CNI security: managing the public/private conflict of interest
26th September 2024 • Online
Most of our CNI is in the hands of private companies. They need to spend more and tell us more.
In the UK, there are 13 Critical National Infrastructure Sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water. Because AKJ Associates runs separate events for the finance sector, for the purely public sector and for healthcare, this CNI Summit will focus on the rest. Clearly, in many of these sectors, public-private partnership is critical, but what they all share is their importance to the maintenance of the economy, safety and civil society of the United Kingdom.
These sectors face a huge range of threats, from all the standard varieties of attack on digital networks to sophisticated nation-state attacks to challenges in IoT/OT infrastructure. All of them are struggling with legacy technology. All of them face the vastly increased attack surface that comes with rapid digitalisation and the use of Cloud. And all of them require huge investment in security right now.
As Chatham House has pointed out, there are many “obvious parallels [between the] critical national infrastructure sectors [and] a UK-wide CNI sector dialogue on cybersecurity could help ensure that industries learn from each other. This could be followed up with a prioritized list of how to tackle the remaining challenges where prioritization takes into account risk, as well as the time required to mitigate it.”
Parliament has recognised the importance of this topic: “Digital infrastructure is critical for supporting growth and helping to transform the delivery of public service…Much of the UK’s CNI is underpinned by this digital infrastructure, which must be resilient to cyber attack…[but] much of the UK’s CNI is privately owned.”
And the NCSC has pointed out that CNI has to be resilient not simply against sophisticated actors in search of valuable data, but also against actors whose main aims are disruption and denial of availability.
In addition, private sector companies that underpin our national security and safety will find themselves subject to ever more regulation to counter the conflict of interest between shareholder value and profit on the one hand and investment in the security of critical systems on the other. Regulators also understand that private companies may be incentivised to constrain information sharing during incidents, limiting government entities’ ability to understand and influence outcomes critical to the country.
So, this event will feature presentations from government, the public sector and the private companies upon which our CNI rests. It will look at everything from malware, to APTs, to threat intelligence and incident response, to OT security.