Executive summary
Dependence on information and communications technology (ICT) is a defining feature of a modern, interconnected and knowledge-based society and economy. The machinery of government, critical national infrastructure (CNI) – including the provision of essential services such as water, gas, electricity, communications and banking – and much of the straightforward private life of individual people are all ICT-dependent to a large degree. With this dependency can come vulnerability to aggressors, criminals and even the merely mischievous.
Public and media attention is frequently drawn to tales of hacking and espionage, and there is persistent concern about the rapid growth of cyber crime such as banking fraud and identity theft. The discovery of the Stuxnet virus in 2010 provided evidence of the growing sophistication of cyber threats and the potential damage they could cause to governments, organizations and critical infrastructure around the world.
It is clear both that the sense of threat and vulnerability is mounting and that the public and private sectors are under increasing pressure to ‘do something’ about cyber security. The United Kingdom National Security Strategy (NSS) and Strategic Defence and Security Review (SDSR) released in October 2010 promoted cyber security to a Tier One risk to national security, and its high status was reinforced by the UK government’s allocation of £650 million to cyber security and resilience.
What should be done to meet this challenge? And who or what is best placed to tackle the problem, given that £650 million will hardly enable the government to counter all conceivable cyber threats and that, in any case, the vast majority of critical infrastructure in the UK is privately owned?


