CyberUK23 Reflections - The Threat to UK Critical Infrastructure

Awen Collective CEO Jules Farrow-Lesnianski attended the UK NCSC’s flagship event, CyberUK, in Belfast on 19-20 April 2023.


CyberUK continues to be so much more than a cyber conference, affording insight and collaboration opportunities across both private and public sectors, and celebrating the excellent work being done across the industry to better protect the UK and beyond. 2023 was no different, and I had a wonderful few days in sunny Belfast seeing familiar faces and meeting new people!

Amongst the many insightful presentations, speeches and panel sessions, there were a few important announcements, made by our now Deputy Prime Minister, The Rt Hon Oliver Dowden CBE MP, that should have a significant impact on UK cyber resilience and that I want to highlight. His full speech is available here (or here in video form), but I want to focus on three specific points he made.

Firstly, NCSC has now made an official alert to operators of our critical national infrastructure that they face a heightened threat from state-aligned adversaries following the Russian invasion of Ukraine. This is the first time NCSC has ever made such a public disclosure, and I believe, a welcome move to be more transparent with the British public about the significant risk that we as a nation face from cyber attacks. This is also a stark reminder that our private sector critical national infrastructure operators are still not doing enough to safely mitigate this risk which could have catastrophic effects on all of our lives.

In response, our Deputy PM also announced the government will be “setting specific and ambitious cyber resilience targets for all critical national infrastructure sectors to meet by 2022” and that he is “examining plans to bring all private sector businesses working in critical national infrastructure within the scope of cyber resilience regulations”. Whilst the introduction of the NIS Directive across the EU in 2018 was a welcome first attempt to bring cyber security regulations into effect across CNI, I believe the results gathered by our UK regulators using the Cyber Assessment Framework haven’t given them, or the government, confidence in many operators’ ability to protect against, detect, or minimise the impact of cyber attacks.

The choice of the penalty of a monetary fine of €20m or 4% of annual global turnover (the same as GDPR) set by the NIS Directive sounds significant, but I think the reality is that a significant percentage of our CNI operators don’t believe they will be in receipt of such a fine. I think this is most evident in sectors that are more akin to the public sector than private, where profit margins are minimal if not non-existent. These sectors are often heavily regulated, single points of failure in our critical infrastructure - think water, transport and healthcare as prime examples. Can you imagine the UK government or a sector regulator levying a fine large enough to bankrupt a CNI organisation? I doubt it, and I think the executive teams of these organisations do too. I hope that the government puts significant thought into how to best incentivise the directors of these organisations to invest in their cyber resilience - to my eyes, many are well remunerated for their roles, traditionally due to the risk they are taking on - but as to whether the organisational risk translates well into personal executive risk, I’m not seeing enough action from the board level of these organisations to back up that theory.

Finally, I was encouraged to hear our Deputy PM commit to examining salaries and benefits offered to cyber professionals within government. The recent media attention around the salary offered for a certain governmental cyber role has seemingly brought the message home - if you want to retain and grow the best cyber people, you need to invest in them. I’ve been disheartened to see the challenges our public sector is facing in recruiting and retaining cyber staff, and have personally felt the impact on many occasions of delayed or abandoned projects which could deliver huge value due to the lack of human resources available to support them. We cannot expect our public sector counterparts to put themselves at a significant personal loss just because they have the passion to protect our country. They are performing some of the most critical roles in our modern society, and their remuneration should reflect that. In the interim, I’m glad to be able to add my support via programmes like NCSC’s i100 scheme and the ICS COI, and encourage anyone who is able to do the same.

I hope to see these commitments from the government materialise into transformative action, and to be discussing the positive steps we’ve seen CNI make to increase their cyber resilience at CyberUK 2024, along with a happier, bigger, and even more highly skilled team of public cyber defenders alongside us.