, resources in Government are limited but there is expertise in industry that can help bolster plans and provide guidance on measures which can help begin to put in a protection framework….every organisation needs to have a really clear incident response plan that’s well tested and regularly rehearsed."
The team at NCC Group are reported to have contributed significantly to this report and Ollie Whitehouse, global CTO at NCC Group described it as providing, " a crucial, in-depth reflection of the current challenges facing the UK’s CNI, and the changes that need to be made to drive the sector forward."
He added: "It’s very encouraging to see a focus on the need for agility in a rapidly changing threat landscape, as well as calls to firmly embed cyber-risk management into business processes. This report sets out realistic solutions that would no doubt create a robust culture of security across the sector – in particular, calls to implement threat and intelligence-led testing, and put in place corporate reporting requirements on cyber-security.
"It’s now vital to ensure that relevant legislation, such as the Computer Misuse Act, is continuously assessed and kept up-to-date, and that political leadership and accountability when it comes to the UK’s CNI remains a priority. Continuous investment is also crucial – over the last couple of years, the work of the NCSC has started to make a dent, but financial support needs to continue well into the future in order to progress this further and truly transform the security posture of the UK’s CNI."
Talal Rajab, Head of Cyber and National Security, techUK, another organisation that contributed to the Joint Committee’s report, noted how: " The UK’s critical national infrastructure remains a key target for attack, whether from nation state actors or organised crime groups." He said that the recommendation for the creation of a Cyber Security Minister, responsible for the cross-government delivery of the National Cyber Security Strategy should be explored further and said: "As the current strategy draws to a close, it is vital that cyber-security becomes business as usual across all areas of government. The appointment of a Cabinet Office Minister designated as a cyber security lead could help ensure government remains one step ahead of the threat and drive real change across departments."
Matt Walmsley, EMEA Director at Vectra agreed that cyber security needs to be a core priority for government, noting how the report suggested existing UK government defence and security organisations with cyber remits may not be best placed to drive change within CNI operators.
He added: "The cyber-security skills gap is alive and well, it’s challenging to hire and retrain cyber-security talent. Within the next three years there will be in excess of 350,000 unfilled European cyber-security jobs than candidates (*Frost & Sullivan). The Joint Committee’s report correctly identifies this gap, and the need for government to play its part in developing a UK cyber-skills base. We need to reduce the barriers to entry into our profession and recognise that training for yesterday’s wars won’t necessarily well prepare you for tomorrow’s cyber battles.
AI has an increasingly important role in this respect, not to replace but to augment humans to make it easier for them to operate by providing them with security analysis and insights at a speed and scale impossible for humans to achieve. This provides the opportunity to spot and respond to attacks that gain a foothold inside an organisation, before they can move, escalate privileges, and meet their nefarious end game goals. All defences are imperfect, and you increasingly achieve diminishing returns for additional layers of defence. CNI must adopt a healthy paranoia of "I’m already compromised, where and how?" and early detection and response to active attacks is imperative. Having a clearly owned responsibility within Government for ensuring the protection of our country’s critical national infrastructure should be a part of improving the nation’s cyber resilience and mean it becomes a top priority."
Israel Barak, chief information security officer, Cybereason, noted how much of critical infrastructure is generally old, poorly patched and managed, and was designed before cyber threats were a significant concern. He says: "This means the ability to cause damage is significant, if the attacker knows what they are doing. Power grids are vulnerable to cascading failures and if attackers know which substation to take offline or cause a surge in, they can take down significant portions of grids without conducting a large number of intrusions.
"Beyond power generation, there are significant localised effects a hacker can create by going after sewage/water treatment, industrial chemical production, or the transportation system. As it stands right now, public-private partnerships are the lynchpin of keeping critical infrastructure safe. More often than not, security measures come in the form of recommendations rather than edicts from the government and it is up to each individual provider to adopt or ignore. Strengthening that connection and creating a real understanding within the private sector of the real risk they face is key to building a more resilient sector."
Irra Ariella Khi, CEO of Vchain agreed that appointing a dedicated cyber security minister would bring much needed focus and resource to improve cyber defence and resilience in the UK and especially to critical infrastructure (such as our borders and airports), saying: "It would bring the UK closer to the approach of other countries where a national approach to cyber-security is not just nice-to-have; it is a fundamental feature of the country’s approach to security. Currently, cyber security is too often an afterthought, and this has to change - especially where sensitive data is concerned.
"For critical industries - such as the airline industry that we work in - the approach of "if it ain’t broke don’t fix it" just doesn’t fly anymore. Organisations trusted with highly sensitive or personal data cannot continue to use old, flawed systems of 'confidential' centralised data storage and then just deal with the ramifications when these are inevitably breached. There needs to be a move in cyber security and data management towards privacy by design: using systems that are built from the outset to be secure, with privacy by design architecture built into the core of any sensitive data product."
Andrew Tsonchev, director of technology at Darktrace Industrial also called for more government spend on cyber-security noting that given the increased militarisation of cyberspace, the UK private sector is now directly exposed to transnational threats.
"There is a wide range of maturity amongst UK organisations that are now facing the prospect of nation state threat of the highest level. Government oversight is essential but will not solve this problem alone. It requires significant investment by the private sector in new security technologies.
"The NIS directive is already doing great work to raise the level of cyber maturity among UK providers of critical infrastructure, but more can certainly be done. Digitisation and adoption of AI technologies are essential for the growth of UK business. This means that cyber security challenges are coupling UK business strategy with national security, creating potential trade-offs and strategic risks. The appointment of a dedicated Cyber Security Minister may indeed help to coordinate these efforts and align national priorities of growth and defence."
Ian Smith, Founder and CEO of Gospel Technology called for: "A greater focus and prioritisation of cyber-security and its association with new data management techniques within our government will make sure that we can enjoy the benefits of the 'digital-first’ age without having to worry about the exposure of critical and sensitive information. To prevent the UK from becoming the playground for commercial and state sponsored for cybercrime, it is essential that the technology underpinning how departments, politicians and public figures collaborate are designed with today’s world in mind." He concluded: "A commitment to delivering this is vital to the safety and security of every UK citizen."