The UK’s joint committee on the National Security Structure published a damning report on Britain’s critical national infrastructure (CNI) on Monday (19 November), saying that cyber threats range across a number of sectors including energy, health services, transport and water.
The report states that the UK government is not acting with the “urgency and forcefulness that the situation demands,” and that the critical national infrastructure is a “natural target for a major cyberattack” due to its importance to the economy and everyday life.
“Too often in our past, the UK has been ill-prepared to deal with emerging risks,” said a statement from the Chair of the Committee, MP Margaret Beckett, drawing attention to some of the more severe cyberattacks that have hit the UK in recent years, such as the WannaCry ransomware strike in 2017.
Risks for business
Such findings were also highlighted at the EU level in the World Economic Forum’s Regional Risks to Doing Business report published last week.
The study asked more than 12,500 executives around the world to select the global risks that pose the most significant concern for doing business within the next 10 years.
For Europe, cyberattacks were deemed the most pressing threat.
“2017 was a tipping point in the prevalence of cyberattacks in the EU,” the lead author of the report, Aengus Collins, told EURACTIV. “The most significant of which was, of course, the WannaCry ransomware attack.”
“What was concerning about WannaCry was the fact that it employed fairly straightforward methods to create broad disruption across many systems.”
Europol described the 2017 WannaCry cyberattack as “unprecedented” in scale, after it had struck 200,000 computers across 150 countries.
The attack infected systems around the world with ransomware that targeted Microsoft Windows operating systems.
The report highlights the fact that the WannaCry attack disrupted systems such as the UK’s National Health Service and German rail infrastructure, and that such targets help explain why cyberattacks were voted the most pressing issue for EU business.
“This is no surprise,” the report says. “A number of massive cyberattacks took place in 2017 – causing extensive operational disruption and financial losses for organisations around the world.”
Brexit and cybersecurity
Monday’s report also drew attention to the importance of the UK continuing to comply with EU legislation in the field of cybersecurity after Brexit.
The EU’s NIS directive was adopted in 2016, with a deadline of May 2018 for national authorities to start implementing the new rules.
The legislation obliges member states to create Computer Security Incident Response Teams (CSIRTs), build and put into practice national cybersecurity strategies, report security breaches swiftly, and take part in a Cooperation Group that monitors the efficiency of the NIS Directive.
Earlier this year, the UK government said the NIS measures will continue to apply after the UK’s exit from the EU, and that the UK still intends to continue participating in the NIS Cooperation Group.
However, the report also highlights the ambiguity in how the UK “intends to take account of changes made to the NIS regime by the EU after the Brexit transition period.” It also draws attention to the fact that the extent to which the UK is allowed to participate is subject to the nature of the future relationship between the two parties.
Giving evidence before the joint committee on the National Security Structure in June, MP David Lidington addressed the importance of continued collaboration between the EU and UK post-Brexit in the field of cybersecurity.
“There are what I would describe as doctrinal issues with the EU institutions, which we hope we can find a way to overcome,” he said.
“Otherwise, it amounts to a deliberate decision by the EU negotiators to put EU citizens at greater risk than they are at the moment.”