The Joint Committee on the National Security Strategy has warned that a critical lack of skilled cyber security workers could place the UK's critical national infrastructure firms at risk of cyber-attacks and that the government is doing nothing about it.
The committee noted that the shortage in specialist skills and deep technical expertise is "one of the greatest challenges faced by the UK’s critical national infrastructure firms" and that ministers need to develop a strategy in double quick time to address the issue.
Urgent steps needed to plug the skills gap
"We’re not just talking about the ‘acute scarcity’ of technical experts which was reported to us; but also the much larger number of posts which require moderately specialist skills. We found little to reassure us that Government has fully grasped the problem and is planning appropriately," said Margaret Beckett MP, the Chair of the Joint Committee.
"We acknowledge that the cyber security profession is relatively new and still evolving and that the pace of change in technology may well outstrip the development of academic qualifications.
"However, we are calling on Government to work closely with industry and education to consider short-term demand as well as long-term planning. As a very first response, Government must work in close partnership with the CNI sector and providers to create a cyber security skills strategy to give clarity and direction. It is a pressing matter of national security to do so," she added.
Ciaran Martin, chief of the National Cyber Security Centre, told the Joint Committee that his department finds it a “constant and difficult challenge” to recruit the deep technical expertise it needs, even though it is the responsibility of the NCSC to provide specialist support and advice to critical national infrastructure firms. Rob Crook, Managing Director of Cyber and Intelligence at Raytheon UK, also told the Committee that the vacancy rate in the company’s cyber security unit was 20–30%.
The Committee noted that the danger to CNI firms is significant, considering that many such firms run legacy industrial control systems which were not designed with cyber security in mind but are routinely connected to the Internet to allow real-time monitoring.
It also found two main reasons behind the lack of skilled cyber security workers at CNI firms: the first is that private enterprises offer higher salaries to skilled and experienced cyber security workers, and the second is a persistent lack of gender diversity, which limits the size of the talent pool.
"There is no detailed analysis available of which CNI sectors are most affected, in which disciplines and at which levels of expertise the shortage is most acute, or of where these gaps leave the UK critically vulnerable. The Government cannot hope to address the problem properly until it has defined it more rigorously. The first task will be to develop a clearer, and shared, understanding of what counts as a cyber security job and skill.
"The Government should publish a framework setting out the different types of skills required to ensure the cyber security of the UK’s CNI. In doing so, it might take the framework produced by the United States’ National Institute for Cybersecurity Education as a model. This new framework should form the basis of any future initiative to minimise the cyber security skills gap," it said.
Attacks on CNI firms to double in next two years
Back in December, a report from cyber security firm Huntsman Security estimated that cyber-attacks on the UK's critical national infrastructure would rise by 100% over the next two years.
"With the ISACA predicting a global shortage of two million cybersecurity jobs by 2019, there simply aren’t enough security analysts in the UK, or even the world, to cope with the growing threat that critical infrastructure faces.
"National agencies are already reporting a significant increase in reported attacks, let alone those that pass undetected," said Peter Woollacott, CEO of Huntsman Security.
He added that, given how quickly critical infrastructure services are moving online, attackers have many more opportunities to disrupt both operations and the capability of firms to deliver essential services to citizens.
"Even a simple DDoS attack has brought services such as Sweden’s trains to their knees recently. There’s no way to block all of these potential attacks at the walls of an organisation, and security analysts will soon be overwhelmed by the sheer volume they face. If organisations can’t address these challenges, the danger to the public, and the harm to the organisation itself, will be unacceptable," he said.