It's now "impossible" to protect critical UK infrastructure from cyber attack

Parliamentary committee warns that mitigating the effects of successful attacks is becoming a 'new normal'

Image of construction workers representing UK infrastructure

MPs and Lords have warned it's "impossible" to completely protect the UK's infrastructure from a WannaCry-scale cyber attack, with mitigation quickly-becoming a new normal'.

Several factors stand in the way of fully securing the UK's critical national infrastructure (CNI), including an increasingly complex security landscape, and the government's failure to define what it considers to be critical, according to the Joint Committee on the National Security Strategy (JCNSS).

Advertisement - Article continues below

In a report assessing the scale of threat the UK faces, the Parliamentary committee also said laws stemming from EU-wide regulations have been useful, but do not go far enough.

"'Critical' national infrastructure is, by definition, a priority for the Government and industry. However, as the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical," the JCNSS report said.

"Fast-changing threats and the rapid emergence of new vulnerabilities make it impossible to secure CNI networks and systems completely.

"Continually updated plans for improving CNI defences and reducing the potential impact of attacks must therefore be the 'new normal' if the Government and operators are to be agile in responding to this changing environment and in taking advantage of constant technological innovation."

The committee raised concerns that the expectations for the National Cyber Security Centre (NCSC), formed to provide cyber training and leadership for UK organisations, is outrstripping its resources.

Advertisement - Article continues below
Advertisement - Article continues below

NHS Digital deputy chief executive Rob Shaw revealed in evidence that he had expected an "army" of experts to support the NHS through 2017's WannaCry attack, but soon learned the NCSC lacked staffing to help out on the ground.

JCNSS said it had concerns about the NCSC's capacity to meet growing demand for services and expertise, and that its effectiveness will be limited in future unless it can recruit at the appropriate scale.

The government must also publish a ten-year plan for the institutional development of the NCSC, setting out the resources and staffing levels it expects the organisation to need.

The committee made several further recommendations for the government and for businesses, including instigating a cultural change among CNI-linked organisations, and for politicians and ministers to take initiative in making cyber resilience a priority.

Private sector companies overseeing CNI, as well as firms comprising the supply chain, should consider cyber security as another business risk, and proactively manage threats. This is especially true where "commercial interests may not always align with the demands of national security".

Advertisement - Article continues below

Moreover, the government needs to appoint a cabinet office minister charged with overseeing the resilience of CNI, instead of patchwork of multi-ministerial oversight that exists currently.

Under the current structure, each department would have a different approach to overseeing cyber security in its constituent sectors, with occasional overlap.

A more focused and proactive leadership from central government is needed to ensure cyber security is handled in a more consistent way, the report continued, and blasted the status quo of ministers only occasionally checking-in as "wholly inadequate".

"It's vital that that short-term memories and political distractions such as Brexit do not derail focus from these important initiatives," said Mimecast's cyber resilience expert Pete Banham

"Private sector businesses today need a risk and security champion in the boardroom; likewise, it's time Government had a cyber tsar in the Cabinet.

"Minimising the impact of attacks should be top priority as a defence-only strategy is doomed to fail. This should include regular fire drills' for all employees to respond to and recover to cyber-attacks.

Advertisement - Article continues below

"We've seen a growing number of CNI organisations, including the NHS, make determined moves to adopt more resilient postures in the last two years. WannaCry helped focus attention and budget allocation but still more needs to be done."

Stuart McKenzie, FireEye's vice president for EMEA, meanwhile warned much of the technology used within CNI remains fragile and relies on outdated standards of security.

"The threats facing CNI have constantly evolved, meaning that today's threat is something that wasn't imaginable when many of the systems were originally designed, leaving them increasingly vulnerable," he said.

"These are not quick problems to solve, but they are not insolvable. We would recommend that CNI organisations conduct a mapping exercise to understand their exposure and risk and put in place some controls to protect the most critical threats.

"With breaches becoming inevitable, organisations need to not only to set defences and identify attacks, but crucially to have a really clear understanding of what to do in the event of a breach - every organisation needs to have a really clear incident response plan that's well tested and regularly rehearsed."

Mandatory policy decisions should also be implemented, the report recommended, including a plan to roll-out penetration-testing for CNI-linked organisations, and continued membership in key EU groups and information-sharing schemes following Brexit.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020
data protection

EU institutions told to avoid Microsoft software after licence spat

3 Jul 2020

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020