The head of the National Cyber Security Research Centre has warned that it is a matter of "when, not if" a devastating cyberattack on UK infrastructure will occur.

Dr Benjamin Farrand, Associate Professor in the University of Warwick's School of Law and expert in cyber security, comments on what this would lead to and how to defend ourselves against an attack:

"The comment by Ciaran Martin, head of the National Cybersecurity Centre - that it is a matter of “when, not if” a category one cyber-attack happens in the UK - is not hyperbole, but largely a statement of fact. Not only are cyber-attacks becoming more sophisticated and far-reaching, but the number of organisations, individuals and objects that can be the focus of such an attack are increasing.

"With national infrastructure relying upon network-facilitated systems for communication and remote access, as well as our information infrastructures such as telecommunications systems being of critical importance to public and private life, widespread outages as the result of attacks on information systems could cause significant social and economic harm, necessitating a national response.

"Furthermore, the lines between public and private are blurring. Cyber-attacks may be orchestrated by states, facilitated by private actors (such as Russian President Vladimir Putin’s so-called ‘Putin’s Army’), or alternatively, private individuals or organisations hire out their technical skills to organised crime groups or national actors to facilitate attacks. For this reason, close cooperation between the public and private sectors in the UK is essential for ensuring the resilience of information systems, and effective defence. Many private providers of critical information systems may have significant security vulnerabilities that may choose not to disclose so as to not lose their competitive commercial edge, but leave them open to cyber-attacks.

"Similarly, public bodies such as the NHS have demonstrated the vulnerability of their systems to attack due to unpatched or out-of-date software. Protection against categeory one cyber-attacks in this context is not dependent on reactive adaptations to these attacks after the fact, but learning from smaller attacks on individual private or public actors, and developing proactive policies for ensuring resilience against attacks, based on information sharing, identification of security best practices, and complete transparency in the event of an identified vulnerability."

23 January 2017

Further information contact:

Luke Walton, International Press Manager

+44 (0) 7824 540 863

+44 (0) 2476 150 868

L dot Walton dot 1 at warwick dot ac dot uk