The British government has rejected Parliamentary calls for greater ministerial control over the National Cyber Security Centre (NCSC), an arm of secretive spy agency GCHQ.
In addition, the government affirmed that it will actively try to remain a part of the EU’s Networks and Information Systems Co-operation Group, as well as its “associated work streams, and with the network of Computer Security Incident Response Teams” after Britain leaves the EU, which is currently set for the end of this month.
The news will come as a relief to those who believe British national security is under threat if EU sources of cybersecurity information are closed off to the UK after Brexit.
In its response to a House of Commons report (PDF) about the security of UK critical national infrastructure (CNI), the government said that the current oversight setup for the NCSC, where it answers to the Foreign Secretary via a long chain of officials and ministers, is “the most effective way of achieving our vision of cyber security as a core, embedded part of Government policy for every CNI sector”.
Parliament’s Joint Committee on the National Security Strategy had previously criticised the government for not having a Cabinet Office minister dedicated to overseeing the NCSC, as well as Britain’s CNI infosec improvement efforts.
The government also refused, in its response to Parliament published yesterday, to produce annual reports into how the National Cyber Security Programme (NCSP) was being delivered. These reports were something that the previous Conservative-Liberal Democrat coalition government led by David Cameron was happy to do. Parliament described this refusal as “a backwards step, given that the previous Government published Annual Reports and high-level budget breakdowns by activity”.
Although £1.9bn of taxpayers’ money is spent on that strategy every year, the government refuses to tell the public what its money is being spent on because of “national security reasons”, though it did add that a National Audit Office report into the NCSP will be published later this year.
UK CNI companies are “ultimately responsible” for the security of those installations, said the government’s response to Parliament. It appears that the tension between those who believe the government should directly run cybersecurity efforts and those who believe industry knows best what measures need to be taken has yet to be resolved. For now, the government sides with the latter half of the argument. But a bone has been thrown to those who think the state knows best.
It said: “We note the recommendation regarding mandatory corporate reporting on cyber resilience, and will give this further consideration, building on analysis undertaken as part of the 2016 Cyber Security Regulation and Incentives Review. The government agrees that cyber insurance has a part to play in reducing cyber risk.”
Separately from the report response, the government also quietly reiterated that it has a controversial “hack back” unit at its fingertips.
“Britain now has a National Offensive Cyber Programme, delivered by a Joint Mission between GCHQ and the Ministry of Defence,” said foreign secretary Jeremy Hunt, who was giving a speech in Glasgow, Scotland yesterday.