The risk of cyber attacks and severe space weather events such as solar storms are among the top extreme risks the UK faces, and the country is currently unprepared to assess and tackle future threats and hazards, a report from the House of Lords has found.
Following its year-long inquiry into the UK’s current risk assessment system, the House of Lords’ risk committee concluded the current set up was “not rigorous enough to justify the confidence placed in it” and that the Covid-19 pandemic demonstrated the UK’s deficiencies in that regard.
The report recommended a change in approach, from attempts to forecast risks and mitigate them to a more comprehensive preparedness system, with areas in central government dedicated to analysing risks on an ongoing basis.
When it comes to technology-related risks, the report pointed out that a cyber attack on the UK’s critical infrastructure “could wreak havoc”. In addition, it noted that extreme events in space weather such as solar storms, could render the internet inoperable for long periods of time.
The report drilled down further on the possibility of a severe solar storm and the national electricity grid coming under immense strain with blackouts occurring. It noted the world’s reliance on electricity and satellite communications for routine operations could present serious issues in the event of a severe solar storm.
“Emerging technologies such as autonomous navigation systems in cars, planes and ships, 5G mobile communications and the internet of things could increase our vulnerability to space weather,” it added.
Moreover, the report warned “critical infrastructures could be disrupted by the power and communications failures, putting lives at risk”. It also noted that satellite outages and the inability of satellite signals to reach the Earth “could throw communication and navigation systems into chaos”. As an example, the report noted that the UK’s emergency communication system used by emergency services in the UK relies on GPS and could be taken offline.
In addition, a severe solar storm could impact road traffic management systems, streetlights and rail signalling systems, the report noted. “[These systems] could fail and navigation systems could begin guiding maritime, aircraft and road traffic into dangerous locations,” it said, adding that aircraft systems failures could lead to widespread operational disruption.
The public response to such an event – which would occur “lmost without warning”, with the UK only having about 12 hours from observation to impact – could be unpredictable, the report noted. “Infrastructure failure and a breakdown of social cohesion could lead to impacts of an unpredictable direction and unknowable magnitude,” the report stated.
The government identifies and assesses risks through the process of creating the National Security Risk Assessment (NSRA), which identifies around 130 risks, including malicious and non-malicious, chronic and acute, international and domestic threats and hazards, and its public-facing version, the National Risk Register (NRR), which communicates risks to stakeholders such as the general public and businesses.
Regarding recent policy developments that are relevant to the UK’s risk assessment capabilities, the House of Lords report cited the creation of the National Science and Technology Council and the Office for Science and Technology Strategy, in July 2021.
The new bodies, which have a remit of setting the strategic technological and scientific direction for the UK, will provide insights on emerging technology, horizon scanning and capability assessments. However, the House of Lords report noted that currently there were no plans for these strategic technology bodies under the Cabinet Office to inform the National Security Risk Assessment.
On the changes needed within government to build resilience and improve the approach to risk in the centre, recommendations made in the report included more international engagement and collaboration around risk, as well as abandoning the “culture of secrecy”, especially in relation to building the NSRA, and creating teams with external specialists from different areas of expertise into the process.
In addition, the report called for the creation of the Office for Preparedness and Resilience, a non-departmental body within government with the remit of providing independent challenge to the risk assessment approach. This, according to the Lords, should be headed by a newly created role of government chief risk officer, also responsible for placing pressure on government to either mitigate or prevent disruptive events.
The report also noted that the NSRA and the public-facing NRR were presented as static, word-based documents, and that there was an opportunity for data to be better used in the government’s risk assessments.
Witnesses heard during the Lords inquiry also drew attention to “the need to understand what data is held, what data is needed, where it sits or who owns it, and how it will be made available, and for this to be known in advance of an emergency”, as well as the value of data analytics and visualisation in the response process.