Government seeks industry views on cyber threat to UK CNI

The cross-bench Science, Innovation and Technology Select Committee (SITC) has launched an inquiry into the cyber resilience of the UK’s critical national infrastructure (CNI) sector and is calling for the security industry to submit evidence in a number of key areas that may ultimately help inform future policy.

It said that the UK is currently the third most targeted country in the world for cyber attacks, after the US and Ukraine, and the risk from both state-backed and financially motivated threat actors was proliferating to an extent where the resilience of CNI operators is becoming of particular concern.

CNI is defined as infrastructure and services deemed so important to the functioning of daily life that if they were to be disrupted by a cyber attack – or other incident or disaster – there would be a significant impact to the functioning of society, and potentially a threat to life.

Broadly, CNI operators include providers of electricity, gas and water utilities, broadband mobile and telecoms services, fuel suppliers, food distribution networks, and public services such as the emergency services and NHS.

Such sectors increasingly make use of large-scale networked computer systems, often connected to the internet, but because much of the UK’s CNI is privately owned, the government is now concerned about the possibility of competing priorities between Westminster and CNI operators over resilience strategies in areas such as appropriate investment levels, and how quickly services are to be restored should the worst come to the worst.

In this instance, the SITC is seeking submissions relating to the communications (including space) energy, government and financial services industries, and during the course of the inquiry, will explore the progress of these sectors towards meeting resilience targets due in 2025, and what support they may need to achieve this, and efforts to make computer hardware architecture secure by design.

Among the questions under consideration are:

• What are various strengths and potential weaknesses of the government’s National Cyber Strategy 2022 and Government Cyber Security Strategy 2022-2030 as they relate to CNI for the digital economy?
• How effective is the strategic lead of the National Security Council, the National Cyber Security Centre (NCSC) and various government bodies, and is cross-departmental activity coherent?
• How effective are the government’s relationship’s with private sector CNI operators and regulators in preparing them for cyber attacks, and protecting them when they happen?
• What further interventions might the government and CNI operators need to make over the next 18 months or so to meet the 2025 targets?
• And what role will so-called secure-by-design best practice and emerging technologies play in ensuring UK CNI operators, and their supply chains, are as resilient as possible?

The deadline for submissions is 10 November 2023.