Britain may not be able to fend off a determined cyber-attack, MPs warn
And those utility price controls? Er, not helpful
Britain's critical national infrastructure is vulnerable to hackers and neither UK.gov nor privatised operators are doing enough to tighten things up, a Parliamentary committee has warned.
The Joint Committee on the National Security Strategy has laid into the government for its slapdash approach to IT security, claiming that officials are "not acting with the urgency and forcefulness that the situation demands".
"It appears the government is not delivering on it with a meaningful sense of purpose or urgency. Its efforts so far certainly fail to do justice to its own assessment that major cyber attacks on the UK and interests are a top-tier threat to national security," said their report (PDF, 709kB/64 pages).
The committee includes one-time tech entrepreneur Baroness (Martha) Lane-Fox of Soho, Dr Julian Lewis MP, who is also chairman of the House of Commons' Defence Committee, and former Labour foreign secretary Margaret Beckett. Constitutional nerds will know that Britain's intelligence agencies MI5 and MI6 report to the home and foreign secretaries, respectively, while cyber-defence policy intersects with the Ministry of Defence's cybersecurity activities.
The UK's critical national infrastructure (CNI), which the report said "is a natural target for a major cyber attack", faces a dual threat of more aggressive overseas hackers and a lack of funding for cyber defences.
"Hostile states are becoming more aggressive in their behaviour, with some states – especially Russia – starting to explore ways of disrupting CNI, in addition to conducting espionage and theft of intellectual property."
CNI was defined as comprising 13 market sectors: chemicals; civil nuclear communications; defence; emergency services; energy; finance; food; government; health; space; transport and water.
Unusually for a Parliamentary committee, the report also squarely blamed a flagship government policy, price controls on energy utilities, for strangling investment in cyber defences – previous state threats to fine those firms for crap cybersecurity having seemingly met significant push-back behind the scenes.
"Many CNI operators are utility providers whose funding streams are pre-agreed, often by regulators, and limited by price controls. Without a more flexible approach to price controls, the question often asked in relation to cyber security – 'how much is enough?' – can become particularly acute for these CNI operators," wrote the report's authors, citing evidence given to the committee by Ofgem's Johnathan Brearley and Water UK's Paul Smith, who told the committee "that investment in cyber security by operators in the energy and water sectors is limited by price controls".
Though the National Cyber Security Centre arm of GCHQ was set up a couple of years ago to help counter this kind of threat, the report also warned that "there appears to be little beyond anecdotal evidence that the UK is at the forefront of international efforts on cybersecurity", suggesting that, despite its publicity, GCHQ may in fact not be able to cope with the scale of the threat if things got truly nasty. ®