Even though Parliament isn’t sitting, each week Hansard publishes the written answers to Parliamentary questions tabled before the recess started and whose answers have finally emerged from the civil service sausage machine and been signed off by the relevant Minister. I have just caught up with the latest list, which includes the answer to the question I tabled five or six weeks ago on electromagnetic pulses (EMP) and the National Security Strategy.
My question followed on from a scary briefing I had attended on the threat of EMP attacks on the critical national infrastructure. (Some comments have suggested that the briefing was scare-mongering rather than scary, although I remain convinced – as subsequent discussions I have had with people who know about the subject have confirmed – that the subject has real substance and should be taken seriously).
The answer I have received from Lord Alan West is as follows:
“The Government’s updated National Security Strategy takes into account the threat posed to UK interests, including the critical national infrastructure, by the full range of “threat actors”, a definition that includes natural hazards, as well as individuals or organisations with malign intent. The associated Cyber Security Strategy of the United Kingdom, published alongside and reflected in the National Security Strategy update, considers a number of methods of cyber attack, including those that generate high levels of power that can damage or disrupt unprotected electronics.
In addition, the Centre for the Protection of National Infrastructure (CPNI) provides advice on electronic or cyber protective security measures to the businesses and organisations that comprise the UK’s critical national infrastructure, including public utilities companies and banks. CPNI also runs a CERT service which responds to reported attacks on private sector networks.”
Reading between the lines, I take this to mean that EMP attacks (and including natural pulses emitted by the Sun) are considered as part of the Strategy and that the CPNI provides relevant advice. I am reassured by the first part of the answer, but less convinced by the second part – I received similar-sounding answers to my questions a few years ago about the advice that the CPNI (or its then predecessor) were giving about information security. And the big question remains: it is only advice, is anyone actually doing anything?