The UK’s Cyber Security Strategy report is overdue but a critical independent report has hit the mark
Independently compiled advice on securing the national infrastructure from Chatham House was set for release in anticipation of the government’s publication of its Cyber Security Strategy document. But things did not go quite to plan.
The Cyber Security and the UK’s Critical National Infrastructure report from cyber-security specialist BAE Systems Detica and the Chatham House analysts at the Royal Institute of International Affairs offers advice on how the critical national infrastructure (CNI) could be created. Within the pages, the research team expresses a deep-felt concern that the public and private sector are failing, or do not have the channels in place, to share information on cyber-security issues.
This would have attracted the attention of Minister for Cyber-security Francis Maude but the government’s strategy document was not finished before parliament rose yesterday for the political party conference season, which starts next week.
The Cabinet Office said that cyber security has a Tier 1 priority, and that means it should only be introduced while the House of Commons is sitting. The next opportunity will not be until 12 October.
Paul Cornish, head of the International Security Programme at Chatham House and one of the authors of the Chatham House report, said, “Given society’s reliance upon digital processing and communications, governments are right to take cyber-security seriously. However, it is not a problem to be met by governments alone – as a society-wide challenge, it requires a society-wide response.”
The report is based on interviews with various stakeholders in public and private organisations. It gives an overview of the strengths and weaknesses of the current security measures and makes recommendations on moving forward to a locked-down future for the CNI.
The authors point out that the government’s promised funding of £650 million will not be sufficient to enable the government to counter all conceivable cyber-threats. They try to answer the question of who then is best placed to tackle the problem, given that most of the critical infrastructure at risk in the UK is privately owned and beyond the government’s control.
Many of the interviewees felt the national response mechanism is fractured and incoherent. The report observes that there is widespread dissatisfaction with the quality and quantity of information-sharing between the public and private sectors.
“There was considered to be an absence of an authoritative ‘rich picture’ generated at the centre (ie, by government) that could help to develop a more comprehensive and urgent sense of the cyber threats that need to be tackled,” the report states. “This picture would improve the awareness of risk in and from cyberspace and would enable a more effective collective response.”
The government is blamed for the lack of a point of focus because a full picture of the CNI and the threats it faces is dependent upon a willingness to share sensitive information in a timely manner. The challenge that this sharing society faces is that the UK government is perceived by the interviewees and more widely in industry “to be more willing to solicit information than to divulge it”, the report added.