The potential for cyber attacks to cause damage to vital infrastructure is a real and credible threat which requires a coherent and effective strategy, says a new Chatham House report, Cyber Security and the UK’s Critical National Infrastructure. However, the cyber security threat cannot be met by government alone.
There appears to be no coherent picture of what constitutes a cyber vulnerability, and little consensus on the nature and gravity of the problem. A more coherent picture of what the consequences or severity of that vulnerability might be is required in order to mitigate and manage the threat and capitalise on the opportunities cyberspace presents.
This report examines the extent of national dependencies on information and communication technology (ICT) and what can be done to manage vulnerabilities within the Critical National Infrastructure (CNI).
Essential services such as water, gas, electricity, communications, transport and banking are all ICT dependent. With this dependency can come vulnerability to aggressors and criminals and even the merely mischievous.
Paul Cornish, a report author, says:
'There is a need to raise awareness about the constantly evolving character of cyberspace. Given society’s reliance upon digital processing and communications, governments are right to take cyber security seriously. However, it is not a problem to be met by governments alone - as a society-wide challenge it requires a society-wide response.
'This report seeks to raise awareness about the constantly evolving character of cyberspace and the levels of awareness required to meet it successfully.'
Key findings of the report include:
- The government cannot provide all the answers and guarantee national cyber security in all respects for all stakeholders. As a result, Critical National Infrastructure enterprises should seek to take on greater responsibilities and instil greater awareness across their organizations
- All organisations should look in more depth at their dependencies and vulnerabilities. Awareness and understanding of cyberspace should be ‘normalised’ and incorporated and embedded into standard management and business practices within and across government and the public and private sectors
- Cyber terminology should be clear and language proportionate to the threat. It should also encourage a clear distinction to be made between IT mishaps and genuine cyber attacks
- Research and investment in cyber security are essential to meeting and responding to the threat in a timely fashion. However, cyber security/protection should not be the preserve of IT departments but of senior executive boards, strategists and business leaders and it should be incorporated into all levels of an organization.
Notes to Editors
Cyber Security and the UK’s Critical National Infrastructure by Paul Cornish, David Livingstone, Dave Clemente and Claire Yorke, is supported by information intelligence experts BAE Systems Detica.
Protecting and Exploiting Cyberspace in the UK’s Critical National Infrastructure
Wednesday 14 September 17:30 - 19:00
In March 2009 the International Security Programme at Chatham House, in conjunction with Detica, published Cyberspace and the National Security of the United Kingdom, which detailed the growing problems of cyber security.
This current project builds on the findings of this report to examine how widespread dependencies on information and communications technology are being managed by government, Critical National Infrastructure, and wider UK society.
Research was conducted through a series of interviews with different parts of CNI and focused on senior management and board members rather than technology specialists in order to understand how the leaders within CNI view the challenges from cyberspace. All interviews were conducted under a confidentiality agreement in order to promote frank and meaningful discussion.
Nicola Norton: +44 (0)20 7957 5739; +44 (0)7917 757 528
Sara Karnas: +44 (0)20 7314 2787; +44 (0)7775 037 700
Francis Grove-White: +44 (0)20 7957 5725