Since 2010, the government has categorised major cyber attacks on the United Kingdom and its interests as a top-tier threat to our security. Given the series of attacks in 2017 affecting the NHS and the UK and Scottish parliaments, as well as reported attacks on British energy, communications and media infrastructure, it is not difficult to see why. The government’s plans for an offensive cyber capability – through the joint MoD-GCHQ taskforce announced in the wake of the poisoning of the Skripals – and the exposure of a campaign of global cyber attacks by Russia’s military intelligence service highlight that this important issue is not going away.
At the end of last year, the parliamentary committee I chair, the Joint Committee on the National Security Strategy, launched an inquiry into the cyber security of the UK’s “critical national infrastructure” (CNI) – such as government, communications, energy, transport, water and health provision – which is essential to the smooth running of daily life and to keeping our citizens safe.
Cyber security is not just about technology. It is also about people. And during our inquiry we heard that a shortage of skilled people is one of the greatest challenges facing CNI operators and regulators in securing UK infrastructure against cyber threats. Our witnesses described a talent pool limited not only by the sheer scarcity of people with the precise mix of technical expertise required, but also by a failure to tap unused potential.
The present cyber security talent pool is notably lacking in diversity. For example, only a tenth of the cyber security workforce are women. Faced with this scarcity, we were told that, in addition, CNI sectors seeking to recruit were being priced out by the cyber salary packages offered in the private sector. Simply put, there are not enough people in the UK who both possess cyber security skills and are able and willing to work in the CNI sector.
Yet, despite identifying cyber attacks as a top-tier threat, the government shows little urgency in tackling this issue. Its own 2016 National Cyber Security Strategy (NCSS) identified the need to develop cyber security talent and the profession more broadly. Its key commitment was the creation of a standalone skills strategy, but the government told us that this strategy would not be published before December – an inexplicable delay of more than two years.
We were so struck by the scale and immediacy of the problem, and by the government’s worrying lack of focus in addressing it, that, in July, we published an interim report on our CNI inquiry which was dedicated entirely to cyber security skills.
So, where should the government begin? By defining the problem. We were told in our inquiry that no comprehensive analysis exists of the types of security skills in shortest supply in the UK, the sectors of the economy (including CNI) most affected, or where – at the strategic level – these gaps leave the UK most vulnerable. There is also no conclusive analysis of how the UK compares with its international peers – its main competitors in economic and security terms.
Moreover, there is no single, shared understanding of what counts as “cyber security skills”. Our inquiry found that it covers a range of specialisms. At one extreme is the deep technical expertise required to secure systems and devices (skills possessed by network architects and penetration testers, for example).
More widely, there are the skills required by the many whose jobs now involve a cyber security element (such as teachers, HR directors, lawyers and company directors). Then there is the basic cyber “hygiene” for which all employees are responsible. We concluded in our report that analysing this disparate range of skills is the obvious and essential place to start, as the government cannot hope to address the problem properly until it has defined it more rigorously.
We also highlighted the importance of involving industry in tackling the skills deficit. It is itself a source of expertise and is uniquely placed to articulate its current and future skills needs. The government should work in close partnership with both industry and academia, not only to put in place measures to meet short-term demand for cyber skills, but also to develop a longer-term pipeline.
Such measures should include: using education, both inside and outside the classroom, to create a strong foundation for the future skills base; industry being more creative in how it recruits and reskills employees, albeit with government support; professionalising the relatively immature cyber security industry through achieving Royal Chartered status; introducing robust cross-government coordination and accountability; and identifying a minister with clear lead responsibility for developing cyber security skills.
We also encouraged the government to extend already-effective programmes more widely. For example, the CyberFirst Girls Competition could be used as a model for future programmes designed to attract mothers returning to work into the cyber security profession. The Defence Secretary’s recent announcement on “cyber cadets” in schools, who will learn the fundamentals of cyber security, might also be seen in this light.
Nevertheless, piecemeal efforts such as these will not in themselves provide the range and depth of skills required to defend our CNI against cyber threats. Without a stand-alone skills strategy, the government risks pursuing a number of individually worthwhile but disparate initiatives that fail to add up to more than the sum of their parts.
It is essential that the government, in partnership with industry and education, makes a concerted effort to address the yawning gap between the supply of and demand for cyber security skills – and does so urgently. There is much work to be done.