November 19, 2018

Parliament Tears Into National Cyber Security Programme, Calls for Audit

Funding breakdown not detailed, CNI definitions need reworking, NAO should get involved, warns Parliamentary Committee

By CBR Staff Writer

A Parliamentary committee that scrutinises the National Security Strategy has torn into government policy on critical national infrastructure (CNI) protection.

Funding allocation is opaque, there’s a lack of clearly defined objectives and it is unclear which elements of CNI are “actually critical”, the committee said.

The Joint Committee on the National Security Strategy is appointed by the House of Lords and the House of Commons. Its report focussed on the National Cyber Security Programme (NCSP) – and didn’t hold back.

Only Total Budget Known…

In a report published Monday, the Committee said: “The Government is unwilling to publish any information about the 2016–2021 National Cyber Security Programme (NCSP) other than its total budget of £1.9 billion.”

“While we accept that some elements of the NCSP are security-sensitive and therefore should not be made public, such lack of transparency about such large sums of public money is of serious concern.”

The previous Government published Annual Reports and high-level budget breakdowns by activity for the earlier 2011–2016 NCSP.

National Cyber Security Programme: What’s Critical?

In the extensive report on the “Cyber Security of the UK’s Critical National Infrastructure”, the Committee warned of the growing risk of attacks from malicious actors, including nation states, and of the vulnerability of aging Operational Technology (OT).

(The Government has identified 13 national infrastructure sectors that are essential to the functioning of daily life: chemicals; civil nuclear; communications; defence; emergency services; energy; finance; food; government; health; space; transport; and water.)

But it suggested that the government’s definition of what constitutes CNI may no longer be fit for purpose.

The report notes: “As the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical. The 2016 National Cyber Security Strategy provides few clues as to how the Government is managing this issue or how it is prioritising its efforts between CNI sectors. It also fails to acknowledge the varying complexity of the CNI sectors and the bearing this should have on the Government’s approach. Asserting that the UK is at the forefront of international efforts on cyber security is not sufficient.”

It adds: “The next National Cyber Security Strategy, due for publication in 2021 should be informed by a mapping of the key interdependencies between CNI sectors—and therefore of national-level cyber risk to CNI—which the Government should complete as soon as possible and keep under continual review. The priorities identified in the next Strategy should also take account of the CNI sectors’ respective maturity in terms of cyber resilience and the varying levels of Government influence over operators in each sector.”

The Committee also called for a designated Cybersecurity Minister.

Raj Samani, Chief Scientist and Fellow at McAfee, commented in an emailed statement: “While the government has on many occasions acknowledged the threat posed by nation-state hacking, the appointment of a single ‘cyber security minister’ to the cabinet would reflect this as a priority and support the continued efforts of the National Cyber Security Centre.”

He added: “Greater levels of transparency around technology design are vital. We need more visibility into what different components do, and how they do it. We also need greater visibility into what they should and shouldn’t be doing. More effort must be made to secure the most sensitive components of technology upon which we rely every day.”

Calls for an NAO Audit

The Joint Committee on the National Security Strategy concluded: “The Government should resume publishing Annual Reports for the National Cyber Security Programme to improve transparency and aid external scrutiny.”

“These should set out progress made, the challenges faced, and a breakdown of the budget by type of activity and by department or agency; it would also present a regular opportunity to review and adjust plans in response to changing threats, vulnerabilities and technological innovation.”

In a clear warning shot, the committee added: “Given the relatively large sum of public money and the many departments and agencies involved, the Government should also support a programme-wide audit of the NCSP by the National Audit Office to provide public and Parliamentary assurance”.
