March 7, 2019, updated 07 Jul 2022 12:34pm

Government: We’re Mulling Broader Pen Testing for CNI

"We are considering the contribution this type of testing could make to cyber security assurance within further CNI sectors"

By CBR Staff Writer

The government has defended its decision not to provide an itemised breakdown of how it is spending £1.9 billion under a National Cyber Security Programme.

It also said it is considering penetration testing schemes for critical national infrastructure, saying proposals to expand trials “have promise”.

The comments came in a response today to a Joint Committee for the National Security Strategy (JCNSS) report that was published in November 2018.

In that report the JCNSS – which includes the chairmen of eight Select Committees from Defence to Foreign Affairs, Justice, Security and Intelligence – criticised the government’s National Cyber Security Programme for spending opacity and a lack of clarity over what constitutes “critical” in Critical National Infrastructure (CNI).

Pushing back, the government responded today: “A breakdown of how the £1.9 billion National Cyber Security Programme is allocated is not made public for national security reasons.”

Government Cybersecurity Spending Breakdown Decision Will Follow NAO Report

“The National Audit Office (NAO) is currently conducting an audit of the National Cyber Security Programme, to be published later this year. The Government notes the Committee’s comments and will also wish to consider the outcome of the NAO audit before determining whether further information could be made available to improve transparency, whilst balancing national security considerations.”

(The JCNSS had said “such lack of transparency about such large sums of public money is of serious concern” and noted that the previous Government published “high-level budget breakdowns by activity for the earlier 2011–2016 NCSP”).

Gov’t Mulling More Penetration Testing

The JCNSS had also called for the government to “establish a plan for the development of threat- and intelligence-led penetration testing and its roll-out across all CNI sectors that takes account of the mixed maturity of the sectors.”

The government responded today: “We agree that penetration testing schemes that simulate the capabilities and attack methods of cyber adversaries have promise as part of the approach to cyber security assurance.”

“We have already actively been developing and piloting similar schemes for the Government sector and the Telecommunications sector. We are considering the contribution this type of testing could make to cyber security assurance within further CNI sectors, reflecting factors including sector maturity, cost and capacity.”

“NCSC also supports CNI organisations in accessing penetration testing by providing guidance for testers and maintaining an accreditation scheme of penetration testing companies (known as the CHECK scheme), which provides assurance that services hired in by client companies have a high degree of competence.”

“This guidance is currently being updated to reflect the latest progress in the development of these attack simulation and testing methods.”

Pen Testing Positivity Welcomed by Industry

Ollie Whitehouse, global CTO at NCC Group – a Manchester-headquartered cybersecurity and risk assurance company – gave written and oral evidence in 2017 that was used to inform recommendations for the original JCNSS report.

He told Computer Business Review in an emailed statement: “There’s no doubt that the government is committed to continually improving the security of critical national infrastructure, and its response to the strategy set out in November shows that cyber resilience is becoming a political priority.”

He added: “The government’s recognition of the importance of intelligence-led penetration testing schemes is a significant step forward in reinforcing security across the CNI sector. The success of this, of course, will depend on the availability of high-quality intelligence and capabilities, as well as an update to key UK legislation.”

“Improving supply chain defences is critical to reinforcing our CNI’s security posture, along with efforts to embed risk management and the implementation of schemes such as the Defence Cyber Protection Partnership, so it’s very encouraging to see both of these highlighted in the report.”
