UK Government to Set Cyber Resilience Targets for Critical National Infrastructure Sectors by 2025
Table Of Contents:
As government and public sector professionals gathered to discuss cybersecurity matters, stark warnings were issued to Critical National Infrastructure (CNI) about incoming attacks from unpredictable actors. Dan Raywood looks at critical points from a CyberUK keynote.
For the past few years, the best of the UK’s public sector in cybersecurity have gathered together at a conference named CyberUK to exchange ideas and deliver perspectives which will drive the agenda forward.
This week saw the 2023 edition held in Belfast, a city visited by President Biden and Prime Minister Rishi Sunak in recent weeks. The government representative this time was Chancellor of the Duchy of Lancaster Oliver Dowden MP, who opened his speech by calling this “a very interesting time for cyber in the UK.”
Cybersecurity In The UK
Why is it interesting? There is a thriving tech sector in the UK. We have a Prime Minister passionate about science and tech, “and because government and industry are building a strong partnership including through the new National Cyber Advisory Board.”
In his keynote, Dowden focused on geo-political issues, including Ukraine, the ransomware attack on the Royal Mail, and an attack on a third-party supplier, which caused severe disruption to NHS 111. Dowden stated that these have been enabled by the ability “to buy and sell sophisticated cyber tools and spyware like Pegasus,” which he says is “something we are taking very seriously, and to which we are responding with our international partners.”
While ransomware was declared a national security threat earlier this year, there is a more persistent threat. Dowden said the NCSC has seen the rise of several Russian-aligned groups sympathetic to Putin’s invasion of Ukraine, who “are now seeking opportunities to compromise our Critical National Infrastructure.”
While there have been attempted attacks in the past, Dowden said, rather than seeking to profit or undertake surveillance, the primary motive of these groups is to disrupt or destroy infrastructure. “These adversaries are ideologically motivated rather than financially motivated.”
Also, as these actors are aligned with national actors, but are often not controlled by foreign states, that makes them more opportunistic and less likely to show restraint, he claims.
Critical National Infrastructure Cybersecurity Struggles
This led Dowden to announce that the NCSC is issuing an official alert to critical national infrastructure operators to highlight the risk they currently face. This includes several recommended actions that operators should follow immediately to increase their resilience and help defend our infrastructure against these attacks.
“Disclosing this threat is not something that we do lightly; this is an unprecedented warning for businesses,” he says. “We have never publicly highlighted the threat from these kinds of groups attempting such attacks before, and I should stress that we do not think that they currently have the capability to cause widespread damage to our infrastructure in the UK.”
Looking more clearly at the alert, the NCSC warned that “some groups have stated an intent to launch ‘destructive and disruptive attacks’ and that CNI organisations should ensure they have taken steps outlined in the NCSC’s heightened threat guidance to strengthen their defences.”
While initial attacks are likely to take the form of Distributed Denial of Service (DDoS) attacks, website defacements or the spread of misinformation, the alert claims some groups could create a more destructive impact against Western infrastructure.
Dr Marsha Quallo-Wright, deputy director for Critical National Infrastructure at the NCSC, said, “The NCSC has produced advice for organisations on steps to take when the cyber threat is heightened, and I would strongly encourage all CNI organisations to follow this now.”
It is pretty telling that this particular vertical is the one to be highlighted as most likely to be attacked. One would presume that the typical targets of financial services, healthcare and gaming would be more likely to be attacked, but perhaps there is a presumption that CNI is less prepared for an attack, and that is where the focus needs to be.
Improving UK Cyber Resilience
On top of the alert, Dowden announced there will be “specific and ambitious” cyber resilience targets set for all critical national infrastructure sectors to meet by 2025, and he was “actively examining plans to bring all private sector businesses working in critical national infrastructure within the scope of cyber resilience regulations.”
He claims that, specifically, these are the companies in charge of keeping the country running and the lights on and power running. It is also about them taking their security seriously, and Dowden said this attitude should also extend to their cybersecurity.
With the publication of the Cyber Security Strategy last year and the National Cyber Strategy in 2016, this government has made its interest in taking cybersecurity seriously clear. “The stronger your business, the stronger our economy, and the more prosperous we become together. In turn, we in government will continue to do as much as possible to support the cyber industry and businesses more widely.”
Dowden concluded his talk at CyberUK by claiming that the Government “is clear-eyed about the challenges that we face” and that business ” needs to be clear in their determination to meet those challenges with us.”
These concepts and ideas from the UK government show a determination to better protect the UK from cyber-attacks and better aid the businesses that can provide that protection. The action points follow fairly standard guidance that many companies would be familiar with, such as patching, backups, incident response and third-party access.