How resilient is UK Critical National Infrastructure to cyber-attack?
24 October 2023
The UK is the third most targeted country in the world for cyber-attacks, after the US and Ukraine.
In recent years the UK has seen the use of offensive cyber capabilities by state and non-state actors proliferate, exacerbated by Russia’s full-scale invasion of Ukraine. The UK Government’s National Cyber Strategy 2022 and the Government Cyber Security Strategy 2022-2030 recognised cyber threats to UK Critical National Infrastructure (CNI) - infrastructure whose disruption would have significant national impact - as an area of particular concern.
Digital infrastructure is critical for supporting growth and helping to transform the delivery of public services. It is a keystone in developing critical and emerging technologies within the Science and Technology Framework, and is essential to UK national security under the 2023 Integrated Review Refresh. Much of the UK’s CNI is underpinned by this digital infrastructure, which must be resilient to cyber-attack if it is to fulfil such fundamental roles in the UK economy.
Increasingly CNI makes use of computer systems connected into large networks, and often to the internet. Much of the UK’s CNI is privately owned, and concerns have been raised that there are competing priorities between Government and private operators over cyber resilience strategies, such as appropriate investment levels and how fast a service is restored following an attack. CNI operators can replace proprietary computer systems with commercial products that have varying levels of cyber security and resilience, raising the potential for cyber-attacks that achieve physical disruption.
The best-known cyber-attack affecting UK CNI—the 2017 WannaCry ransomware attack which caused significant disruption to NHS medical services—did not even deliberately target the UK. In August 2023 the Electoral Commission announced that hackers had obtained the details of tens of millions of British voters in a “complex cyber-attack” which went undetected for more than a year.
The Committee has launched an inquiry into the cyber-resilience of the UK’s CNI. It will explore the progress of UK CNI toward achieving recently announced resilience targets by 2025, and what support the sector needs to achieve those targets and efforts to make computer hardware architecture more secure by design to protect CNI. What should be the Government’s approach to standards and regulations for cyber resilience and preparedness, supply chain access, and trusted partners?
The Committee welcomes submissions on any or all of the following
- The types and sources of cyber threats to Critical National Infrastructure (CNI) most critical to the function of the UK digital economy:
- Communications (including space);
- Government; and
- The strengths and weaknesses of the UK Government’s National Cyber Strategy 2022 and Government Cyber Security Strategy 2022-2030 in relation to CNI for the digital economy;
- The effectiveness of the strategic lead provided by the National Security Council, Government Departments and agencies, and the National Cyber Security Centre, and the coherence of cross-government activity;
- The effectiveness of the Government's relationships with, respectively, private-sector operators and regulators in protecting and preparing CNI organisations of most critical to the UK digital economy from cyber-attacks;
- What are the interventions that are required from Government, and CNI organisations most critical to the UK digital economy to ensure the Government’s cyber resilience targets by 2025 are achieved;
- What role will ‘secure by design’ and emerging technologies play in the cyber resilience of CNI most critical to the UK digital economy and their supply chains.
If you have evidence on these questions please submit through the portal on the inquiry page Cyber resilience of the UK's critical national infrastructure by Friday 10 November.
Image: Adobe Stock