I was struck by the lack of detail on how vulnerability can be reduced at home. Too often the focus of government and commentators when considering national security has been on the military and the security agencies rather than the industries that deliver vital services, or the departments and regulators that oversee them. In this high-level document, that looks to be happening again.
The emphasis is on detect, disrupt and deter, but not so much on practical security at home. The pandemic has shown how dependent we all are on core systems and infrastructure for society to function. Their resilience is fundamental to our strength as a country. At the heart of that resilience must be security.
It was my job to support prime ministers and the National Security Council on what the US call homeland security: national resilience, crisis response, cyber security and counter terrorism. We worked at the interface of government and business with a particular focus on critical national infrastructure (CNI). In that role, I became all too aware that the nature of hostile attacks on our country was changing.
Our traditional defences are no longer enough in the age of hybrid warfare where an adversary can act below the threshold of armed conflict but still unbalance, disrupt or deter us. The ongoing Microsoft Exchange incident and last year’s SolarWinds intrusion show how adversaries pre-position for cyber-espionage or disruptive effect. Russia’s cyber pressure on Ukraine and Georgia and Iran’s current tussle with Israel hint at what is then possible. So far we have only seen the lesser part of our adversaries’ armoury.
An excessive focus on our military systems and even our diplomacy for power projection risks creating a Maginot Line – an expensive edifice that is easy for our foes to circumvent. Our major industries and privately run infrastructure are now on the front line. Their networks and systems at home must therefore be robust enough to protect us from cyber threats of hostile states and their organised crime partners.
Some sectors, including civil nuclear, power generation and telecommunications have, to some extent, designed in resilience. They are highlighted as priorities in our National Security Strategies.
My concern today is whether the issue of national resilience – and hence security – carries sufficient weight in the design, regulation and the economic model for key civilian systems: those we rely on now but, even more, those that are emerging.
The Review commits Government to “consider the scope and responsibilities of CNI owners to ensure a consistent resilience standard across sectors” and to “raise levels of cyber security across CNI sectors”. Both phrases suggest vulnerability.
The question for business is how will that be achieved in practice? What regulatory and cost burden will follow and when? Government has the opportunity to shape how this will develop as we “Build back better” and reflect on the lessons of the Covid-19 pandemic. Given the new threats they will encounter, I believe this must be more of a priority.
During lockdown, we have seen how the health, telecommunications and food sectors have had to reshape their services and even business models as a “reasonable worst-case scenario” played out. What would have happened if any of those sectors had simultaneously been targeted by a disruptive systemic cyber attack?
The NHS has been here before. In 2017 the WannaCry attack hit thousands of computers and devices, leading some health trusts to turn away non-critical emergencies. Lessons were learned and security has been given greater priority in new systems, and retrofitted to old. As a result, the NHS today is better prepared than it might otherwise have been. But what about other critical sectors?
A priority for Government in this year of COP26 is the climate emergency – hence its profile in the Integrated Review.
The technologies that help us reduce carbon emissions will be critical. For instance, the fast-growing national electric vehicle (EV) charging network didn’t really exist until a few years ago. Soon this network will power the economy, keeping millions of cars, vans and lorries on the road. It will be at the heart of our energy system too. New technology will allow the power stored in millions of EV batteries to be harnessed to balance local power grids.
Imagine the consequences if this network were compromised by a cyber attack. EVs would be unable to charge. Millions of people would have their lives disrupted. Much of the economy could grind to a halt.
Emerging networks such as this, essential as they are, increase our national “attack surface”. They provide an attractive opportunity for an adversary to unbalance, intimidate, paralyse or even defeat us.
In defence systems, we ensure resilience by building in security and a degree of redundancy by design right at the start. This avoids an expensive retrofit further down the line. We assume they will be targeted. The same should apply to key civilian systems.
This article was original published in The Telegraph