The purpose of a government committee is to be critical. If it did nothing but agree with the status quo of its subject matter, there would be little point to it. That said, in its latest report, published November 12, 2018, the UK parliament’s Joint Committee on the National Security Strategy is somewhat critical of the UK’s National Security Strategy (NCS).
This report (PDF) specifically examines the critical national infrastructure (CNI — or more usually in the U.S., just CI). It says, for example, “The Government’s current approach to improving the cyber resilience of the UK’s critical national infrastructure is long on aspiration but short on delivery.”
Nevertheless, the report misses the mark in one important area. It demands ministerial control over public and private CNI security. “There should be,” it recommends, “a Cabinet Office Minister designated as cyber security lead who, as in a war situation, has the exclusive task of assembling the resources — in both the public and private sectors — and executing the measures needed to defend against the threat.”
Ministers are political animals, not security experts — they come and go, and their position is dependent upon the Prime Minister’s patronage, not on ability or performance.
The implementation of the EU’s Network and Information Systems Regulations (NIS), which will stay in force beyond Brexit, is expected to raise the bar on security delivery within the CNI — but the report warns that NIS is “not a ‘silver bullet’”.
The committee has two concerns. Firstly, the regulations are limited in scope; and secondly, responsibility is fragmented across multiple Whitehall departments and different Competent Authorities for different sectors.
However, rather than establishing a Ministerial czar within government, the committee should consider the model used for GDPR — a single independent body such as the Information Commissioner’s Office (ICO) responsible for all CNI sectors.
Government could still set the requirements for improving CNI security, but responsibility for ensuring accurate implementation would fall on independent security experts rather than a career politician.
Despite its concerns over the adequacy of NIS, the report makes only one specific related recommendation: “The Government should establish a plan… for the development of threat- and intelligence-led penetration testing and its roll-out across all CNI sectors that takes account of the mixed maturity of the sectors in terms of their cyber resilience.”
It accepts that pentesting provides only “a snapshot of operational resilience at a particular moment in time against a particular set of threats,” and suggests this should be done in combination with other methods of regulatory assurance. (The report makes no mention of the ‘continuous external monitoring’ — and even automatic threat triaging — now available from some third-party vendors (see https://www.securityweek.com/92-external-web-apps-have-exploitable-security-flaws-or-weaknesses-report) as an alternative or addition to ‘point-in-time pentesting’.)
The additional methods of regulatory assurance should comprise non-regulatory incentives and interventions that would improve security in the CNI supply chains, and support operators in managing the risk “associated with hardware, software and services bought ‘off the shelf’, especially those procured from major international suppliers.”
Huawei is top of mind here since it is the only international supplier mentioned by name within the recommendations. “The Government should set out in its response to this Report its assessment of how, and how effectively, the Huawei Cyber Security Evaluation Centre Oversight Board provides additional assurance in relation to the UK’s cyber security.”
At a building (often known as ‘the Cell’) in the small market town of Banbury, UK, the UK government has access to Huawei source code. Although there has never been any publicized incident of unacceptable code, there has been increasing concern over the last year over whether this is sufficient to ensure the integrity of all Huawei telecoms products — which are widely used by BT.
This is a pertinent request given the reports surfacing Thursday that the U.S. Government has asked other governments and telecoms operators in allied nations to avoid the use of Huawei equipment. U.S. and other Western intelligence agencies are concerned over the potential for Huawei equipment to be used for espionage by the Chinese government.
Other recommendations by the committee to improve CNI security include “identifying an expert board member with specific responsibility for cyber resilience and mandatory corporate reporting on cyber resilience, in accordance with the spirit of forthcoming reforms to the Companies Act 2006.”
This is also in the spirit of the current NYS financial regulations. Relevant companies should be required to have a ‘CISO’ on the board, and those companies should report to their competent authority on the state of their cybersecurity posture.
The final recommendation is that the government should consider whether and how increased use of cyber insurance could be used to improve companies’ cyber practices. In reality, this could work only if cyber insurance becomes a legal requirement for the CNI — this would force those companies to comply with the security requirements demanded by the insurance companies. Insurance companies will inevitably set the security bar high if only to minimize the likelihood of having to pay out in the event of a breach.
The committee praises the role and effect of the National Cyber Security Centre (NCSC). But it is concerned that the Centre doesn’t have the necessary resources. It would like to see the NCSC properly financed, and recommends its budget should be “a ring-fenced fund separate from (and safe from) general departmental budget pressures.”
However, there is one cryptic comment on the NCSC that leaves much to the imagination: “we heard there are unresolved tensions derived from its status as part of GCHQ…”