Critical Infrastructure Security
,
Geo Focus: The United Kingdom
,
Geo-Specific
Risk of Espionage and Disruption Key Risks, Lawmakers Warned
The British government is “extremely worried” about the Chinese and Russian cyberespionage and disruptive hacks, government officials told a parliamentary committee on Monday.
See Also: Essential Elements to Consider when Choosing a Micro-Segmentation Solution
The United Kingdom has faced a “substantial escalation in cyberthreats” in the last three years, said Bella Powell, cyber director of the government security group in the Cabinet Office, during a Parliament Public Accounts Committee hearing.
“We assess Russia and China, from a nation-state perspective posing substantial risk. Russia tends to be an irresponsible actor, and what that means in practice is that there may be a significant impact across a number of organizations in the U.K.,” Powell said.
Powell added that the critical infrastructure hacking by the Chinese nation-state hacking group tracked as Volt Typhoon in the United States is an indication of possible attacks against the U.K. as well (see: Chinese State Hacker ‘Volt Typhoon’ Targets Guam and US).
“They have been identified as conducting pre-positioning activity on the U.S. critical national infrastructure with the potential to escalate that to disruptive and destructive activity. And that is a clear indicator of the scale of threats from Chinese state actors and from their intent to disrupt essential services,” Powell said.
Another official testified the growing sophistication of threat actors is further cause for concern.
“We should be extremely worried. Hackers have been more aggressive and more careless in their attacks than we’d expected. We’re also now worried about the risk of disruption of essential services,” said Vincent Devine, government chief security officer and the head of the government security function at the Cabinet Office.
Hearing witnesses cited ransomware hacks against the National Health Service and the British Library as examples of disruptive hacks.
The hearing was convened following National Audit Report findings that the government failed to secure legacy IT systems. The auditor found nearly 58 systems underpinning critical functions lacked “fundamental system controls” (see: Critical UK Government Systems at High Risk, Warn Auditors).
Catherine Little, permanent secretary to the Cabinet Office, acknowledged the widespread use of legacy IT as one the primary “security gaps” faced by the government.
“The ability for us to keep up is challenging, and the challenges that make it particularly difficult is the state of our legacy IT, the scale of it, the complexity of it is a very serious issue,” Little said.
While the U.K. departments and their leadership did a poor job in assessing cyber risks within their organization, it has steadily improved in the last three years, Powell said.
“We have made some significant changes especially in the last three years, especially in ensuring that seniors across the government have a clear picture of what the threat environment looks like,” Powell said. “More importantly, we have only recently started to give a really clear picture to senior leaders across the government of what we expect from them in terms of the current requirements.”