The government’s new risk register is heavy on cyber. Is that a good or bad thing?

What are the chances of a catastrophic cyber incident occurring in the UK in the next two years? How many might die, or be maimed, in such an incident? And how much might it cost the country? These are the kinds of unpleasant questions the government seeks to answer in its latest National Risk Register (NRR).

Since 2008, the report has been published to help businesses running critical national infrastructure (CNI), and other organisations, enhance their resilience to potential risks. The big difference between now and then is that cyber is now one of nine key “themes” examined in the report.

I recently spoke to some experts to write an upcoming feature for Assured Intelligence.

What the NRR says

For the first time, the NRR was compiled from information in the National Security Risk Assessment (NSRA), a classified document written with help from government experts. The NRR highlights potential cyber risk across multiple scenarios. These involve data theft and/or disruption to:

  • Gas infrastructure
  • Electricity infrastructure
  • Civil nuclear facilities
  • Fuel supply infrastructure
  • Government
  • The health and social care system
  • The transport sector
  • Telecommunications systems
  • UK financial infrastructure
  • A UK retail bank

The NRR ranks the likelihood of such attacks happening in the next two years as a “4” on a scale of 1–5, with 5 being the most likely (>25%). That equates to a “highly unlikely” risk with a “moderate” impact. However, as mild as this sounds, even a moderate incident could lead to up to 1000 fatalities and up to 2000 casualties, with losses in the billions of pounds. By contrast, the estimated economic damage from cyber incidents in 2000 was pegged at £10-100m.

That’s a reflection of the digital world we live in, as is the mention of AI as a potential chronic risk (as opposed to the acute risks highlighted above). Chronic risks, the NRR says, are manifest over a longer period of time and can make acute risks “more likely and serious”.

Should we be concerned?

Egress VP of threat intelligence, Jack Chapman, believes the government has it about right.

“I agree with the government’s risk assessment and its accuracy based on historic threats. Obviously this strongly depends on the geo-political landscape and how it evolves,” he told me.

“However, there’s been an increase in digitalisation in this space, meaning the risks and impact are increasing. There’s also a far higher level of uncertainty with the government’s assessment in comparison to previous reports.”

However, it’s not all doom and gloom, as steps are being taken to mitigate these acute cyber risks and build resilience into CNI, he added.

“It’s important to note that more active work is being done around cybersecurity than ever before; from putting security-by-design at the heart of new projects, to the impact the NCSC is having in the sector to help mitigate this risk,” Chapman said.

How can CNI hit back?

The big question is how exactly CNI providers can enhance resilience. Arun Kumar, regional director at ManageEngine, believes AI may hold the key, helping to identify threats “faster and more accurately” than humans. But he goes further.

“Regulation will also play a vital role in carefully managing the negative impact of AI. It’s important to maintain strong security practices such as compliance with NIST and GDPR regulations,” he told me.

“Change needs to be foreseen and carefully managed—striking a balance between utilising the benefits of AI and limiting the negative side. To this end, collaboration is also paramount, both internally and externally within the cybersecurity community, encompassing researchers, professionals, enterprises and policymakers.”

Other best practices could include enhanced password management, vulnerability scanning and prompt patching, and user education to ward off the threat of phishing. To that we could add several other best practices outlined by the National Cyber Security Centre (NCSC) here. It’s a tall order for CNI firms on an increasingly tight budget. But the alternative is undoubtedly worse.