The UK’s cyber vulnerabilities

big ben

Government outlines the UK’s strategic cyber security policies for the coming 12 months, with critical national infrastructure a clear priority 

National Infrastructure are those facilities, systems, sites, information, people, networks and processes, necessary for a country to function and upon which daily life depends.  It also includes some functions, sites and organisations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public (civil nuclear and chemical sites for example). 

In the UK, there are 13 national infrastructure sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water. Several sectors have defined ‘sub-sectors’; Emergency Services for example can be split into Police, Ambulance, Fire Services and Coast Guard. 

Each sector has one or more Lead Government Department(s) (LGD) responsible for the sector, and ensuring protective security is in place for critical assets. Not everything within a national infrastructure sector is judged to be ‘critical’. The UK government’s official definition of CNI is: 

Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in: 

  • Major detrimental impact on the availability, integrity or delivery of essential services – including those services whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or 
  • Significant impact on national security, national defence, or the functioning of the state. 

National Cyber Security Strategy 

The Covid-19 pandemic has highlighted the vulnerability of the UK’s critical national infrastructure (CNI) to disruption by malicious actors, and ensuring the resilience of such essential services will be a clear priority throughout 2021, according to the government’s annual National Cyber Security Strategy 2016-2021 (NCSS) progress report, which was last updated at the end of 2020.  

In the introduction to the 2020 progress report, which reflects on progress already made against the NCSS goals and outlines future priorities as the strategy enters its final year, Paymaster General, Penny Mordaunt wrote that the tumultuous events of the Coronavirus pandemic has done much to reinforce the importance of cyber security to the UK’s national wellbeing. 

“Millions of us have been relying more heavily on digital technology to work, shop and socialise,” wrote Mordaunt. “It has been an empowering and liberating force for good at a time when people have felt confined. It has been a lifeline keeping people connected with family and friends, ensuring the most vulnerable receive medicines and food deliveries, and is underpinning the operational delivery of our ongoing response to the pandemic. 

“But alongside the clear benefits technology brings come growing opportunities for criminals and other malicious actors, here and abroad, to exploit cyber as a means to cause us harm. That is why the role of this strategy and the diverse range of talented and committed cyber security professionals across all sectors of our economy are so important in keeping citizens and services safe. 

“The UK’s departure from the European Union presents new opportunities to define and strengthen our place in the world as a sovereign and independent country. That includes how we tackle existing and emerging cyber security threats at a time when the global landscape is changing dramatically.” 

Mordaunt added: “Our approach to cyber security strategy post-2021 will reinforce the outcome of the current Integrated Review of the UK’s foreign, defence, security and development policy. It will ensure we can continue to defend the UK against evolving cyber threats, deter malicious actors, develop the cyber skills and cyber sector we need and build on the UK’s international leadership, influence and action on cyber security in the years ahead.” 

In the past year, the government has run several initiatives to evolve and strengthen the approaches that CNI organisations take to cyber security, working across government, with various regulators and public and private sector organisations to build a collective understanding of the challenges faced by CNI owners, and develop new strategies to address them. 

This work has included improvements to cyber security regulatory frameworks and the establishment of a Cyber Security Regulators Forum, and the ongoing implementation of the Network and Information Systems (NIS) regulations, which a post-implementation review seems to suggest are proving quite effective at strengthening security approaches among operators of essential services. 

Throughout this year, the government will continue to work across CNI sectors to improve assessment and reporting processes, and plans to develop bespoke penetration testing frameworks to help telco operators in particular defend against, manage and recover from cyber attacks. 

It will also put more energy into improving understanding of the UK’s supply chains and dependencies – which is especially vulnerable to disruption thanks to the government’s approach to Brexit. 

The report outlined plans to extend the deployment of the National Cyber Security Centre’s (NCSC’s) Active Cyber Defence (ACD) programme beyond traditional government sectors in support of private sector CNI. An ACD Broadening project will aim to build on the success of the programme and expand it out to a broader range of sectors to allow them to benefit from automated protection from commodity cyber threats. 

Currently, the service includes protective domain name services, web and mail checks, host-based capability, logging, vulnerability disclosure, the Exercise in a Box programme and the Suspicious Email Reporting Service (SERS). While some of these – most notably Exercise in a Box and SERS – are currently publicly available, others are only made available to public sector bodies. 

The NCSS progress report also outlined other key priorities for 2021, which include: enhancements to the UK’s threat intelligence capabilities; the expansion of cyber crime deterrence programmes such as the National Crime Agency’s (NCA’s) CyberChoices scheme and the ongoing introduction of Cyber Business Resilience Centres around the UK; improving the NCSC’s ability to respond to cyber incidents, including possibly automating some aspects of the process; enhancing security by design standards for connected products and services, working with bodies such as ETSI; bolstering cyber security resilience within the public and private sectors; and developing the UK’s cyber security sector through ongoing startup and scaleup acceleration projects and skills programmes. 

However, 2021 also marks the end of the NCSS in its current form, and there is still no clear idea as to what comes next. The NCSS has been heavily criticised – including by the National Audit Office (NAO) – for missing targets and goals, and although the report made no mention of its misfires, it did highlight the need to plan for the future. 

