A major cyber attack on the UK is a matter of ‘when, not if’
Government must do more to improve the cyber resilience of our critical national infrastructure
The UK’s critical national infrastructure (CNI) is a natural target for a major cyber attack because of its importance to daily life and the economy.
The Government has explicitly acknowledged that it must do more to improve the cyber resilience of our critical national infrastructure, irrespective of whether it is owned or operated in the public or private sector.
While we applaud the aspiration, it appears the Government is not delivering on it with a meaningful sense of purpose or urgency. Its efforts so far certainly fail to do justice to its own assessment that major cyber attacks on the UK and its interests are a top-tier threat to national security.
Public opinion as yet has only a limited appreciation of what could befall us as a result of cyber attacks, which present as credible, potentially devastating and immediate a threat as any other that we face.
A major cyber attack on the United Kingdom is a matter of ‘when, not if’, said the Head of the National Cyber Security Centre, Ciaran Martin.
States, such as Russia, are branching out from cyber-enabled espionage and theft of intellectual property to preparing for disruptive attacks.
The attacks which affected Ukraine’s energy grid in 2015 and 2016 and the 2017 WannaCry attack, which affected the NHS, showed us that cyber attacks need not target CNI deliberately to have significant consequences.
The objective must therefore be to make it as difficult and as costly as possible to succeed in attacking the UK’s critical national infrastructure—and to continue raising the bar as new threats emerge.
The past year has seen cyber attacks on the health, telecommunications, energy and government sectors in the UK
Critical National Infrastructure sectors
The Government has explicitly said it must do more to improve the cyber resilience of our Critical National Infrastructure (CNI), whether it is owned or operated in the public or private sector.
It has taken some important steps, including establishing the National Cyber Security Centre and introducing more robust regulation for some, but not all, CNI sectors and their extended supply chains.
But this tightened regulatory regime was not its own initiative, coming instead from an EU-wide Directive. Nor will it be enough to achieve the required leap forward across the thirteen CNI sectors.
Our Report says the Government must do much more to change the culture of CNI operators and their extended supply chains.
Cyber risk is a business risk that must be proactively managed. The Government must make sure these issues are understood and addressed at board level. That counts for Government too.
Managing cyber risk
Managing cyber risk will require strong and sustained leadership. The National Cyber Security Centre must have the resources to do this effectively.
There must also be leadership at the centre of Government to drive change across Government departments and CNI sectors.
We urge the Government to appoint a single Cabinet Office Minister to deliver improved cyber resilience across the UK’s CNI.
Unless this is addressed, the Government’s efforts will likely remain long on aspiration and short on delivery.
The Government has two months to respond to our report. For more depth and detail on our recommendations, read our report on Cyber Security of the UK’s Critical National Infrastructure [PDF] or see more on our website.
If you're interested in the work of our committee, find out more about our other inquiries.