MPs have called for the appointment of a dedicated cyber security minister to tackle the “potentially devastating” threat hostile states pose to the UK’s critical infrastructure.
In its latest report, the Joint Committee on the National Security Strategy warns that “complex arrangements for minister responsibility” mean officials, rather than ministers, are often leading on security issues.
Sign up to Emerging Threats, our weekly cyber security newsletter
There are currently at least six ministers working across five government departments with cyber security as part of their portfolio, but none are exclusively focused on the task of protecting the UK from the rising cyber threat.
The Cabinet Office minister, David Lidington, is charged with overseeing the delivery of the National Cyber Security Strategy, as well as being responsible for implementing all Cabinet Office policy. Ben Wallace, the Home Office’s security minister, has cyber security and cyber crime as part of his official portfolio – alongside 12 other responsibilities.
As foreign secretary, Jeremy Hunt has ultimate responsibility for the Foreign and Commonwealth Office’s work on cyber security, while one of his ministers, Lord Ahmad of Wimbledon, is sometimes described by government as “foreign officer minister for cyber,” although he has three official titles and none of them feature the word “cyber”.
Meanwhile, Margot James often leads on the issue of cyber skills – a key part of the UK’s National Cyber Security Strategy, but reports to culture secretary, Matt Hancock, rather than the minister in charge of the strategy, David Lidington. Finally, Lord O’Shaughnessy, parliamentary under secretary of state for health, is in charge of cyber security in the NHS.
“[The current arrangement] is wholly inadequate to the scale of the task facing the Government, and inappropriate in view of the Government’s own assessment that major cyber attacks are a top-tier national security threat,” the committee warned.
“There should be a Cabinet Office Minister designated as cyber security lead who, as in a war situation, has the exclusive task of assembling the resources—in both the public and private sectors—and executing the measures needed to defend against the threat.”
Under the proposals, the minister would be accountable for all government work on the National Cyber Security Strategy, holding ministers to account, sitting on the National Security Council, and overseeing the work of the National Cyber Security Centre.
The committee praised NCSC’s work to date, but said it had concerns about its capacity to shoulder the rising demand for its services, and urged government to publish a strategy for scaling up the organisation.
Andrew Tsonchev, director of technology at Darktrace Industrial, said that while ministerial oversight is “essential”, the issue “requires significant investment by the private sector in new security technologies”. He added that “the appointment of a dedicated Cyber Security Minister may indeed help to coordinate these efforts and align national priorities of growth and defence”.
Irra Ariella Khi, chief executive of blockchain startup VChain, also backed the proposals. “Appointing a cybersecurity minister would demonstrate a proactive, preventative approach from government to secure the UK’s national assets, international borders, and the sensitive data of our citizens.”
A government spokesperson said: “Ensuring our critical national infrastructure is secure and resilient against cyber attacks is a priority for the Government, which is why we are investing £1.9bn to improve our cyber capabilities.
“Ministers have clear responsibilities that are rightly shared because every part of government must respond to the challenges we face.
“Since 2016, we have created the National Cyber Security Centre to act as the Government’s leading authority on cyber security, improving our understanding of the threat and reducing the harm from cyber attacks. We have made people in the UK safer in cyberspace through our Active Cyber Defence programme, and have produced best practice guidance to support Critical National Infrastructure operators.”