Government proposes new laws to strengthen UK against cyberattack

Government is consulting on new measures to boost British businesses’ cybersecurity after recent high profile attacks

Posted 19 January 2022 by Christine Horton

New laws are needed to drive up security standards in outsourced IT services used by almost all UK businesses, according to the government.

As a result, the government has today issued a series of proposals to strengthen the UK’s cyber resilience.  These include improving the way organisations report cybersecurity incidents and reforming legislation to be more flexible and can react to the speed of technological change.

It says the UK Cybersecurity Council, which regulates the cybersecurity profession, also needs powers to raise the bar and create a set of agreed qualifications and certifications so those working in cybersecurity can prove they are properly equipped to protect businesses online. 

The plans follow recent high-profile cyber incidents such as the cyberattack on SolarWinds and on Microsoft Exchange Servers. These showed vulnerabilities in the third-party products and services used by businesses can be exploited by cybercriminals and hostile states, affecting hundreds of thousands of organisations at the same time. 

They also follow an increase in ransomware threats to organisations, including some in critical national infrastructure such as the Colonial Pipeline attack in the US.

“Cyberattacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched,” said Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez.

“The plans we are announcing today will help protect essential services and our wider economy from cyber threats.

“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online.

It is not an optional extra.”

To make the UK more secure and help prevent these types of attacks the government is aiming, through new legislation, to take a stronger approach to getting at-risk businesses to improve their cyber resilience as part of its new £2.6 billion National Cyber Strategy.

Updating the NIS regulations

Network and Information Systems (NIS) Regulations came into force in 2018 to improve the cybersecurity of companies which provide essential services such as water, energy, transport, healthcare and digital infrastructure. Organisations which fail to put in place effective cybersecurity measures can be fined as much as £17 million.

The government wants to update the NIS Regulations and widen the list of companies in scope to include Managed Service Providers (MSPs) which provide specialised online and digital services. MSPs include security services, workplace services and IT outsourcing. These firms are crucial to boosting the growth of the country’s £150.6 billion digital sector and have privileged access to their clients’ networks and systems. 

The NIS regulations require essential service providers to undertake risk assessments and put in place reasonable and proportionate security measures to protect their network. They have to report significant incidents and have plans to ensure they quickly recover from them.

While the regulations apply to some digital services such as online marketplaces, online search engines and cloud computing, there has been an increase in the use and dependence on digital services for providing corporate needs such as information storage, data processing and running software.

Research by DCMS shows only 12 percent of organisations review the cybersecurity risks coming from their immediate suppliers and only one in twenty firms (five percent) address the vulnerabilities in their wider supply chain.

The government is today launching a consultation on amending the NIS regulations which includes proposals to: 

  • Expand the scope of the NIS Regulations’ to include managed services. These are typically provided by companies which manage IT services on behalf of other organisations. 
  • Require large companies to provide better cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, including a requirement to notify regulators of all cybersecurity attacks they suffer, not just those which impact their services.
  • Give the government the ability to future-proof the NIS regulations by updating them and if necessary bring into scope more organisations in the future which provide critical support to essential services.
  • Transfer all relevant costs incurred by regulators for enforcing the NIS regulations from the taxpayer to the organisations covered by the legislation to create a more flexible finance system and reduce the taxpayers’ burden. 
  • Update the regulatory regime so the most critical digital service providers in the economy have to demonstrate proactively they are following NIS Regulations to the ICO, and take a more light-touch approach with the remaining digital providers. 

NCSC technical director Dr Ian Levy, said he welcomed the proposed updates to the NIS regulations.

“These measures will ensure that cybersecurity risks are properly managed by organisations and those on whom they rely,” he said.

Empowering the cybersecurity profession

Cybersecurity is a core part of the UK’s booming tech sector which already has hundreds of successful cyber start-ups and more than a hundred tech ‘unicorns’ – companies worth more than £1 billion. As more people are drawn into cyber careers it can be difficult for businesses to know which skills to look for and whether a job candidate has those skills and the necessary qualifications or experience.

The new proposals would enable the UK Cybersecurity Council to define and recognise cyber job titles and link them to existing qualifications and certifications. People would have to meet competency standards set by the council before they could utilise a specific job title across the range of specialisms in cybersecurity. 

This, says the government, would make it easier for employers to identify the specific cyber skills they need in their organisations and create clearer information on career pathways for young people as well as existing practitioners, without providing unnecessary barriers to entry and progression.

The proposals include the creation of a Register of Practitioners, similar to what exists in the medical and legal professions, setting out the practitioners who are recognised as ethical, suitably-qualified or senior.