The government has defended its decision not to provide an itemised breakdown of how it is spending £1.9 billion under a National Cyber Security Programme.
It also said it is considering penetration testing schemes for critical national infrastructure, saying proposals to expand trials “have promise”.
The comments came in a response today to a Joint Committee for the National Security Strategy (JCNSS) report that was published in November 2018.
In that report the JCNSS – which includes the chairmen of eight Select Committees from Defence to Foreign Affairs, Justice, Security and Intelligence – criticised the government’s National Cyber Security Programme for spending opacity and a lack of clarity over what constitutes “critical” in Critical National Infrastructure (CNI).
Pushing back, the government responded today: “A breakdown of how the £1.9 billion National Cyber Security Programme is allocated is not made public for national security reasons.”
Government Cybersecurity Spending Breakdown Decision Will Follow NAO Report
“The National Audit Office (NAO) is currently conducting an audit of the National Cyber Security Programme, to be published later this year. The Government notes the Committee’s comments and will also wish to consider the outcome of the NAO audit before determining whether further information could be made available to improve transparency, whilst balancing national security considerations.”
(The JCNSS had said “such lack of transparency about such large sums of public money is of serious concern” and noted that the previous Government published “high-level budget breakdowns by activity for the earlier 2011–2016 NCSP”.)
Gov’t Mulling More Penetration Testing
The JCNSS had also called for the government to “establish a plan for the development of threat- and intelligence-led penetration testing and its roll-out across all CNI sectors that takes account of the mixed maturity of the sectors.”
The government responded today: “We agree that penetration testing schemes that simulate the capabilities and attack methods of cyber adversaries have promise as part of the approach to cyber security assurance.”
“We have already actively been developing and piloting similar schemes for the Government sector and the Telecommunications sector. We are considering the contribution this type of testing could make to cyber security assurance within further CNI sectors, reflecting factors including sector maturity, cost and capacity.”
“NCSC also supports CNI organisations in accessing penetration testing by providing guidance for testers and maintaining an accreditation scheme of penetration testing companies (known as the CHECK scheme), which provides assurance that services hired in by client companies have a high degree of competence.”
“This guidance is currently being updated to reflect the latest progress in the development of these attack simulation and testing methods.”
Pen Testing Positivity Welcomed by Industry
Ollie Whitehouse, global CTO at NCC Group – a Manchester-headquartered cybersecurity and risk assurance company – gave written and oral evidence in 2017 that was used to inform recommendations for the original JCNSS report.
He told Computer Business Review in an emailed statement: “There’s no doubt that the government is committed to continually improving the security of critical national infrastructure, and its response to the strategy set out in November shows that cyber resilience is becoming a political priority.”
He added: “The government’s recognition of the importance of intelligence-led penetration testing schemes is a significant step forward in reinforcing security across the CNI sector. The success of this, of course, will depend on the availability of high-quality intelligence and capabilities, as well as an update to key UK legislation.”
“Improving supply chain defences is critical to reinforcing our CNI’s security posture, along with efforts to embed risk management and the implementation of schemes such as the Defence Cyber Protection Partnership, so it’s very encouraging to see both of these highlighted in the report.”