Government should appoint a cabinet-level cyber-security minister to take leadership instead of relying on ineffective market forces, report finds
The government’s efforts to protect critical national infrastructure (CNI) from a major cyber-attack are “wholly inadequate”, a parliamentary committee has said.
The joint committee on national security strategy urged the Prime Minister to appoint a cabinet cybersecurity minister to provide “focused and proactive political leadership from the centre of government”.
Such leadership is “essential in driving change and ensuring a consistent approach across the many departments and agencies with responsibility for the resilience of CNI to cyber threats”, the committee said in a new report.
The government has assessed major cyber attacks on targets such as CNI as a “top-tier” national security threat, the committee noted.
And yet, it said the current cyber-security structure in the UK does not provide for effective political oversight of the matter.
“We are concerned that the current complex arrangements for ministerial responsibility mean that day-to-day oversight of cross-government efforts is, in reality, led by officials, with ministers only occasionally ‘checking in’,” the report found.
“This is wholly inadequate to the scale of the task facing the government, and inappropriate in view of the government’s own assessment that major cyber-attacks are a top-tier national security threat.”
The committee, made up of senior MPs and peers, also urged the government to continue information-sharing and collaboration on cyber-attacks with the EU during exit negotiations as a matter of priority.
The committee found that while the government appeared to be prioritising cyber-security, this was as yet merely an “aspiration” that was not being acted on with a “meaningful sense of purpose or urgency”.
Meanwhile, “hostile states” such as Russia are becoming increasingly aggressive in the cyber sphere, and are beginning to explore ways of disrupting critical infrastructure, in addition to more routine activities such as espionage and intellectual property theft, the committee said.
The establishment of the National Cyber Security Centre (NCSC) is a welcome move, but the expectations placed on the GCHQ agency may be “outstripping the resources put at its disposal”.
“There appears to be little beyond anecdotal evidence that the UK is at the forefront of international efforts on cybersecurity,” the report says.
Market forces not enough
Meanwhile, a recent tightening of the cyber-regulatory regime was not the government’s own initiative, “but instead flows from our acceptance of EU-wide regulations”.
More needs to be done at a ministerial level to ensure critical infrastructure operators address cyber-threats at a board level and manage it “proactively”.
But the government is, instead, continuing to “rely on market forces to improve operators’ cyber resilience, despite recognising the previous failure of this approach”, the committee said.
“Too often in our past the UK has been ill-prepared to deal with emerging risks,” said committee chair Margaret Beckett, the former foreign secretary.
“The government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”