Cyber threats from foreign states and criminal groups are growing more frequent and sophisticated. Cyber attacks continue to feature in the news, including prominent incidents in the last year affecting WhatsApp and British Airways.
Cyber security relates to the protection of devices, data, and services from unauthorised access, harm or misuse.
Use of online services and ‘smart’ consumer devices connected to the internet is also increasing. This means that cyber security is not just an issue for the security services or big business, but also for small businesses and individuals.
This Insight will cover threats to UK cyber security. This includes two key cyber security issues for the new Parliament: telecoms infrastructure and consumer devices.
Where do cyber threats come from?
The Conservative Government’s National Cyber Security Strategy 2016–2021 (NCSS) identified the key actors that pose a threat to UK cyber security. They are generally classified by their motive for engaging in malicious cyber activity.
- Cyber criminals. Much of the most serious cyber crime is enacted by financially-motivated Russian-language organised crime groups in eastern Europe. The threat also emanates from other countries and regions, including from within the UK. The NCSS identifies emerging threats from south Asia and west Africa as an increasing concern.
- States and state-sponsored groups. These actors regularly attempt to penetrate UK networks. This can be for political, diplomatic, technological, commercial and strategic advantage. According to the NCSS, few states have the technical capability to pose a serious threat to the UK’s overall security. But many more are seeking to develop cyber espionage capability through the use of ‘off the shelf’ hacking tools. A small number of hostile foreign states have developed and deployed offensive cyber capabilities, such as the ability to access an opponent’s networks with the intention of causing disruption, damage or destruction.
- Terrorists. Terrorist groups aspire to conduct damaging cyber activity against the UK and its interests. However, the technical capability of terrorist groups is judged to be low by the NCSS. The volume and sophistication of cyber attacks may increase if new, more technologically literate generations engage in extremism.
Which groups are the most active?
According to the 2018 Threat Landscape Report by ENISA, the EU’s Agency for Cyber Security, cyber criminals remained the most active group engaging in malicious cyber activity.
Malicious cyber activity by nation states occurred several times within the EU. This was due to geopolitical developments and tensions, most notably involving China, the USA, North Korea, Russia, Germany and the UK. Terrorism and malicious cyber activity continued to converge, motivated by the desire to launch cyber attacks, as well as to fundraise and recruit.
Securing UK infrastructure
The UK’s critical national infrastructure, including utilities, health, transport and communications, is at risk from state-sponsored cyber attacks. It is also increasingly at risk from criminal groups, which can now acquire sophisticated cyber tools.
With some key exceptions, the majority of critical infrastructure in the UK is privately owned. This raises questions regarding how far the Government should intervene in the operations of private companies to ensure that UK national security interests are prioritised.
The cyber security of UK telecoms networks has been in the spotlight in the last year. The May Government found that a stronger statutory framework for telecoms security is required. In particular, there is an outstanding decision on whether parts supplied by Chinese company Huawei and other ‘high-risk’ suppliers should be allowed in UK 5G networks. The Intelligence and Security Committee urged the incoming Prime Minister in July 2019 to take a decision on which companies will be involved in the 5G network, and suggested that debate on the issue had damaged the UK’s international relationships.
How secure are our smart devices?
Use of ‘smart’ devices connected to the internet is increasing in UK households. This includes tech products like Fitbits and smart speakers as well as everyday household items like fridges, lightbulbs and toys. Although they bring many economic and social benefits, many smart devices lack basic security features. Security weaknesses in these devices can undermine the privacy and safety of individuals. Vulnerabilities also pose wider risks, for example, if devices are harnessed en masse to carry out larger attacks.
Currently there is no specific regulation setting cyber security standards for consumer products. As a result, there is little incentive for manufacturers to prioritise security in the design of products, which comes at a cost. This places the burden on consumers, often with limited technical knowledge, to make decisions about cyber security. For example, will the device be updated automatically to fix security flaws?
The May Government developed a voluntary code of practice and labelling scheme for consumer devices that set minimum security standards for manufacturers and retailers. The Government was considering making parts of the code and labelling scheme mandatory. This would require new powers in primary legislation to be brought before the next Parliament.
- National Cyber Security Strategy 2016–2021, HM Government.
- Annual Review 2019, National Cyber Security Centre.
- Cyber Security and the UK’s Critical National Infrastructure, Third Report of Session 2017–19, Joint Committee on the National Security Strategy, November 2018.
- Progress of the 2016–2021 National Cyber Security Programme, National Audit Office.
- Cyber security in the UK, Ninety-Ninth Report of Session 2017–19, House of Commons Public Accounts Committee, June 2019.
Insights for the new Parliament
This article is part of our series of Insights for the new Parliament. This series covers a range of topics that will take centre stage in UK and international politics in the new Parliament.