Threat to the UK’s most critical infrastructure from cyberthreats is ‘enduring and significant’ - it's time for public procurement to catch up
Tijs Broeke
Chair City of London Police Authority | Chair London Metropolitan University | Director Government Affairs & Public Policy at HP | Connecting people
The National Cyber Security Centre (NCSC), part of GCHQ, has published its seventh Annual Review raising awareness of the increasingly unpredictable cyberthreat landscape. You can see the full review here.
NCSC warns that the UK needs to accelerate work to keep pace with the changing cyberthreats facing the UK. The review states that the threat to the UK’s most critical infrastructure from cyberthreats is ‘enduring and significant’, amid a rise of state-aligned groups and ongoing geopolitical challenges. In response, the review calls for continued collaboration with allies and industry to enhance cyber resilience and counter the “epoch-defining challenge”.
In response to the ongoing challenge the NCSC has called for continued collaboration with allies and industry to further develop its understanding of the cyber capabilities that are threatening the UK.
Earlier this year at CyberUK in Belfast, Deputy Prime Minister Oliver Dowden MP added to previous warnings from the Heads of MI5 and the FBI, to highlight the growing threat of ideologically driven cyber adversaries and the need for businesses and critical infrastructure operators to strengthen their security. At HP, we fully supported Mr Dowden’s “call to arms”, because as he says, “a safer business means a safer economy and a more attractive destination for entrepreneurs.”
Despite warnings from the Deputy Prime Minister, cyber security is not always top of mind when it comes to risk management. Users typically think about software and supply chains, but the resilience of PCs, laptops, and printers is often overlooked. This lack of protection for hardware architecture can leave businesses and the public sector vulnerable to malicious actors.
HP has recently responded to the Science, Innovation and Technology Committee’s inquiry into cyber resilience of the UK's critical national infrastructure. In our submission we argue that public sector cyber resilience strategy should prioritise analysing security and resilience capabilities in endpoint device hardware and firmware, including the ability to detect security events (that may even reach the magnitude of a breach) and recover from attacks.
One of the additional steps the Government should take is to include cyber security criteria and national security considerations in the National Procurement Policy Statement – explicitly setting cyber resilience as a procurement priority for technology, products and services.
HP welcomes the creation of a new National Security Unit for Procurement, sitting within the Cabinet Office, to work across government. We urge Government to set a timeline for the creation of the National Security Unit for Procurement, develop clear guidelines on how the new process will work, and to engage with suppliers – such as the IT sector – to set up an effective and transparent process.
The implementation of the Procurement Act is a unique opportunity to strengthen the UK’s cyber resilience and put the necessary focus on cyber security to keep the UK safe from malign actors. Ahead of the new measures going live in October 2024, we have an important window to act and prioritise cyber security in public procurement starting with our critical national infrastructure.