Examination of Witness

Cyber Security and Resilience (Network and Information Systems) Bill – in a Public Bill Committee at 3:20 pm on 3 February 2026.


Richard Starnes gave evidence.

Emma Lewell (Labour, South Shields), 3:40, 3 February 2026:

We will now hear oral evidence from Richard Starnes, chair of the information security panel for the Worshipful Company of Information Technologists. We have until 4 pm for this session.

Ben Spencer (Shadow Minister, Science, Innovation and Technology):

Q Thank you, Richard, for giving evidence this afternoon. I have a couple of questions. First, in your view, was the regulatory enforcement regime under NIS1 effective, and does the Bill, as drafted, tackle those challenges? Secondly, could you explain how information sharing and analysis centres improve cyber-resilience in the sectors in which they currently operate?

Richard Starnes:

The question about effectiveness is difficult to answer. There is the apparent effectiveness and the actual effectiveness. The reason I answer in that way is that you have regulators that are operating in environments where they may choose to not publicly disclose how they are regulating; it may be classified due to the nature of the company that was compromised, or who compromised the company. There may not necessarily be a public view of how much of that regulation is actually going on. That is understandable, but it has the natural downside of creating instances where somebody is being taken to task for not doing it correctly, but that is not exposed to the rest of the world. You do not know that it is happening, so the deterrent effect is not there.

Information sharing and analysis centres started in the United States 20 or 25 years ago, when different companies were in the same boat. The first one that I was aware of was the Financial Services ISAC, which comprises large entities—banks, clearing houses and so on—that share intelligence about the types of attacks that they are receiving internationally. They may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them. Those have been relatively good at helping develop defences for those industries.

Ben Spencer (Shadow Minister, Science, Innovation and Technology):

Q Do you think that would be helpful in this context?

Richard Starnes:

Yes. We have FS-ISAC operating in the United Kingdom and in Europe, with all the major banks, but if you took this and replicated it on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.

David Chadwick (Liberal Democrat Spokesperson, Wales):

Q Thank you for joining us. Reporting of several recent cyber-attacks has one thing in common: there were often insufficient security measures in place. British Airways in 2018 is just one example. Reportedly, the average tenure of a chief information security officer is 18 months. From your perspective, what do CISOs need from the Bill to help strengthen their hand when they are saying to a board, “This is what I need to do to keep our organisation secure”?

Richard Starnes:

On what you say about the 18-month tenure, one of the problems is stress. A lot of CISOs are burning out and moving to companies that they consider to have boards that are more receptive to what they do for a living. Some companies get it. Some companies support the CISOs, and maybe have them reporting to a parallel to the CIO, or chief information officer. A big discussion among CISOs is that having a CISO reporting to a CIO is a conflict of interest. A CISO is essentially a governance position, so you wind up having to govern your boss, which I would submit is a bit of a challenge.

How do we help CISOs? First, with stringent application of regulatory instruments. We should also look at or discuss the idea of having C-level or board-level executives specifically liable for not doing proper risk governance of cyber-security—that is something that I think needs to be discussed. Section 172 of the Companies Act 2006 states that you must act in the best interests of your company. In this day and age, I would submit that not addressing cyber-risk is a direct attack on your bottom line.

Allison Gardner (Labour, Stoke-on-Trent South):

Q You have answered the question I was about to ask. I may ask an addendum to that, but first I want to clarify something. If you put liability on an individual board member, that is going to cause problems. Do you think that there should be a statutory responsibility for the company to have a board member responsible for cyber-risk, and that the responsibility and accountability should sit at company level?

Richard Starnes:

I think this should flow from the board to the C-level executives. Most boards have a risk committee of some sort, and I think the chair of the risk committee would be a natural place for that responsibility to sit, but there has to be somebody who is ultimately responsible. If the board does not take it seriously, the C-levels will not, and if the C-levels will not, the rest of the company will not.

Allison Gardner (Labour, Stoke-on-Trent South):

Q You mentioned stringent application of the regulatory regime. Could you explain the reasons for the lack of enforcement under the current NIS guidelines? Do you feel that the regulatory regime should be streamlined?

Richard Starnes:

That is a very broad question.

Allison Gardner (Labour, Stoke-on-Trent South):

I know, sorry. I collapsed it down from quite a few.

Richard Starnes:

There is any number of different reasons. You have 12 competent authorities, at last count, with varying funding models and access to talent. Those could vary quite a bit, depending on those factors. I am not really sure how to answer that question.

Allison Gardner (Labour, Stoke-on-Trent South):

Q I am just thinking that if you are putting liability on someone, you need to make sure that they can apply the regulation in a simple and effective manner and ensure that it is enforced, so they do not carry the full burden of liability.

Richard Starnes:

True, but I would submit that under the Companies Act that liability is already there for all the directors; it just has not been used that way.

Emily Darlington (Labour, Milton Keynes Central):

Q I note your interest in how the Bill will affect smaller businesses. There is not much detail in the Bill, but how do you think the code of practice could create an environment that lifts everyone’s security up without prescribing too great a burden?

Richard Starnes:

You just stepped on one of my soapbox issues. I would like to see the code of practice become part of the annual Companies House registrations for every registered company. To me, this is an attestation that, “We understand cyber-security, we’ve had it put in front of us, and we have to address it in some way.”

One of the biggest problems, which Andy talked about earlier, is that we have all these wonderful things that the Government are doing with regard to cyber-security, down to the micro-level companies, but there are 5.5 million companies in the United Kingdom that are not enterprise-level companies, and the vast majority of them have 25 employees or fewer. How do we get to these people and say, “This is important. You need to look at this”? This is a societal issue. The code of practice and having it registered through Companies House are the way to do that. We need to start small and move big. Only 3% of businesses are involved in Cyber Essentials, which is just that: the essentials. It is the baseline, so we need to start there.

David Chadwick (Liberal Democrat Spokesperson, Wales):

Q We have heard concerns about definitions, particularly regarding incident reporting. What are your observations on the Bill as it stands, and those definitions?

Richard Starnes:

Throughout my career, I have been involved in cyber incidents from just about day one. One of the biggest problems that you run into in the first 72 hours, for example, is actually determining whether you have been breached. Just because it looks bad does not mean it is bad. More times than not, you have had indicators of compromise, and you have gone through the entire chain, which has taken you a day, or maybe two or three days, of very diligent work with very clever people to determine that, no, you have not been breached; it was a false positive that was difficult to track down. Do you want to open the door to a regulator coming in and then finding out it is a false positive?

You are also going to have a very significant problem with the amount of alerts that you get with a 24-hour notification requirement, because there is going to be an air of caution, particularly with new legislation. Everybody and his brother is going to be saying, “We think we’ve got a problem.” Alternatively, if they do not, then you have a different issue.

Emma Lewell (Labour, South Shields):

If there are no further questions, I thank our witness for his evidence. I will suspend the Committee for a few minutes because our next witnesses, who will give evidence online, are not ready yet.

Sitting suspended.
