Public Accounts Committee report warns that the UK is extremely vulnerable due to its advanced digital economy
The Public Accounts Committee (PAC) has warned in a new report that the United Kingdom is now, more than ever, “particularly vulnerable to the risk of cyber attacks.”
It said that because the UK is one of the world’s leading digital economies and is a global leader in putting government systems online, the UK is especially vulnerable to cyber attacks from hostile countries, criminal gangs and individuals.
And the PAC warned that the Government has not made sufficient progress on developing long-term objectives for the National Security Strategy, “which has been hampered by a weak evidence base and lack of business case.”
The warning that the UK is at risk from cyber attacks will come as no surprise.
It said a weak evidence base and the lack of a business case have hampered government efforts, and make it difficult for the Cabinet Office to predict whether it will reach its targets in 2021.
The PAC also said that the lack of a business case makes it difficult for the PAC to assess whether the government has achieved value for money, and whether, indeed, enough money was put aside in the first place.
“With its world-leading digital economy, the UK is more vulnerable than ever before to cyber-attacks,” explained committee chair Meg Hillier MP. “As the likelihood of these attacks continues to grow, the UK needs to protect itself against the risks created by more and more services going online.”
“We welcome the National Cyber Security Strategy but are concerned that the Programme designed to deliver it is insufficient,” said Hillier. “As it currently stands, the Strategy is not supported by the robust evidence the Department needs to make informed decisions and accurately measure progress. On top of this, neither the Strategy or the Programme were grounded in business cases – despite being allocated £1.9bn funding.”
“Looking longer term, we are disappointed that the Department was not able to give us a clear idea of what the Strategy will deliver by 2021,” she added. “This does not represent a resilient security strategy.”
“In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined,” she said.
The PAC made a number of recommendations for the government.
It said the Cabinet Office should ensure it produces a properly costed business case, and that it should write to the PAC by November this year, “setting out what progress it is making in using evidence-based decisions in prioritising cyber security work.”
It also said that when the Cabinet Office publishes its costed plan in the Autumn, it needs to define its deliverables by March 2021.
The PAC also wants the Cabinet Office to explain how it intends to influence the different sectors in the economy – for example, retail – to provide consumers with information on their cyber resilience.
The security industry has welcomed the PAC report and one expert said it makes for alarming reading.
“This is an alarming report to see and will shock many of those who read it,” explained David Emm, principal security researcher at Kaspersky. “UK business is dependent on digital technology, making it a real target for cybercriminals – in that sense, the UK is a victim of its own success.”
“However, it is just yet another warning, and a particularly stark one, that every individual and organisation in the country has to become more aware when it comes to protecting themselves online,” said Emm. “This underlines the importance of having an effective cyber-security strategy. Without this, organisations can’t know what security gaps there are and therefore can’t assess the risks they face.”
“The cyber-threat landscape evolves very quickly, and – as in a game of chess – the one with the best strategy takes control and gains an advantage,” Emm said. “It is integral that more is done by the cybersecurity industry, and governments, to ensure the UK remains as immune to cybercrime as possible. This includes developing an ‘online common sense’ that makes staff and consumers more resilient to the social engineering approaches that characterise most cyber-attacks.”
Another expert pointed out that the report demonstrates the number of high-profile cyber attacks over the past 12 months.
“A large proportion of these breaches can be attributed to organisations who haven’t shored up their defences across all parts of their ecosystems,” said Chris Hodson, EMEA CISO at Tanium. “Organisations must understand threats targeting their business and focus on uniting IT operations and security teams to ensure that basic security hygiene practices are firmly in place.”
“This includes standard secure configurations of all devices, applying patches in a timely manner and improving the speed at which they identify and respond to attacks,” said Hodson. “BlueKeep is a vital example of an attack that could have been prevented by enforcing these foundational concepts.”
“Security and IT operations teams need complete, up-to-date, and accurate visibility across their whole environment to effectively detect, scope, investigate and quantify cyber risk,” said Hodson. “Having this true, company-wide visibility is the only way to stop cyber attackers firmly in their tracks and ensure resilience against business disruption.”
Another expert explained how cyber threats are becoming more dangerous and complex, and how governments must approach security to protect themselves and their citizens.
“It doesn’t come as a surprise that the UK is more vulnerable to cyber attacks than ever before, as a new report from the Public Accounts Committee reveals,” said Dr Darren Williams, CEO and founder of cybersecurity firm BlackFog.
“We’re living in a time of hackers targeting everything from government services to major financial institutions and small businesses,” said Dr Williams. “State-sponsored cybercriminals are of particular concern, with the dangerous combination of rising tensions between states coupled with more and more state services being digitised.”
“Governments around the world need to have the most sophisticated measures in place to protect themselves and their citizens. This means a focus on two things,” said Dr Williams. “Firstly, adopting a multi-layered security strategy to prevent hackers from getting in and crashing operations or interrupting services, and secondly accepting the reality that in many cases, hackers will find a way in. That’s why government organisations must adopt technologies that prevent hackers from removing valuable data, whether that’s state secrets, intellectual property, or citizen information.”
Meanwhile another expert pointed out how the report underlines the real targets on the heads of UK organisations.
“Today’s Commons report, once again, underlines the very real target on UK organisations’ heads from cyber-attackers across the globe,” said David Mount, Director, Europe at Cofense.
“Email phishing attacks are still one of the most prevalent attack forms – and despite significant investments in next-gen technologies, these threats continue to become more sophisticated and effective,” he warned.
“Indeed, Cofense’s recent research, launched this week, found that ninety percent of verified phishing emails were found in environments using secure email gateways – technology designed to identify and block such threats,” said Mount. “This is why we believe automated technical defence controls must be blended with a human element in today’s threat landscape.”
“If we are to successfully defend ourselves against this global threat, we need to put people in the driving seat, educating them on the dangers out there and trusting in their ability to help defend against these actors,” Mount concluded.