It's now "impossible" to protect critical UK infrastructure from cyber attack
Parliamentary committee warns that mitigating the effects of successful attacks is becoming a 'new normal'


MPs and Lords have warned it's "impossible" to completely protect the UK's infrastructure from a WannaCry-scale cyber attack, with mitigation quickly becoming a 'new normal'.
Several factors stand in the way of fully securing the UK's critical national infrastructure (CNI), including an increasingly complex security landscape, and the government's failure to define what it considers to be critical, according to the Joint Committee on the National Security Strategy (JCNSS).
In a report assessing the scale of threat the UK faces, the Parliamentary committee also said laws stemming from EU-wide regulations have been useful, but do not go far enough.
"'Critical' national infrastructure is, by definition, a priority for the Government and industry. However, as the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical," the JCNSS report said.
"Fast-changing threats and the rapid emergence of new vulnerabilities make it impossible to secure CNI networks and systems completely.
"Continually updated plans for improving CNI defences and reducing the potential impact of attacks must therefore be the 'new normal' if the Government and operators are to be agile in responding to this changing environment and in taking advantage of constant technological innovation."
The committee raised concerns that the expectations placed on the National Cyber Security Centre (NCSC), formed to provide cyber training and leadership for UK organisations, are outstripping its resources.
NHS Digital deputy chief executive Rob Shaw revealed in evidence that he had expected an "army" of experts to support the NHS through 2017's WannaCry attack, but soon learned the NCSC lacked staffing to help out on the ground.
JCNSS said it had concerns about the NCSC's capacity to meet growing demand for services and expertise, and that its effectiveness will be limited in future unless it can recruit at the appropriate scale.
The government must also publish a ten-year plan for the institutional development of the NCSC, setting out the resources and staffing levels it expects the organisation to need.
The committee made several further recommendations for the government and for businesses, including instigating a cultural change among CNI-linked organisations, and for politicians and ministers to take initiative in making cyber resilience a priority.
Private sector companies overseeing CNI, as well as firms comprising the supply chain, should consider cyber security as another business risk, and proactively manage threats. This is especially true where "commercial interests may not always align with the demands of national security".
Moreover, the government needs to appoint a Cabinet Office minister charged with overseeing the resilience of CNI, instead of the patchwork of multi-ministerial oversight that exists currently.
Under the current structure, each department would have a different approach to overseeing cyber security in its constituent sectors, with occasional overlap.
More focused and proactive leadership from central government is needed to ensure cyber security is handled in a more consistent way, the report continued, blasting the status quo of ministers only occasionally checking in as "wholly inadequate".
"It's vital that short-term memories and political distractions such as Brexit do not derail focus from these important initiatives," said Mimecast's cyber resilience expert Pete Banham.
"Private sector businesses today need a risk and security champion in the boardroom; likewise, it's time Government had a cyber tsar in the Cabinet.
"Minimising the impact of attacks should be top priority as a defence-only strategy is doomed to fail. This should include regular 'fire drills' for all employees to respond to and recover from cyber-attacks.
"We've seen a growing number of CNI organisations, including the NHS, make determined moves to adopt more resilient postures in the last two years. WannaCry helped focus attention and budget allocation but still more needs to be done."
Stuart McKenzie, FireEye's vice president for EMEA, meanwhile warned much of the technology used within CNI remains fragile and relies on outdated standards of security.
"The threats facing CNI have constantly evolved, meaning that today's threat is something that wasn't imaginable when many of the systems were originally designed, leaving them increasingly vulnerable," he said.
"These are not quick problems to solve, but they are not insolvable. We would recommend that CNI organisations conduct a mapping exercise to understand their exposure and risk and put in place some controls to protect the most critical threats.
"With breaches becoming inevitable, organisations need not only to set defences and identify attacks, but crucially to have a really clear understanding of what to do in the event of a breach - every organisation needs to have a really clear incident response plan that's well tested and regularly rehearsed."
Mandatory policy decisions should also be implemented, the report recommended, including a plan to roll out penetration testing for CNI-linked organisations, and continued membership of key EU groups and information-sharing schemes following Brexit.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.