The potential for cyber attacks to cause substantial damage to vital infrastructure is a real and credible threat which requires a coherent and effective strategy, but the cyber security threat cannot be met by Government alone.
These are the key findings of a new Chatham House report entitled Cyber Security and the UK’s Critical National Infrastructure which is being launched today.
There appears to be no coherent picture of what constitutes a cyber vulnerability, and little consensus on the nature and gravity of the problem.
Chatham House states that a more coherent picture of what the consequences or severity of that vulnerability might be is required in order to mitigate and manage the threat and subsequently capitalise on the opportunities cyberspace presents.
Managing vulnerabilities within the CNI
This latest report (which is supported by information intelligence expert BAE Systems Detica) examines the extent of national dependencies on information and communication technology (ICT) and what can be done to manage vulnerabilities within the Critical National Infrastructure (CNI).
Essential services such as water, gas, electricity, communications, transport and banking are all ICT dependent. With this dependency can come vulnerability to aggressors and criminals (and even the merely mischievous).
One of the report’s authors, Paul Cornish, explained: “There is a need to raise awareness about the constantly evolving character of cyberspace. Given society’s reliance upon digital processing and communications, Governments are right to take cyber security seriously. However, it’s not a problem to be met by Governments alone – as a society-wide challenge it requires a society-wide response.”
As a result, the Chatham House report – also authored by David Livingstone, Dave Clemente and Claire Yorke – seeks to raise awareness about the constantly evolving character of cyberspace and the levels of awareness required to meet it successfully.
Key findings of the report
- The Government cannot provide all the answers and guarantee national cyber security in all respects for all stakeholders. As a result, Critical National Infrastructure enterprises should seek to take on greater responsibilities and instil greater awareness across their organisations.
- All organisations should look in more depth at their dependencies and vulnerabilities. Awareness and understanding of cyberspace should be ‘normalised’ and incorporated and embedded into standard management and business practices within and across Government and the public and private sectors.
- Cyber terminology should be clear and language proportionate to the threat. It should also encourage a clear distinction to be made between IT mishaps and genuine cyber attacks.
- Research and investment in cyber security are essential to meeting and responding to the threat in a timely fashion. However, cyber security/protection should not be the preserve of IT Departments but rather of senior executive Boards, strategists and business leaders. It should also be incorporated into all levels of an organisation.
The report sees the light of day just before publication later this week of the Government’s strategy on how to combat the cyber threat.
‘Tier One’ national security risk
Last October, Government ministers upgraded cybercrime to a so-called ‘Tier One’ national security risk and set aside £650 million to improve the UK’s resilience to electronic attack.
Back in March 2009, the International Security Programme at Chatham House, in conjunction with Detica, published Cyberspace and the National Security of the United Kingdom which detailed the growing problems of cyber security.
The current project builds on the findings of that report to examine how widespread dependencies on information and communications technology are being managed by Government, Critical National Infrastructure and the wider UK society.
Research was conducted through a series of interviews with different parts of CNI and focused on senior management and Board members rather than technology specialists in order to understand how the leaders within CNI view the challenges from cyberspace.
All interviews were carried out under a confidentiality agreement in order to promote frank and meaningful discussion.
Plenty of talk, not enough action
Commenting on the report, Frank Coggrave (general manager, EMEA at Guidance Software) told SMT Online: “Cyber security is one of the Government’s Tier One threats but so far we’ve had a lot of talk and not enough action. We’ll await what arises from the Government’s upcoming new cyber strategy.”
Coggrave continued: “The key recommendation in this Chatham House report is for them to set up a ‘single, accessible bank of cyber security information and advice’. We’ve been calling for that for some time. The industry as a whole – customers and vendors – has the responsibility to protect itself from cyber attacks, but it’s not something organisations can do alone as the threats are unremitting, evolving and dangerous.”
He added: “Pooling resources, information and intelligence is vital but difficult to focus on when you’re under personal attack. Government is all about doing important things collectively that individuals cannot accomplish on their own, so let’s see some actual ‘Government’ here, not just rhetoric.”
In conclusion, Coggrave stated: “It’s also about education, and we need to build awareness above and beyond that given out at information security events. Leading industry bodies need to ensure that cyber threats are well documented in as many outlets as possible.”