EU institutions will be guilty of putting their citizens at greater risk unless they co-operate with the UK over cyber security following Brexit, Theresa May’s deputy has warned.
David Lidington said that, despite a readiness on the part of EU member states to work with Britain on security, there was a doctrinal resistance in Brussels to co-operation in some areas.
The Chancellor of the Duchy of Lancaster was speaking to the parliamentary Joint Committee on National Security Strategy, which heard evidence of a rising cyber threat to the UK from states such as Russia and North Korea.
He said last year’s WannaCry ransomware attack, which paralysed computers across the NHS, brought home the need for UK authorities to get a greater grip on the vulnerability of critical infrastructure.
Mr Lidington announced new requirements for Government contractors to comply with cyber security standards. Companies will be given a credit rating-style assessment, with poor performers barred from tendering for public sector work.
Targets for disruption by Russia have spread beyond the UK’s hard infrastructure such as energy networks to include democratic institutions and the media, Mr Martin told the committee.
Priority areas for improving resilience to attack included the universal credit system, energy smart meters, the Bank of England’s settlement system, aviation and telecoms, he said.
The Government’s hopes of close co-operation with the EU on security over Brexit have been thrown into question by the decision to exclude UK companies from elements of the Galileo satellite system on security grounds.
Mr Lidington told the committee: “We remain very clearly of the view that an ambitious and systematic pattern of intensive co-operation between ourselves and the EU27 is in the national security of all of us.
“I think that view is shared by a number of EU member states.
“But there are what I would describe as doctrinal issues with the EU institutions which we hope we can find a way to overcome, because otherwise it amounts to a deliberate decision by EU negotiators to put EU citizens at greater risk than they are at the moment.
“We will continue to do what we regard as the right thing and we hope very much that at the end of the day our partners will recognise it is in their interests to work with us on this.”
On top of a long-standing pattern of attacks on infrastructure like energy systems, there was now “targeting of softer power – democratic institutions, media institutions and things relating to freedom of speech”.
He added: “We have seen a diversification by North Korea away from what might be called political retaliation attacks into, frankly, the theft of money, which is what we believe was behind the WannaCry attack.”
Mr Martin said cyber crime evolved in recent years to the point where the most sophisticated gangs were operating almost at national state level.
“There is a highly developed market in cyber attack tools and techniques,” he explained.
“Things like money laundering capabilities and data mining capabilities, so states of more modest means can acquire those capabilities.”
He acknowledged that the NCSC was facing tough competition from high-paying private sector for staff with the deep expertise needed to confront the problems, describing the situation as “challenging but not at crisis levels for us as an organisation”.
Mr Lidington told the committee: “What we are seeing is a range of cyber threats from both nation states and cyber criminals, a rising level of threat with more frequent and more complex attacks and more sectors that we can identify as being at risk.
“Last year we saw attacks on CNI (critical national infrastructure) in the health, media, telecoms and energy sectors.”
Attacks like WannaCry showed the vulnerability of networked computers to even a small-scale breach, like the insertion of an infected memory stick into a single machine.
“It is important we get a greater grip on these supply chains,” he said.
