Government not facing up to CNI cyber risks, committee warns

The Joint Committee on the National Security Strategy (JCNSS) has accused the government of taking an “ostrich strategy” of burying its head in the sand and largely ignoring the threat posed to UK society by the possibility of a major cyber attack causing major disruption to critical national infrastructure (CNI) and daily life.

Marking the publication today of the government’s response to the concerns raised in its year-long ransomware inquiry, the JCNSS expressed “ongoing, deep concerns” that short-term thinking and a lack of preparation and planning are leaving the country open to a damaging incident.

The initial JCNSS report – published in December 2023 – warned that the UK risked becoming a “hostage of fortune” to ransomware, and the government’s response has given it little cause for cheer.

“Perhaps it is not surprising that government is not focused on preparing for the acknowledged, extremely high risk of a destructive and ruinously costly cyber attack on the UK,” said JCNSS chair, long-standing Labour MP Margaret Beckett.

“Despite its place at the top of the UK’s national risk register for years, our national response to the pandemic when it inevitably hit could fairly be categorised as shambolic.

“In this response to our ransomware report, it is ever clearer that the government does not know the extent or costs of cyber attacks across the country – though we’re the third most cyber-attacked country in the world – nor does it have any intention of commensurately upping the stakes or resources in response,” Beckett added.

“If the government insists on operating the ostrich strategy for national cyber security – based on legislation made before the internet arrived, centred on a department that seems to have difficulty mustering much interest in the issue, and in stark contrast to the cyber attackers who are so fantastically well-coordinated and resourced – where is the proactive national security response to protect the UK supposed to come from?

“If the government insists on operating the ostrich strategy for national cyber security, where is the proactive national security response to protect the UK supposed to come from?”

“The UK is and will remain exposed and unprepared if it continues this approach to tackling ransomware. This response from the government is not the assurance the committee sought or that the country needs, and all the responsible and coordinating departments would benefit from going away and reconsidering how the UK is to defend against this most pernicious threat.”

In its response, the government rejected a number of the JCNSS’s recommendations, perhaps most notably the idea of forming a cross-sector regulatory body to oversee cyber security for operators of CNI. It said it did not believe a single, national regulator would deliver improved oversight, and that the idea had been considered, and following industry feedback rejected, in the past.

The JCNSS argued that the regulators themselves charged with implementing the current model are already complaining that limitations in both their own cyber capabilities and the regulations are stopping them from making full use of the powers that they do have, while 42% of operators of essential services say they lack the cyber skills and capacity necessary to deliver against the current NIS regulations.

The JCNSS also reiterated the need for the government and the National Cyber Security Centre to make a new offer to help victims of cyber attacks meet the costs of response, recovery and remediation through pro-bono schemes with the private sector, better resourcing for the National Crime Agency, and work with the insurance sector.

In particular, said the JCNSS, the government’s response failed to acknowledge that the cyber insurance market can be unaffordable for some victims, particularly SMEs and local authorities, and in rejecting its recommendation that public intervention in this area is needed, and suggesting that the National Cyber Strategy alone will serve to reduce claims and lower premiums, it was ignoring the rapid growth in costly cyber attacks and failing to understand the frequency and types of incident that are occurring, and how much victims are paying in ransoms.

Nor, it complained, is there anything in the response to address or assuage concerns over how unprepared and unsupported local authorities are to deal with a ransomware attack, and no offer to counter the lack of resources and skills, or enhance help for affected authorities and people.

The committee said it would seek to assess whether the basis on which the government rejected key recommendations was borne out in evidence, and would continue to press for the recommended interventions to be made if not.