Time for the UK to strengthen cybersecurity

Ex-security chief Ciaran Martin blames Russian hackers for the recent attack on the NHS. According to The Times, experts say it could be weeks or even months before systems can be restored safely.

A group known as Qilin is believed to have targeted the IT systems of NHS provider Synnovis, causing cancellations at London hospitals. The attack has led to the widespread cancellation of non-urgent surgery and inpatient admissions at King’s College Hospital and at Guy’s and St Thomas’ (including the Royal Brompton and the Evelina London Children’s Hospital). Primary care in southeast London has also been affected.

Meanwhile, the Health Service Journal reported in April that a new NHS England programme aimed at expanding cybersecurity resilience is facing a budget cut of 50 per cent and the possibility that it may not receive any funding this year.

Despite joint warnings from the heads of MI5 and the FBI that organisations on both sides of the Atlantic are increasingly being targeted by state-sponsored hackers, it feels as though the cybersecurity threat to public services is not yet always at the forefront of minds when it comes to managing risks.

End-point security is a major challenge, particularly for the public sector. The Government’s Cybersecurity Strategy is very welcome but fails to mention device security once. When it comes to cybersecurity, everyone typically thinks about software, but the resilience of our PCs, laptops and printers is often underappreciated.

A lack of protection for hardware in our schools and hospitals leaves the UK vulnerable to malign actors, and the data shows that the Government remains an attractive target for cyber attackers, with 40% of cyber incidents between 2020 and 2021 affecting the public sector.

There are three simple steps a new Government could take to up our game:

  1. The National Procurement Policy Statement (NPPS), which sets out national priorities and guidance for contracting authorities, should set out cyber security requirements as a required purchasing criterion in public sector procurement.
  2. Mandate device security requirements as one of the award criteria for the purchase of laptops, computers, and printers - using the expertise and guidance from the National Cyber Security Centre to set stronger cyber requirements for the public sector and its supply chain, including hardware security. Strengthening these requirements would help protect schools and hospitals, which have seen a sharp rise in both the amount and sophistication of attacks in recent years.
  3. Monitor compliance and set out transparent mechanisms to intervene or exclude providers where necessary.

Taken together, these measures would help safeguard the UK from any potential attack from rogue actors and nation-states and bring us into line with best practice from across the world.

It was extremely welcome that Labour’s Shadow Cabinet Office Minister Florence Eshalomi last year proposed to add “cyber security” to the new Procurement Act. This amendment would have made cyber security one of the strategic national priorities for procurement, but unfortunately the Government rejected this proposal and also missed an opportunity to strengthen the revised National Procurement Policy Statement.

NHS cyberattack: Ex-security chief blames Russian hackers (thetimes.com)

Exclusive: Cyber security budget faces 50% cut | News | Health Service Journal (hsj.co.uk)

https://www.gov.uk/government/publications/government-cyber-security-strategy-2022-to-2030

It's crucial to beef up cybersecurity in the public sector. Security first, y'all. Tijs Broeke
