Ministers are failing to prepare for ‘devastating’ cyber attack, MPs warn

The Joint Committee on National Security Strategy said while states such as Russia were expanding their capability to mount disruptive cyber attacks, the level of ministerial oversight was “wholly inadequate”.

It urged Theresa May to appoint a single cyber security minister in the Cabinet Office to take charge of the efforts to build national resilience.

The committee, made up of senior MPs and peers, also called on the Government to “prioritise” continued information-sharing and collaboration on cyber with the EU in the Brexit talks.

It noted the Government assessed a major cyber attack on the UK critical national infrastructure (CNI) represented a “top tier” threat to national security, with potentially “devastating” consequences.

But while ministers had explicitly acknowledged the need to improve resilience, it said their efforts had failed to match the level of risk.

“While we applaud the aspiration, it appears the Government is not delivering on it with a meaningful sense of purpose or urgency,” it said.

“Identifiable political leadership is lacking.

“There is little evidence to suggest a ‘controlling mind’ at the centre of government, driving change consistently across the many departments and CNI sectors involved.

“We are concerned that the current complex arrangements for ministerial responsibility mean that day-to-day oversight of cross-government efforts is, in reality, led by officials, with ministers only occasionally ‘checking in’.

“This is wholly inadequate to the scale of the task facing the Government, and inappropriate in view of the Government’s own assessment that major cyber attacks are a top-tier national security threat.”

The committee welcomed the establishment of the National Cyber Security Centre as the national technical authority but expressed concerns that expectations of what it could achieve were “outstripping the resources put at its disposal”.

It noted that the a recent tightening of the regulatory regime “was not the Government’s own initiative but instead flows from our acceptance of EU-wide regulations”.

Ministers needed to do more, it said, to change the culture of CNI operators in the private sector to ensure the cyber threat was addressed at board level with an understanding that it must be “proactively managed”.

“It appears that the Government is reluctant to move more forcefully and, by default, continues to rely on market forces to improve operators’ cyber resilience, despite recognising the previous failure of this approach,” it said.

The committee chair, former foreign secretary Margaret Beckett, said: “We are struck by the absence of political leadership at the centre of government in responding to this top-tier national security threat.

“Too often in our past the UK has been ill-prepared to deal with emerging risks.

“The Government should be open about our vulnerability and rally support for measures which match the gravity of the threat to our critical national infrastructure.”

A Government spokeswoman said: “Ensuring our critical national infrastructure is secure and resilient against cyber attacks is a priority for the Government, which is why we are investing £1.9bn to improve our cyber capabilities.

“Ministers have clear responsibilities that are rightly shared because every part of government must respond to the challenges we face.

“Since 2016, we have created the National Cyber Security Centre to act as the Government’s leading authority on cyber security, improving our understanding of the threat and reducing the harm from cyber attacks.

“We have made people in the UK safer in cyberspace through our Active Cyber Defence programme, and have produced best practice guidance to support Critical National Infrastructure operators.”