The author of a major review into cyber security says recommendations he made in February would have helped tackle the major IT outage crisis today.
Stephen McPartland came up with a number of recommendations in his review, including that the government should set up a cyber charter to allow major companies to share good practice and work together to help tackle wide-reaching IT failures which bring company operations to a halt.
But, despite the McPartland Review being published in February, there was no time to bring the recommendations into force because Mr Sunak called the general election in May.
The Tories said they would adopt his proposals but Labour has not made any guarantee, with the report currently sitting on the shelf.
Mr McPartland’s intervention comes after aircraft were grounded, the NHS’s operations were disrupted, CBBC and Sky television were unable to broadcast, and companies were unable operate during an IT outage caused by an update from the cyber security company Crowdstrike.
Mr McPartland told The Independent: “The mass worldwide IT outage is a clear example of the vulnerability of large organisations to their third party critical suppliers. The impact being felt by businesses and their consumers, shows how fragile our economic resilience is in more digitised economies.
“The McPartland Review made cyber resilience and securing supply chains the first recommendation and called on the government to launch a cyber charter to incentivise this through the tax system.
“The government must work with industry to implement the recommendations and get on with launching a cyber charter as even businesses with robust cyber security measures within their own networks remain exposed to risks stemming from their partners and suppliers.”
His top recommendation would have ensured that companies were prepared to work to fix the problem which in this case was caused by a flawed update in Microsoft systems.
The report said: “Government should launch a cyber charter that will empower large companies to share their cyber security expertise and resources with their 3rd party critical suppliers.
“The cyber charter will help them achieve the Cyber Essentials standard, which is a simple and effective way to protect their systems from the most common cyber attacks. Government should also provide clear incentives for investment in cyber security by improving awareness of existing tax reliefs for cyber security costs, such as software, hardware, or training, including the annual investment allowance for eligible capital expenditure which can cover up to £1m per year. This will enable businesses to invest in cyber security with confidence, knowing that they can reduce their tax bill and enhance their cyber resilience.
“By investing in cyber security, businesses can safeguard their data, customers, and reputation from cyber threats.”
The chief executive of CrowdStrike said he is “deeply sorry” for the incident but warned it would take time for systems to be fully restored.
George Kurtz said a fix had been deployed for a bug in an update which affected Microsoft Windows PCs, knocking many offline around the world, causing flight and train cancellations and crippling some healthcare systems.
In an interview with NBC’s Today Show in the US, Mr Kurtz said: “We’ve been on with our customers all night and working with them – many of our customers are rebooting the system and it’s coming up and operational because we fixed it on our end.
“Some of the systems that aren’t recovering, we’re working with them, so it could be some time for some systems that just automatically won’t recover, but it is our mission to make sure that every customer is fully recovered and we’re not going to relent until we get every customer back to where they were and we’ll continue to protect them and keep the bad guys out of their systems.”
Asked whether he thought an outage of this scale was possible, the CrowdStrike founder said: “Software is a very complex world and there’s a lot of interactions, and always staying ahead of the adversary is a tall task.”
In a post to X, formerly Twitter, Mr Kurtz reiterated that the outage “was not a security or cyber incident”.