A UK parliamentary committee has urged the government to appoint a dedicated cyber security minister to help protect the country's critical national infrastructure (CNI).
The joint committee on national security strategy warned that the current level of ministerial oversight was "wholly inadequate".
It argued that the establishment of an identifiable political leader at the centre of government was required to drive change consistently across the different departments and the various CNI sectors involved.
"Unless this is addressed, the government’s efforts will likely remain long on aspiration and short on delivery," read the committee's report.
"We therefore urge the government to appoint a single Cabinet Office Minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure."
This minister would be tasked with assembling the necessary public and private sector resources and executing the measures required to defend against significant cyber threats.
They would also be responsible for the cross-government development and delivery of the National Cyber Security Strategy and Programme.
The committee recommended that the role be empowered to hold departmental ministers to account, sit on the National Security Council (NSC) and relevant NSC sub-committees, and oversee the work of the National Cyber Security Centre and the relevant section of the National Security Secretariat.
Talal Rajab, head of cyber and national security at industry body techUK, welcomed the suggestions.
"The recommendation for the creation of a Cyber Security Minister, responsible for the cross-government delivery of the National Cyber Security Strategy, has merit and should be explored further," he said.
"Much has changed since the strategy was published in 2016, with the threat to government and businesses constantly evolving. As the current strategy draws to a close, it is vital that cyber security becomes business as usual across all areas of government.
"The appointment of a Cabinet Office Minister designated as a cyber security lead could help ensure government remains one step ahead of the threat and drive real change across departments."
The trade body's thoughts were echoed by blockchain startup VChain, which has developed a document verification system for airports, a potential target for critical infrastructure attacks.
VChain CEO Irra Ariella Khi argued that cyber security leadership from the government was essential to ensure that security was built into any critical systems.
"As these MPs have correctly identified, only strong leadership from the government can enforce this forward-thinking approach across critical infrastructure," she said.
"Appointing a cybersecurity minister would demonstrate a proactive, preventative approach from government to secure the UK’s national assets, international borders, and the sensitive data of our citizens."
Changing government strategies
The risk of the type of attack on critical infrastructure that hit Ukraine's energy grid in 2015 and 2016 is growing and the threat is evolving.
In January, Ciaran Martin, the head of the National Cyber Security Centre (NCSC), told the Guardian that he anticipated such an attack on the UK within the next two years.
"I think it is a matter of when, not if and we will be fortunate to come to the end of the decade without having to trigger a category one attack," he said.
There is currently no single minister with responsibility for the cyber resilience of critical infrastructure across the UK, or for cyber security in general.
Instead, day-to-day oversight of cross-government efforts to protect CNI is currently led by officials, with ministers only occasionally "checking in", procedures that the committee said are unfit for the task.
The appointment of a cyber security minister would help create an integrated strategy for the defence of CNI.
"It would bring the UK closer to the approach of other countries where a national approach to cyber security is not just nice-to-have; it is a fundamental feature of the country’s approach to security," added Khi.
She will hope that the UK can find a more qualified candidate than Japanese cyber security minister Yoshitaka Sakurada, who last week admitted that he has never used a computer, but recent developments across government suggest this is not guaranteed.