The government defines critical national infrastructure (CNI) as infrastructure which if lost or compromised could result in significant casualties, or have significant impact on national security and the functioning of the state. This policy is a pledge to “take action to” protect CNI, to strengthen the security of essential services. This includes shielding CNI from foreign influence and putting in place appropriate defences in an increasingly digitised and interconnected landscape. Note that the wording of this promise means the government has simply promised to do something that will help increase protection – it’s not a guarantee of protection.
In August 2016, the EU adopted the Directive on Security of Network and Information Systems, requiring member states to be equipped to deal with cybercrime. In January 2018, following a consultation on the directive, the National Cyber Security Centre (NCSC) published detailed guidance on cybersecurity. Under the new framework, a simplified reporting system will allow identification of breaches, and regulators will be able to assess critical industry plans. Firms could be fined up to £17 million if they fail to put in place the best safeguards available.
However, from July to November 2018, the Joint Committee on the National Security Strategy published two inquiries into the cybersecurity of critical infrastructure, highlighting inadequacies in ministerial oversight. Moreover, in March 2019 the government’s cybersecurity plan came under the scrutiny of the National Audit Office, which revealed that fewer than 80% of the projects to secure hospitals and power plants would be completed on schedule.
With regards to foreign ownership, in June 2018 the government amended the Enterprise Act 2002, increasing the ability of ministers to scrutinise mergers on national security grounds. Along the same line, in July 2018, the government published the National Security and Investment white paper for consultation. It proposes long-term reforms to protect the nation from national security issues related to foreign ownership, influence or control over businesses. The feedback is still being analysed.
With a new cybersecurity framework rolling out, and the development of reforms to shield critical infrastructure from the dangers of foreign ownership, the government has taken action to secure critical infrastructure. Based on the wording of the promise, this is marked as ‘done’. We’ll keep tracking developments so follow this policy to stay updated!
Secure the facts!
- Cyber Security: Critical National Infrastructure inquiry – Joint Committee on the National Security Strategy
- Progress of the 2016-2021 National Cyber Security Programme – NAO
- UK cyber-security efforts criticised by audit office – BBC.co.uk
- Centre for the protection of national infrastructure – CPNI