A SHORTAGE of expertise in cyber security could affect government plans to protect the country’s critical national infrastructure (CNI), including energy, health, emergency services and defence, according to one of the industry’s leading experts.
In its latest assessment of the threats to CNI, the Cabinet Office said that the transport sector continued to face “enduringly high levels of threat from international terrorism”, while the various sectors were “core strategic interests” for foreign intelligence agencies, whose activities were likely to include espionage for economic, political, military or commercial gain.
There was also a growing cyber threat, said the National Cyber Security Centre (NCSC), with more and more devices being connected to the internet.
“With the growth of our dependence on technology comes increased risk. We know there are hostile states and cyber criminals that may seek to exploit UK organisations and infrastructure to further their own agenda and prosperity. Campaigns can be persistent, including espionage, intellectual property theft or extortion by ransoming data, or through malware.”
The Sector Security and Resilience Plans are classified documents, and the published versions give little detail – not surprisingly – about how our CNI would be protected in the event of attacks.
But Kevin Murphy, president of the Scottish Chapter of international IT professionals association ISACA, told The National the lack of expertise cast doubt on their effectiveness.
“It’s all very well having a plan, but you’ll need people to put that plan into practice, make it effective and also to update it based on the latest threats,” he said.
“Now that is very, very difficult for governmental organisations when we know across the entire cyber security industry there’s already a 60 per cent shortfall in expertise.
“So the first question is, for each respective area, who’s going to put the plans into practice?
“When you look at CNI, because the Government plays such a large part, and in the document they emphasise the NCSC – can the government agencies be effective if they don’t have the budget to give continual cyber training for their personnel?
“How can they keep the best talent to help these plans evolve? What you’ll see is the richest industries such as finance, energy and communications, will offer the highest wages and will get the best talent. They’ll offer access to the most expensive training courses.
“And because of that you will find that the defences for CNI are probably lopsided to the richest industries, and that’s not necessarily where the greatest risk is.”
Murphy – a former police officer turned international award-winning security consultant who now works for RBS – said there was a need for more cooperation between the private and public sector to address security concerns.
“We are actually doing exercises which take in a number of banks, but also on some occasions the scenario will focus on the effects of a loss of power and will take in other sectors such as emergency services.
“The government plan has to include more cross-infrastructure planning. What happens if the water supply and the electricity grid are taken out; what happens if it’s the grid and then the financial centres?
“It needs to have that aggregate risk, and it’s not clear from the document how they are thinking about it.
“They’re even talking about the NCSC with 200 employees, but there’s a discrepancy between them and the private sector in terms of salaries and training itself.”
Murphy added: “It’s not all about money – they’ll never be able to compete with the banks, so they’ll have to tell how it’s a great place to develop careers, a whole benefits package.
“Plans are just academic until they are put into place.”