The government has refused to commit to making all civil servants undergo ongoing cyber security training, but said it is willing to “think creatively” about how to address the need for cyber skills after MPs and peers raised concerns about its capacity to deal with security threats.
In its report in July, the Joint Select Committee on the National Security Strategy said the government should “explore more creative options in building cyber security capacity” both within its departments and in businesses that uphold critical national infrastructure such as the NHS.
The committee said all civil servants should be made to undergo basic cyber security training and continuing professional development, and called for an online portal setting out the material and financial support available to all organisations involved in critical national infrastructure to help them recruit people with cyber security skills and upskill existing employees.
In its response, published today, the government said civil servants are required to undergo training on the government’s security classification policy, “including basic elements of cyber security”. “Different departments set their own mandatory training on the basis of their particular circumstances, including their own risk profiles,” it added.
However, it did not address the committee’s call for mandatory CPD in cyber security skills.
Responding to the recommendation to set up an online portal, the government said there were already various mechanisms for sharing information about skills-related support for organisations, but added: “Given the importance of CNI we will consider what more can be done to make this easier to navigate and provide more tailored advice.”
It also responded positively to the committee’s call to roll out the Industry 100 initiative – which sets a target for the National Cyber Security Centre to work closely with at least 100 industry professionals – to government departments, critical national infrastructure operators and regulators that lack the skills they need to combat cyber threats.
“Extending the Industry 100 initiative may be a creative option to build more capability,” read the government response. It said more assessment was needed of the differences between the initiative’s existing model and the one proposed by the committee.
"The government accepts the need to think creatively about current and future challenges relating to cyber skills," the report said.
"This is a start," said the committee’s chair, Margaret Beckett. However, she added: “The committee remains to be convinced that government has grasped the immediate challenge of keeping critical national infrastructure secure from cyber threats.
“Many of the plans set out in this response will come to fruition in a decade’s time. It fails to answer our questions about today and tomorrow – and this is concerning.”
In its July report, the committee had said it was “struck by the government’s apparent lack of urgency in addressing the [national] cyber security skills gap”. Publishing a cyber security skills strategy should be the government’s “urgent priority”, it said.
In the response, the government confirmed it would publish the skills strategy by the end of this year. It would meet many of the requirements set out by the committee, it said, including assessments of the existing cyber security skills gap and of future skills needs; engagement with the devolved administrations; and an implementation plan.
The committee will examine the skills strategy once it is published to ensure it lives up to the government’s promises, Beckett said.
The response also confirmed that the government is preparing a response to its consultation on developing a cyber security profession, which it has already said will be overseen by a new cyber security council.