Long-term thinking is vital to secure UK’s critical infrastructure

by Jeremy

The UK government has identified cyber as a Tier One threat alongside terrorism. Cybercrime costs UK businesses vast sums of money every year – and that’s just the cybercrime we know about, because it is vastly under-reported. Government and critical national infrastructure (CNI) remain crucial targets for the organized crime gangs that run a large proportion of cybercrime, and for hostile nation-states, although these are rarer. However, nation-states sometimes outsource this kind of “work” to crime gangs. So, cyber warfare (as we may well consider attacks on CNI) could be in the hands of hostile nations, and the criminal element of those wUK’s critical infrastructure

The world has seen, several times in fact, what happens when they are successful (think about Ukraine’s power grid taken down three times, and WannaCry and NotPetya disabling businesses and the NHS). But is our security leadership developed enough to cope with this persistent and evolving threat? “The biggest threat to security today is the general lack of conviction that any danger exists” – that was said by Lord Radcliffe in a Security Report in 1962.

To address this Tier One threat, there needs to be an accurate understanding at the heart of government – it is several years since the National Audit Office (NAO) criticized the lack of knowledge and leadership around information security. The number of remotely managed or web-enabled systems grows every year, and, quite rightly, our CNI needs to benefit from the increased manageability and cost savings that these new ways of working provide.

At the same time, the rush to interconnect numerous legacy systems continues unabated, making systems that were never designed to be internet-facing precisely that. Connecting OT and legacy systems to the internet makes them a “legitimate” target for nation-states using offensive attack capabilities, and for criminals and terrorists alike. They do not make distinctions based on any moral or ethical code – they seek a result.

So, if we continue to web-enable everything in our CNI, it would be forgivable to imagine that we have taken every possible measure to ensure their security and resilience. Yet as recently as 2017, we discovered that over a third of infrastructure organizations in the UK had not completed basic cyber security standards issued by the UK government, known as the ten steps to cyber security. There can be little doubt, then, that there is a lack of long-term thinking around this area and what looks like an approach akin to “if it ain’t broke, don’t fix it”.
