


Parliament’s Science and Technology Committee has launched an inquiry into the cyber resilience of the UK’s CNI

October 2023 by Paul Brucciani, Cyber Security Advisor at WithSecure

News emerged today that Parliament’s Science and Technology Committee has launched an inquiry into the cyber resilience of the UK’s critical national infrastructure (CNI). The inquiry will be open for evidence until 10 November.

Paul Brucciani, Cyber Security Advisor at WithSecure, offered the following thoughts:

“There are two points to consider here:
• Not all countries are able to measure the extent to which their infrastructure is being compromised. HMG should be congratulated on being able to do this. The position of being the third ‘most targeted country’ should be assessed against all the other countries with similar measurement capability.
• Not all cyber attacks are targeted. Attacks such as WannaCry and NotPetya, which caused widespread damage, were either targeted elsewhere or were indiscriminate.

The question to be addressed is: “Is the UK CNI peculiarly vulnerable to such attacks?”. Being privately owned may be one reason and this needs to be investigated. Two other areas to look at:

1. The extent to which security is driven by rules: cyber security based on compliance to rules or standards may make it easier to get through client audits, but it may not make you secure. Standards take many years to agree and implement, by which point the cyber threat has moved on, and they reflect the minimum capability that standard setters consider to be generally appropriate, rather than an aspirational capability. Excessive emphasis on codes of compliance rather than responsibility gives rise to complacency and raises the risk of failure. Independently scrutinise standards set by consensus and create a logical, defensible cyber risk strategy, specific and appropriate to your organisation.

2. Do the energy company directors have ‘skin in the game’? We should make those responsible for managing risk. Define the cyber risk management strategy: avoid the mistakes made by financial sector regulators in, for example, allowing banks’ capital requirements to be set by the ratings agencies. Not only are ratings agencies not responsible for managing banking risk, they are also susceptible to market pressure. It is they who set disastrously low risk ratings to new and lethal financial products like the collateralised debt obligations which caused the 2007 financial crisis. Execs need to have ‘skin in the game’.”
