Funding breakdown not detailed, CNI definitions need reworking, NAO should get involved, warns Parliamentary Committee
A Parliamentary committee that scrutinises National Security Strategy has torn into government policy on critical national infrastructure (CNI) protection.
Funding allocation is opaque, there’s a lack of clearly defined objectives and it is unclear which elements of CNI are “actually critical” the committee said.
The Joint Committee on the National Security Strategy is appointed by the House of Lords and the House of Commons. Its report focussed on the National Cyber Security Programme (NCSP) – and didn’t hold back.
Only Total Budget Known…
In a report published Monday, the Committee said: “The Government is unwilling to publish any information about the 2016–2021 National Cyber Security Programme (NCSP) other than its total budget of £1.9 billion.”
“While we accept that some elements of the NCSP are security-sensitive and therefore should not be made public, such lack of transparency about such large sums of public money is of serious concern.”
The previous Government published Annual Reports and high-level budget breakdowns by activity for the earlier 2011–2016 NCSP.
National Cyber Security Programme: What’s Critical?
In the extensive report on the “Cyber Security of the UK’s Critical National Infrastructure” the Committee warned of the growing risk of attacks from malicious actors including nation states and the vulnerability of aging Operational Technology (OT).
(The Government has identified 13 national infrastructure sectors that are essential to the functioning of daily life: chemicals; civil nuclear; communications; defence; emergency services; energy; finance; food; government; health; space; transport; and water.)
But it suggested that the government’s definition of what constitutes CNI may no longer be fit for purpose.
The report notes: “As the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical. The 2016 National Cyber Security Strategy provides few clues as to how the Government is managing this issue or how it is prioritising its efforts between CNI sectors. It also fails to acknowledge the varying complexity of the CNI sectors and the bearing this should have on the Government’s approach. Asserting that the UK is at the forefront of international efforts on cyber security is not sufficient.”
It adds: “The next National Cyber Security Strategy, due for publication in 2021 should be informed by a mapping of the key interdependencies between CNI sectors—and therefore of national-level cyber risk to CNI—which the Government should complete as soon as possible and keep under continual review. The priorities identified in the next Strategy should also take account of the CNI sectors’ respective maturity in terms of cyber resilience and the varying levels of Government influence over operators in each sector.”
The Committee also called for a designated Cybersecurity Minister.
Raj Samani, Chief Scientist and Fellow at McAfee commented in an emailed statement: “While the government has on many occasions acknowledged the threat posed by nation-state hacking, the appointment of a single “cyber security minister” to the cabinet would reflect this as a priority and support the continued efforts of the National Cyber Security Centre.
He added: “Greater levels of transparency around technology design are vital. We need more visibility into what different components do, and how they do it. We also need greater visibility into what they should and shouldn’t be doing. More effort must be made to secure the most sensitive components of technology upon which we rely every day.”
Calls for an NAO Audit
The Joint Committee on the National Security Strategy concluded: “The Government should resume publishing Annual Reports for the National Cyber Security Programme to improve transparency and aid external scrutiny.”
“These should set out progress made, the challenges faced, and a breakdown of the budget by type of activity and by department or agency; it would also present a regular opportunity to review and adjust plans in response to changing threats, vulnerabilities and technological innovation.”
In a clear warning shot, the committee added: “Given the relatively large sum of public money and the many departments and agencies involved, the Government should also support a programme-wide audit of the NCSP by the National Audit Office to provide public and Parliamentary assurance”.