On 19 November 2018, the Joint Committee on the National Security Strategy published its report on the UK’s critical national infrastructure (CNI) (the Report).
The Committee’s inquiry focused on cyber security in the thirteen sectors the Government has identified as essential to the functioning of daily life: chemicals; civil nuclear; communications; defence; emergency services; energy; finance; food; government; health; space; transport; and water.
The Report comes at a time when some stakeholders are questioning whether the Government could be doing more to help the private sector, particularly in relation to nation-state attacks, in the same way that the Government would assist if a nation-state launched a more conventional attack on UK private enterprise.
In summary, the Joint Committee views the current landscape as failing to adequately protect the UK’s CNI and urges the Government to take a number of further steps in advance of the National Cyber Security Strategy due in 2021. In particular, the Committee calls on the Government to appoint a single Cabinet Office Minister who is responsible for delivering improved cyber resilience across the UK’s CNI.
Since 2010, the Government has recognised that a major cyber-attack is a top-tier threat with potentially devastating consequences. The cyber-attacks suffered in the last year alone by the health, telecommunications, energy and government sectors illustrate the very real threat the UK faces.
Although the Committee welcomed the move away from a ‘tick box’ compliance approach signalled by the recent introduction of the Network and Information Systems Regulations 2018, the Report raises concerns that the Regulations are not enough in themselves to achieve the required “leap forward” in cyber resilience across all CNI sectors.
The Report asks the Government to give urgent consideration to how it can drive a change in the culture of CNI operators and their extended supply chains, including by improving board-level expertise and accountability. The Report recognises that private-sector commercial interests may not always align with the demands of national security.
In particular, the Report suggests the Government should consider improving board-level accountability by identifying an expert board member with specific responsibility for cyber resilience. Further, the Committee details in its Report that one option for the Government would be to mandate corporate reporting on cyber resilience for private-sector CNI operators. This type of reporting would give shareholders and investors a platform for more robust questioning about cyber risk management. Such changes could have very significant consequences for companies.
There is no doubt that resilience has come to be expected of companies, especially in the wake of a cyber-attack – being prepared has never been so important and board-level engagement is key to this.