Ahead of the Cyber Security and Resilience Bill, the Parliamentary Office of Science and Technology (POST), an office of both Houses of Parliament, has brought out a briefing note on ‘cyber resilience of UK digital infrastructure’.
The briefing goes over cyber threats, noting that cyber or physical attacks may be conducted by financially motivated criminals, politically driven ‘hacktivists’, or insiders. It recalls the 2017 WannaCry ransomware attack that exploited a vulnerability in Microsoft Windows software used to share files over a network, and affected the NHS among many others worldwide; and points out that legacy technology is a significant issue for the UK Government. Meanwhile, cyber attacks on operational technology are rising, vendors may have weaker cybersecurity than the CNI operators they supply, and skills shortages are a well-documented barrier to cyber risk management.
Comment
Juliette Hudson, CTO at CybaVerse, said: “The government is clearly growing concerned about the vulnerability of the UK’s critical infrastructure, to both cyber attacks and physical outages, and is working to strengthen its resilience. The UK’s infrastructure is underpinned by digital technologies today, which makes the country increasingly vulnerable to outages and attacks. This has been evidenced in last year’s CrowdStrike outage, but also in the recent ransomware attacks on UK businesses.
“It was hard to comprehend that a huge institution like M&S could suffer so significantly at the hands of a group of teenagers, but this is the reality of cyber crime today. If organisations aren’t prepared, the impacts can be severe, highly disruptive and very costly. It could be said that the UK has got off lightly so far in terms of the impacts of attacks on CNI.
“While we have experienced attacks on critical industries, their impacts have been fairly limited. But this won’t be the case forever, and many experts are growing concerned about the UK’s ability to manage and survive a large-scale attack. With Russian state-sponsored actors actively carrying out ransomware attacks on the country, and China pre-positioning within CNI to carry out future assaults, the UK could soon face a major attack that is highly disruptive to society and threatens the safety of the country.
“This has been one of the key drivers behind the forthcoming Bill. The POSTnote highlights the vulnerabilities our digital dependencies expose the country to, and provides recommendations on how to drive up resilience. However, given that the Cyber Security and Resilience Bill is unlikely to come fully into force for a number of months, and attackers have already made significant strides in achieving their objectives, is it too little too late? Let’s hope not.”





