Gov Slow to Address Urgent CNI Security Needs

A committee of MPs and peers in the UK has criticised the government for its lack of urgency in addressing the cybersecurity skills gap in relation to critical national infrastructure (CNI).

According to a report released following the meeting with The Joint Committee on the National Security Strategy, the shortage in specialist skills and deep technical expertise is one of the greatest challenges faced by the UK's CNI operators and regulators in relation to cybersecurity. The report also calls for ministers to step forward and take the lead in developing a strategy to give drive and direction.

The committee references the May 2017 WannaCry attack on the National Health Service, believing it demonstrated a fundamental need to ensure the UK is able to keep CNI secure from cyber-threat. They go on to say that a lack of detailed analysis of which CNI sectors and specialisms are most acutely affected is impacting on the government’s ability to understand, and therefore address, the gap between skills supply and demand.

"Our Report reveals there is a real problem with the availability of people skilled in cybersecurity but a worrying lack of focus from the government to address it," said chair of The Joint Committee, Margaret Beckett MP. "We’re not just talking about the ‘acute scarcity’ of technical experts which was reported to us, but also the much larger number of posts which require moderately specialist skills.

"We acknowledge that the cybersecurity profession is relatively new and still evolving and that the pace of change in technology may well outstrip the development of academic qualifications. However, we are calling on government to work closely with industry and education to consider short-term demand as well as long-term planning. As a very first response, government must work in close partnership with the CNI sector and providers to create a cybersecurity skills strategy to give clarity and direction. It is a pressing matter of national security to do so."

In its recommendations, the committee proposed the government should address the need for continuing professional development for teachers and lectures, enabling their knowledge to keep pace with the rapidly changing cybersecurity landscape. It also references increasing the numbers of women in the cybersecurity workforce, saying that a version of the CyberFirst Girls Competition could be used to attract returning mothers to the cybersecurity profession.

"I sympathise with the NCSC and others who have been tasked with addressing the cyber-skills gap for a few years now," said Eerke Boiten, professor of cybersecurity, De Mortfort University. "They have pumped significant amounts of money out of the five year Cyber Security Strategy into various initiatives, not all of them looking likely to be productive. In particular, an initiative to introduce cyber security at secondary schools contained no thought on how to integrate this with the computing curriculum.

"I think that both for the medium term and the gender balance issue, secondary schools have to be the focal point. The drop in take up and the general perception of the Computer Science A level are serious concerns. Increasing the number of highly qualified teachers is indeed essential, but calling for more CPD is not going to be effective until there is resource for it at a time when most secondary schools are being cut financially. 

"The government would also do well to note the points made about recruiting from abroad," he continued. "Brexit makes any job in the UK unattractive for most EU applicants; the limits on Tier 2 visas also have an adverse effect. The NSS recommendations gloss over this only where they talk of the 'implications, risks and opportunities of Brexit'."

A standalone skills strategy, promised by government in November 2016 and which would frame and give impetus to its various efforts, will be published by December 2018.

What’s Hot on Infosecurity Magazine?