The report highlighted several developing trends that will inform government strategy after 2021, notably: the increasing reliance on digital networks and systems as surfaced by the pandemic; the increasing pace of technological change and greater global competition; a wider range of cyber adversaries as more criminal groups gain access to commoditised attacks and state-backed actors enhance their capabilities; and competing visions for the future of the open internet and the possible risk of its fragmentation, which the government said will make consensus on norms and ethics in cyber space harder to reach. 

The UK’s approach to these challenges are largely defined by the outcomes of the Integrated Review of Security, Defence, Development and Foreign Policy. 

“The achievements of the last four years mean we start from a position of strength,” wrote the report’s authors. “Cyber security is an area where the UK can genuinely claim to be world-leading. But a changing global context will require a renewed response. The UK will need to strengthen our cyber resilience to drive economic recovery, get ahead of changing technologies, and enhance our international cooperation and engagement to work towards a more stable cyber space. 

“We will not achieve this unless we continue to work ever more effectively with partners in the UK and abroad – the devolved administrations, businesses, universities, local authorities, civil society, international allies and individual citizens – wherever they share our vision of the benefits that cyber space can bring. The government will continue to consult and engage with our partners as we develop our approach for the future.” 

Mimecast research 

In 2020, the global pandemic caused a global shift to remote and hybrid work, forcing organisations to pivot the way they operate practically overnight — with little to no preparation. And where most organisations saw crisis, cybercriminals saw opportunity. Mimecast’s recent report and survey from 1,225 global IT decision makers and underscored by Mimecast Threat Center research determined the dramatic effects Covid-19 has had on infrastructure and business’s cybersecurity resilience.  

Cybercriminals have changed the way they do business. Security and IT teams must do the same. More than six in ten companies suffered a ransomware attack last year. On average, organisations experienced six days of downtime as a result – double the amount of time as the year before. 

Email threats dramatically increased in 20202 when remote working was introduced. Cybercriminals took advantage of the rise in digital activity with new social engineering attacks, detected by the Mimecast Threat Center and affecting 64% of workers.  

79% of organisations were hurt by their lack of cyber preparedness. Even still, email security at more than 40% of businesses falls short in one or more critical areas, and 13% of businesses don’t have an email security system at all.  

It is evident that the pandemic has changed lives in many ways including the worlds digital revolution. With digital, comes great cyber risk, organisations, government and critical infrastructure must remain vigilant and increase their cyber resilience and knowledge to best combat the new digital age.  

Commentary: Dr Jamie Collier, Intelligence Analyst at Mandiant Threat Intelligence 

The cyber review has correctly identified that cyberspace is an increasingly contested domain. While the National Cyber Force signals a greater willingness to engage, it is encouraging that the language demonstrates there is still a focus on remaining a responsible player. This is therefore not a complete overhaul of the current playbook but the National Cyber Force responds to a threat landscape that is growing in complexity for at least three reasons. 

First, beyond the big four of Russia, China, Iran, and North Korea, other states are now developing cyber capabilities. Vietnam is one example of a country that has quickly ramped up its ability to conduct cyber operations. The UK must therefore plan ahead and anticipate the growing threat posed by emerging players. 

Second, cybercriminals are becoming increasingly professionalised and sophisticated. This is showcased by the growing scourge of ransomware operations – where data is encrypted and rendered unusable unless an extortion fee is paid. The issue has quickly moved from something of a nuisance to a matter of national security. This has been showcased over the past year by the prominence of ransomware operations targeting critical infrastructure and the healthcare sector amidst a global pandemic. 

Third, the UK must counter growing levels of online disinformation. These operations are now conducted by a variety of countries beyond Russia. Here, the link between disinformation and cyber security is increasingly blurry. For instance, disinformation operators are known to first steal sensitive documents before leaking them at a time intended to cause maximum disruption. These campaigns will also often seek to compromise and then use government social media accounts or websites as a platform to distribute their message. 

Commentary: Prutha Parikh, Senior Security Research Manager, Trustwave SpiderLabs 

The COVID-19 pandemic created enormous challenges for businesses worldwide – and cybersecurity challenges were prominent among them. Employees transitioning to working from home created new vulnerabilities in network systems designed for a centralised, in-office workforce. As a result, there was a subsequent spike in cybercriminal activity, as bad actors hastened to take advantage of the situation, along with an increase in malware attacks and other network security threats. 

With the move to remote work, we saw a sudden surge in the use of personal devices accessing corporate networks while being connected to home Wi-Fi networks. These home networks can be largely unsecured, making them a primary target for attackers looking into a point of access.   

Enterprise-level security solutions do not guard systems on home networks. Home networks typically use obsolete software and are not regularly patched, making them much more appealing to cybercriminals. This shift to home network utilisation has exponentially expanded the edges of corporate networks, requiring organisations to adapt their protections. In our research, we noticed an uptick in VPN and video conferencing tool vulnerabilities – along with insecure, open access to remote access tools and external services directly accessible over the Internet.  

Organisations should always take a holistic approach to security. The SolarWinds supply chain attack showed that a well-rounded defense-in-depth approach to detection and response is critical when prevention fails. From a network security best practices standpoint, the SolarWinds compromise shouldn’t deter organisations from installing patches from suppliers.   

As mentioned in the 2021 Network Security Report, having an up-to-date asset inventory, continuously monitoring the network for known vulnerabilities, and ensuring systems having the latest patches installed should remain an integral part of an organisation’s holistic security program.    


To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here.

Media contact

Rebecca Morpeth Spayne,
Editor, Security Portfolio

Tel: +44 (0) 1622 823 922