National risk register

by Mark Rowe

The UK Government has published the National Risk Register (NRR) as a public document of the most serious risks, man-made and from nature, facing the UK. Covered are some 89 risks, under nine ‘risk themes’, while some risks could be categorised under more than one theme. The nine are:

• Terrorism
• Cyber
• State threats
• Geographic and diplomatic
• Accidents and systems failures
• Natural and environmental hazards
• Human, animal and plant health
• Societal; and
• Conflict and instability.

The Cabinet Office, which is in charge of government resilience, pointed to its ‘whole of society’ approach to national resilience, as set out in the recently published UK Government Resilience Framework and National Cyber Strategy. Also launched this spring was a UK-wide Emergency Alerts system, which sends messages to mobile phones, for example in case of flood or a similar threat to life.

The document offers a ‘reasonable worst-case scenario’ for each risk, or, put another way, the worst plausible manifestation of the risk. For example, a malicious cyber attack on a critical electricity system could lead to a total failure of the National Electricity Transmission System (NETS). Consumers without back-up generators would lose their mains electricity supply at once and without warning. “A nationwide loss of power would result in secondary impact across critical utilities networks (including mobile and internet telecommunications, water, sewage, fuel and gas). This would cause significant and widespread disruption to public services provisions, businesses and households, as well as loss of life.” Restoration could take up to seven days.

Deputy Prime Minister and Cabinet Office Minister Oliver Dowden launched the Register on a visit to Able Seaton Port in Hartlepool, hosted by energy firm SSE. Mr Dowden said: “This is the most comprehensive risk assessment we’ve ever published, so that government and our partners can put robust plans in place and be ready for anything. One of those rising risks is energy security. We’ve installed the first turbine at the future world’s largest offshore wind farm, which will provide secure, low-cost and clean energy for the British people – enabling us to stand up to Putin’s energy ransom.”

For the business body Resilience First, its Chair and Board Director, Rick Cudworth, welcomed the register, describing it as a vital resource for improving the UK’s resilience. “Providing invaluable information, this document gives us the power to invest, prepare, and respond more effectively. With more detail than previously, and specific scenarios, assumptions and response capabilities set out, we encourage organisations and resilience professionals to use it to stress test and strengthen their own resilience as we all move forwards together.”

You can download the document at https://www.gov.uk/government/publications/national-risk-register-2023.

Comments

Elliott Wilkes, CTO at the cyber firm Advanced Cyber Defence Systems (ACDS), says: “What’s interesting about this is that it’s not pointing to some specific threat of imminent danger but registering the low but non-zero chance of a significant societal-level event that involves cybersecurity, on par with the impact of terrorism. That’s an important point as it shows the gravity an attack might have on daily life and the potential for disruption.

“The likelihood range the UK government assigned to this is five to 25 per cent, which they define as “highly unlikely”. In some respects, that’s a sign of progress — just a few years ago, the head of NCSC was warning about the growing likelihood of a “category one” level attack against the UK. Cyber security awareness has grown, thanks to the work of the government to spread the word, but also the effectiveness of ransomware and cyber attacks starting to get coverage in mainstream media with some degree of frequency. That increased awareness is a net plus for society.

“That said, this is a particularly high bar for the level of disruption. My more immediate concern is the much higher likelihood of cyber attacks that fall short of “catastrophic impact” or great loss of life but are nonetheless deeply disruptive to pockets of the UK, Europe, and the West. In the past few years we’ve already seen ransomware and other cyber attacks on banks, airlines, Royal Mail, airports, and others that all are vitally important to the UK economy. Russia and Russian-aligned actors are increasingly targeting governments and organisations that are critical of Putin and the war in Ukraine. The spillover from that conflict into the West has already happened, and while these may appear to be isolated events, they represent a pattern of behaviour that constitutes an attack on Western countries (as well as global nations, as we saw in the recent attack on Kenyan government services). My worry is less about a single event that causes massive loss of life but rather the complacency we risk if we don’t recognise the impact of the increasingly frequent attacks on household brand names and critical elements of the UK economy.”

And Darren Guccione, CEO and co-founder of Keeper Security, says: “Cybersecurity is national security and must be prioritised as such. Protecting critical infrastructure and the services that people rely on from cyberattacks is as important as protecting it from physical attacks, because the consequences have the potential to be equally devastating. When used for political purposes, these cyberattacks may be part of a larger effort to threaten operations, destabilise a government or disrupt critical infrastructure such as power grids, transportation networks and financial institutions. Certain malware can even be used to destroy evidence of network infiltration in cases of espionage. In the digital age, it’s clear that cyber and traditional warfare tactics will continue to converge as threat actors use cyberattacks to both support and supplement physical attacks.”

Photo by Mark Rowe; Dungeness nuclear power station, Kent coast.


© 2024 Professional Security Magazine. All rights reserved.
