Government Updates UK’s National Risk Register with Cyber Warnings

Written by

The UK government has added several new cyber-related scenarios to its National Risk Register; some of which could theoretically result in mass casualties.

The register is based on the government’s internal, classified National Security Risk Assessment, and considers malicious risks like terrorism and cyber-attacks alongside non-malicious risks such as severe weather incidents.

In the latest edition, published on July 14, the government added new scenarios anticipating what might happen in the event of cyber-attacks on digital infrastructure, water infrastructure, and police systems, as well as a mass CrowdStrike-style outage impacting IT systems.

There’s also a new section devoted to interference in democratic processes, which could come from: “attacks on election infrastructure, deterioration of the online information space, harassment and intimidation towards candidates or voters, the hack and leak of sensitive information relating to a party or a prominent individual, and any element of foreign interference in any of these.”

Read more on critical infrastructure risks: Hostile States Behind 75% of Cyber-Attacks on UK Critical Infrastructure, NCSC Warns

Among the new risks are:

  • A cyber-attack on data infrastructure: A “disruptive and sophisticated” attack against one or more UK colocation datacenters, allowing exfiltration of data, customer information, intellectual property, or operational details. Disaster recovery could take several days to weeks, while it could take years for information to be restored. This has a likelihood score of 5-25% (“highly unlikely”) and is rated “moderate”: fatalities of up to 200, casualties of up to 400 and a cost reaching hundreds of millions of pounds
  • A cyber-attack on water infrastructure: A malicious actor infiltrates the OT systems of a water company and deploys destructive malware, causing the water company to lose visibility and control of its systems. A major disruption to water supply and wastewater services for a large population could take several months to recover from and lead to physical and mental health casualties and fatalities, the register noted. It is given the same likelihood and impact score as above
  • Cyber-attack on policing infrastructure: This could result in compromised investigations/prosecutions, risk to staff safety, reputational damage, and reduction in police access to intelligence and operationally critical information. It might also reduce the effectiveness of frontline policing – resulting in the risk to life, and property, the register claimed. The most severe impacts are likely to last several days, whilst ongoing disruption could last months. Likelihood and impact scores as above
  • Digital outage: Key impacts would include shutdown of communications, emergency services, transport, border control, financial systems, and broadcasting, alongside widespread failure of smart devices and smartphones. The government assesses likelihood at anywhere between 1% and 25%+, and impact from moderate to catastrophic

New Resilience Campaign to be Launched 

Chief secretary to the Prime Minister, Darren Jones, told parliament on June 14 that the updates to the register were necessary given the proliferation of AI and the growing dependence of critical infrastructure on IT and OT systems.

“Throughout our history, the UK has overcome challenges from plagues and pandemics to war and our fair share of wet weather. It is right that we consistently evaluate the risks we could face and plan for what may come,” he said.

“This year we saw temperatures across the UK breaking records in May, only to be exceeded again in June, and AI offers new ways for criminals to carry out cyber-attacks against us, as well as offering huge opportunities for our economy and security.”

The government announced it will be launching a “landmark national resilience campaign” later this year, designed to encourage households to take simple steps to improve their resilience to risks like cyber-attacks.

What’s Hot on Infosecurity Magazine?