A major cyberattack on UK infrastructure is likely according to the Head of the National Cyber Security Research Centre, it was reported today.

Professor Ian Robertson, an expert in cyber security from the University of Warwick's Department of Computer Science and Royal Academy of Engineering Visiting Professor of Applied Information Security, agrees:

"Having working in the security industry on the supply side for over 20 years, I agree with the assessment of Ciaran Martin that a cyber-based attack on UK utilities and infrastructure is likely and the consequences will be serious.

"However, this kind of announcement from both Government and private sources is becoming rather frequent and we need better quality information if we are to continue to give it the attention it deserves.The reports in the media mention Russia and North Korea as the main threat sources and link the later to the WannaCry ransomware hack which caused problems for the NHS last year.

"We would need to look at evidence for the attacks more closely to make a proper diagnosis, but in my view the motives of different attackers is quite different. The objective of some must be to gain a strategic advantage in time of international tension or actual war. For others, the rationale is much closer to the normal criminal who searches for a way to make money. WannaCry is in the later category. The attacks were indiscriminate and the disastrous consequences for the NHS are probably more indicative of the poor quality of their IT systems than a targeted attack.

"In fact, it is probably more important that we (and the Government) concentrate on the weaknesses, and the vulnerabilities, in the current IT systems that support the national infrastructure. The threats from other nation states and criminals will always be there and to propose that we prepare for “cyber-retaliation” sounds like a tactic to raise money for an 'arms-race'.

"From my own experience, the IT systems in the critical national infrastructure remain old-fashioned, underfunded and thus unable to withstand the sophisticated attacks which have evolved over the last decade. Standards and guidelines for IT security have improved over time but in most areas they remain “high level frameworks” which are open to interpretation and are frequently violated for reasons of short term expediency. Security bodies, like Mr. Martin's own NCSC operate mainly in an advisory capacity, they have little power to mandate testing and or to enforce improvements. Equally, in the operational side, organisations like the water companies and electricity and gas supply networks are under financial constraints that do not allow security to be a priority.

"In short, Mr. Martin and the media are right, we are at risk from external cyber threats but the real issue, as usual, is internal and is caused by under investment which has allowed vulnerabilities to remain and proliferate."

23 January 2018

Further information contact:

Luke Walton, International Press Manager

+44 (0) 7824 540 863

+44 (0) 2476 150 868

L dot Walton dot 1 at warwick dot ac dot uk