State-controlled hardware and hackers: how safe is the UK’s infrastructure?

Cyber attacks are nothing new and it’s been many years since they moved out of the realm of science fiction and into the reality of the everyday world. Up until this point, cyber attacks have largely been attributed (officially at least) to cybercriminals, acting on their own behalf, rather than to any hostile government.

However, as technology advances and budgets change hands, cyberspace could be the new, 21st-century battlefield and both the EU and the UK are busy shoring up their cyber defences.

The Networks and Information Systems Directive

This directive dates back to long before the infamous WannaCry attack of May 2017. It was first proposed way back in 2013 and accepted in August 2016. Member states were then given 21 months to implement the directive into their own law, so it will only come into force in the UK on 9th May this year.

This means that, in theory at least, those in charge of managing networks and information services should be almost ready for it. Admittedly, there can be a vast difference between “should be” and “are”, as was clearly demonstrated in the way that the NHS succumbed to the WannaCry attack due to blatant and fundamental failures in its approach to IT security, such as continuing to use Windows XP, even though Microsoft had officially ended support for this operating system in April 2014.

At the same time, however, it has to be noted that no UK government will want to be left to deal with another WannaCry-style incident, so politicians of all persuasions will be highly motivated to do everything they can to prevent one.

The UK’s own cybersecurity measures

Back in 2016, the government pledged £1.9 billion to enhance the UK’s digital defences, part of which was spent on the creation of the National Cyber Security Centre, which opened in October 2016 and satisfies the requirement of the NIS directive for member states to have a national NIS competent authority or competent authorities.

The government also set a target of recruiting 80 “cyber-specials” for the National Crime Agency. The term “cyber-specials” refers both to Special Constables (who undergo full police training) and cyber police volunteers (who don’t but who do have specialist skills in relevant areas).

Last but by no means least, the government is looking at ways to train people in the skills they will need to deal with 21st-century threats. It is reaching out to businesses via its Cyber Essentials scheme and has expanded GCHQ’s CyberFirst scheme, which aims to identify and develop “young cyber talent”.

The government is also working with industry to offer more cybersecurity-related apprenticeships, particularly in the fields of energy, finance and transport. While all of this is very encouraging, how long the government will be able to hold on to talent in the public sector, when faced with competition from the private sector, is an open question. But the progress the private sector makes can also make a positive impact on public sector policies, so keep a close eye on the specialists in all realms to keep your own business and personal online activity safe.