UK cyber-readiness is 'patchy', says Chatham House

The UK government is not sharing enough information about cyberthreats with critical infrastructure organisations, according to Chatham House, the Royal Institute of International Affairs.

The UK government is not sharing enough information about cyberthreats with critical infrastructure organisations, according to a report by Chatham House. Image credit: Chatham House

Critical national infrastructure (CNI) organisations, which include banks, utilities companies and transport companies, are not getting enough intelligence from the government about the extent of cybersecurity dangers, Chatham House analyst David Livingstone told ZDNet UK on Thursday.

"There are obvious improvements that can be made across government," said Livingstone, an associate fellow in the international security programme at Chatham House. "The government could establish a rich picture of what the threats are, a big threat picture, so people could make up their own minds about the threats that are relevant to themselves."

Both government and CNI organisations need to establish better internal strategies and risk management to deal with rapidly evolving attacks, Chatham House said in a report published on Wednesday.

The government responded to the criticism on Thursday, saying that it "recognises that the threat from cyberattacks is real and growing", and adding that it had dedicated £650m to cybersecurity over the next four years.

"Closer collaboration between the government and the private sector is crucial to protecting our interests in cyber-space, including critical national infrastructure," the Cabinet Office said in a statement. "The government will shortly set out how it will achieve this in a new Cyber Security Strategy."

'Patchy' knowledge

In both the public and private sectors, cybersecurity knowledge across the CNI is 'patchy', according to Livingstone. Deficiencies are not confined to one industry sector, but spread throughout CNI. For example, organisations had failed to recognise that crucial suppliers were at risk, instead relying on a service-level-agreement (SLA).

"[One organisation] did not identify critical vulnerabilities in highly cyber-based, critical supply chains," said Livingstone. "SLAs are no good when your supplier has been completely and utterly taken out. When your own business is failing, and quickly, it's probably too late to revert to contract and point out agreements."

The CNI industry should request independent audits, which cover established information security standards, plus wider security questions such as staff vetting, said Livingstone. Often, organisations with a single, high-level person in charge of cyber response were best equipped to deal with cyberthreats, Livingstone added.

In a cybersecurity report released on Wednesday, the Zurich Insurance company found that over a quarter of the UK's medium-sized technology companies felt highly exposed to risks from cybercrime. Almost a third of technology companies rank intellectual property protection as "a key factor", Zurich said in a statement on Wednesday.