News reaction: NCC Group inputs into UK Parliament inquiry on the cyber resilience of critical infrastructure

The UK Parliament’s Science, Innovation and Technology Committee has launched an inquiry into the cyber resilience of critical national infrastructure (CNI) to explore the progress towards meeting the Government's 2025 resilience targets, and consider what more needs to be done to secure the UK's CNI.

The UK Government is, in many regards, world-leading in its approach to building national cyber resilience. The implementation of the NIS regulations, including through the adoption of the Cyber Assessment Framework (CAF), have driven up standards across CNI sectors. However, against a backdrop of increasing digitalisation, a changing threat landscape and an evolving definition of what constitutes CNI in the modern age, it’s important to keep the Government’s approach under review.

Last year, the Government announced plans to reform the NIS framework as it applies to the UK, extending the scope of regulations to include ever more critical sectors like managed service providers and energy flexibility firms. With the timelines of these reforms still to be determined, following their exclusion from this week’s King’s Speech, Parliament’s inquiry is extremely timely.

Here, CTO, Siân John, comments on the key points from NCC Group’s response to the inquiry.

There is no silver bullet solution. The cyber resilience of the UK’s CNI is a complex, ever-evolving problem that requires a complex, ever-evolving response. We do, nevertheless, believe that there are a number of measures that should be prioritised as part of the nation’s response:

• Keep pace with technological and societal developments – such as AI – by establishing flexibility, agility and periodic reviews and investing in long-term horizon scanning;
• Move forward with the previously announced reforms to the UK NIS Regulations;
• Expand the Cyber Assessment Framework (CAF) and GovAssure to more effectively meet the challenges and threats faced by CNI, including by embedding ‘Secure by Design’ principles in these frameworks, addressing supply chain risks head on and, ultimately, ensuring they do not become just another ‘tick box’ exercise; 
• Mandate the adoption of realistic, intelligence-driven cyber security assurance testing;
• Establish the evidence-base needed to make informed decisions on cyber security policies, through the formation of an Office for National Cyber Statistics;
• Reform the UK’s cyber laws, including the Computer Misuse Act 1990, so that the UK’s cyber defenders are able to do all they can to protect CNI from cyberattacks;
• Look beyond technical cyber risk toward a wider understanding of what is needed to safeguard continuity of service against non-technical supply chain risks such as supplier failure, concentration risk and service deterioration;
• Improve cyber literacy so that all levels of society, age groups and professions, including senior public sector and CNI leaders, can make informed decisions about their personal and organisational cyber resilience;
• Train and attract a skilled cyber workforce who can defend UK CNI; and,
• Promote close cooperation and collaboration with global allies, particularly the ‘Five Eyes’.

Next steps

The Committee will now host a series of evidence sessions, inviting witnesses to provide their input in person and answer some of the Committee's burning questions. It will then use the feedback received to consider whether there are any gaps in the cyber resilience of its CNI, before making recommendations to the UK Government.

NCC Group is passionate about sharing our insights from operating at the ‘frontline’ of cyber security with policymakers, so that they can make practical considerations and informed decisions about the cyber resilience of the worlds CNI.

We look forward to continuing to engage with the UK Parliament, and policymakers globally, so they can prioritise and manage cyber threats appropriately when it comes to the regulation of CNI.